When Will COVID-19-Related Scams Show Up on Breach Tally?
Ransomware Attacks Recently Added to Health Data Breach Tally Predated the Virus Surge
Several ransomware attacks prior to the COVID-19 surge have been added to the federal health data breach tally in recent weeks. But will more such attacks and other breaches tied to coronavirus-related scams begin showing up on the Department of Health and Human Services' HIPAA breach reporting website soon?
The FBI and other law enforcement agencies have been warning of COVID-19-related phishing scams, business email compromises, ransomware attacks and other cyberattacks.
"I think it will be a long time before COVID-19-related incidents appear on the HHS website," predicts Tom Walsh, president of consulting firm tw-Security. "Hospitals are trying to cope with the influx of patients, setting up tent hospitals and COVID-19 testing stations outside of the hospital building. Those efforts require IT resources. Running audit reports or investigating security alerts are a lower priority."
Recent "HIPAA waivers" issued by the HHS Office for Civil Rights are creating confusion among some healthcare sector entities, which could potentially affect the reporting of health data breaches, Walsh adds.
"Some people may have mistaken the 'HIPAA waivers' announced by HHS as a 'hall pass,' meaning that HIPAA compliance has been suspended. That's not true," he says.
While OCR could potentially suspend its HIPAA enforcement efforts - such as investigations and penalties - during the crisis, "HIPAA compliance is still expected," he adds.
Walsh adds that at a recent webinar he hosted for Kansas hospitals, the most frequently asked questions were: "Do I still have to report breaches to the OCR?" (yes), and "Do the waivers mean that we can temporarily suspend HIPAA compliance?" (no).
Under HIPAA, covered entities must report to HHS breaches affecting 500 or more individuals no later than 60 days following the discovery - unless law enforcement requests a delay. Smaller incidents must be reported to HHS annually.
"Since we have experienced a surge in COVID-19-related attacks increasing since January, we should expect to see many organizations starting to report," says Clyde Hewitt, executive adviser at security consultancy CynergisTek.
But, he notes, "there will be many organizations that are not able to report within their HIPAA-mandated 60-day window as the remote workforce issues are limiting their ability to adequately assess the extent of these breaches and identify all impacted patients."
Recent Ransomware Breaches
The HHS OCR HIPAA Breach Reporting Tool website, which lists health data breaches impacting 500 or more individuals, includes at least three ransomware attacks that were reported to OCR in March but apparently occurred prior to the COVID-19 surge.
Wilmington, Delaware-based Brandywine Urology Consultants on March 27 reported a ransomware attack affecting nearly 132,000 individuals.
In a breach notification statement, Brandywine says the attack, which was discovered on Jan. 27, appears to have begun on Jan. 25. "The attack was neutralized, and a complete scan of the central server was run to assure no malicious software remained." The practice says its electronic medical records system was not affected.
Potentially compromised information may include patients' names, addresses, Social Security numbers, medical file numbers and claims information.
As of Wednesday, the attack on Brandywine was the sixth largest health data breach added to the federal tally so far this year in terms of the number affected.
Affordacare Urgent Care Clinic in Abilene, Texas, on March 31 reported a ransomware attack affecting more than 57,400 individuals. In a statement, the clinic says it discovered a ransomware attack in early February.
"Upon further investigation, Affordacare learned that hackers also accessed its servers, and some confidential information may have been removed," the statement says.
Affordacare's servers contained patients' full names, addresses, telephone numbers, dates of birth, ages, details about visits, insurance plan policy and group numbers, treatment codes and descriptions, brief comments from the healthcare provider, as well as other information.
"Affordacare continues to investigate the scope of information affected," the statement says.
Radiology Practice Attack
In a third ransomware incident, Stockdale Radiology, based in Bakersfield, California, reported on March 27 a ransomware attack affecting 10,700 individuals. Stockdale says that it discovered the attack on Jan. 17.
"We immediately contacted the FBI, who arrived at our offices within 30 minutes and are currently investigating the matter. A limited number of files were publicly exposed by the intruder," a notification statement says.
Personal information that was accessible by hackers included patients' names, addresses, personal health information - including parts of refund logs - and some doctor's notes.
Brandywine, Affordacare and Stockdale did not indicate in their statements whether they paid ransoms.
Other Security Risks During Pandemic
While hospitals in regions hit hard by the COVID-19 pandemic struggle to keep up, other healthcare entities - such as dental practices, opticians, and clinics offering non-urgent care and elective procedures - are shut down due to the coronavirus outbreak.
Some shuttered facilities are offering services via telehealth, but others are dealing only with occasional emergency situations or are just waiting to reopen. But those practices need to stay on their toes to detect and defend against cyberattacks and data breaches, some security experts warn.
"Closed practices may be at some risk for attacks," Walsh says. "Because the practice is on 'hiatus' - no one is closely watching the shop. For example, staff could be doing some work from home, but may be using their personally owned equipment, which may lack the security controls typically found on the workstations within the practice."
Practices that have shut their doors may not have shut down their servers or backend operations, Hewitt notes.
"Patient accounting activities - including filing claims, sending invoices for co-payments and reconciling the books - must still be performed, although remotely," he says. "Since the pace of attacks is higher now, we can expect more remote workforce attacks. For the security and compliance staff, it is also important to increase the monitoring of security logs to validate that all remote logins are legitimate."
Transitioning to a remote workforce means that previously undocumented risks can be overlooked, he adds. "Organizations should use this downtime to perform a risk assessment on their supporting vendors as well as their remote work environments, then remediate those risks."
Meeting HIPAA requirements for reporting major health data breaches amid the COVID-19 crisis is challenging because many non-clinical staff, including IT, security, privacy and compliance specialists, are working from home, Hewitt notes.
"This adversely impacts an organization's ability to detect, respond and recover from incidents," he says. "In addition, many covered entities and business associates depend on their supporting vendors, including cyber insurance carriers, outside legal firms, forensics teams and technology vendors. These third parties' ability to respond is also impacted. This confluence of remote challenges causes additional delays."
For those working at home, forwarding email, printing documents and using unencrypted mobile storage devices for PHI pose risks, Walsh adds.
Also, personally owned equipment may lack the security controls and settings - such as screen timeouts - found in the workstations within the organization, he notes. And wireless networks within the telecommuter's residence may not be properly secured, he adds.
"Members of the same household may use the same computer/laptop as the telecommuter for online school assignments or other personal reasons," potentially putting PHI at risk, Walsh says.
"Drastic times means that people will take drastic measures to accomplish what they feel is necessary, even if their actions violate policy or HIPAA."