
PACS Images Exposed Part 2 – Ep 294 

 March 5, 2021

By  Donna Grindle

Supply chain cyber threats are happening so often that they seem to show up in the news daily, and the list of cases grows every month. So much is still slowly being learned about the SolarWinds attack that it is getting hard to keep up with how far it goes. Now we have water systems and more healthcare breaches trickling in. This week I even saw a case we covered before about exposed PACS images. It's time for us to talk about what these supply chain attacks mean to the rest of us.


In this episode:


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


The HIPAA Boot Camp

Virtual Edition Aug 17-19, 2021


HIPAA Say What!?!

[08:43] Sixteenth – yes, 16th Patient Right of Access settlement.

OCR Settles Sixteenth Investigation in HIPAA Right of Access Initiative

Sharp Rees-Stealy Medical Centers HIPAA Resolution Agreement and Corrective Action Plan

Sharp HealthCare has agreed to take corrective actions and pay $70,000

“Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right,” said Acting OCR Director Robinsue Frohboese.

In June 2019, a complaint was filed with OCR alleging that SRMC failed to take timely action in response to a patient's records access request directing that an electronic copy of protected health information in an electronic health record be sent to a third party. OCR provided SRMC with technical assistance on the HIPAA Right of Access requirements. In August 2019, OCR received a second complaint alleging that SRMC still had not responded to the patient's records access request. OCR initiated an investigation and determined that SRMC's failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard. As a result of OCR's investigation, SRMC provided access to the requested records.

PACS Images Exposed Part 2

[17:46] https://www.healthcareinfosecurity.com/pacs-flaws-put-data-at-risk-for-18-months-a-16021

Article Feb 17, 2021
PACS Flaws Put Data at Risk for 18 Months
California Medical Imaging Group Describes Data Exposure

A California medical imaging group practice says vulnerabilities in its picture archiving and communications system left patient data at risk of unauthorized access for more than a year.

Wait a minute. This sounds familiar.

Sutter Buttes Imaging Medical Group, based in Yuba City, California, recently disclosed that in December 2020, it learned that the PACS system had been vulnerable to hacking from July 2019 to December 2020.

The practice’s administrator tells Information Security Media Group that the vulnerabilities left accessible “names of about 100,000 patients on a worklist.” The German security firm Greenbone Networks discovered the flaws while it was conducting its own research, the administrator says.

The vulnerabilities in the PACS included open ports and authentication issues, the administrator says. The practice did not reveal the brand of the PACS system.

The practice learned about the potential data exposure when it was alerted by the Department of Health and Human Services’ Office for Civil Rights, the administrator says.

[18:55] Oh, yeah, this does sound familiar. In February 2020 we did an episode about this: Images Exposed – Episode 243. At the time we had been following the story for months before discussing it. Let's review what we knew back then.

An article was published in ProPublica in September 2019 based on findings from a German research company, Greenbone. At that time it was reported that images were exposed for around 5 million patients in the US alone, plus millions more from around the world.

By the time the follow-up research was done, some states by themselves had more than 5 million patients with images exposed. Greenbone published a really useful map of the US showing how many patients had images exposed in each state. GA and FL each had over 1 million patients with images exposed, and California, where Sutter Buttes in Yuba City is located, had over 10 million.

[21:55] Turns out the PACS system had been vulnerable from July 2019 to December 2020. And they didn’t learn about this until the Department of Health and Human Services Office for Civil Rights alerted them. Uh oh!

There is some good news, though. According to the article, Sutter Buttes has "hired IT consultants to help bolster SBI's security controls". So does that mean they didn't have that done before? Was no one handling security prior to this? Did they believe someone was taking care of it, only to find out they were not?

There are millions of images from thousands of providers still exposed on the internet. Apparently no one at the healthcare facilities is paying attention. But you know who is paying attention? The criminals are. They see these announcements and take them as their cue to exploit the same weaknesses and do even more damage.

[35:05] You don’t even have to be a sophisticated criminal to use those images to identify people or at least narrow the list down to sometimes a very small number of people. MIT researchers have created a website where you can enter in your zip code, date of birth and maybe your sex and it will show you how easy it is to identify you with just a few pieces of information.

Have you ever tried to find someone by their name and maybe state or company they work for say on Facebook or LinkedIn. It isn’t that hard. Right?

So, the idea that these are just images with very little information about an individual so no one needed to be dealing with it is crazy… and scary. So, if you see information actively out there and vulnerable, share it with someone who can do something about it.
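To make the re-identification point concrete, here is an added example (not code from the episode or from Greenbone or Sutter Buttes). It takes the three quasi-identifiers the episode mentions, ZIP code, date of birth and sex, and counts how many people in a worklist share each combination. A combination shared by only one person identifies that person outright. The records are constructed sample data, not real patients, and the worklist layout (a list of dicts with `zip`, `dob` and `sex` keys) is an assumption about how such an export might look; it also goes one step beyond the episode by showing how much coarsening the fields (3-digit ZIP, birth year, dropping sex) is needed before nobody stands alone.

```python
from collections import Counter

# Constructed sample worklist (NOT real patients). Only the quasi-identifiers
# that typically ride along with an imaging study are kept.
SAMPLE_RECORDS = [
    {"id": 1, "zip": "95991", "dob": "1961-04-12", "sex": "F"},
    {"id": 2, "zip": "95991", "dob": "1961-04-12", "sex": "M"},
    {"id": 3, "zip": "95993", "dob": "1961-04-12", "sex": "F"},
    {"id": 4, "zip": "95991", "dob": "1975-09-30", "sex": "F"},
    {"id": 5, "zip": "95991", "dob": "1975-09-30", "sex": "F"},
    {"id": 6, "zip": "95991", "dob": "1975-09-30", "sex": "F"},
    {"id": 7, "zip": "95993", "dob": "1988-01-05", "sex": "M"},
    {"id": 8, "zip": "95993", "dob": "1988-07-21", "sex": "M"},
]

DEFAULT_QI = ("zip", "dob", "sex")


def equivalence_class_sizes(records, quasi_identifiers=DEFAULT_QI):
    """Map each record id to k, the number of records (itself included) that
    share its exact combination of quasi-identifier values. k == 1 means the
    combination singles that person out."""
    def key(r):
        return tuple(r[q] for q in quasi_identifiers)

    counts = Counter(key(r) for r in records)
    return {r["id"]: counts[key(r)] for r in records}


def unique_fraction(records, quasi_identifiers=DEFAULT_QI):
    """Fraction of records that are uniquely identified by the quasi-identifiers."""
    sizes = equivalence_class_sizes(records, quasi_identifiers)
    return sum(1 for k in sizes.values() if k == 1) / len(sizes)


def k_anonymity(records, quasi_identifiers=DEFAULT_QI):
    """Smallest equivalence class in the data set: every record is hidden
    among at least k others that look the same on the chosen fields."""
    return min(equivalence_class_sizes(records, quasi_identifiers).values())


def generalize(record, zip_digits=5, dob_precision="day", keep_sex=True):
    """Return a coarsened copy of a record: truncate ZIP to zip_digits,
    reduce the date of birth to 'day', 'month' or 'year', optionally drop sex.
    (Hypothetical helper written for this example.)"""
    dob = record["dob"]
    if dob_precision == "year":
        dob = dob[:4]
    elif dob_precision == "month":
        dob = dob[:7]
    elif dob_precision != "day":
        raise ValueError(f"unknown dob_precision {dob_precision!r}")
    out = {"id": record["id"], "zip": record["zip"][:zip_digits], "dob": dob}
    if keep_sex:
        out["sex"] = record["sex"]
    return out


if __name__ == "__main__":
    print("full ZIP + full DOB + sex:",
          f"k={k_anonymity(SAMPLE_RECORDS)}",
          f"unique={unique_fraction(SAMPLE_RECORDS):.0%}")

    coarse = [generalize(r, zip_digits=3, dob_precision="year") for r in SAMPLE_RECORDS]
    print("3-digit ZIP + birth year + sex:",
          f"k={k_anonymity(coarse)}",
          f"unique={unique_fraction(coarse):.0%}")

    coarser = [generalize(r, zip_digits=3, dob_precision="year", keep_sex=False)
               for r in SAMPLE_RECORDS]
    print("3-digit ZIP + birth year only:",
          f"k={k_anonymity(coarser, ('zip', 'dob'))}",
          f"unique={unique_fraction(coarser, ('zip', 'dob')):.0%}")
```

On the sample data, the full ZIP/DOB/sex triple singles out five of the eight people; even after coarsening to a 3-digit ZIP and birth year one person is still unique, and only dropping sex as well gets every record hidden among at least two. Run the same functions over a real worklist export (with patient consent and authorization, on your own systems) to see how many of your patients a "just an image" leak would hand over by name in all but name.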

Your IT company may be protecting your network, but are they protecting your medical devices? Do they even ask you about them? Do you assume they are protecting those devices too? You had better ask. Most IT companies do not, but someone needs to. Check with your medical device vendors: are they securing them, updating them, backing them up? Don't assume! You know what that does.

And remember, medical devices are #5 on the list of the top 5 threats in cybersecurity from the 405(d) Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) publication. We've mentioned the HICP guide in several previous podcasts, starting with 5 Threats and 10 Protection Practices – Ep 189 from February 2019.


HIPAA is not about compliance,

it’s about patient care.TM
