Home Care Technology: The Rowan Report

Incident #1	Incident #2
A U.S. medical training school has exposed the personally identifiable information of thousands of students after an unsecured bucket was left exposed online. As ZDNet reports, he server, which did not have authentication controls in place and was, therefore, accessible by anyone to view, contained 157GB of data. The quantity of data exposed equates to just under an estimated 200,000 files including driver license copies, names, dates of birth, home addresses, phone numbers, email addresses, and both professional and educational summaries.	Washington residents received a record amount of data breach notifications in the last year, according to a report released Friday by the state’s attorney general. Breached businesses and agencies in the last year sent 6.3 million notices to Washingtonians—by far the largest number of notifications sent to state residents since attorney general Bob Ferguson began tracking the data in 2016, the report states. In addition to the millions of notices, 280 data breaches, 245 cyberattacks, and 150 ransomware attacks were reported, according to the report.

Incident #3	Incident #4
INDIANAPOLIS — Roughly three months after Eskenazi Health released a statement announcing a cyber security breach that compromised personal data, some patients are just now receiving that news in the mail. According to a release posted last month, Eskenazi Health was notified of a cyber attack “on or about August 4, 2021” that resulted in the personal information of some employees and patients being leaked to cyber-criminals. However, the same release claims the breach actually happened three months prior “on or about May 19, 2021.” According to the U.S. Department of Health and Human Services, the breach impacted 1,515,918 individuals. However, some of those potentially impacted are just now receiving notification by mail. Some of the stolen information was posted on the dark web.	EHR vendor QRS began notifying its clients of an August cyberattack that exposed the PII and PHI of nearly 320,000 individuals. The attack occurred between August 23 and August 26, 2021, when a hacker accessed one QRS dedicated patient portal server. QRS said it immediately took the server offline, notified law enforcement, and engaged a forensic security firm to investigate the incident. During the three-day attack window, the hacker accessed and may have acquired files on the server containing PII and PHI. The breached information may have included names, birth dates, addresses, Social Security numbers, portal usernames, medical treatment and diagnosis information, and patient identification numbers. QRS began notifying impacted individuals on October 22. Third-party vendor cyberattacks are becoming increasingly common as threat actors look for innovative ways to target healthcare organizations.

Cyber criminals target healthcare organizations more than any other type of business. Hospitals accounted for 30 percent of all large-scale data security incidents in 2020. Over the last three years, a staggering 93% of healthcare organizations experienced a data breach, while 57% of healthcare organizations have had more than 5 breaches. Other attacks may impact more people and thereby attract bigger headlines (Marriott, T-Mobile, Colonial Pipeline), but the threat of shutting down life-saving functions makes attacks on healthcare organizations far more serious.

While hospitals often have the resources to build up cyber-security protection systems, post-acute-care providers are often forced to put such expenditures on the back burner. If attacked, the consequences can be severe enough to destroy a small business. Home Health, Home Care, and Hospice are not immune.

In recent years, agencies forced by law to disclose an attack that may have exposed personal information and protected health information include Personal Touch, OSF Healthcare Systems, and even the VA. Georgia-based Aveanna Health was attacked in August, 2019 and informed staff and patients in February, 2020.

Post-Acute Care providers do not have to navigate the cyber security waters alone. There are several resources available to help healthcare organizations protect themselves from those international hackers.

KnowBe4 is the company that Casamba turned to after its ransomware attack two years ago. They train workers to be better at recognizing emails and web sites that should be deleted instead of opened.
HIMSS, the Healthcare Information Management and Systems Society, has educational resources about the threats and the solutions.
The HCI Group published a free, helpful article online at 9 Essential Cyber Security Measures for Healthcare
The government itself has many resources. A good place to start is Top 10 Tips for Cybersecurity in Health Care

©2021 by Rowan Consulting Associates, Inc., Colorado Springs, CO. All rights reserved. This article originally appeared in Home Care Technology: The Rowan Report. homecaretechreport.com One copy may be printed for personal use; further reproduction by permission only. editor@homecaretechreport.com

Security Breaches Plague Healthcare Providers

×