Episode 65 of HIPAA Critical features an interview with Aja Anderson on this month’s Paubox HIPAA Breach Report.
Hannah Trum: I'm Hannah Trum and this is HIPAA Critical, a podcast from Paubox where we discuss security, technology, and compliance news with healthcare industry leaders. Each month, Paubox publishes a report analyzing HIPAA breaches affecting more than 500 people as reported to the HHS. Under the HITECH Act, the HHS secretary is required to post these breaches to the Breach Notification Portal publicly. Or what most people in the industry call the HHS Wall of Shame. The latest edition of the HIPAA Breach Report analyzed data breaches reported in December 2021. Top takeaways to note include almost two million individuals affected by twenty network server breaches and ten breaches via email affecting over 500,000 people. When we compare December 2021’s data to previous December data, 2021 had the highest number of network server breaches. 4.5 million people have been breached via a network server and almost 3 million people via email in the last 5 December months. Aja Anderson, Paubox customer success manager, joins me again to discuss the latest report, trends she’s observed over the last month, and the ongoing fight against bad actors in healthcare. Hi, Aja. Thanks so much for joining me on the first episode of the year of the HIPAA Critical podcast. How are you?
Aja Anderson: I am great. How are you? Happy New Year!
Hannah: Happy New Year! Happy New Year and new cybersecurity breaches for us to talk about. But before we talk about 2022, let's give a little wrap-up of 2021. The most recent edition of the HIPAA breach report was published that went over the December 2021 breaches. Will you go ahead and give us just some interesting tidbits from that report?
Aja: As you mentioned at the top of the episode, network servers were the number one threat vector and the space that targeted the most folks, most people affected. Two incidences had the highest number of people affected.
One was the Oregon Anesthesiology Group. They had 750,500 patients as well as 500, more than 500 past and current employees were affected. Bad actors gained access to their systems through a vulnerability in a third-party platform. And then there was a Texas EMT specialists, they have the second-largest breach with over 500,000 people affected.
Over the last five years, December is the month that we see the most breaches. We saw the most network server breaches, there are 20 of them. The most breaches historically in that month. Obviously, we've talked about this before, the holiday season is a very vulnerable time. People are checked out because they're ready to come on break. We're also entering the third year of a pandemic, people are tired, and not paying attention.
Hannah: And work from home is never going away.
Aja: Yes and people are a lot more vulnerable in the remote environment.
Hannah: Not surprising. We knew this was going to happen. So right now when I asked you to give me the highlights, or I guess the lowlights of 2021. We can cover all of those cybersecurity aspects too.
Aja: There are four things that we saw when we looked back at 2021.
One of the biggest things is app vulnerability in general. When I mentioned the Oregon [Anesthesiology Group] issue, the threat actors got into their system through a third-party platform or app.
We take the security of third-party platforms for granted, we try to We’vehandle all of that. And I know people do try, but there's more vulnerability in apps we saw Microsoft Power Apps is HIPAA compliant.
The same as Microsoft Exchange is, but they had multiple zero-day exploits over this year. So you want to make sure that your third-party apps have proper security configurations to make sure that data leaks are not going to happen.
Hannah: Exactly. I think Zero Day was trending on Twitter a few too many times this year.
Aja: Definitely. Those vulnerabilities lead to provider downtime, which was another big theme of 2021. Which you can't afford that ever, but particularly during pandemics when we're seeing hospitals having record numbers of folks, inpatient and also just in the ER in general.
So the question that comes up for me is, do you have backups? Do you have an off-premise server? Do you have your stuff in the cloud? Do you have physical backups of all your information?
Because more than once we saw incidences where organizations like the Maryland Department of Health had to shut down servers after discovering a breach, which we completely understand why they did that, but that also shut down its website. And that meant that patients couldn't access their health records.
In Ohio, we saw something similar with the hospitals there shut down their servers, they spent days canceling and rescheduling appointments, and all throughout that, that time, their patient portal wasn't active. So that led to a lot of confusion on the part of their patients made everything much more difficult and nobody could access their records.
Hannah: That reminds me of something that my last guest, Dave Ledoux from Innovive Health , said there are just some things that you can't have backups of, there are some things that you can't have a secondary, electronic medical record system or an email system, but the things that you do need backups for you should have a backup.
Aja: Definitely. One of the other themes that we saw in 2021 was IP spoofing. The biggest incident of this was also the largest network server breach of the year. We talked about this earlier last year. It was with Eskenazi Health and affected 1.5 million people.
Through IP spoofing a hacker pretends to be using a different IP address and then is able to disable the network security protections. So the IT team can even detect suspicious activity. Um, you know, that's a really tough one.
Hannah: IP spoofing can be very sophisticated. Could you imagine being the Director of IT, VP of IT, or the CTO and going to your CEO and all your patients and employees and saying, “Oh, we didn't even know this was here.” This is why you have to patch your vulnerabilities and look at your attack surface because of IP spoofing, hacking, and IT incidents.
Metro Infectious Disease Consultants was the victim of an email breach that affected over 170,000 individuals. A hacker gained access to employee email accounts, probably through the use of phishing emails.
Hannah: It’s always phishing.
Aja: The company was able to secure the email accounts, but it just serves as a reminder that even small healthcare providers can be targets.
I tell customers once you get to be somewhere between 50 and 150 employees, that's the sweet spot for threat actors coming after you because they know that there's money there.
Hannah: Mmhmm. Definitely. What can you tell us about just interesting things you've seen in the last month, late December, early January?
Aja: Well you mentioned patching your software. That's a great segue.
The Log4j vulnerability was discovered right around the Christmas holiday. And that was related to a patch in software. It's utilized to control systems and medical devices and hardware. And that company did a great job in releasing a patch quickly, but the implementation of a patch hinges on updating your site. You have to update everything. It's not just about clicking one button.
Hannah: What can you tell me about my favorite topic, which is ransomware.
Aja: One of the articles that we've published on the blog recently talks about ransomware as a service.
Hannah: That’s cool. Well, I'm hesitant to say that's cool. But that's cool.
Aja: Well, it's cool and it's sort of ironic. Where you have software as a service, you can equally have ransomware as a service. Where folks are developing programs that they then sell to other people that want to get into the hacking game.
One of the organizations that I'm keeping an eye on right now is called Mespinoza. They're a cybercriminal group that operates ransomware software. They're one of the top 10 Global Health Care threat actors. They've been around since 2018. And there have been a lot of sort of warnings for the industry to keep an eye out for activity from them. They love going after health care.
Hannah: Well, yeah, health care is where all of the money is on the black market. PHI (protected health information) is worth a fortune on the black market because it's more robust than a credit card number. It's someone's social security number and specific information about them that they might use for the government when they are applying for things and so on. It's scary that ransomware as a service is something. It's kind of cool because as humans, we fix the problem, we create a problem.
Aja: Definitely one of the things that our friend Tony UcedaVélez says is you have to stay one step ahead of the threat actor. So, here's an example of software as a service, having a chance to really catch up and get ahead of these folks.
Hannah: Speaking of catching up and getting ahead, can you go ahead and let us know some of your cybersecurity tips for January?
Aja: Certainly. I've mentioned many of these things before, and I'm going to say them again because they are still just as important.
We've gotten on the other side of some of the big holidays for the year, but you want to be extra vigilant during all of the holidays that come up in the next year and beyond. As we mentioned at the top of the episode, the times where we are feeling tired and ready for a break are the times that threat actors are going to take advantage of us the most.
Where we see the most incidences are always around the holidays. There are so many resources that are out there for you to be able to inform yourself on practices and protocols that you can put in place for your cybersecurity. Health and Human Services has a new website, which we highly recommend checking out where they catalog a lot of those resources
Hannah: For health care, particularly, correct?
You want to monitor and maintain readiness, make sure that your emergency action plans are up to date, and that you have some kind of business continuity plan in place. When we talked about the folks that had to they had to disable their servers, that meant that they had to shut down their websites that shut down their patient portals, that's what we're talking about.
When we say business continuity, you have to have a plan in place to continue to deliver care when you are dealing with the fallout of a breach. Tired and stressed staff equates to more risk. Not that we put the onus on your people, but I would say the onus is on the organization to make sure that folks are getting breaks and chances to sort of regroup and recoup so that they can come back into the office and be as vigilant as possible.
Hannah: Yes, I would agree. Look at your IT department, look at your cybersecurity department and see what they're saying. What do they need? What can they provide that can help the entire organization as a whole?
Aja: Definitely, and talk to your support teams, because they're the ones that are getting sort of the early warnings from the customers when things start to get weird. They're going to be getting a spike in tickets. You can kind of analyze the themes. Such as what people are writing in about and that can help inform what the company is to take a look at.
Hannah: Spoken like a true customer success manager.
Aja: Who has spent a lot of time in support.
You want to report any incidents. Sometimes I end up putting in a ticket that turns out to be a false positive, but I would rather have a false positive in front of our engineers than not report an incident.
Hannah: It is much better to email someone to say, “Hey, I think this email is phishy,” than to click on something, and then your entire company is down for two or three weeks.
Aja: Definitely. And the cornerstone of all this advice is that you develop and execute a solid cybersecurity plan.
Some of the things that, again, we've talked about before, but these are the themes that came up overwhelmingly in 2021. These are the things we're also looking at as we move forward into 2022.
Employee training and awareness, with a balanced approach to overall employee mental health and well-being. If you have people that are well-rested, who feel that they are being taken care of, then they're going to be much more aware and focused on these elements of the job, the things that they have to you know, they have to serve as an alert system.
Hannah: They'll notice when something is weird as you said earlier.
Aja: Exactly, exactly. Unless they're so tired, that they're not paying attention in the way they would otherwise. Email encryption we're a big fan of, and two-factor authentication. If you have not implemented two-factor authentication in your organization, this is your reminder. And please ditch the fax machine.
Hannah: If you can. I understand there's a very small subset of the population that cannot deviate from the fax machine. But if you can send an email you can send an eFax as a PDF. it's 10 times easier and it can be encrypted from end to end.
Hannah: Aja, thank you so much for joining me on today's episode of HIPAA Critical and I will see you next month. For more information about the Paubox HIPAA Breach Report or to see any of the data mentioned in this episode, please visit paubox.com/blog. You can listen to every episode of HIPAA Critical on paubox.com or subscribe via Apple Podcasts , Spotify , iHeartRadio , Stitcher , Amazon Music , or wherever you listen. Thank you for tuning into another episode of HIPAA Critical; I’m your host, Hannah Trum, signing off.