In August, as many as 1.4 million patient records were compromised at UnityPoint Health Systems when an email phishing scam breached the provider’s network. This was the second of two cyber attacks on the Iowa-based health provider, which operates clinics and hospitals in Iowa, Wisconsin and Chicago.
The first attack was discovered in April and compromised more than 16,000 health records. That intrusion may not have been discovered until a full four months after the provider’s network had already been compromised. Employees rushed to change passwords, but another series of email phishing attacks loomed.
In this case, an email phishing scam means that a contact or employee received an email that mimicked a legitimate contractor, vendor or company.
These cleverly disguised emails may include a link that, once followed, gives the attacker broad access to the system, or they may urge the recipient to update their information. The more convincing phishing emails appear to come from a vendor the recipient has already worked with or is currently working with, which makes it more likely that the recipient will hand over the requested information.
A spokesperson for UnityPoint Health Systems explained that the cyber attacks were probably aimed at vendor accounts—an attempt to redirect payments or payroll—and not at patient records. Despite this, the attacks compromised names, Social Security numbers, banking information and more.
The sheer number of compromised files after the second series of attacks—equal to more than one-fifth of the Wisconsin state population—prompted the state’s attorney general to recommend credit freezes on compromised health accounts, and a class action lawsuit has reportedly already been filed against UnityPoint Health Systems.
The Outlook for UnityPoint Health Systems
The Office for Civil Rights (OCR) has yet to weigh in on UnityPoint Health Systems’ possible HIPAA violations, but if recent fines are any indication, the health provider may be in trouble.
Earlier this year, Fresenius Medical Care North America was fined $3.5 million when an OCR investigation revealed that the provider and related covered entities had not performed thorough risk analyses to expose ePHI vulnerabilities. The fine was levied despite no evidence of a breach, following an OCR investigation that took place in 2013.
In summary, and in relation to UnityPoint Health Systems, HIPAA compliance calls for weighing the strength of cybersecurity and physical security protocols against the threats to client data, including the way employees and business associates handle, access or store PHI and ePHI. HIPAA also calls for compliance documentation, and encryption is part of the Security Rule—45 CFR 164.304. There is no specific wording in HIPAA regarding email phishing scams, but past fines for phishing compromises fell under 164.308, the section that outlines the responsibility of covered entities to provide security awareness training.
THE HIPAA PENALTY BREAKDOWN
Tier 1: The covered entity is unaware of the violation, and the violation could not reasonably have been avoided. Penalty: $100 per violation, up to $50,000.
Tier 2: The covered entity should have been aware of the violation, and the violation is deemed preventable. Penalty: $1,000 per violation, up to $50,000.
Tier 3: The covered entity demonstrates compliance neglect but shows efforts to bring the flagged issues into compliance. Penalty: $10,000 per violation, up to $50,000.
Tier 4: The covered entity demonstrates compliance neglect and shows no effort to bring the flagged issues into compliance. Penalty: $50,000 per violation.
So far, no money has changed hands in the reported civil suit filed against UnityPoint Health Systems.
However, OCR has already issued more than $24 million in HIPAA fines to other covered entities, and it is only October. At the close of 2017, total fines stood at just over $20 million, and at the close of 2015 HIPAA fines stood at just $6.1 million. When OCR issues fines for HIPAA violations, they are assessed per violation and per day that the violation was active, and they can reach back years.
A recent round of OCR audits revealed that almost 85% of evaluated covered entities scored below Tier 3 in risk. This equates to negligible and preventable violations that are still commonplace more than 20 years after HIPAA was implemented.
UnityPoint Health Systems has since reset passwords, rolled out multi-factor authentication and enrolled employees in phishing education, but it may be too little, too late.
According to a report released by McAfee Labs in March, the health care industry is the number one target for hackers. In fact, cyber attacks grew by more than 200 percent in 2017 over the previous year, and 2018 is gearing up to top last year.
How blockchain can help
Guardtime is a production example of using blockchain technology to secure data. Rather than relying on verification keys, it distributes data across a decentralized set of nodes, where the system routinely compares metadata packets; any that fail to align are excluded. As a result, the only way to alter data held on the nodes is to alter the blockchain itself, which would mean destroying every node. The advantage is that if even one node holding accurate data remains online once countermeasures defeat the attack, the entire system can be restored from it.
Because Guardtime’s system detects changes to data and continuously verifies them, there are few weak ‘links in the chain’, i.e. little scope for tampering with the ledgers held in the blocks, so the data remains uncompromised.
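The replicated-comparison idea described above, as an added illustration that is not Guardtime’s code and does not model its actual product: a hash-chained ledger copied to several nodes, an audit that excludes any replica whose chain is internally inconsistent or disagrees with the majority, and a restore from a single surviving good replica. The node names and patient records are constructed sample data.

```python
import hashlib
import json
from copy import deepcopy

def block_hash(index, prev_hash, record):
    # Canonical JSON so every node hashes identical bytes for identical content.
    return hashlib.sha256(json.dumps({"i": index, "prev": prev_hash, "rec": record}, sort_keys=True).encode()).hexdigest()

def build_chain(records):
    # Each block commits to its predecessor, so editing one record changes every later hash.
    chain, prev = [], "0" * 64
    for i, rec in enumerate(records):
        chain.append({"i": i, "prev": prev, "rec": rec, "hash": block_hash(i, prev, rec)})
        prev = chain[-1]["hash"]
    return chain

def chain_is_valid(chain):
    prev = "0" * 64
    for blk in chain:
        if blk["prev"] != prev or blk["hash"] != block_hash(blk["i"], prev, blk["rec"]):
            return False
        prev = blk["hash"]
    return True

def audit_nodes(nodes):
    # Trust a node only if its chain is internally consistent AND its tip hash agrees with the majority.
    tips = {}
    for nid, chain in nodes.items():
        if chain_is_valid(chain):
            tips.setdefault(chain[-1]["hash"], []).append(nid)
    good = set(max(tips.values(), key=len)) if tips else set()
    return good, set(nodes) - good

def restore(nodes, good, bad):
    # One surviving good replica is enough to rebuild every excluded node.
    for nid in bad:
        nodes[nid] = deepcopy(nodes[next(iter(good))])

def demo():
    records = [{"patient": "P-001", "visit": "2018-04-02"}, {"patient": "P-002", "visit": "2018-04-03"}]  # constructed
    honest = build_chain(records)
    nodes = {nid: deepcopy(honest) for nid in "ABC"}
    # Node D: a record was rewritten and the hashes recomputed (self-consistent, but disagrees with the others).
    nodes["D"] = build_chain([records[0], {"patient": "P-002", "visit": "2018-09-09"}])
    # Node E: a record was edited in place without recomputing hashes (chain internally broken).
    nodes["E"] = deepcopy(honest)
    nodes["E"][1]["rec"]["visit"] = "2018-09-09"
    good, bad = audit_nodes(nodes)
    restore(nodes, good, bad)
    return good, bad, all(c[-1]["hash"] == honest[-1]["hash"] for c in nodes.values())
```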