Even a pandemic can’t stop the hackers

Despite being in the middle of a pandemic, hackers have wasted no time in stealing patient and personal data. Here is a summary of cybersecurity breaches reported this year at healthcare organizations:

Florida Orthopaedic Institute (FOI): attackers deployed ransomware on its servers. Administrators were able to secure the systems quickly, but the investigation found that patient data was potentially accessed or exfiltrated before the ransomware ran. 640,000 patients were impacted.

Magellan Health: a sophisticated ransomware attack hit its servers, compromising the data of 365,000 patients. The attackers gained their initial foothold through a social engineering phishing scheme that impersonated a Magellan Health client, five days before the ransomware was deployed.

BJC Healthcare (Missouri): a phishing attack was detected by its security team on the same day it occurred; however, data was still compromised, impacting about 288,000 patients.

Benefit Recovery Specialists (Missouri): stolen employee credentials were used to access the insurer’s systems and deploy malware, breaching the data of 274,837 patients from several providers and payers that use the company for billing and collections services.

Ambry Genetics (California): this clinical genomic diagnostics vendor suffered an email compromise that exposed the data of 232,772 patients. The attacker gained access through a single employee’s email account.

Northwestern Memorial Healthcare: 56,000 donors and patients were notified that their personal records were exposed in a breach at one of its software vendors (Blackbaud), where an unauthorized party had gained access to Blackbaud’s systems.

Northshore Health System: 348,000 patients, employees, and/or donors were notified that their personal records were exposed in the same Blackbaud breach.

University of Kentucky Healthcare: 163,000 patients, employees, and/or donors were notified that their personal records were exposed in the same Blackbaud breach.

Roper St Francis Healthcare (South Carolina): 92,963 donors were notified that their personal records were exposed in the same Blackbaud breach.

Not all breaches involve a cyberattack, but implementing secure practices is still critically important. For example, the following data breaches occurred this year:

Health Share of Oregon: The theft of a laptop owned by their transportation vendor compromised the data of 654,000 patients.

Elite Emergency Physicians and St. Joseph Health System (Indiana) reported a security incident involving the improper disposal of patient records by their third-party record storage vendor, impacting 550,000 patients.

There was also an increase in phishing campaigns themed around the coronavirus. For example, emails that appeared to come from the Centers for Disease Control and Prevention (CDC) were actually attackers trying to harvest credentials or data by luring the recipient into clicking a malicious link.

Some may even look like they are coming from your employer, creating a sense of urgency to click on a link.

As you can see, breaches can occur in various ways, including accidental exposure by employees. Here is what Discovery is doing to remain cyber secure:

  • Making sure remote connections are secure
  • Training employees on what social engineering, phishing, and ransomware attacks look like and how to avoid clicking on malicious links. Monthly training is required as part of Discovery’s ongoing commitment to security
  • Updating our vendor management process to prevent third-party incidents and breaches
  • Annual attestation to policies to help remind and educate Discovery’s workforce of our compliance, security, and privacy practices

Quick tips for recognizing and avoiding coronavirus-themed phishing emails

  • Beware of online requests for personal information. A coronavirus-themed email that seeks personal information like your Social Security number or login credentials is a phishing scam. Legitimate government agencies won’t ask for that information by email. Never reply to the email with your personal data.
  • Check the sender address and the link. Look at the actual email address, not just the display name, and inspect a link by hovering your mouse over it to see where it really leads. Sometimes it’s obvious the web address is not legitimate, but keep in mind that phishers register look-alike domains and nest a trusted name inside a different domain (for example, a trusted name as a subdomain of an unrelated site). Forward the email to your security team and then delete it.
  • Watch for spelling and grammatical mistakes. If an email includes spelling, punctuation, and grammar errors, it’s likely a sign you’ve received a phishing email.
  • Look for generic greetings. Phishing emails are unlikely to use your name. Greetings like “Dear sir or madam” can be a signal that the email is not legitimate.
  • Avoid emails that insist you act now. Phishing emails often try to create a sense of urgency or demand immediate action. The goal is to get you to click on a link and provide personal information—right now.
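The tips above are what a person checks by eye. The script below does the same checks mechanically over a raw email: it compares the sender’s display name with the actual address domain, compares each link’s visible text with its real destination, flags punycode and look-alike hosts, and looks for generic greetings, urgency cues and requests for credentials. It is an added example for this page, not Discovery’s own tooling; the allow-list, the phrase lists and both sample messages are constructed for the illustration (the `.example` domains are reserved and resolve nowhere).

```python
"""Flag the phishing indicators described above in a raw RFC 5322 message.

Added illustration for this page, not Discovery's own tooling. The allow-list,
phrase lists and both sample messages are constructed for the example.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"cdc.gov", "example-health.org"}  # assumed allow-list
IMPERSONATED = ("cdc", "hr", "it support", "payroll")  # display names worth a second look
GENERIC_GREETINGS = ("dear sir or madam", "dear customer", "dear user", "dear employee")
URGENCY = ("act now", "immediately", "within 24 hours", "will be suspended")
CREDENTIAL_ASKS = ("social security", "password", "login", "verify your account")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs: what the reader sees vs. where it goes."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Crude (wrong for co.uk-style suffixes),
    but enough to show that cdc.gov.secure-login.example is not cdc.gov."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(url):
    """Registrable domain of a URL, or of bare text that looks like one."""
    if "://" not in url:
        url = "http://" + url
    return registrable_domain(urlparse(url).hostname)


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Sender: the display name is free text; only the address domain counts.
    from_header = msg["from"]
    if from_header and from_header.addresses:
        sender = from_header.addresses[0]
        sender_domain = registrable_domain(sender.domain)
        if sender_domain not in TRUSTED_DOMAINS:
            findings.append(f"sender domain not on allow-list: {sender_domain}")
            if any(name in sender.display_name.lower() for name in IMPERSONATED):
                findings.append(f"display name '{sender.display_name}' impersonates a trusted party")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lower = text.lower()

    # 2. Links: visible text vs. real target, punycode hosts, look-alike hosts.
    extractor = LinkExtractor()
    extractor.feed(text)
    for visible, href in extractor.links:
        host = (urlparse(href).hostname or "").lower()
        target = registrable_domain(host)
        if "xn--" in host:
            findings.append(f"punycode (IDN) host in link: {host}")
        if re.search(r"\w+\.[a-z]{2,}", visible) and domain_of(visible) != target:
            findings.append(f"link text shows {domain_of(visible)} but goes to {target}")
        # Heuristic: a trusted name buried inside an untrusted host, e.g. cdc.gov.<evil>
        if target not in TRUSTED_DOMAINS and any(t.split(".")[0] in host for t in TRUSTED_DOMAINS):
            findings.append(f"look-alike host: {host}")

    # 3. Wording: generic greeting, manufactured urgency, requests for credentials.
    for phrases, label in ((GENERIC_GREETINGS, "generic greeting"),
                           (URGENCY, "urgency cue"),
                           (CREDENTIAL_ASKS, "asks for credentials/PII")):
        hits = [p for p in phrases if p in lower]
        if hits:
            findings.append(f"{label}: {', '.join(hits)}")
    return findings


def is_suspicious(raw_message, threshold=2):
    """Two or more independent indicators is a reasonable bar to escalate."""
    return len(analyze(raw_message)) >= threshold


# Constructed sample: a CDC-themed lure (sender, link and text are all made up).
SAMPLE = """\
From: "CDC Health Alert" <alerts@cdc-gov-update.example>
To: employee@example-health.org
Subject: URGENT: COVID-19 safety measures
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Sir or Madam,</p>
<p>You must act now to confirm your login details within 24 hours.</p>
<p><a href="http://cdc.gov.secure-login.example/verify">https://www.cdc.gov/coronavirus</a></p>
</body></html>
"""

# Constructed sample: a benign message from an allow-listed sender.
BENIGN = """\
From: "CDC" <alerts@cdc.gov>
To: employee@example-health.org
Subject: Weekly update
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello Jordan,</p>
<p>This week's summary is at <a href="https://www.cdc.gov/coronavirus">https://www.cdc.gov/coronavirus</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("-", finding)
    print("suspicious:", is_suspicious(SAMPLE), "| benign flagged:", is_suspicious(BENIGN))
```

The allow-list is the important design choice: a display name of “CDC Health Alert” proves nothing, and a host that merely contains `cdc.gov` proves nothing either; only the registrable domain of the real sender address and of each link’s real destination is compared against names you already trust. The wording checks are deliberately weak signals on their own, which is why `is_suspicious` waits for two independent indicators.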
Asra Ali

The bad news: the bad guys are getting smarter. The good news: so are we.

It can be the small, unintentional errors that expose valuable health data to data thieves. Filling out social media quizzes that are actually gathering information about you, like your birth month or high school mascot. Holding your building door open for a delivery person with their hands full. Clicking on an urgent email request that appears to come from a senior executive.

Small errors can lead to massive data breaches. Here’s how we help keep health data safe.

A company’s security is only as strong as its weakest link. At Discovery Health Partners, we’ve earned HITRUST certification for information security for several of the technologies that drive the use of data across our solutions.

One component of HITRUST compliance is user awareness training: reinforcing the procedures everyone needs to follow so that our employees don’t mishandle or expose your health plan’s data.

Along with processes, tools and technology, we’ve implemented ongoing employee training:

  • Our employees are trained to handle data appropriately in any medium, whether it’s in an email, on a computer screen, or in a printed document
  • We have specific instructions on how to handle data at any point—including destruction of media
  • We’ve educated our team on the many social engineering tactics hackers use (Tips and tricks featured below)
  • We follow up this training with monitoring and reporting to ensure that these safe practices actually happen, so we can respond quickly if we discover a lapse
  • We also ensure our third-party providers protect your data with tight security protocols, monitoring, and training

While a company can have the latest cybersecurity technology in place, if someone in our building holds the door open for a stranger, or clicks on a link in an email that seems to come from HR, they’ve just bypassed that technology.

So as the bad guys get better and smarter, it’s even more important for us to train our employees to be diligent and aware of the latest tricks.

As a recent report on healthcare data breaches reasonably pointed out—while people are a company’s most valuable asset, from a security point of view, they can also be its weakest link.

Learn more about HITRUST certification here.

Tips and tricks

Data breaches are often the result of social engineering, attempts to trick unsuspecting employees into handing over confidential or sensitive data. Social engineering plays on human nature and emotion to deceive someone into providing access to information or deviating from established security protocols. Here are some examples of social engineering and how you can help avoid falling for these attacks.

TIP Be careful on social media. Based on your public profiles, attackers may already have a lot of information about you: your name, where you work, your birthday, and what position you hold, all of which makes a targeted email far more convincing.

TIP You get an email from HR asking you to click a link for an employee opinion survey. Before you click, verify the sender by checking the actual email address (not just the display name) and hover over the link to see where it really goes. If anything looks off, confirm with HR through a channel you already know, not by replying to the email.

TIP Keep your passwords separate. At a minimum, never share a password between banking, personal, and work accounts, so that one leaked password does not open the others. Better still, use a password manager to give every account its own unique password; a predictable “algorithm” for building passwords can be inferred from a single leaked one.

Juliet DeVries

Count on Discovery’s HITRUST CSF® certified technologies to protect your health plan’s data

In the midst of HIPAA regulations and ongoing threats to healthcare data, health plans increasingly require their vendors and partners to demonstrate a strong commitment to patient and member data privacy and protection. As a provider of data-driven solutions for healthcare payers, Discovery Health Partners has stepped up to meet this demand with the achievement of HITRUST CSF® certification for its core technologies.

The certification for our Discovery Case Manager, Dashboard and Reports, Secure File Transfer Protocol (SFTP), and Medicare Secondary Payer (MSP) technologies demonstrates that they have met key regulations and industry-defined requirements and are appropriately managing risk. These technologies drive the use of data across our solutions including Medicare Secondary Payer (MSP) Validation, Subrogation, and Coordination of Benefits:

  • Secure File Transfer Protocol: The technology that allows us to securely and quickly load and integrate data from multiple sources to help identify payment and revenue integrity opportunities.
  • Discovery Case Manager: Our core workflow software that is used to manage work in progress across all our solutions. This is the application that captures and stores information needed to support payment integrity processes and creates an audit trail to support tracking and compliance.
  • Dashboard and Reports: The technology that provides standard and custom reports that track key performance indicators and results across our solutions.
  • Medicare Secondary Payer: The application that is used to identify, validate, and track updates to CMS eligibility information and premium reconciliation for Medicare Advantage plans.

This achievement places Discovery in a select group of organizations worldwide that have earned this certification. By incorporating federal and state regulations, industry standards and frameworks, and a risk-based approach, the HITRUST CSF gives organizations a comprehensive and flexible framework of prescriptive, scalable security controls for meeting those regulatory and industry requirements.

“In entrusting their data to us, our clients expect a highly secure environment. I am thrilled that we can demonstrate our commitment to meet their needs through our HITRUST CSF certification, the gold standard in our industry,” said Jason Brown, Discovery Health Partners’ Chief Executive Officer.

He went on to explain that, “Our mission for strong information security does not stop with HITRUST certification. We will continue to evolve our tools as threats evolve, and will continue to drive for better policies and procedures that further safeguard our technology and our clients’ data.”

Discovery Health Partners