As it continues to investigate a cyber attack and has given initial public notification via the media, MaineGeneral is experiencing a phenomenon that now commonly follows such attacks: dealing with fraudsters who surface once the attack has been acknowledged.
The health care delivery system is warning patients, employees and donors who may be affected to watch for organizations offering identity protection services for a fee. Like many providers that have been breached, MaineGeneral will offer free credit monitoring services when it is ready to formally send breach notification to those thought to be affected.
“Be aware of paid services and never give your personal information to people you don’t know,” MaineGeneral advises.
For now, MaineGeneral continues to work with the FBI and breach remediation firm AllClearID to better understand the extent of the attack, and likely also has been in contact with the HHS Office for Civil Rights, which enforces the HIPAA privacy, security and breach notification rules but also offers guidance in recovering from the breach.
Gerry Hinkley, a HIPAA attorney at the Pillsbury Winthrop Shaw Pittman law firm, notes that if an organization does not know how large the breach is, OCR suggests it provide an initial estimate that can always be updated later.
“This appears likely to have been the result of an employee victimized by a phishing email,” Hinkley says. “Occurrence of this type of attack is on the dramatic rise and we have advised companies to undertake specific training regarding phishing and to test their employees’ gullibility by staging fake phishing exercises to see how many employees are likely to fall prey, then better target training.”
In a phishing scheme, an employee is tricked by someone posing as a trusted party into revealing credentials, such as a username and password, that grant access to an information system.
HIPAA attorney Daniel Gottlieb at McDermott Will & Emery notes that the HHS Office of Inspector General warns healthcare stakeholders that cyber criminals can attack just about any connected information system or medical device to get inside a network. This can include not just an electronic health records system but dialysis machines, radiology systems, medication dispensing systems, laptops and smartphones, among other devices.
But the HHS OIG itself may be behind the times and need to catch up to the cyber threat. In its 2016 work plan, the agency indicates it will examine whether the Food and Drug Administration’s oversight of hospitals’ networked devices is sufficient to protect electronic protected health information.
“Government regulation of this area has been slow,” notes Veleka Peeples-Dyer of McDermott Will & Emery. “The FDA guidelines finalized last October only recommended that medical device manufacturers consider cybersecurity risks in their design and development phases—they were not required to do anything. Moreover, as technologies evolve and the types of risk proliferate, it is simply not possible for the FDA to anticipate where the law will need to go in the future.”
Natalie Lehr, co-founder and director of analytics at cybersecurity firm TSC Advantage, says that just because a breach may not expose a lot of protected health information does not mean there is little risk. “While the attack itself does not empower a host of credit abuses, it creates an opening if a patient or prospective donor is not educated on how to protect themselves. Experience shows us that these breaches lead to sophisticated follow-on attacks. Information from the breach might be used for targeted phishing with the intent to gather more sensitive user information.”
(This article appears courtesy of our sister publication, Health Data Management)