Banner Health is contacting 3.7 million individuals whose personal information may have been accessed in a cyberattack that began on systems that process credit card payments for food and beverage purchases at Banner locations. The breach then expanded to include patient and health plan information.

The Phoenix-based health system, with locations in Alaska, Arizona, California, Colorado, Nebraska, Nevada and Wyoming, first learned of the attack on July 7, according to a company statement. Around June 23, the attack began to target data from credit cards, including the cardholders’ names, card numbers, expiration dates and verification codes.

By July 13, an investigation revealed that the attackers “may have gained unauthorized access to patient information, health plan member and beneficiary information, as well as information about physician and healthcare providers,” the statement said. “The patient and health plan information may have included names, birth dates, addresses, physicians’ names, dates of service, claims information, and possibly health insurance information and Social Security numbers.”

Banner announced Wednesday that it is mailing letters to 3.7 million patients, health plan members and food service customers about the attack. The system has also hired a computer forensics firm, contacted law enforcement officials and is taking steps to prevent further attacks.

Bill Byron, vice president of public relations for Banner, said there was no evidence the information has been misused in any way. He added that further details may not be forthcoming.

“Banner is committed to maintaining the privacy and security of information of our patients, employees, plan members and beneficiaries, customers at our food and beverage outlets, as well as our providers,” said Peter S. Fine, president and CEO of Banner Health.

Michael “Mac” McMillan, co-founder and CEO of security firm CynergisTek, said it was odd that the affected point of sale systems at Banner’s 27 food service locations appear to have been on the same network as clinical systems.

A 2012 study by Verizon showed that point of sale systems are responsible for 48% of assets compromised in healthcare data breaches. While this might seem counterintuitive, the report continues, it shows that most cybercriminals are more interested in accessing a patient’s bank account than the details of electronic health records that might be stored in a file or database server.

At 3.7 million affected individuals, the Banner Health breach would be the eighth largest on the “wall of shame” website kept by HHS’ Office for Civil Rights. The site lists all breaches of healthcare information involving 500 or more individuals since September 2009, when the Health Insurance Portability and Accountability Act breach notification rule went into effect.

By far the largest breach on the list is Anthem’s March 2015 cyberattack that affected the records of 78.8 million individuals. Seven of the top 10 breaches have been cyberattacks. All of those hacking breaches were reported either this year or last.


For a hacker who’s looking to make money out of stolen personal information, healthcare systems and hospitals can be a one-stop shop.

Along with the usual names, addresses, dates of birth, Social Security numbers and claims information come credit card and banking account numbers used to process payments.

Cyber security experts will tell you the two types of information should be stored in computer systems completely unrelated and disconnected to avoid leaving either one vulnerable — something that seems to have happened to Banner Health.

The Arizona-based hospital chain this week said hackers tapped into credit and debit card information belonging to 3.7 million people through point of sale (POS) systems that process payment card data at dozens of food and beverage outlets serving Banner Health locations.

The hack occurred on June 17 and went undiscovered until July 7.

Six days later, Banner learned that patient information and health plan records on its computer networks may also have been compromised.

Banner spokesman Bill Byron said the incident is under investigation and that details won’t be known or shared for weeks.

But the incident has left cybersecurity experts wondering if the healthcare industry, which in the past few years has been hit mercilessly with data breaches and ransomware threats, now has yet another weak spot — the point of sale system.

The vast majority of these systems that process credit card payments are brought in by third-party vendors, hooked up to a cash register, plugged into the internet and “away they go,” said Chris Ensey, chief operating officer of Dunbar Security Solutions.

“(POS systems) are often treated as somebody else’s stuff,” he said, adding that the healthcare organizations view the vendors as responsible for the systems.

But each new third-party services provider creates yet another entry point for hackers, he said.

And in fact, a 2012 study by Verizon showed that point of sale systems are responsible for 48% of assets compromised in healthcare data breaches.

It’s important to conduct audits to review how the systems are interoperating and what vulnerabilities they might reveal during the set-up, Ensey said.

Cyber security expert Jeremy King said hackers are data omnivores who will feast on one system for one type of data then rummage around for different data, as long as it’s marketable.

Criminals regard healthcare records as more valuable than credit card records because their data elements, such as DOBs, addresses and Social Security numbers, can’t be readily changed. A credit card, on the other hand, can be cancelled once a breach has been discovered.

Last month, a hacker was spotted on the black market offering to sell nearly 10 million patient records for $880,000. A lot of criminals who steal credit card account information will use it themselves for fraudulent purchases or sell it.

Hackers can get anywhere from $5 for the card number to $1,000 for the information contained in account balances, according to Business Insider.

“It’s big money,” King said.

King, who is international director of the Payment Card Industry Security Standards Council, said it’s important to maintain a firewall between POS systems and other information networks.

“Segmentation is a way to try and reduce your risk,” he said. “Even then, you’ve got to make sure you do that segmentation correctly, you’ve got the systems in place and you test it.”

King also advises access to credit card systems be on a “need-to-know” basis.

Now, just because Banner’s POS system breach was discovered first doesn’t mean that was the system that was first hacked, said King. “The forensic investigators will find that out in time.”

Byron, the Banner spokesman, said, so far, there is no evidence indicating any of its data were removed or “misused in any way.”

Banner’s breach is the 8th largest on the online “wall of shame” kept by HHS. The site lists all breaches of healthcare information involving 500 or more individuals since 2009.

By far the largest breach on the list was Anthem’s in 2015. That cyberattack compromised the records of 78.8 million individuals. More than 114.1 million individuals’ records have been exposed in the past two years.


On Tuesday, May 17, the Health IT Policy Committee and Standards Committee, Federal Advisory Committees to the Office of the National Coordinator for Health IT (ONC), convened for an in-person joint meeting. Three new members were welcomed to the Health IT Policy Committee: Carolyn Petersen with Mayo Clinic Global Business Services, Karen van Caulil with the Florida Health Care Coalition, and James Ferguson with Kaiser Permanente.

Kate Goodrich, Director, Center for Clinical Standards and Quality at CMS, provided a presentation on MACRA and Delivery System Reform. Dr. Goodrich gave a high level overview of the proposed rule to include a look into the quality payment program, Advanced Payment Models (APMs), MIPS, and a deeper dive into the advancing care information performance category within MIPS. For additional information and instructions on how to submit comments to the proposed MACRA rule by the June 27, 2016 deadline, please visit the CMS website.

Steve Posnack, Director of the Office of Standards and Technology with ONC, presented on two funding opportunity announcements: the High Impact Pilot (HIP) and Standards Exploration Awards (SEA). Three to seven HIP awards, expected to range from $100,000 to $500,000 each, and three to five SEA awards, expected to range from $50,000 to $100,000 each, will be awarded. Interested applicants are encouraged to attend the Information Sessions on May 23 (HIP) or May 26 (SEA). For more information, visit the ONC website.

The Precision Medicine Task Force, co-chaired by Leslie Kelly Hall with Healthwise and Andrew Wiesenthal with Deloitte Consulting, LLP, presented final Task Force recommendations. The PMI Task Force recommendations identify three interoperability pathways that are critical to the Precision Medicine Initiative (PMI). The three pathways include one that focuses on EHR data; a pathway that enables data gathering from other independent non-provider sources such as labs, PBMs, and retail pharmacies; and a third pathway to accelerate the ability to return an individual participant’s aggregated data from multiple sources and eventually research results. Final recommendations were approved by the Joint Committee and will be forwarded to ONC for review.

The API Task Force co-chaired by Josh Mandel with Harvard Medical School and Meg Marshall with Cerner Corporation presented final recommendations from the Task Force to the Joint Committee. The recommendations were broken down into 8 generic use case topics: Types of apps and organizations who provide them; app registration; endorsement/certification of apps; communication of the app’s privacy policies; patient authorization framework; limitations and safeguards on sharing; auditing and accounting for disclosures; and identity proofing, user authentication, and app authentication. Recommendations were approved by a narrow margin due to privacy and security concerns.
The next Joint Committee meeting will be a virtual meeting on June 8, 2016.
