Home Health Agencies Keep Getting Hit by Cyberattacks

Preferred Care Home Health Services found unusual activity within its email services in April. On Monday, it notified individuals that personal information may have been exposed during a data-security incident tied to that email activity.

Among the information hacked may have been names, dates of birth, contact information, and Social Security or driver’s license numbers, according to the in-home care provider. Private health insurance data, plus Medicare and Medicaid information may also have been compromised, in addition to sensitive medical information..

Although only information transmitted through email was affected, compromised accounts were subject to unauthorized access between Jan. 13 and April 27 of this year. Once the unusual activity was detected, the emails were secured and an internal investigation was launched.

The details of the investigation’s findings have been made known to current and past patients who may have had personal information hacked.

Naples, Florida-based Preferred Care offers an array of skilled nursing and rehab services, as well as other home health care and social services. It provides over 100,000 visits per year to patients in eight counties.

In addition to notifying patients of the data security incident, the agency also provided resources to help mitigate some of the risks that come with this sort of incident. Preferred Care has set up a toll-free service to answer questions that patients may have about the security breach and is offering identity protection services through risk consulting firm Kroll.

Though there is no evidence yet that the compromised information has been misused, Preferred Care has reported what happened to the FBI.

Preferred Care Home Health Services did not respond to a request for comment from Home Health Care News.

The Florida-based provider is just the latest home health agency to operate through a cyberattack. In 2018, a hacker group reportedly stole personal, medical and financial information from roughly 80,000 patients when they hacked the computer systems of CarePartners.

Universal Health Services experiences cyberattack

One of the largest health systems in the U.S., Universal Health Services (UHS), experienced a major computing outage on Sept. 27 that has been attributed to a significant ransomware attack, according to Wired.

King of Prussia, Pennsylvania-based UHS has more than 400 facilities across the United States, Puerto Rico and the United Kingdom. The attack occurred in the U.S. and affected its digital networks at locations around the country.

For now, the cyberattack has forced the health system to move to all-paper documentation. Patients have, in turn, faced facility reroutes and delayed test results, among other inconveniences, Wired reported.

“We are making steady progress and are confident that we will be able to get hospital networks restored and reconnected soon,” UHS officials said in a statement posted online. “Our major information systems such as the electronic medical record (EMR) were not directly impacted; we are focused on restoring connections to these systems. In the meantime, our facilities are using their established back-up processes including offline documentation methods.”

UHS announced in July that it was partnering with Moorestown, New Jersey-based home health giant Bayada on a new joint venture focused on the home. Bayada, however, was reportedly unaffected by the ransomware attack.

The health care industry is the top target for data breaches, according to Wipro’s State of Cybersecurity Report 2018. Over 40% of reported breaches were from the health care world in 2017.

Providers have routinely had to pay out ransoms of over $1 million to get their data unlocked when bad actors have hacked their systems in the past. As the use of telehealth and other remote technologies increases, cyber attacks have also been on the rise.

But it’s not easy for providers to always prevent hacks and nefarious online activity.

“If you are a target, unfortunately, they will hack you,” John Prost, the director of information technology at Mueller Prost, said this summer at the National Association for Home Care & Hospice (NAHC) 2020 Financial Management Conference.

What separates some health systems and agencies from others is the existing barriers in place to prevent hacking.

“What you need to do is take the measures to protect yourself and put as many hurdles in front of them as you can. Hopefully, they will get tired of trying to hack you and move on to somebody else,” Prost said.

Weak passwords and re-used passwords are one of the simplest ways to get hacked, which means strong passwords and good password management generally is one of the best ways to mitigate these risks. A password manager that can store encrypted passwords online and then two-factor authentication are ways to keep employees safe from online risks.

Educating workers on good online hygiene practices, just as agencies train employees on infection protocol and disinfection techniques, will need to become par for the course for agencies in the future.

The post Home Health Agencies Keep Getting Hit by Cyberattacks appeared first on Home Health Care News.

‘If You Are a Target, They Will Hack You’: Cyber-Hygiene Increasingly Important for In-Home Care Agencies

As technology becomes a bigger part of the home-based care universe, more agencies are starting to take cybersecurity seriously.

If they don’t, agencies are at risk of losing highly sensitive patient information and leaving their operations vulnerable. If that ends up happening, they could then end up on the hook for thousands of dollars or more.

The health care industry is the top target for data breaches, according to Wipro’s State of Cybersecurity Report 2018. In 2017, over 40% of reported breaches were from the health care world.

“We need to think about some of those things, especially when it comes to ransomware, [which is] on the rise,” Barbara Citarella, the president of RBC Limited, said recently at the National Association for Home Care & Hospice (NAHC) 2020 virtual Financial Management Conference. “And it is particularly dangerous to us home care and hospice providers.”

RBC Limited assists agencies with strategic planning for leadership, health care reform and business continuity.

Ransomware is a type of cyber attack where the perpetrator withholds stolen data or threatens to publish it until a ransom is paid. There are many examples of this happening to health care providers over the last few years.

In July 2018, for example, as many as 80,000 patients in Canada may have had detailed medical, financial and personal records stolen by a hacker group after it infiltrated the computer systems of home care services provider CarePartners.

Cyber attacks can play out a few different ways. Often, an individual within an agency hits a wrong advertisement or email, which enables a criminal to get into locked information.

Next, the perpetrator locks down the information systems so that no one within the agency or health system can access it. They then demand payment, usually through cyber money such as Bitcoin, Citarella said.

“In the last year, a significant number of health care providers have been hit with ransomware events,” Citarella said. “One particular facility decided not to pay a ransom. And it ended up costing them $10 million. It was a large health care system, and they had to start from scratch. They were working for months with paper documentation.”

Other providers have paid out ransoms as large as $1.5 million after negotiating down from around $5 million in demands. In that case, cyber attackers unlocked the information.

But only two-thirds of criminals typically re-grant access to the data they’ve withheld once a ransom is paid, according to Citarella.

The ultimate question for agencies to consider is how much they are willing to pay if they’re struck by a ransomware attack.

In some cases, perpetrators even contact patients to get money from them as well.

New technological advancements and different usages of computers with remote work during COVID-19 makes providers particularly vulnerable to these sorts of issues. Some are willing to pay a lot to settle the problem once it has happened — and others are completely unwilling to pay.

“We know these types of attacks are happening,” Citarella said. “In the world we’re in right now, we are bringing in other systems [that we didn’t used to work on]. We do third-party billers. We’re doing Zoom meetings. We’re using a lot of different platforms that we don’t normally utilize on our computers.”

Password management

If hackers want to hack you, they most likely will be able to. Their motivation to hack you is usually greater than yours is to protect yourself, at least until something bad happens, John Prost, the director of information technology at Mueller Prost, said at the Financial Management Conference.

“If you are a target, unfortunately, they will hack you,” Prost said. “What you need to do is take the measures to protect yourself and put as many hurdles in front of them as you can. Hopefully, they will get tired of trying to hack you and move on to somebody else.”

Prost is a security and cybersecurity expert.

Agencies’ No. 1 priority should be securing passwords, both at an individual and group level.

Weak passwords and re-used passwords are one of the simplest ways to get hacked. Likewise, strong passwords are one of the best ways to give yourself a fighting chance against hackers. Despite strong-password awareness seemingly being high, reports show that it’s still one of the biggest threats in cybersecurity, Prost said.

Getting a password manager that can store encrypted passwords online is a good starting point. Next is two-factor authentication.

Overall, agencies need to educate themselves and their employees and beware of the threats.

“Agencies need to have a certain hygiene — you wash your hands and you disinfect [your equipment]. The same thing holds true with the cyber world,” Prost said. “You have to have good cyber-hygiene. Use two-factor authentication, be careful where you go on the internet. … Be aware, take precautions and be careful.”

The post ‘If You Are a Target, They Will Hack You’: Cyber-Hygiene Increasingly Important for In-Home Care Agencies appeared first on Home Health Care News.