The failure of two healthcare-related companies to keep their remote computer access software up to date has allowed them to be subjected to a malicious hacker attack, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) announced.
According to an alert issued by HC3 on January 22, 2024, an outdated version of the ScreenConnect program was used by malicious actors to gain access to the internal systems of the companies. The impact, while still unknown, could be substantial, as the threat actor leveraged local ScreenConnect instances used by a pharmacy supply chain and management systems solution provider that is present in all 50 states.
HC3 warned that all Healthcare and Public Health (HPH) organizations that use the remote access tool ScreenConnect could be adversely affected or targeted by threat actors if their systems are not fully updated. ScreenConnect is a self-hosted remote desktop software application that allows remote users access to computer systems in geographically disparate locations, for the purpose of technical servicing or data transfer.
According to HC3, an unknown threat actor used an unmanaged on-premises installation of ScreenConnect—which had not been updated since 2019—to access the companies’ computer networks between October 28 and November 8, 2023. After gaining access to the computer systems, the malicious actor was then able to install other software applications which allowed open and persistent access to the companies’ records. This was, HC3 said, an indication that the way was being prepared for an attack escalation.
The compromised attack points all operated on a Windows Server 2019 system, belonging to two distinct organizations, a pharmaceutical firm and a healthcare provider, the common link between them being the ScreenConnect installation. The full impact of the breach is still under investigation.
Access the HC3 alert here.
Compliance Perspective
Issue
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. Healthcare providers are under a legal duty to safeguard protected health information (PHI). A failure to keep software systems updated to protect such information constitutes a breach of this legal duty and can open organizations to unwanted judicial processes, penalties, or fines.
Discussion Points
- Review policies and procedures related to HIPAA, PHI, and the Security Rule. Ensure that they address how to avoid falling prey to security breach efforts by unauthorized individuals, the importance of regularly updating software and operating systems, and how to guard against and detect malicious software. Update as new information becomes available.
- Train appropriate staff on HIPAA, PHI, and the Security Rule, including how to avoid phishing schemes, malware exposures, unauthorized release of PHI, and how to detect malicious software and report such detections. Provide additional training at least annually and when new threats and security information become known. Document that these trainings occurred, and file the signed training document in each employee’s education file.
- Periodically audit to ensure that staff are adhering to data integrity security measures, and to ensure that the facility’s policies and procedures for HIPAA, PHI, and privacy are being followed. Also audit to make sure computers and other devices are regularly scanned and updated.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
