The University of California San Diego's Christian Dameff called on a congressional panel to support resource-constrained providers in the ransomware fight and for research into the risks cyberattacks pose to patient safety. When technology systems go down, he said, "health care grinds to a near halt.

The lawsuit filed against Elekta on July 16 focuses on the impact to Northwestern Memorial HealthCare, which reportedly affected 201,197 patients.

In 2014, attackers cracked into UPMC's HR server and stole personally identifiable information belonging to 66,000 employees, which was later sold to cybercriminals on the dark web who used the data to file $2 million in fraudulent tax returns. The settlement will provide monetary compensation to recoup losses incurred by the data theft.

In the rush to respond to COVID-19, many health care providers swiftly onboarded technologies to support the nation’s response and enable the rapid adoption of remote digital health platforms, such as connected medical devices and telemedicine tools. Now, as the pandemic crisis begins to slow, hospitals and medical facilities are left to address significant security gaps that emerged with the tech buying surge.

This week’s health care data breach roundup is anchored by new Fitch Ratings insights that confirm the “relentless cyberattacks” against the sector are further burdening the resources of nonprofit providers; impacted providers include MultiPlan, UPMC, and McLaren Health.

The findings come even as the researchers report that the volume and severity of ransomware attacks have remained relatively stable for the last 18 months.

In 2022, HHS will launch its nationwide interoperability framework known as TEFCA. As additional agency efforts continue to fuel data sharing in the health care sector, privacy and security concerns tied to potentially overlapping standards.

In health care, there's a longstanding debate on whether incentivizing providers could improve the sector's overall cybersecurity posture. Leaders from PC Matic, HSCC, NTT, Rapid7, Fortified Health Security, Veeam, and the AbedGraham Group make the case for – and against – using incentives to improve cyber hygiene and reduce the risk of cyber threats to patient safety.

Two new reports from IBM Cybersecurity and CynergisTek spotlight two critical challenge areas facing the health care sector. Most providers are failing to secure their supply chains, and data breaches cost the health care sector more than others at $9.23 million. The data confirms the need for provides to swiftly review vendor security and other vulnerabilities.

A recent Reposify report examined the state of cybersecurity in the pharma sector, which found a concerning level of active vulnerabilities, misconfigurations, and weak access controls, following the uptick in digitization amid the COVID-19 pandemic response.

This week's breach roundup is led by a phishing attack on Orlando Family Physicians earlier this year, which led to the compromise of data tied to nearly 450,000 patients. The incident is among the largest reported in the health care sector this year, serving as a reminder to review all endpoints and access controls.

While confined to the region of Lazio, Italy, the cyberattack and shutdown of the COVID-19 vaccine scheduling app, websites, and connected servers sheds light on the overall risk to health care applications and the need for continued mitigation.

The typical health care network relies on a host of connected medical devices and a vast number of access points for its clinicians, vendors, administrators, and other business partners. Vendors must consider these unique challenges when designing and implementing tools for the sector.

Indianapolis-based Eskenazi Health and Sanford Health in South Dakota are currently operating under EHR downtime procedures, after falling victim to separate cyberattacks on Aug. 4. The providers are the 35th and 36th health care entities to be struck with ransomware so far in 2021, renewing calls to bolster cyber defenses.

All U.S. sectors are facing an increase in attack sophistication and exploits of vulnerable systems. But with patient safety at risk, providers need greater digital resilience with cybersecurity measures.

Though the FDA, device manufacturers, and health care providers all play a role in securing vulnerable devices, it’s providers and patients facing the brunt of the risk, according to a recent DEFCON Biohacking Village Talk.

As the health care sector continues to adopt new technologies, like 5G, to increase digital innovation and improve patient care outside of the traditional hospital setting, leaders from AT&T and SentinelOne addressed some of the key challenges to these rapid adoptions and best practice recommendations for endpoint security ahead of a recent HIMSS21 presentation.

While threat actors have abused legitimate RTLO Unicode to evade detection for a decade, H-ISAC has observed a rise in these phishing attacks being used against the health care sector.

The May ransomware attack against Scripps Health resulted in at least four weeks of EHR downtime procedures and related emergency care diversion. A new financial report shows the cyberattack resulted in $112.7 million in lost revenue and recovery costs.

A CyberMDX report shows a disconnect between the reality and impact of cybersecurity in the health care space: although providers are a key hacking target, cybersecurity investments are often lacking.

The pandemic demonstrated the best and worst of many organization's security posture, particularly in the health care space. A HIMSS21 digital conversation with Geisinger Health and Northwell Health leaders provided a couple examples of how health systems were able to thrive despite COVID-19 pressures.

Ohio-based Memorial Health System is canceling urgent surgical cases and diverting emergency care patients, as it attempts to recover from a cyberattack that struck early Sunday morning.

This week’s breach roundup is led by a two-month network hack of UNM Health, which led to the exfiltration of data tied to 637,252 patients. Memorial Health, St. Joseph’s Candler, Electromed, and other providers also recently reported security incidents tied to patient data compromise.

BlackBerry and CISA are urging critical infrastructure entities to patch a critical flaw in Blackberry QNX RTOS, used in a range of tech that include health care medical devices. The vulnerability is part of the BadAlloc group of RTOS flaws.

A recent, damning report on the pharma sector found most entities are actively, and often inadvertently, exposing data through unsecured endpoints. As COVID-19 keeps pharma in cybercriminals’ focus, the need for zero trust security is more apparent.

In the last week, multiple ransomware incidents have spurred massive breach notices, care disruptions, and for Memorial Health, EHR downtime procedures. The health care sector should adopt a heightened state of awareness based on DHS CISA ransomware recommendations.

The ability to access core tech functions outside the hospital is no longer “nice to have”: it’s now a necessity. But greater tech adoption begs for stronger cybersecurity cultures across the health care enterprise.

A new McAfee report shows how an attacker could exploit vulnerabilities found in B. Braun infusion pumps to directly modify medication doses, posing a serious risk to patient safety.

Prior to the ransomware attack and subsequent EHR downtime procedures, officials confirm that threat actors stole some patient-related information from Eskenazi Health. The weekly breach roundup also includes some dubious delays in patient notifications.

Critical Insight examined health care data breaches reported to HHS, finding outpatient facilities and specialists were exploited at nearly the same rate as hospitals. The biggest culprit? Cyberattacks.

A roundup of notable health care data breaches this week is led by a cyberattack and network outage at DuPage Medical Group that compromised the data of 600,000 patients. Beaumont Health, San Andreas Regional, and other providers reported incidents this week, as well.

A range of flaws found in certain Philips patient monitoring devices could allow an attacker with access to the medical device network or physical access to the platform, leading to data exposure or other security risks.

While there are plenty of compliance checklists, resources, and security standards, there’s no one-size fits all for any health care entity. As a result, the onus of securing the enterprise falls solely on the provider organization. And with limited security staff to go around, many are clearly struggling to keep pace and fully secure the enterprise. Mitre’s health care leaders discuss the patient safety risks, the importance of response plans, and taking advantage of free resources.

In health care, shifting IT leaders into security positions is a common practice and one that is likely here to stay into the foreseeable future. The SANS Institute discusses the major risks to the process and ways providers can better equip IT leaders to succeed in security.

Patients impacted by data breaches at Sturdy Memorial Hospital and Dupage Medical filed separate lawsuits alleging claims that center around inadequate security measures. With the Supreme Court defining actual harm in a June decision, it’s unclear how the cases will proceed.

Critical attacks against health care thrived in the last year. Now, as patient volumes continue to surge in some parts of the country, safety concerns grow increasingly dire. And yet, say experts, specific data that clearly demonstrates the impact of cyberattacks on patient care remains elusive. This reality, in fact, further complicates an already complex effort among health care providers to establish technology plans and processes that put patient safety and care first.

A recent filing with the U.S. District Court of Northern California consolidates multiple lawsuits filed against Flo Health by its users, alleging the fertility app shares highly sensitive data with third parties like Facebook and Google — in direct contradiction with its privacy practices.

HHS OCR announced it reached an $80,000 settlement with Children's Hospital & Medical Center over potential HIPAA Right of Access failures. It’s the 20th settlement made under its access rights’ initiative.

LifeLong Medical is just now notifying 115,448 patients that their data was compromised during a ransomware attack against one of its vendors, Netgain. However, the initial breach reports were first released more than six months ago, putting the notice far outside the 60-day HIPAA requirement.

WebsitePlanet and Jeremiah Fowler discovered an unsecured GetHealth database containing nearly 17 GB of health and fitness tracking data in more than 61 million records. It's unclear of the immediate impact of the data compromise, but it demonstrates the ongoing challenges to securing consumer data privacy.

One of the group’s most notable incidents took place earlier this year when they attempted to extort major companies like Shell, Qualys, Jones Day, Flagstar and others who utilized the Accellion file transfer system.

Carnival has been hit by multiple cyberattacks since 2019, including a ransomware incident last summer.

Sophos researchers reported a curious malware program that comes disguised as pirated copies of software, but actually modifies infected users' HOSTS file to blocks them from visiting software piracy websites in the future.

A new poll found that 44% of firms would consider paying at least 10% of yearly revenue to resolve a ransom, while 20% of firms are willing to pay 20% of their revenue or more.

Digital transformation often means decentralized purchasing of cloud-based applications, which results in a disparate landscape of best-of-breed software with less oversight from security and IT.

Said Sen. Mike Rounds, R-S.D.: "The Department of Defense clearly has a role to play" in addressing the threat of ransomware.

AWS CISO Stephen Schmidt said that the move to a hybrid work environment due in part to the pandemic has led to a need among companies and government agencies
to protect their communications across multiple remote locations.

The Mercedes-Benz leak highlights an issue that security teams keep seeing time and again: Private data that’s accidentally left publicly accessible on a cloud storage platform by a vendor.

Apple had become Google’s largest customer of cloud data services, with the company’s encryption standards viewed as a positive development by some security researchers, who said more companies need to take the shared responsibility model with cloud service providers seriously.

The success of Pokemon Go pushed the company to create a security culture that included DevSecOps. Today’s columnist, John Worrall of Zero North, offers insights on how companies can focus more on application security.

Newly embraced by the Open Cybersecurity Alliance, Kestrel is open source and platform-agnostic, and leverages automation.

The company's vision, says CEO J.J Guy, is to transform how asset inventory is managed for better visibility into potential security gaps in the infrastructure.

The company’s investigation determined that social security numbers, driver's license numbers, passport numbers and/or financial account numbers may have been accessed or acquired.

The FTC Health Breach Notification Rule was enacted 10 years ago to protect the privacy and security of consumer health data not covered by HIPAA, but it was never enforced. A policy decision enacted on Sept. 15 will change that.

The CIO of Artesia General Hospital in rural Southeast New Mexico shares the ongoing staffing and resource challenges he faces on a daily basis, and how his IT team tackles risk and workforce training.