[BreachExchange] Bizmatics Cyberattack: Assessing the Fallout

Inga Goddijn inga at riskbasedsecurity.com
Sun Jul 3 17:32:26 EDT 2016


http://www.databreachtoday.com/bizmatics-cyberattack-assessing-fallout-a-9234

The total impact of a 2015 hacker attack against cloud-based electronic
health records
<http://www.healthcareinfosecurity.com/electronic-health-records-c-252>
vendor Bizmatics Inc. might not be known for months because it's still
unclear how many of the company's group practice clients were affected -
and how many records were compromised.


As a result, security experts are urging the company's clients to reach out
to the vendor to inquire whether their patients' protected health
information was potentially compromised by the hack.

Although San Jose, Calif.-based Bizmatics apparently has not publicly
commented about the incident, the disclosure of the cyberattack by
Bizmatics to certain customers has essentially put all its clients on
notice that their data, too, may have been compromised, says privacy
<http://www.healthcareinfosecurity.com/privacy-c-151> and security attorney
Stephen Wu of the law firm Silicon Valley Law Group.

"If you are a Bizmatics customer, you're under obligation to do due
diligence" to see if protected health information of your patients has been
compromised, requiring notification, he says.

Wu and other experts suggest the company's clients consider engaging
forensics specialists to help verify whether patients' data has been
exposed. They also suggest taking additional steps to help shore up
security related to all their business associates.

What Happened?

As of June 30, it appears that at least 17 Bizmatics clients - and a total
of about 264,000 patients - have been impacted by the cyberattack. Those
figures are based on the Department of Health and Human Services "wall of
shame" <https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf> tally of
major health data breaches and the breach notification statements issued by
the various affected healthcare organizations that specifically name the
involvement of Bizmatics, as first tracked by *Databreaches.net*
<https://www.databreaches.net/264000-and-counting-hack-of-ehremr-vendor-leaves-clients-scrambling/>.
The listings on the HHS breach tally, due in part to how some covered
entities fill out their breach reports submitted to HHS, do not mention the
involvement of Bizmatics.

Bizmatics Clients Reporting Breaches

Clinic                                                    State         # Patients Affected
Southeast Eye Institute (dba Eye Associates of Pinellas)  Florida                    87,314
Stamford Podiatry Group                                   Connecticut                40,491
Illinois Valley Podiatry Group                            Illinois                   26,588
North Ottawa Community Health System                      Michigan                   20,000
Integrated Health Solutions                               Pennsylvania               19,976
Pain Treatment Centers of America                         Arkansas                   19,397
ENT and Allergy Center                                    Arkansas                   16,200
Lafayette Pain Care                                       Indiana                     7,500
Grace Primary Care                                        Tennessee                   6,853
Complete Family Foot Care                                 Nebraska                    5,583
California Health and Longevity Institute                 California                  5,386
The Vein Doctor                                           Missouri                    3,000
Allen Dell (law firm on behalf of client)                 Florida                     2,500
Vincent Vein Center Grand Junction                        Colorado                    2,250
Mark Anthony Quintero, M.D.                               Florida                       650
Family Medicine of Weston                                 Florida                       500
HeartCare Consultants                                     Florida                        NA

*Sources: Department of Health and Human Services, notification letters and Databreaches.net*

The largest known Bizmatics-related incident listed on the federal tally
was reported May 5 by Florida-based Southeast Eye Institute, which does
business as Eye Associates of Pinellas
<http://www.eyeassociatesofpinellas.com/2-eye-conditions/56-patient-breach>.
That incident is listed as affecting 87,314 individuals.

Bizmatics claims on its website that its PrognoCIS EHR and practice
management software "serves over 15,000 medical professionals." And it
still remains to be seen how many of those professionals' practices were
affected by the breach.

Hard to Pinpoint

Part of the difficulty in tallying the full number of affected entities
appears to be rooted in uncertainties turning up in the post-breach
forensics investigation of the Bizmatics cyberattack.

In a breach notification posted on its website, one of the covered entities
known to be impacted, Florida-based HeartCare Consultants
<http://www.srqheartcare.com/important-hippa-breach-notification/>, notes
that Bizmatics recently informed the provider that a malicious hacker
attacked the vendor's data servers, resulting in "unauthorized access to
Bizmatics customers' records across the U.S., including some records
belonging to us."

HeartCare Consultants also notes that after becoming aware of the incident
in late 2015, Bizmatics began an investigation with the help of law
enforcement and the security forensics firm CrowdStrike. "Bizmatics
believes the incident may have occurred in early 2015 ... [but] CrowdStrike
could not find a sufficient log of evidence to determine all of the
information accessed or viewed by the hackers," HeartCare Consultants notes.

Records compromised may include health visit information, patient names,
addresses, health insurance numbers, and in some cases, Social Security
numbers, HeartCare Consultants reports.

Bizmatics did not immediately respond to an Information Security Media
Group request for comment on the incident.

CrowdStrike in a statement to ISMG says, "as a matter of policy,
CrowdStrike does not comment on customer engagements and issues pertaining
to customers, so we can neither confirm nor deny involvement in this case."

Being Proactive

Because Bizmatics claims to have thousands of customers and appears to have
insufficient log evidence to help sort out the incident, there could be
many more organizations potentially impacted by the cyberattack, experts
say.

Although Bizmatics, like other business associates under HIPAA
<http://www.healthcareinfosecurity.com/hipaa-hitech-c-282>, is required to
notify covered entities no later than 60 days after discovering a major
breach affecting a covered entity's data, Wu advises clients of Bizmatics
to directly contact the vendor about the incident if they have not yet been
notified about the cyberattack.

Rebecca Herold, CEO of The Privacy Professor and co-founder of SIMBUS360
Security and Privacy Services, says there's another possible reason why
more Bizmatics clients haven't been notified by the vendor about the breach
- or haven't themselves reported the incident to HHS.

"A large portion of those clients *may* have had less than 500 PHI records
within the Bizmatics data warehouse, which would mean they wouldn't need to
legally report them to HHS right away, but could wait and include that
information at the end of the year," Herold says. "Of course Bizmatics
should have reported to those smaller CEs already. Looking at the known
types of providers listed so far, it seems Bizmatics may have had a lot of
small clinics that they were doing work for. So after the end of 2016, you
will likely see the number of CEs whose PHI was involved jump up
dramatically." That's because smaller breaches must be reported annually to
HHS.

Nevertheless, Herold anticipates that more clinics will report data
compromises tied to the Bizmatics breach in the weeks ahead, given the
steady additions to the HHS tally in past weeks.

Quick Response

Regardless of HIPAA's breach reporting requirements, it's critical that
vendors notify covered entities of breaches as soon as possible, says Dodi
Glenn, vice president of cybersecurity at security services firm PC Pitstop.

"Breach notifications should happen just as soon as the breach has been
detected," he stresses. "This allows the healthcare organization to tighten
their own security and be on the lookout for suspicious activities related
to their own network. The longer the vendor waits on disclosing the breach,
the more damage it can do to the organizations who are associated with
them."

Herold says that business associates should contact covered entities within
24 hours of discovering a breach impacting the client's PHI. "The BA should
provide regular reports to their CEs as they mitigate the breach and answer
any questions they have," she says. "Following mitigation, the BA should
have an objective third party do a risk assessment covering the scope of the
breach to ensure all vulnerabilities have been addressed appropriately."

Wu suggests that Bizmatics clients engage a third-party security firm to
assess whether their patients' PHI has been compromised, especially because
it appears that Bizmatics might be having trouble sorting that out.

Vendor Lessons

The Bizmatics cyberattack offers lessons to organizations using the
services of any cloud-based services vendor.

"Don't assume that your data is secure in the cloud
<http://www.healthcareinfosecurity.com/cloud-computing-c-232>, regardless
of who you are partnering with," Glenn says. "As we've seen from this
breach, and several others in the healthcare industry, hackers are actively
targeting these types of organizations. Make sure that the company you are
doing business with has an incident response plan in place and ask to view
the plan."

Herold suggests healthcare organizations reassess their business associate
management practices "and determine how they are going to provide some type
of ongoing oversight for BAs."

Meanwhile, she says business associates need to implement stronger and more
comprehensive information security programs
<http://www.healthcareinfosecurity.com/governance-c-93>.

Analyzing Logs

In light of Bizmatics reportedly having insufficient log information to
determine the extent of the cyberattack's impact, Herold recommends that
covered entities and business associates fortify their log-related
practices. That includes:

   - Documenting logging, network security activity and accounting of
   disclosures policies and procedures;
   - Assigning responsibility for oversight of the policies and procedures
   that include logging access to PHI, as well as logging security events that
   occur within the network and associated with PHI data repositories;
   - Providing training to those with audit and log review responsibilities;
   - Periodically conducting a test to ensure such access logging and
   procedures are adequate and accurate;
   - Establishing breach identification and response policies and
   procedures that include such log access tools and procedures.