House Committee Seeks Advice from Industry Stakeholders on Fixing Cybersecurity Flaws
Apr 25

The continued use of outdated software and the failure to patch vulnerabilities promptly are making cyberattacks on healthcare organizations too easy. This was clearly highlighted by the WannaCry ransomware attacks in May 2017. U.S. healthcare providers may have escaped relatively unscathed, but that was not the case across the Atlantic in the UK. The NHS was hit particularly badly by WannaCry. Were it not for the discovery of a kill switch by a security researcher, it could have been a similar story in the U.S. This week, Symantec published a report on a recently discovered threat group that has been attacking healthcare organizations for three years and accessing highly sensitive information. Lateral movement within a network has been made easy due to the continued use of outdated operating systems. These are just two examples of several over the past couple of years, and the attacks will continue unless action is taken to address the issue. In the UK, a post-WannaCry assessment by the health industry’s governing body revealed the NHS is still badly prepared for similar attacks....

Web Portal of Transcription Service Provider Discovered to be Leaking PHI
Apr 25

A transcription service provider has inadvertently left medical records and patient notes unsecured and freely accessible via a physician portal, which should have been password protected. The error has resulted in the exposure of thousands of patients’ PHI. MEDantex provides medical transcription services to many hospitals and physicians, many of whom choose to upload audio files to the MEDantex website. The audio files are accessed by the firm’s employees and transcribed, and documents containing the transcribed notes are uploaded to the portal where they can be downloaded by providers. In order to gain access to the portal, a user must be authenticated by means of a password. According to a report on KrebsOnSecurity, certain portions of the website were recently discovered to lack any authentication controls. Anyone visiting the website could, through their browser, gain access to patient data stored on the site. Brian Krebs reports that several of the tools used by MEDantex staff could also be accessed and used by unauthorized individuals. Those tools allowed unauthorized...

Report: Healthcare Data Breaches in Q1, 2018
Apr 24

The first three months of 2018 have seen 77 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Those breaches have impacted more than one million patients and health plan members, almost twice the number of individuals that were impacted by healthcare data breaches in Q4, 2017. There was a 10.5% fall in the number of data breaches reported quarter over quarter, but the severity of breaches increased. The mean breach size increased by 130.57% and there was a 15.37% increase in the median breach size. In Q4, 2017, the mean breach size was 6,048 healthcare records and the median breach size was 1,666 records. In Q1, 2018, the mean breach size was 13,945 records and the median breach size was 1,922 records. Between January 1 and March 31, 2018, 1,073,766 individuals had their PHI exposed, viewed, or stolen compared to 520,141 individuals in Q4, 2017.

[Figure: Individuals Impacted by Healthcare Data Breaches in Q1, 2018]

Throughout 2017, healthcare data breaches were occurring at a rate of more than one per day. Compared to 2017,...

Kwampirs Backdoor Used in Targeted Attacks on Healthcare Industry
Apr 24

A relatively recently identified threat group known as Orangeworm is conducting targeted attacks on large healthcare organizations in the United States, according to Symantec. The threat group was first identified in January 2015 and has been conducting supply chain attacks with the aim of installing backdoors on devices used by large healthcare firms. Already, several healthcare providers, IT solution providers, pharmaceutical firms, and medical equipment manufacturers have been attacked. The Orangeworm threat group has conducted attacks on a wide range of industries, including manufacturing, agriculture, IT, and logistics. Even though these attacks have taken place on companies in seemingly unrelated industries, many targeted companies in these sectors have links to healthcare organizations, such as logistics firms that deliver medical supplies, IT firms that have contracts with healthcare providers, and manufacturers of medical imaging devices. 39% of all confirmed attacks have been on firms operating in the healthcare sector. Rather than use the spray and pray tactics of...

Healthcare Compliance Programs Not In Line With Expectations of Regulators
Apr 23

Healthcare compliance officers are prioritizing compliance with HIPAA Privacy and Security Rules, even though the majority of Department of Justice and the HHS Office of Inspector General enforcement actions are not for violations of HIPAA or security breaches, but corrupt arrangements with referral sources and false claims. There are more penalties issued by regulators for these two compliance failures than penalties for HIPAA violations. HIPAA enforcement by the HHS’ Office for Civil Rights has increased, yet the liabilities to healthcare organizations from corrupt arrangements with referral sources and false claims are far higher. Even so, these aspects of compliance are relatively low down the list of priorities, according to a recent survey of 388 healthcare professionals conducted by SAI Global and Strategic Management Services. The survey was conducted on compliance officers from healthcare organizations of all sizes, from small physician practices to large integrated hospital systems. The aim of the study was to identify the key issues faced by compliance officers and...
