Two More Californian Hospital Ransomware Attacks Reported
Two more hospitals in Southern California have reported being attacked with ransomware. The Chino Valley Medical Center and Victorville’s Desert Valley Hospital, which are both operated by Prime Healthcare, were attacked on Friday last week. A number of computers had data locked with the file-encrypting malware and the attackers managed to infiltrate some of the hospitals’ servers before the attack was discovered and contained. As soon as the ransomware attacks were discovered, IT systems were taken offline to prevent the spread of the infections. While some computers and servers were taken out of action, patient health records were not compromised and the attack did not affect patient safety. Healthcare services are still being provided to patients at both hospitals, although the attack did cause significant disruption to the hospitals’ IT systems on Friday last week. Prime Healthcare Spokesperson, Fred Ortega, said “most of the systems and critical infrastructure has been brought back online.” A ransom demand was received by Prime Healthcare, although no details have been...
HHS Effort to Address Confusion over Mobile Apps is Disappointing, Say Federal Legislators
Last month the Department of Health and Human Services issued new guidance to clear up confusion about HIPAA Regulations and how they apply to mobile health apps. The four-page document explained how HIPAA Rules apply to health information that is created by patients and entered into health apps, and set out to explain when developers of health apps needed to comply with HIPAA Rules. The guidance covered six scenarios and explained how and when HIPAA Rules applied. The guidance has helped to explain some of the obligations mobile health app developers have under HIPAA Rules, but according to one bipartisan group of congressmen, the guidance only covered a very narrow set of circumstances, and has “led to more questions than answers.” Reps. Tom Marino (R-Pa.), Peter DeFazio (D-Ore.), Earl Blumenauer (D-Ore.), Blake Farenthold (R-Texas), Ted Lieu (D-Calif.), Suzanne Bonamici (D-Ore.), Renee Ellmers (R-N.C.), and Will Hurd (R-Texas) signed a letter sent to HHS Secretary Sylvia Mathews Burwell earlier this month in which the efforts of the HHS to address the confusion over HIPAA...
VA Information Security Weaknesses Will Take Further 22 Months To Remediate
Last week, the VA Office of Inspector General issued a report on a 2015 Department of Veterans Affairs (VA) audit conducted to determine whether the VA’s Security Program complied with Federal Information Security Modernization Act (FISMA) requirements and NIST guidelines. The audit report indicates progress has been made to improve cybersecurity protections at the VA, but there is still a long way to go before the VA’s InfoSec program raises standards to the level required by FISMA. Auditors discovered a number of significant security deficiencies in the VA’s identity management and access controls, configuration management controls, contingency planning processes, incident response and monitoring procedures, contractor systems oversight, continuous monitoring, system development/change management controls, and its agency-wide security management program. While some efforts have been made to improve access and configuration management controls, security control standards had not yet been applied to all servers, databases, and network devices and a number of system security...
Phase 2 HIPAA Compliance Audits Commence
The Department of Health and Human Services’ Office for Civil Rights has announced that the phase 2 HIPAA compliance audits have officially started. According to the recent OCR announcement, “Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews.” The announcement goes on to explain that the process of auditing covered entities allows OCR to “proactively uncover and address risks and vulnerabilities to protected health information.”
Start Date for the Second Phase of HIPAA Compliance Audits
While the audit process has now officially started, covered entities still have some time to get their policies and procedures in order. It will still be some time before the document checks for the 2016 compliance audits actually begin. The OCR announcement does not give a start date for the 2016 HIPAA compliance audits, but indicates that the first stage of desk audits will be completed by December 2016. The date when the first desk audits will actually be conducted was not detailed in the...
Virtua Medical Group Vendor Error Puts Patient Data in Search Engines
Virtua Medical Group has notified 1,654 patients that some of their protected health information had been accidentally indexed by search engines and was accessible over the Internet. An error was made by a transcription vendor during a server upgrade that resulted in patients’ names, birthdates, physicians’ names, and treatment information being indexed by search engines for up to three weeks. The server error occurred in early January and the error was identified on January 21, 2016. No financial data, insurance information, or Social Security numbers were exposed. Upon discovery of the error, Virtua Medical Group contacted its vendor to secure the data and efforts were made to remove the records from the search engines. The information is no longer accessible. It is unclear whether data were accessed by unauthorized individuals during the period they were accessible, although no reports of inappropriate data use have been received. As a result of the breach of patient data, Virtua Medical Group has terminated its relationship with the transcription vendor. According to a...



