25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

OCR Issues Guidance on HIPAA and Disclosures of PHI for Extreme Risk Protection Orders

The Department of Health and Human Services’ Office for Civil Rights (OCR) has published new guidance to explain how the HIPAA Privacy Rule applies to disclosures of protected health information (PHI) to support applications for extreme risk protection orders. In June 2021, the U.S. Department of Justice published model legislation to provide states with a framework for creating their own extreme risk protection order (ERPO) laws. Extreme risk protection orders temporarily prevent a person in crisis, who poses a danger to themselves or others, from accessing firearms. ERPOs are intended to improve public safety and reduce the risk of firearm injuries and deaths. ERPO legislation permits certain entities such as law enforcement officers, family members, and healthcare providers to apply to the courts for an ERPO. Part of that process involves obtaining affidavits or sworn oral statements from petitioners and witnesses. If healthcare providers are involved in ERPOs, the HIPAA Privacy Rule applies and places restrictions on any disclosures of PHI. The HIPAA Privacy Rule permits...

Read More

New Data Reveals Extent of Ransomware Attacks on the Healthcare Sector

The CyberPeace Institute has released new data on cyberattacks on the healthcare industry. According to the latest figures, 295 cyberattacks are known to have been conducted on the healthcare sector in the past 18 months between June 2, 2020, and December 3, 2021. The attacks have been occurring at a rate of 3.8 per week and have occurred in 35 countries. Those attacks include 263 incidents that have either been confirmed as ransomware attacks (165) or are suspected of involving ransomware (98), with those attacks occurring in 33 countries at a rate of 3.4 incidents a week. Over the past 18 months, at least 39 different ransomware groups have conducted ransomware attacks on the healthcare sector. Those attacks have mostly been on patient care services (179), followed by pharma (35), medical manufacturing & development (26), and other medical organizations (23). The CyberPeace Institute studied darknet publications, correspondence with ransomware gangs, and interviews and identified 12 ransomware groups that had stated they would not conduct attacks on the healthcare sector...

Read More
Third Version of Log4j Released to Fix High Severity DoS Vulnerability
Dec20

Third Version of Log4j Released to Fix High Severity DoS Vulnerability

The original vulnerability identified in Log4j (CVE-2021-44228) that sent shockwaves around the world due to its seriousness, ease of exploitation, and the extent to which it impacts software and cloud services, is not the only vulnerability in the Java-based logging utility. After releasing version 2.15.0 to fix the flaw, it was determined that version 2.15.0 was still vulnerable in certain non-default configurations due to an incomplete patch. The new vulnerability is tracked as CVE-2021-45046 and was fixed in version 2.16.0 of Log4j. Initially, the vulnerability was assigned a CVSS score of 3.7 (low severity); however, the severity score has since been increased to critical (CVSS 9.0), as while this flaw was initially reported as a denial-of-service bug, it was later determined that it could be exploited to allow data exfiltration and remote code execution. According to Apache, “When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious...

Read More

Most Patients Don’t Trust Their Healthcare Providers to Securely Store PII and Payment Information

In 2019, it was alarming that healthcare data breaches were being reported at a rate of more than 1 a day. In 2021, there have been several months where healthcare data breaches have been occurring at a rate of more than 2 per day. With data breaches occurring so regularly and ransomware attacks disrupting healthcare services, it is no surprise that many patients do not have much trust in their healthcare providers to protect sensitive personally identifiable information (PII). That has been confirmed by a recent survey conducted by Dynata on behalf of Semafone. 56% of patients at private practices said they do not trust their healthcare providers to protect PII and payment information. Smaller healthcare providers have smaller budgets for cybersecurity than larger healthcare networks, but trust in large hospital networks is far lower. Only 33% of patients of large hospital networks trusted them to be able to safeguard their PII. The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, has stepped up enforcement of compliance with the HIPAA Rules in recent years and...

Read More
Payroll of Healthcare Providers Threatened by Ransomware Attack on Kronos
Dec17

Payroll of Healthcare Providers Threatened by Ransomware Attack on Kronos

The number of healthcare providers affected by the recent ransomware attack on Kronos has been growing over the past few days. 7 healthcare providers have now confirmed they have been affected by the attack. Kronos is a Lowell, MA-based workforce management and human capital management solution provider that many healthcare organizations use for payroll, scheduling, and other services. On December 11, 2021, Kronos discovered unusual activity in its systems deployed within the Kronos Private Cloud. Steps were immediately taken to investigate the activity and block any unauthorized access. It was rapidly determined to be a ransomware attack, that affected parts of its cloud environment where Ultimate Kronos Group (UKG) solutions are deployed, including UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling. UKG said it engaged a leading cyber security firm to assess and mitigate the attack and the investigation into the breach is ongoing. The affected solutions remain offline and Kronos has strongly suggested its clients should evaluate and implement...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist