Dedicated to providing the latest
HIPAA compliance news

HIPAA Compliance for Self-Insured Group Health Plans
Nov23

HIPAA Compliance for Self-Insured Group Health Plans

HIPAA compliance for self-insured group health plans – or self-administered health group plans – is one of the most complicated areas of HIPAA legislation. The Administrative Simplification Rule of the Health Insurance Portability and Accountability Act (HIPAA) imposed obligations on health care clearinghouses, certain healthcare providers and health plans (collectively known as “Covered Entities”) to comply with national standards for electronic health care transactions, unique health identifiers, and data security. The standards were developed by the U.S. Department of Health & Human Services and published in 2000 (the HIPAA Privacy Rule) and 2003 (the HIPAA Security Rule). Subsequent amendments, guidelines and companion Rules have shaped HIPAA compliance for self-insured group health plans to account for advances in technology and changes in working practices. Definition of a Self-Insured Group Health Plan Due to the complicated nature of HIPAA, and to better understand what HIPAA compliance for self-insured group health plans involves, it is practical to define...

Read More
HIPAA Compliance for HR Departments
Nov22

HIPAA Compliance for HR Departments

Businesses not directly involved in the healthcare or healthcare insurance industries should none-the-less pay close attention to HIPAA compliance for HR departments. It has been estimated a third of all workers and their dependents who receive occupation healthcare benefits do so through a self-insured group health plan. Although this does not mean a self-insuring business automatically becomes a HIPAA-Covered Entity – and thereby subject to HIPAA regulations – the likelihood is the HR department will have some involvement with insurance-related tasks. During the execution of the insurance-related tasks, HR personnel will undoubtedly come into contact with Protected Health Information. Why HIPAA Compliance for HR Departments is Important The original purpose of the Healthcare Insurance Portability and Accountability Act (HIPAA) was to improve the portability and continuity of health insurance coverage. As the Act progressed through Congress, amendments were added with the intention of combating waste, fraud and abuse in the health insurance and healthcare industries....

Read More
HIPAA Compliance for Community Health Centers
Nov21

HIPAA Compliance for Community Health Centers

There is an argument there should be a different level of HIPAA compliance for community health centers, due to community health centers having fewer resources available to them than other Covered Entities. Unfortunately, due to the complexity of the Healthcare Insurance Portability and Accountability Act (HIPAA), introducing different levels of HIPAA compliance for community health centers would be logistically complex and lead to demands for other “special interest groups” to be taken into account. A list of “special interest groups” could be extensive. Should charity-funded hospices, for example, have the same level of HIPAA compliance as privately-owned, for-profit medical centers? It may not seem fair, but the answer is “Yes”. This is because a breach of Protected Health Information (PHI) from any source is still a breach of PHI, and the potential consequences of a breach (identity theft, insurance fraud, etc.) will be no different, regardless of how, where or when the breach occurred. The Purpose of HIPAA Compliance for Community Health Centers The purpose of HIPAA compliance...

Read More
9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack
Nov21

9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack

A Medical College of Wisconsin phishing attack has resulted in the exposure of approximately 9,500 patients’ protected health information. The attackers managed to gain access to several employees’ email accounts, which contained a range of sensitive information of patients and some faculty staff. The types of information in the compromised email accounts included names, addresses, medical record numbers, dates of birth, health insurance details, medical diagnoses, treatment information, surgical information, and dates of service. A very limited number of individuals also had their Social Security numbers and bank account information exposed. The incident occurred over the space of a week in the summer between July 21 and July 28 when spear phishing emails were sent to specific individuals at the Medical College of Wisconsin. Responding to those emails resulted in the attackers gaining access to email login credentials. Medical College of Wisconsin brought in a computer forensics firm to conduct an investigation into the phishing attack, and while that investigation established...

Read More
November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches
Nov20

November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches

Protenus has released its November 2017 healthcare Breach Barometer Report. After a particularly bad September, healthcare data breach incidents fell to more typical levels, with 37 breaches tracked in October. The monthly summary of healthcare data breaches includes incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), and incidents announced via the media and tracked by databreaches.net. Those incidents include several breaches that have yet to be reported to OCR, including a major breach that has impacted at least 150,000 individuals – The actual number of individuals impacted will not be known until the investigation has been completed. The numbers of individuals impacted by 8 breaches have not yet been disclosed. Including the 150,000 individuals impacted by largest breach of the month, there were 246,246 victims of healthcare data breaches in October 2017 – the lowest monthly total since May 2017. The healthcare industry has historically recorded a higher than average number of data breaches due to insiders, although over the...

Read More
Suspected Phishing Attack on UPMC Susquehanna Exposes 1,200 Patients’ PHI
Nov20

Suspected Phishing Attack on UPMC Susquehanna Exposes 1,200 Patients’ PHI

UPMC Susquehanna, a network of hospitals and medical centers in Williamsport, Wellsboro, and Muncy in Pennsylvania, has announced that the protected health information of 1,200 patients has potentially been accessed by unauthorized individuals. Access to patient information is believed to have been gained after an employee responded to a phishing email. While details of the breach date have not been released, UPMC Susquehanna says it discovered the breach on September 21, when an employee reported suspicious activity on their computer. An investigation was launched, which revealed unauthorized individuals had gained access to that individual’s device. It is not known whether the attacker viewed, stole, or misused any patient information, but the possibility of data access and misuse could not be ruled out. The information potentially accessed includes names, contact information, dates of birth, and Social Security numbers. The individuals potentially impacted by the incident had previously received treatment at various UPMC Susquehanna hospitals including Muncy Valley Hospital,...

Read More
October 2017 Healthcare Data Breaches
Nov16

October 2017 Healthcare Data Breaches

In October 2017, there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. Those data breaches resulted in the theft/exposure of 71,377 patient and plan member records. October saw a significant fall in the number of reported breaches compared to September, and a major fall in the number of records exposed. October saw a major reduction in the number of breached records, with the monthly total almost 85% lower than September and almost 88% lower than the average number of records breached over the preceding three months. Healthcare providers were the worst hit in October with 19 reported data breaches. There were six data breaches reported by health plans and at least two incidents involved business associates of HIPAA-covered entities. October 2017 Healthcare Data Breaches by Covered Entity Type Main Causes of October 2017 Healthcare Data Breaches Unauthorized access/disclosures were the biggest causes of healthcare data breaches in October. There were 14 breaches reported involving unauthorized access/disclosures, 8...

Read More
How to Handle A HIPAA Privacy Complaint
Nov14

How to Handle A HIPAA Privacy Complaint

Healthcare providers need to be prepared to deal with a HIPAA privacy complaint from a patient. In order for an efficient response to be conducted, policies should be developed covering the complaints procedure and staff must be trained to handle HIPAA privacy complaints correctly. Patients must also be clearly informed how they can make a HIPAA privacy complaint if they feel that their privacy has been violated or HIPAA Rules have been breached. This should be clearly stated in your Notice of Privacy Practices. A HIPAA Privacy Complaint Should be Taken Seriously When a HIPAA privacy complaint is filed, it is important that it is dealt with quickly and efficiently. Fast action will help to reassure patients that that you treat all potential privacy and security violations seriously. While patients may be annoyed or upset that an error has been made, in many cases, patients are not looking to cause trouble. They want the issue to be investigated, any risks to be mitigated, the problem to be addressed to ensure it does not happen again, and in many cases, they seek an apology. If the...

Read More
Is Google Hangouts HIPAA Compliant?
Nov14

Is Google Hangouts HIPAA Compliant?

Is Google Hangouts HIPAA compliant? Can Google Hangouts be used by healthcare professionals to transmit and receive protected health information (PHI)? Is Google Hangouts HIPAA Compliant? Healthcare organizations frequently ask about Google services and HIPAA compliance, and one product in particular has caused some confusion is Google Hangouts. Google Hangouts is the latest incarnation of the Hangouts video chat system, and has taken the place of Huddle (Google+ Messenger). Google Hangouts is a cloud-based communication platform that incorporates four different elements: Video chat, SMS, VOIP, and an instant messaging service. Google will sign a business associate agreement for G Suite, which currently covers the following Google core services Gmail Calendar Google Drive (Includes Google Docs, Google Sheets, Google Slides, and Google Forms) Apps Script Keep Sites Jamboard Google Cloud Search Vault (If applicable) Google Hangouts (Chat messaging) Hangouts Meet The Business Associate Agreement does not cover Google Groups, Google Contacts, and Google+, none of which can be used in...

Read More
President Trump Nominates Alex Azar for HHS Secretary
Nov13

President Trump Nominates Alex Azar for HHS Secretary

Former Deputy Secretary of the Department of Health and Human Services, Alex Azar, is tipped to take over from former Secretary Tom Price after receiving the presidential nomination for the role. Azar previously served as general counsel to the HHS and Deputy Secretary during the George W. Bush administration. President Trump confirmed on Twitter that he believes Azar is the man for the job, tweeting “Happy to announce, I am nominating Alex Azar to be the next HHS Secretary. He will be a star for better healthcare and lower drug prices!” The position of Secretary of the Department of Health and Human Services was vacated by former Secretary Tom Price in September, following revelations about his controversial use of military aircraft and expensive charter flights to travel around the country. While there were several potential candidates tipped to receive the nomination, including commissioner of the Food and Drug Administration, Scott Gottlieb, and administrator of the Centers for Medicare and Medicaid Services, Seema Verma, President Trump has made a controversial choice. Alex...

Read More
In What Year Was HIPAA Passed into Legislature?
Nov13

In What Year Was HIPAA Passed into Legislature?

The Health Insurance Portability and Accountability Act or HIPAA was passed into legislature on August 21, 1996, when Bill Clinton added his signature to the bill. Initially, the purpose of HIPAA was to improve portability and continuity of health insurance coverage, especially for employees that were between jobs. HIPAA also standardized amounts that could be saved in pre-tax medical savings accounts, prohibited tax-deduction of interest on life insurance loans, enforced group health plan requirements, simplified the administration of healthcare with standard codes and practices, and introduced measures to prevent healthcare fraud. Many of the details of the five titles of HIPAA took some time to be developed, and several years passed before HIPAA Rules became enforceable. The HIPAA Enforcement Rule, which allows the Department of Health and Human Services’ Office for Civil Rights to impose financial penalties for noncompliance with HIPAA Rules, was not passed until February 16, 2006 – A decade after HIPAA was first introduced. There have been several important dates in the past...

Read More
MongoDB and AWS Incorporate New Security Controls to Prevent Data Breaches
Nov10

MongoDB and AWS Incorporate New Security Controls to Prevent Data Breaches

Amazon has announced that new safeguards have been incorporated into its cloud server that will make it much harder for users to misconfigure their S3 buckets and accidentally leave their data unsecured. While Amazon will sign a business associate agreement with HIPAA-covered entities, and has implemented appropriate controls to ensure data can be stored securely, but user errors can all too easily lead to data exposure and breaches. Those breaches show that even HIPAA-compliant cloud services have potential to leak data. This year has seen many organizations accidentally leave their S3 data exposed online, including several healthcare organizations. Two such breaches were reported by Accenture and Patient Home Monitoring. Accenture was using four unsecured cloud-based storage servers that stored more than 137 GB of data including 40,000 plain-text passwords. The Patient Home Monitoring AWS S3 misconfiguration resulted in the exposure of 150,000 patients’ PHI. In response to multiple breaches, Amazon has announced that new safeguards have been implemented to alert users to exposed...

Read More
2017 Data Breach Report Reveals 305% Annual Rise in Breached Records
Nov09

2017 Data Breach Report Reveals 305% Annual Rise in Breached Records

A 2017 data breach report from Risk Based Security (RBS), a provider of real time information and risk analysis tools, has revealed there has been a 305% increase in the number of records exposed in data breaches in the past year. For its latest breach report, RBS analyzed breach reports from the first 9 months of 2017. RBS explained in a recent blog post, 2017 has been “yet another ‘worst year ever’ for data breaches.” In Q3, 2017, there were 1,465 data breaches reported, bringing the total number of publicly disclosed data breaches up to 3,833 incidents for the year. So far in 2017, more than 7 billion records have been exposed or stolen. RBS reports there has been a steady rise in publicly disclosed data breaches since the end of May, with September the worst month of the year to date. More than 600 data breaches were disclosed in September. Over the past five years there has been a steady rise in reported data breaches, increasing from 1,966 data breaches in 2013 to 3,833 in 2017. Year on year, the number of reported data breaches has increased by 18.2%. The severity of data...

Read More
Healthcare Data Breach Analysis Questioned
Nov08

Healthcare Data Breach Analysis Questioned

Large healthcare providers experience more data breaches than smaller healthcare providers, at least that is what a healthcare data breach analysis from Johns Hopkins University Carey School of Business suggests. For the study, the researchers used breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights. HIPAA-covered entities are required to submit breach reports to OCR, and under HITECT Act requirements, OCR publishes the breaches that impact more than 500 individuals. The Ge Bai, PhD., led study, which was published in the journal JAMA Internal Medicine, indicates between 2009 and 2016, 216 hospitals had reported a data breach and 15% of hospitals reported more than one breach. The analysis of the breach reports suggest teaching hospitals are more likely to suffer data breaches – a third of breached hospitals were major teaching centers. The study also suggested larger hospitals were more likely to experience data breaches. Now, a team of doctors from Vanderbilt University, in Nashville, TN have called the data breach statistics details...

Read More
What is a Limited Data Set Under HIPAA?
Nov07

What is a Limited Data Set Under HIPAA?

A limited data set under HIPAA is a set of identifiable healthcare information that the HIPAA Privacy Rule permits covered entities to share with certain entities for research purposes, public health activities, and healthcare operations without obtaining prior authorization from patients, if certain conditions are met. In contrast to de-identified protected health information, which is no longer classed as PHI under HIPAA Rules, a limited data set under HIPAA is still identifiable protected information. Therefore it is still subject to HIPAA Privacy Rule regulations. A HIPAA limited data set can only be shared with entities that have signed a data use agreement with the covered entity. The data use agreement allows the covered entity to obtain satisfactory assurances that the PHI will only be used for specific purposes, that the PHI will not be disclosed by the entity with which it is shared, and that the requirements of the HIPAA Privacy Rule will be followed. The data use agreement, which must be accepted prior to the limited data set being shared, should outline the following:...

Read More
How Can Healthcare Organizations Prevent Phishing Attacks?
Nov07

How Can Healthcare Organizations Prevent Phishing Attacks?

The threat from phishing is greater than ever before. Healthcare organizations must now invest heavily in phishing defenses to counter the threat and prevent phishing attacks and the theft of credentials and protected health information. Phishing on an Industrial Scale More phishing websites are being developed than ever before. The scale of the problem was highlighted in the Q3 Quarterly Threat Trends Report from Webroot. In December 2016, Webroot reported there were more than 13,000 new phishing websites created every day – Around 390,000 new phishing webpages every month. By Q3, 2017, that figure had risen to more than 46,000 new phishing webpages a day – around 1,385,000 per month. The report indicated 63% of companies surveyed had experienced a phishing related security incident in the past two years. Phishing webpages need to be created on that scale as they are now detected much more rapidly and added to blacklists. Phishing websites now typically remain active for between 4-6 hours, although that short time frame is sufficient for each site to capture many users’...

Read More
Can A Patient Sue for A HIPAA Violation?
Nov07

Can A Patient Sue for A HIPAA Violation?

Can a patient sue for a HIPAA violation? There is no private cause of action in HIPAA, so it is not possible for a patient to sue for a HIPAA violation. Even if HIPAA Rules have clearly been violated by a healthcare provider, and harm has been suffered as a direct result, it is not possible for patients to seek damages, at least not for the violation of HIPAA Rules. So, if it is not possible for a patient to sue for a HIPAA violation, does that mean legal action cannot be taken against a covered entity when HIPAA has clearly been violated? While HIPAA does not have a private cause of action, it is possible for patients to take legal action against healthcare providers and obtain damages for violations of state laws. In some states, it is possible to file a lawsuit against a HIPAA covered entity on the grounds of negligence or for a breach of an implied contract, such as if a covered entity has failed to protect medical records. In such cases, it will be necessary to prove that damage or harm has been caused as a result of negligence or the theft of unsecured personal information....

Read More
When Should You Promote HIPAA Awareness?
Nov06

When Should You Promote HIPAA Awareness?

All employees must receive training on HIPAA Rules, but when should you promote HIPAA awareness? How often should HIPAA retraining take place? HIPAA-covered entities, business associates and subcontractors are all required to comply with HIPAA Rules, and all workers must receive training on HIPAA. HIPAA training should ideally be provided before any employee is given access to PHI. Training should cover the allowable uses and disclosures of PHI, patient privacy, data security, job-specific information, internal policies covering privacy & security, and HIPAA best practices. The penalties for HIPAA violations, and the consequences for individuals discovered to have violated HIPAA Rules, must also be explained. If employees do not receive training, they will not be aware of their responsibilities and privacy violations are likely to occur. Additional training must also be provided whenever there is a material change to HIPAA Rules or internal policies with respect to PHI, following the release of new guidance, or implementation of new technology. HIPAA Training Cannot be a...

Read More
Former Employees of Virginia Medical Practice Inappropriately Used Patient Information
Nov06

Former Employees of Virginia Medical Practice Inappropriately Used Patient Information

Two former employees of Valley Family Medicine in Staunton, VA have been discovered to have inappropriately used a patient list, in violation of the practice’s policies. The list was used to inform patients of a new practice that was opening in the area. One of the employees used the list to send postcards to Valley Family Medicine patients to advise them that a new practice, unaffiliated to Valley Family Medicine, was being opened. Patients were invited to visit the new practice. The mailing was sent in mid-July this year, although it was not discovered by Valley Family Medicine until September 15. The discovery prompted a full investigation of the breach, which confirmed that the only information used by the employees was the information contained on the list. That information was limited to names and addresses. No other protected health information was taken or used by the employees. Those two individuals are no longer employed at the practice and the list has now been recovered. Valley Family Medicine is satisfied that there have been no further misuses or disclosures of the...

Read More
Is G Suite HIPAA Compliant?
Nov03

Is G Suite HIPAA Compliant?

Is G Suite HIPAA compliant? Can G Suite be used by HIPAA-covered entities without violating HIPAA Rules? Google has developed G Suite to include privacy and security protections to keep data secure, and those protections are of a sufficiently high standard to meet the requirements of the HIPAA Security Rule. Google will also sign a business associate agreement (BAA) with HIPAA covered entities. So, is G Suite HIPAA compliant? G Suite can be used without violating HIPAA Rules, but HIPAA compliance is more about the user than the cloud service provider. Making G Suite HIPAA Compliant (by default it isn’t) As with any secure cloud service or platform, it is possible to use it in a manner that violates HIPAA Rules. In the case of G Suite, all the safeguards are in place to allow HIPAA covered entities to use G Suite in a HIPAA compliant manner, but it is up to the covered entity to ensure that G Suite is configured correctly. It is possible to use G Suite and violate HIPAA Rules. Obtain a BAA from Google One important requirement of HIPAA is to obtain a signed, HIPAA-compliant...

Read More
What Happens if a Nurse Violates HIPAA?
Nov03

What Happens if a Nurse Violates HIPAA?

What happens if a nurse violates HIPAA Rules? How are HIPAA violations dealt with and what are the penalties for individuals that accidentally or deliberately violate HIPAA and access, disclose, or share protected health information (PHI) without authorization?   The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules must be followed by all covered entities and their business associates. The failure to comply with HIPAA Rules can result in significant penalties for HIPAA covered entities. Business associates of covered entities can also be fined directly for HIPAA violations, but what about individual healthcare workers such as nurses? What happens if a nurse violates HIPAA Rules? What are the Penalties if a Nurse Violates HIPAA? Accidental HIPAA violations by nurses happen, even when care is taken to follow HIPAA Rules. While all HIPAA violations can potentially result in disciplinary action, most employers would accept that accidental violations are bound to occur from time to time. In many cases, minor violations of HIPAA...

Read More
New Study Reveals Lack of Phishing Awareness and Data Security Training
Nov03

New Study Reveals Lack of Phishing Awareness and Data Security Training

There is a commonly held view among IT staff that employees are the biggest data security risk; however, when it comes to phishing, even IT security staff are not immune. A quarter of IT workers admitted to falling for a phishing scam, compared to one in five office workers (21%), and 34% of business owners and high-execs, according to a recent survey by Intermedia. For its 2017 Data Vulnerability Report, Intermedia surveyed more than 1,000 full time workers and asked questions about data security and the behaviors that can lead to data breaches, malware and ransomware attacks. When all it takes is for one employee to fall for a phishing email to compromise a network, it is alarming that 14% of office workers either lacked confidence in their ability to detect phishing attacks or were not aware what phishing is. Confidence in the ability to detect phishing scams was generally high among office workers, with 86% believing they could identify phishing emails, although knowledge of ransomware was found to be lacking, especially among female workers. 40% of female workers did not know...

Read More
HIMSS Draws Attention to Five Current Cybersecurity Threats
Nov02

HIMSS Draws Attention to Five Current Cybersecurity Threats

In its October Cybersecurity report, HIMSS draws attention to five current cybersecurity threats that could potentially be used against healthcare organizations to gain access to networks and protected health information. Wi-Fi Attacks Security researchers have identified a new attack method called a key reinstallation (CRACK) attack that can be conducted on WiFi networks using the WPA2 protocol. These attacks take advantage of a flaw in the way the protocol performs a 4-way handshake when a user attempts to connect to the network. By manipulating and replaying the cryptographic handshake messages, it would be possible to reinstall a key that was already in use and to intercept all communications. The use of a VPN when using Wi-Fi networks is strongly recommended to limit the potential for this attack scenario and man-in-the-middle attacks. BadRabbit Ransomware Limited BadRabbit ransomware attacks have occurred in the United States, although the NotPetya style ransomware attacks have been extensive in Ukraine. As with NotPetya, it is believed the intention is to cause disruption...

Read More
Survey Reveals Sharing EHR Passwords is Commonplace
Nov02

Survey Reveals Sharing EHR Passwords is Commonplace

While data on the practice of password sharing in healthcare is limited, one survey suggests the practice of sharing EHR passwords is commonplace, especially with interns, medical students, and nurses. The research was conducted by Ayal Hassidim, MD of the Hadassah-Hebrew University Medical Center, Jerusalem, and also involved researchers from Duke University, Harvard Medical School, Ben Gurion University of the Negev, and Hadassah-Hebrew University Medical Center. The study was conducted on 299 medical students, nurses, medical residents, and interns and the results of the survey were recently published in Healthcare Informatics Research. The information stored in EHRs is sensitive and must be protected. Regulations such as HIPAA control access to that information. All individuals that require access to the information in EHR systems must be issued with a unique user ID and password. Any attempts to access protected health information must be logged to allow healthcare organizations to monitor for unauthorized access. If login credentials are shared with other individuals, it is...

Read More
FDA Publishes Final Guidance for Medical Device Manufacturers Sharing Information with Patients
Nov02

FDA Publishes Final Guidance for Medical Device Manufacturers Sharing Information with Patients

The U.S. Food and Drug Administration (FDA) has released final guidance for medical device manufacturers sharing information with patients at their request. Legally marketed medical devices collect, store, process, and transmit medical information. When patients request copies of the information recorded by or stored on the devices, manufacturers may share patient-specific information with the patient that makes the request. The FDA encourages information sharing as it can help patients be more engaged with their healthcare providers. When patients give their healthcare providers data collected by medical devices, it can help them make sound medical decisions. While information sharing is not a requirement of the Federal Food, Drug, and Cosmetic Act (FD&C Act), the FDA felt it necessary to provide medical device manufacturers with recommendations about sharing patient-specific information with patients. The guidelines are intended to help manufacturers share information appropriately and responsibly. The FDA explains that in many cases, patient-specific information recorded by...

Read More
Tips for Reducing Mobile Device Security Risks
Nov01

Tips for Reducing Mobile Device Security Risks

An essential part of HIPAA compliance is reducing mobile device security risks to a reasonable and acceptable level. As healthcare organizations turn to mobiles devices such as laptop computers, mobile phones, and tablets to improve efficiency and productivity, many are introducing risks that could all too easily result in a data breach and the exposure of protected health information (PHI). As the breach reports submitted to the HHS’ Office for Civil Rights show, mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, 71 breaches have been reported to OCR that have involved mobile devices such as laptops, smartphones, tablets, and portable storage devices. Those breaches have resulted in the exposure of 1,303,760 patients and plan member records. 17 of those breaches have resulted in the exposure of more than 10,000 records, with the largest breach exposing 697,800 records. The majority of those breaches could have easily been avoided. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not demand...

Read More
Who Do You Report HIPAA Violations To?
Nov01

Who Do You Report HIPAA Violations To?

The Health Insurance Portability and Accountability Act (HIPAA) requires HIPAA-covered entities and their business associates to implement safeguards to ensure the privacy of patients is protected and protected health information (PHI) is secured, but what happens when those rules are violated? Who do you report HIPAA violations to? Who do You Report HIPAA Violations To? If you suspect that HIPAA Rules have been violated by a HIPAA covered entity – Healthcare providers, health plans, healthcare clearinghouses, business associates of covered entities and their subcontractors – it is important for the violation to be reported to allow an investigation to take place. HIPAA violations frequently occur as a result of human error, a misunderstanding of HIPAA regulations, or in some cases, deliberate or willful violations of HIPAA Rules occur. A covered entity or business associate may not be aware that a HIPAA violation has occurred, and should be given the opportunity to correct errors and prevent similar violations from occurring in the future. How Can Healthcare Employees Report...

Read More
HHS Privacy Chief Deven McGraw Departs OCR: Iliana Peters Now Acting Deputy
Oct31

HHS Privacy Chief Deven McGraw Departs OCR: Iliana Peters Now Acting Deputy

Deven McGraw, the Deputy Director for Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR) has stepped down and left OCR. McGraw vacated the position on October 19, 2017. McGraw has served as Deputy Director for Health Information Privacy since July 2015, replacing Susan McAndrew. McGraw joined OCR from Manatt, Phelps & Phillips, LLP where she co-chaired the company’s privacy and data security practice. McGraw also served as Acting Chief Privacy Officer at the Office of the National Coordinator for Health IT (ONC) since the departure of Lucia Savage earlier this year. In July, ONC National Coordinator Donald Rucker announced that following cuts to the ONC budget, the Office of the Chief Privacy Officer would be closed out, with the Chief Privacy Officer receiving only limited support. It therefore seems an opportune moment for Deven McGraw to move onto pastures new. OCR’s Iliana Peters has stepped in to replace McGraw in the interim and will serve as Acting Deputy Director until a suitable replacement for McGraw can be found....

Read More
Who Does HIPAA Apply To?
Oct31

Who Does HIPAA Apply To?

Health Insurance Portability and Accountability Act (HIPAA) Rules cover the allowable uses and disclosures of protected health information secure and data security, but who does HIPAA apply to? Which types of organizations must implement HIPAA compliance programs? Who Does HIPAA Apply to? HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses if those organizations transmit health data electronically in connection with transactions for which the Department of Health and Human Services has adopted standards. Healthcare providers that are typically required to comply with HIPAA Rules includes hospitals, health clinics, nursing homes, doctors, dentists, pharmacies, chiropractors, and psychologists. Health plans include HMO’s, health insurance providers, company health plans, government programs that pay for health care such as Medicaid and Medicare, and veterans’ health programs. Self-insured companies that provide health coverage to their employees are also required to comply with HIPAA Rules. Healthcare clearinghouses include entities that process...

Read More
OCR Clarifies HIPAA Rules on Sharing Patient Information on Opioid Overdoses
Oct28

OCR Clarifies HIPAA Rules on Sharing Patient Information on Opioid Overdoses

The U.S. Department of Health and Human Services’ Office for Civil Rights has cleared confusion about HIPAA Rules on sharing patient information on opioid overdoses. The HIPAA Privacy Rule permits healthcare providers to share limited PHI in certain emergency and dangerous situations. Those situations include natural disasters and during drug overdoses, if sharing information can prevent or lessen a serious and imminent threat to a patient’s health or safety. Some healthcare providers have misunderstood the HIPAA Privacy Rule provisions, and believe permission to disclose information to the patient’s loved ones or caregivers must be obtained from the patient before any PHI can be disclosed. In an emergency or crisis situation, such as during a drug overdose, healthcare providers are permitted to share limited PHI with a patient’s loved ones and caregivers without permission first having been obtained from the patient. During an opioid overdose, healthcare providers can share health information with the patient’s family members, close friends, and caregivers if: The healthcare...

Read More
Phishing Attacks Using Malicious URLs Rose 600 Percent in Q3, 2017
Oct27

Phishing Attacks Using Malicious URLs Rose 600 Percent in Q3, 2017

As recent healthcare breach notices have shown, phishing poses a major threat to the confidentiality of protected health information (PHI). The past few weeks have seen several healthcare organizations announce email accounts containing the PHI of thousands of patients have been accessed by unauthorized individuals as a result of healthcare employees responding to phishing emails. Report Shows Massive Rise in Phishing Attacks Using Malicious URLs This week has seen the publication of a new report that confirms there has been a major increase in malicious email volume over the past few months. Proofpoint’s Quarterly Threat Report, published on October 26, shows malicious email volume soared in quarter 3, 2017. Compared to the volume of malicious emails recorded in quarter 2, there was an 85% rise in malicious emails in Q3. While attachments have long been used to deliver malware downloaders and other malicious code, Q3 saw a massive rise in phishing attacks using malicious URLs. Clicking those links directs end users to websites where malware is downloaded or login credentials are...

Read More
Is AWS HIPAA Compliant?
Oct27

Is AWS HIPAA Compliant?

Is AWS HIPAA compliant? Amazon Web Services has all the protections to satisfy the HIPAA Security Rule and Amazon will sign a business associate agreement with healthcare organizations. So, is AWS HIPAA compliant? Yes. And No. AWS can be HIPAA compliant, but it is also easy to make configuration mistakes that will leave protected health information (PHI) unprotected and accessible by unauthorized individuals, violating HIPAA Rules. Amazon Will Sign a Business Associate Agreement for AWS Amazon is keen for healthcare organizations to use AWS, and as such, a business associate agreement will be signed. Under that agreement, Amazon will support the security, control, and administrative processes required under HIPAA. Previous, under the terms of the AWS BAA, the AWS HIPAA compliance program required covered entities and business associates to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process Protected Health Information (PHI), although that is now no longer the case. As part of its efforts to help healthcare organizations use AWS safely and securely without violating...

Read More
The Most Common HIPAA Violations You Should Be Aware Of
Oct26

The Most Common HIPAA Violations You Should Be Aware Of

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI. The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules. This article covers five of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years. Are Data Breaches HIPAA Violations? Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare...

Read More
Employees Sue Lincare Over W2 Phishing Attack
Oct23

Employees Sue Lincare Over W2 Phishing Attack

In February 2017, Lincare Holdings Inc., a supplier of home respiratory therapy products, experienced a breach of sensitive employee data. The W2 forms of thousands of employees were emailed to a fraudster by an employee of the human resources department. The HR department employee was fooled by a business email compromise (BEC) scam. While health data was not exposed, names, addresses, Social Security numbers, and details of employees’ earnings were obtained by the attacker. This year has seen an uptick in W2 phishing scams, with healthcare organizations and schools extensively targeted by scammers. The scam involves the attacker using a compromised company email account – or a spoofed company email address – to request copies of W2 forms from HR department employees. Cyberattacks that result in the sensitive data of patients and consumers being exposed often results in class action lawsuits, although it is relatively rare for employees to take legal action against their employers. Lincare is one of few companies to face a lawsuit for failing to protect employee data. Three former...

Read More
Beazley Publishes 2017 Healthcare Data Breach Report
Oct23

Beazley Publishes 2017 Healthcare Data Breach Report

Beazley, a provider of data breach insurance and response services, has published a special report on healthcare data breaches covering the first nine months of 2017. While hacking and malware attacks are common, by far the biggest cause of healthcare data breaches in 2017 was unintended disclosures. Hacking and malware accounted for 19% of breaches, while unintended disclosures accounted for 41% of incidents. The figures show healthcare organizations are still struggling to prevent human error from resulting in the exposure of health data. As Beazley explains in its report, it is easier to control and mitigate internal breaches than it is to block cyberattacks by outsiders, yet many healthcare organizations are failing to address the problem effectively. “We urge organizations not to ignore this significant risk and to invest time and resources towards employee training.” Beazley notes that the number of cases of employee snooping on records and other insider incidents is getting worse. This time last year, 12% of healthcare data breaches were insider incidents, but in 2017 the...

Read More
Who Should HIPAA Complaints be Directed to Within the Covered Entity?
Oct23

Who Should HIPAA Complaints be Directed to Within the Covered Entity?

Who should HIPAA complaints be directed to within the covered entity? Any healthcare employee who believes they have witnessed a HIPAA violation should report the incident internally. Typically, the person to report the violation to is your Privacy Officer, if your organization has appointed one. Reporting Potential HIPAA Violations Internally During your HIPAA training, you should have been told who should HIPAA complaints be directed to within the covered entity, and the procedures to follow for making complaints about potential HIPAA violations. Generally speaking, the HIPAA violation should be reported to the person in your organization who is responsible for HIPAA compliance, which is typically your Privacy Officer or CISO. You may feel more comfortable reporting the incident to your supervisor. All HIPAA violations, even HIPAA violations that seem relatively minor, should be reported. They could be indicative of a wider problem, so it is important they are investigated internally. Accidental HIPAA violations should also be reported. It is better to own up to a minor HIPAA...

Read More
Termination for Nurse HIPAA Violation Upheld by Court
Oct19

Termination for Nurse HIPAA Violation Upheld by Court

A nurse HIPAA violation alleged by a patient of Norton Audubon Hospital culminated in the termination of the registered nurse’s employment contract. The nurse, Dianna Hereford, filed an action in the Jefferson Circuit Court alleging her employer wrongfully terminated her contract on the grounds that a HIPAA violation had occurred, when she claims she had always ‘strictly complied with HIPAA regulations.’ The incident that resulted in her dismissal was an alleged impermissible disclosure of PHI. Hereford had been assigned to the Post Anesthesia Care Unit at Norton Audubon Hospital and was assisting with a transesophageal echocardiogram. At the time of the alleged HIPAA violation, the patient was in an examination area that was closed off with a curtain. Hereford was present along with a physician and an echocardiogram technician. Alleged Improper Disclosure of Sensitive Health Information Before the procedure took place, Hereford performed a ‘Time-Out’ to ensure the patient understood what the procedure would entail, checked to make sure the site of the procedure was clearly marked...

Read More
De-identification of Protected Health Information: How to Anonymize PHI
Oct18

De-identification of Protected Health Information: How to Anonymize PHI

Healthcare organizations and their business associates that want to share protected health information must do so in accordance with the HIPAA Privacy Rule, which limits the possible uses and disclosures of PHI, but de-identification of protected health information means HIPAA Privacy Rule restrictions no longer apply. HIPAA Privacy Rule restrictions only covers individually identifiable protected health information. If you de-identify PHI so that the identity of individuals cannot be determined, and re-identification of individuals is not possible, PHI can be freely shared. The de-identification of protected health information enables HIPAA covered entities to share health data for large-scale medical research studies, policy assessments, comparative effectiveness studies, and other studies and assessments without violating the privacy of patients or requiring authorizations to be obtained from each patient prior to data being disclosed. HIPAA-Compliant De-identification of Protected Health Information HIPAA-compliant de-identification of protected health information is possible...

Read More
What Are Covered Entities Under HIPAA?
Oct18

What Are Covered Entities Under HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) applies to HIPAA-covered entities and their business associates, but what are covered entities under HIPAA, and what sort of companies are classed as business associates? Covered Entities Under HIPAA Covered entities under HIPAA are individuals or entities that transmit protected health information for transactions for which the Department of Health and Human Services has adopted standards (see 45 CFR 160.103). Transactions include transmission of healthcare claims, payment and remittance advice, healthcare status, coordination of benefits, enrollment and disenrollment, eligibility checks, healthcare electronic fund transfers, and referral certification and authorization. Covered entities under HIPAA include health plans, healthcare providers, and healthcare clearinghouses. Health plans include health insurance companies, health maintenance organizations, government programs that pay for healthcare (Medicare for example), and military and veterans’ health programs. Healthcare clearinghouses are organizations that...

Read More
HIPAA Compliance for Hospices
Oct17

HIPAA Compliance for Hospices

HIPAA compliance is rarely straightforward in the healthcare industry, and HIPAA compliance for hospices is one area in which it less straightforward than most. The rules regarding the disclosure of Protected Health Information limit conversations with family members if patients have not previously given their consent for the conversations to take place. Furthermore, if no DPHA is appointed, obtaining consent when the patient cannot express themselves is impossible. And that´s just the beginning. Many hospices are supported by volunteers, who – under the Privacy Rule – are regarded as members of the workforce. Volunteers have to be provided with the same training on HIPAA, permissible disclosures of Protected Health Information and HIPAA-compliant policies as professional healthcare providers. They are also subject to the same sanctions policies as professional healthcare providers, which makes things difficult if the volunteer is a priest or nun who has given comfort to the dying. Administrative Issues Further Complicate HIPAA Compliance for Hospices Hospice personnel...

Read More
Namaste Health Care Pays Ransom to Recover PHI
Oct17

Namaste Health Care Pays Ransom to Recover PHI

A hacker gained access to a file server used by Ashland, MI-based Namaste Health Care and installed ransomware, encrypting a wide range of data including patients’ protected health information. Access was gained to the file server over the weekend of August 12-13 and ransomware was installed; however, prior to the installation of ransomware it is unclear whether patients’ PHI was accessed or stolen. The Ashland clinic discovered its data had been encrypted when staff returned to work on Monday, August 14. Prompt action was taken to prevent any further accessing of its file server, including disabling access and taking the server offline. An external contractor was brought in to help remediate the attack and remove all traces of malware from its system. In order to recover data, Namaste Health Care made the decision to pay the attacker’s ransom demand. In this case, a valid key was supplied by that individual and it was possible to unlock the encrypted files. The clinic was able to recover data and bring its systems back online after a few days. The incident prompted the clinic to...

Read More
HHS Issues Limited Waiver of HIPAA Sanctions and Penalties in California
Oct17

HHS Issues Limited Waiver of HIPAA Sanctions and Penalties in California

The Secretary of the U.S. Department of Health and Human Services has issued a limited waiver of HIPAA sanctions and penalties in California. The waiver was announced following the presidential declaration of a public health emergency in northern California due to the wildfires. As was the case with the waivers issued after Hurricanes Irma and Maria, the limited waiver of HIPAA sanctions and penalties only applies when healthcare providers have implemented their disaster protocol, and then only for a period of up to 72 hours following the implementation of that protocol. In the event of the public health emergency declaration ending, healthcare organizations must then comply with all provisions of the HIPAA Privacy Rule for all patients still under their care, even if the 72-hour period has not yet ended. Whenever the HHS issued a limited waiver of HIPAA sanctions and penalties, healthcare organizations must still comply with the requirements of the HIPAA Security Rule and the Privacy Rule is not suspended.  The HHS simply exercises its authority under the Project Bioshield Act of...

Read More
Q3, 2017 Healthcare Data Breach Report
Oct16

Q3, 2017 Healthcare Data Breach Report

In Q3, 2017, there were 99 breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), bringing the total number of data breaches reported in 2017 up to 272 incidents. The 99 data breaches in Q3, 2017 saw 1,767,717 individuals’ PHI exposed or stolen. So far in 2017, the records of 4,601,097 Americans have been exposed or stolen as a result of healthcare data breaches. Q3 Data Breaches by Covered Entity Healthcare providers were the worst hit in Q3, reporting a total of 76 PHI breaches. Health plans reported 17 breaches and there were 6 data breaches experienced by business associates of covered entities. There were 31 data breaches reported in July, 29 in August, and 39 in September. While September was the worst month for data breaches, August saw the most records exposed – 695,228. The Ten Largest Healthcare Data Breaches in Q3, 2017 The ten largest healthcare data breaches reported to OCR in Q3, 2017 were all the result of hacking/IT incidents. In fact, 36 out of the 50 largest healthcare data breaches in...

Read More
Former Nurse Convicted of Theft of Patient Information and Tax Fraud
Oct16

Former Nurse Convicted of Theft of Patient Information and Tax Fraud

A former nurse from Midway, FL has been convicted of wire fraud, theft of government funds, possession of unauthorized access devices and aggravated identity theft by a court in Tallahassee. 41-year old Tangela Lawson-Brown was employed as a nurse in a Tallahassee nursing home between October 2011 and December 2012. During her time at the nursing home, Lawson-Brown stole the personal information of 26 patients, although she was discovered to have a notebook containing the personal information of 150 individuals. According to a press release issued by the United States Attorney’s Office for the Northern District of Florida, Lawson-Brown’s husband was arrested in January 2013 and items were seized from Lawson-Brown’s vehicle by the Tallahassee Police Department, including the notebook. The police investigation revealed that in 2011, Lawson-Brown used the stolen credentials to file fraudulent tax returns in the names of 105 individuals, including 24 patients of the nursing home. Lawson-Brown filed claims totaling more than $1 million. The IRS detected many of the claims as fraudulent,...

Read More
What Federal Department Regulates HIPAA?
Oct16

What Federal Department Regulates HIPAA?

Healthcare providers, health plans, healthcare clearinghouses, and business associates of those organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA), but what federal department regulates HIPAA and takes action against organizations that fail to comply with HIPAA Rules? What Federal Department Regulates HIPAA? HIPAA is regulated by the Department of Health and Human Services’ Office for Civil Rights (OCR). Since the introduction of the HIPAA Enforcement Rule in March 2006, OCR was given the power to investigate complaints about HIPAA violations. OCR was also given the right to issue civil monetary penalties if HIPAA-covered entities were found to have violated HIPAA Rules. While OCR had the power to issue financial penalties, it is relatively rare for HIPAA violations to result in financial penalties. Over the years since the Enforcement Rule was passed, OCR has steadily increased enforcement of HIPAA Rules, although it has only been in the past four years that financial penalties for HIPAA violations have become more common. Since the...

Read More
How to Secure Patient Information (PHI)
Oct13

How to Secure Patient Information (PHI)

HIPAA requires healthcare organizations of all sizes to secure protected health information (PHI), but how can covered entities secure patient information? If you are asked how you secure patient information, could you provide an answer? How Can You Secure Patient Information? HIPAA requires healthcare organizations and their business associates to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, although there is little detail provided on how to secure patient information in HIPAA regulations. This is intentional, as the pace that technology is advancing is far greater than the speed at which HIPAA can be updated. If details were included, they would soon be out of date. Technology is constantly changing and new vulnerabilities are being discovered in systems and software previously thought to be secure. Securing patient information is therefore not about implementing security solutions and forgetting about them. To truly secure patient information you must regularly review your security controls, update policies and procedures, maintain...

Read More
Why is HIPAA Important?
Oct12

Why is HIPAA Important?

The Health Insurance Portability and Accountability Act (HIPAA) is a landmark piece of legislation, but why is HIPAA important? What changes did HIPAA introduce and what are the benefits to the healthcare industry and patients? HIPAA was introduced in 1996, primarily to address one particular issue: Insurance coverage for individuals that are between jobs. Without HIPAA, employees faced a loss of insurance coverage when they were between jobs. A second goal of HIPAA was to prevent healthcare fraud and ensure that all ‘protected health information’ was appropriately secured and to restrict access to health data to authorized individuals. Why is HIPAA Important for Healthcare Organizations? HIPAA introduced a number of important benefits for the healthcare industry to help with the transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure protected health information is shared securely. The standards for recording health data and electronic...

Read More
Do Medical Practices Need to Monitor Business Associates for HIPAA Compliance?
Oct11

Do Medical Practices Need to Monitor Business Associates for HIPAA Compliance?

Should covered entities monitor business associates for HIPAA compliance or is it sufficient just obtain a signed, HIPAA-compliant business associate agreement? If a business associate provides reasonable assurances to a covered entity that HIPAA Rules are being followed, and errors are made by the BA that result in the exposure, theft, or accidental disclosure of PHI, the covered entity will not be liable for the BA’s HIPAA violations – provided the covered entity has entered into a business associate agreement with its business associate. It is the responsibility of the business associate to ensure compliance with HIPAA Rules. The failure of a business associate to comply with HIPAA Rules can result in financial penalties for HIPAA violations for the business associate, not the covered entity. A covered entity should ‘obtain satisfactory assurances’ that HIPAA Rules will be followed prior to disclosing PHI. While covered entities are not required by HIPAA to monitor business associates for HIPAA compliance, they should obtain proof that their business associate has performed an...

Read More
Summary of September 2017 Healthcare Data Breaches
Oct10

Summary of September 2017 Healthcare Data Breaches

There were 39 healthcare data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights in September 2017. Those breaches resulted in the theft/exposure of 473,074 patients’ protected health information. September 2017 Healthcare Data Breaches September 2017 healthcare data breaches followed a similar pattern to previous months. Healthcare providers suffered the most breaches with 27 reported incidents, followed by health plans with 10 breaches, and 2 breaches reported by business associates of covered entities. The biggest cause of healthcare data breaches in September was unauthorized access/disclosures (18 breaches), closely followed by hacking and IT incidents (17 breaches). Three theft incidents were reported and one covered entity reported the loss of an unencrypted device containing ePHI. All of the incidents involving loss or theft of devices related to laptops. One incident also involved a desktop computer and another the theft of physical records. There were no reported cases of improper disposal of PHI....

Read More
New AEHIS/ MDISS Partnership to Focus on Advancing Medical Device Cybersecurity
Oct10

New AEHIS/ MDISS Partnership to Focus on Advancing Medical Device Cybersecurity

A new partnership has been announced between CHIME’s Association for Executives in Healthcare Information Security (AEHIS) and the Foundation for Innovation, Translation and Safety Science’s Medical Device Innovation, Safety and Security Consortium (MDISS). The aim of the new collaboration is to help advance medical device cybersecurity and improve patient safety. The two organizations will work together to help members identify, mitigate, and prevent cybersecurity threats by issuing cybersecurity best practices, educating about the threats to device security, training members, and promoting information sharing. For the past three years, AEHIS has been helping healthcare organizations improve their information security defences. More than 700 CISOs and other healthcare IT security leaders have benefited from the education and networking opportunities provided by AEHIS. AEHIS helps its members protect patients from cyber threats, including cyberattacks on their medical devices, though its educational efforts, sharing best practices, and many other activities. MDISS now consists of...

Read More
What Does HIPAA Stand For?
Oct10

What Does HIPAA Stand For?

What does HIPAA stand for? HIPAA is an acronym of the Health Insurance Portability and Accountability Act of 1996 – a legislative act that had the primary aim of improving portability and accountability of healthcare coverage for employees between jobs. HIPAA also helped to ensure employees with pre-existing health conditions were provided with health insurance coverage. HIPAA also introduced standards that healthcare organizations were required to follow to reduce the paperwork burden and simplify the administration of health insurance. The HIPAA administrative simplification regulations streamlined billing, sending and receiving payments, and verifying eligibility. They also helped to ensure the smooth transition from paper to electronic health records and transitions. Since 1996, there have been several major updates to HIPAA, notably the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Enforcement Rule, the inclusion of the Health Information Technology for Economic and Clinical Health (HITECH) Act requirements (The HIPAA Omnibus Final Rule), and the Breach Notification...

Read More
Internet of Medical Things Resilience Partnership Act Bill Introduced
Oct09

Internet of Medical Things Resilience Partnership Act Bill Introduced

The Internet of Medical Things Resilience Partnership Act has been introduced in the U.S. House of Representatives. The main aim of the bill is to establish a public-private stakeholder partnership, which will be tasked with developing a cybersecurity framework that can be adopted by medical device manufacturers and other stakeholders to prevent data breaches and make medical devices more resilient to cyberattacks. The range of medical devices now being used in healthcare is considerable and the number is only likely to grow. As more devices are introduced, the risk to patients increases. These devices are currently used in hospitals, worn by patients, fitted surgically, or used at home. The devices include drug infusion pumps, ventilators, radiological technologies, pacemakers, and monitors. If appropriate safeguards are not incorporated into the devices, they will be vulnerable to attack. Those attacks could be performed to gain access to the data stored or recorded by the devices, to use the devices to launch attacks on healthcare networks, or to alter the function of the...

Read More
53% of Businesses Have Misconfigured Secure Cloud Storage Services
Oct09

53% of Businesses Have Misconfigured Secure Cloud Storage Services

The healthcare industry has embraced the cloud. Many healthcare organizations now use secure cloud storage services to host web applications or store files containing electronic protected health information (ePHI). However, just because secure cloud storage services are used, it does not mean data breaches will not occur, and neither does it guarantee compliance with HIPAA. Misconfigured secure cloud storage services are leaking sensitive data and many organizations are unaware sensitive information is exposed. A Business Associate Agreement Does Not Guarantee HIPAA Compliance Prior to using any cloud storage service, HIPAA-covered entities must obtain a signed business associate agreement from their service providers. Obtaining a signed, HIPAA-compliant business associate agreement prior to the uploading any ePHI to the cloud is an important element of HIPAA compliance, but a BAA alone will not guarantee compliance. ePHI can easily be exposed if cloud storage services are not configured correctly. As Microsoft explains, “By offering a BAA, Microsoft helps support your HIPAA...

Read More
HIPAA Compliance for Visiting Nurses
Oct09

HIPAA Compliance for Visiting Nurses

HIPAA compliance for visiting nurses is the same as for any other medical professional, even though their working environments can be much different. This is because a visiting nurse is an employee of medical facility, hospice or other independent visiting nurse service, and is regarded to be a member of a Covered Entity´s workforce. As such, a visiting nurse is not a Business Associate – even though he or she provides a service for the Covered Entity – and is subject to the policies and procedures enforced by the Covered Entity. However, there are unique challenges with regards to HIPAA compliance for visiting nurses working in the community. These challenges primarily concern the disclosure of Protected Health Information (PHI) to people they meet in their working environments and how their patients´ PHI is created, used, stored and shared with other members of the Covered Entity´s workforce. Families and HIPAA Compliance for Visiting Nurses Similar to nurses working in medical centers, visiting nurses have to use their discretion before disclosing the PHI of their...

Read More
Is WhatsApp HIPAA Compliant?
Oct06

Is WhatsApp HIPAA Compliant?

When WhatsApp announced it was introducing end-to-end encryption, it opened up the prospect of healthcare organizations using the platform as an almost free secure messaging app, but is WhatsApp HIPAA compliant? Many healthcare employees have been asking if WhatsApp is HIPAA compliant, and some healthcare professionals are already using the text messaging app to send protected health information (PHI). However, while WhatsApp does offer far greater protection than SMS messages and some other text messaging platforms, we believe WhatsApp is not a HIPAA compliant messaging platform. Why Isn’t WhatsApp HIPAA Compliant? First, it is important to point out that no software platform or messaging app can be truly HIPAA compliant, because HIPAA compliance is not about software. It is about users. Software can support HIPAA compliance and incorporate all the necessary safeguards to ensure the confidentiality, integrity, and availability of ePHI, but those controls can easily be undone by users. HIPAA does not demand that encryption is used. Provided an alternate, equivalent measure is...

Read More
Does HIPAA Require Identity Theft Protection Services to Be Offered to Data Breach Victims?
Oct06

Does HIPAA Require Identity Theft Protection Services to Be Offered to Data Breach Victims?

The HIPAA Breach Notification Rule requires covered entities to issue notifications to individuals after their ePHI has been exposed or stolen, but what about credit monitoring and identity theft protection services? Must they be offered? HIPAA does not stipulate whether credit monitoring and identity theft protection services should be provided to individuals impacted by a data breach. The decision whether or not to provide those services is left to the discretion of the covered entity. However, following a breach of unsecured protected health information, HIPAA-covered entities are required to provide breach victims with details of the steps that should be taken to mitigate risk and protect themselves from harm. Those steps include obtaining a credit report from credit reporting agencies – Equifax, Experian, and TransUnion. The credit reporting bureaus must provide consumers with a free credit report once every 12 months if requested. Breach victims should be instructed to monitor their accounts for any sign of fraudulent activity and should be told what to do if suspicious...

Read More
What are the Differences Between a HIPAA Business Associate and HIPAA Covered Entity
Oct06

What are the Differences Between a HIPAA Business Associate and HIPAA Covered Entity

The terms covered entity and business associate are used extensively in HIPAA legislation, but what are the differences between a HIPAA business associate and HIPAA covered entity? What Are HIPAA Covered Entities? HIPAA covered entities are healthcare providers, health plans, and healthcare clearinghouses that electronically transmit health information for transactions covered by HHS standards. Healthcare providers include hospitals and clinics, doctors, dentists, chiropractors, psychologists, pharmacies and nursing homes. Health plans include health insurance companies, company health plans, government programs that pay for healthcare, and HMO’s. Healthcare clearinghouses include transcription service companies that format data to make it compliant and organizations that process non-standard health information. Even if an entity is a healthcare provider, health plan or healthcare clearinghouse, they are not considered a HIPAA covered entity if they do not transmit any information electronically for transactions that HHS has adopted standards. In such cases, the entity would not be...

Read More
Government Accountability Office Report Confirms Widespread Security Failures at 24 Federal Agencies
Oct06

Government Accountability Office Report Confirms Widespread Security Failures at 24 Federal Agencies

A Government Accountability Office report has shown federal agencies are struggling to implement effective information security programs and are placing data systems and data at risk of compromise. In its report to Congress – Federal Information Security – Weaknesses Continue to Indicate Need for Effective Implementation of Policies and Practices – GAO explained, “The emergence of increasingly sophisticated threats and continuous reporting of cyber incidents underscores the continuing and urgent need for effective information security.” However, “Systems used by federal agencies are often riddled with security vulnerabilities—both known and unknown.” GAO explained that “The Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies in the executive branch to develop, document, and implement an information security program and evaluate it for effectiveness.” Every year, each federal agency is required to have information security program and practices reviewed by its inspector general, or an external auditor, to determine the effectiveness of the...

Read More
70% of Employees Lack Privacy and Security Awareness
Oct05

70% of Employees Lack Privacy and Security Awareness

When it comes to privacy and security awareness, many U.S. workers still have a lot to learn. Best practices for privacy and security are still not well understood by 70% of U.S. employees, according to a recent study by MediaPro, a provider of privacy and security awareness training. For the study, MediaPro surveyed 1,012 U.S. employees and asked them a range of questions to determine their understanding of privacy and security, whether they followed industry best practices, and to find out what types of risky behaviors they engage in. 19.7% of respondents came from the healthcare industry – the best represented industry in the study. Respondents were rated on their overall privacy and security awareness scores, being categorized as a hero, novice, or a risk to their organization. 70% of respondents were categorized as a novice or risk. Last year when the study was conducted, 88% of U.S. workers were rated as a novice or risk. Last year, only 12% of respondents ranked as a hero. This year the percentage increased to 30% – A good sign that some employees have responded to...

Read More
OCR Clarifies HIPAA Rules on Disclosures to Family, Friends and Other Individuals
Oct05

OCR Clarifies HIPAA Rules on Disclosures to Family, Friends and Other Individuals

The recent attack in Las Vegas has prompted the Department of Health and Human Services’ Office for Civil Rights to clarify HIPAA Rules on disclosures to family, friends and other individuals. Following Hurricane Irma and Hurricane Maria, OCR issued a partial waiver of certain provisions of the HIPAA Privacy Rule in the disaster areas of both hurricanes. OCR sometimes, but not always, issued such a waiver after a natural disaster when a public health emergency has been declared. However, OCR did not issue a HIPAA Privacy Rule waiver after the attack in Las Vegas, and neither was a waiver issued following the Orlando nightclub shootings in 2016. OCR does not usually issue waivers of HIPAA Rules following shootings and other man-made disasters. Healthcare organizations involved in the treatment of victims of the Las Vegas shootings were required to continue to follow the provisions of the HIPAA Privacy Rule. In its reminder about HIPAA Rules on disclosures to family, friends and other individuals, OCR explained that the HIPAA Privacy Rule allows healthcare organizations to disclose...

Read More
HIPAA Compliance for Home Health Care
Oct05

HIPAA Compliance for Home Health Care

HIPAA compliance for home health care workers can be difficult due to unique challenges they encounter that do not exist in brick and mortar hospitals. Home health care workers provide a valuable service for patients in the community – either visiting patients who are unable to attend hospital in their homes, or checking on their well-being via phone or video. These two scenarios raise unique challenges, and complicate HIPAA compliance for home health care workers – particularly with regard to the permitted disclosure of Protected Health Information. Under the HIPAA Privacy Rule, patients have the right to request details of their illnesses are withheld from some or all third parties. These third parties can include friends, family members and members of the clergy. Even when consent is given, health care workers – wherever they are located – should not disclose more than the minimum necessary Protected Health Information to third parties. This can cause awkward situations – and awkward relationships – in home environments when friends and family...

Read More
NIST Updates its Risk Management Framework for Information Systems and Organizations
Oct03

NIST Updates its Risk Management Framework for Information Systems and Organizations

The National Institute of Standards and Technology (NIST) has updated its Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (SP 800-37) – The first time the Risk Management Framework has been updated in the seven years since it was first published. NIST was called upon to update the Framework by the Defense Science Board, the Office of Management and Budget, and the President’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Because of the importance of information risk management to an organization’s overall risk management strategy, the C-Suite needs to get more involved in the implementation of information risk management processes. Security and privacy need to be taken into account when larger risk management decisions are being made. The Information Risk Management Framework is typically implemented at the system level, the realm of the Chief Information Security Officer (CISO) and Chief Information Officer (CIO). However, NIST found that...

Read More
How Employees Can Help Prevent HIPAA Violations
Oct03

How Employees Can Help Prevent HIPAA Violations

Healthcare organizations and their business associates must comply with the HIPAA Privacy, Security, and Breach Notifications Rules and implement safeguards to prevent HIPAA violations. However, even with controls in place to reduce the risk of HIPAA violations, data breaches still occur. In most industries, it is hackers and other cybercriminals that are responsible for the majority of security breaches, but in healthcare it is insiders. While healthcare organizations can take steps to improve their defenses and implement technologies to identify breaches rapidly when they occur, healthcare employees also need to help prevent HIPAA violations. Employees Can Help to Prevent HIPAA Violations Healthcare privacy breaches often occur as a result of carelessness or a lack of understanding of HIPAA Rules. Healthcare organizations should therefore ensure employees receive full training on HIPAA and know the allowable uses and disclosures of PHI and to secure ePHI at all times. Refresher training sessions should also be provided regularly to ensure HIPAA Rules are not forgotten. Employees...

Read More
Vermont Attorney General Agrees $264,000 SAManage USA Data Breach Settlement
Oct02

Vermont Attorney General Agrees $264,000 SAManage USA Data Breach Settlement

The 2016 SAManage USA data breach that saw the Social Security numbers of 660 Vermont residents exposed online has resulted in a settlement of $264,000 with the Vermont Attorney General. In 2016, SAManage USA, a technology company that provides business support services, failed to secure an Excel spreadsheet relating to the state health exchange, Vermont Health Connect. The spreadsheet was attached to a job ticket that was part of the firm’s cloud-based IT support system and was assigned a unique URL. The URL could theoretically have been guessed by anyone and accessed via a web browser without any need for authentication. The spreadsheet was also indexed by the Bing search engine and was displayed in the search results. Bing also displayed a preview of the contents of the spreadsheet, which clearly displayed names and Social Security numbers. Vermont Attorney General T.J Donovan said a Vermont resident found the spreadsheet via the search engine listings and reported the breach to his office, triggering an investigation. The Vermont Attorney General’s office contacted AWS and...

Read More
National Cyber Security Awareness Month: What to Expect
Oct02

National Cyber Security Awareness Month: What to Expect

October is National Cyber Security Awareness Month – A month when attention is drawn to the importance of cybersecurity and several initiatives are launched to raise awareness about how critical cybersecurity is to the lives of U.S. citizens. National Cyber Security Awareness Month is a collaborative effort between the U.S. Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA) and public/private partners. Throughout the month of October, the DHS, NCSA, and public and private sector organizations will be conducting events and launching initiatives to raise awareness of the importance of cybersecurity. Best practices will be shared to help U.S. citizens keep themselves safe online and protect their companies, with tips and advice published to help businesses improve their cybersecurity defenses and keep systems and data secure. DHS and NCSA will focus on a different aspect of cybersecurity each week of National Cyber Security Awareness Month: National Cyber Security Awareness Month Summary Week 1: Simple Steps to Online Safety (Oct. 2-6) Week 2:...

Read More
What Does HIPAA Mean?
Oct01

What Does HIPAA Mean?

What does HIPAA mean? HIPAA is an acronym of the Health Insurance Portability and Accountability Act – A legislative act that was signed into law in the United States by Bill Clinton on August 21, 1996. Initially, HIPAA was introduced to reform the healthcare industry and had two main aims: To ensure that when employees were between jobs, they would still be able to maintain healthcare coverage – The P in HIPAA – Portability. The second aim was to ensure the security and confidentiality of health information – The first A in HIPAA – Accountability. HIPAA includes standards that were intended to simplify healthcare transactions, in particular, with respect to electronic data transmission. These included the use of specific code sets and identifiers. Over the past two decades, HIPAA has been transformed and now includes many new rules that healthcare organizations must follow to ensure the privacy of patients is protected, sensitive data is kept secure at all times, and in the event of a data breach, affected individuals are notified. Major revisions of HIPAA Rules took place in 2003...

Read More
Is OneDrive HIPAA Compliant?
Sep30

Is OneDrive HIPAA Compliant?

Many covered entities want to take advantage of cloud storage services, but can Microsoft OneDrive be used? Is OneDrive HIPAA compliant? Many healthcare organizations are already using Microsoft Office 365 Business Essentials, including exchange online for email. Office 365 Business Essentials includes OneDrive Online, which is a convenient platform for storing and sharing files. Microsoft Supports HIPAA-Compliance There is certainly no problem with HIPAA-covered entities using OneDrive. Microsoft supports HIPAA-compliance and many of its cloud services, including OneDrive, can be used without violating HIPAA Rules. That said, before OneDrive – or any cloud service – can be used to create, store, or send files containing the electronic protected health information of patients, HIPAA-covered entities must obtain and sign a HIPAA-compliant business associate agreement (BAA). Microsoft was one of the first cloud service providers to agree to sign a BAA with HIPAA-covered entities, and offers a BAA through the Online Services Terms. The BAA includes OneDrive for Business, as well...

Read More
Why Dental Offices Should be Worried About HIPAA Compliance
Sep28

Why Dental Offices Should be Worried About HIPAA Compliance

In 2015, Dr. Joseph Beck became the first dentist to be fined for a HIPAA violation, which sent a warning to dental offices about HIPAA compliance.  Until that point, dental offices had avoided fines for noncompliance with HIPAA Rules. The penalty was not issued by the Department of Health and Human Services’ Office for Civil Rights (OCR), but by the Office of the Indiana attorney general. The fine of $12,000 was for the alleged mishandling of the protected health information of 5,600 patients. Since then, many settlements have been reached with covered entities for HIPAA violations. No further penalties have been issued to dental offices, although there is nothing to stop OCR or state attorneys general from fining dental offices for failing to comply with HIPAA Rules and settlements for alleged HIPAA violations are now being reached much more frequently than in 2015. Last year was a record year for settlements and 2017 has continued where 2016 left off. The probability of HIPAA violations being discovered has also increased. OCR has already commenced the much-delayed second phase...

Read More
HIPAA Compliance and Cloud Computing Platforms
Sep27

HIPAA Compliance and Cloud Computing Platforms

Before cloud services can be used by healthcare organizations for storing or processing protected health information (PHI) or for creating web-based applications that collect, store, maintain, or transmit PHI, covered entities must ensure the services are secure. Even when a cloud computing platform provider has HIPAA certification, or claims their service is HIPAA-compliant or supports HIPAA compliance, the platform cannot be used in conjunction with ePHI until a risk analysis – See 45 CFR §§ 164.308(a)(1)(ii)(A) – has been performed. A risk analysis is an essential element of HIPAA compliance for cloud computing platforms. After performing a risk analysis, a covered entity must establish risk management policies in relation to the service – 45 CFR §§ 164.308(a)(1)(ii)(B). Any risks identified must be managed and reduced to a reasonable and appropriate level. It would not be possible to perform a comprehensive, HIPAA-compliant risk analysis unless the covered entity fully understands the cloud computing environment and the service being offered by the platform...

Read More
The Benefits of Using Blockchain for Medical Records
Sep26

The Benefits of Using Blockchain for Medical Records

Blockchain is perhaps best known for keeping cryptocurrency transactions secure, but what about using blockchain for medical records? Could blockchain help to improve healthcare data security? The use of blockchain for medical records is still in its infancy, but there are clear security benefits that could help to reduce healthcare data breaches while making it far easier for health data to be shared between providers and accessed by patients. Currently, the way health records are stored and shared leaves much to be desired. The system is not efficient, there are many roadblocks that prevent the sharing of data and patients’ health data is not always stored by a single healthcare provider – instead a patients’ full health histories are fragmented and spread across multiple providers’ systems. Not only does this make it difficult for health data to be amalgamated, it also leaves data vulnerable to theft. When data is split between multiple providers and their business associates, there is considerable potential for a breach. The Health Insurance Portability and Accountability Act...

Read More
OIG Discovers Multiple Security Vulnerabilities in Alabama’s Medicaid Management Information System
Sep25

OIG Discovers Multiple Security Vulnerabilities in Alabama’s Medicaid Management Information System

The HHS’ Office of Inspector General (OIG) has conducted a review of Alabama’s Medicaid data and information systems to ascertain whether the state was in compliance with federal regulations. The review covered the Medicaid Management Information System (MMIS) and associated policies and procedures. OIG also conducted a vulnerability scan on networked devices, databases, websites, and servers to identify vulnerabilities that could potentially be exploited to gain access to systems and sensitive data. The audit revealed Alabama’s MMIS had multiple vulnerabilities that could potentially be exploited by hackers to gain access to its systems and Medicaid data. Alabama had adopted a security program for its MMIS, although several vulnerabilities had been allowed to persist. OIG said in its report, the vulnerabilities were “collectively and, in some cases, individually significant.” OIG did not uncover any evidence to suggest the vulnerabilities had already been exploited, although the vulnerabilities did place the integrity of the state Medicaid program at risk. By exploiting the...

Read More
HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone
Sep22

HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone

The U.S. Department of Health and Human Services has already issued two partial waivers of HIPAA sanctions and penalties in areas affected by hurricanes this year. Now a third HIPAA waiver has been issued, this time in the Hurricane Maria disaster area in Puerto Rico and the U.S. Virgin Islands. As was the case with the waivers issued in relation to Hurricane Harvey and Hurricane Irma, the waiver only applies to covered entities in areas where a public health emergency has been declared, only for 72 hours following the implementation of the hospital’s disaster protocol, and only for specific provisions of the HIPAA Privacy Rule: The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b). The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a). The requirement to distribute a notice of privacy practices. See 45 CFR 164.520. The patient’s right to request privacy restrictions. See 45 CFR 164.522(a). The patient’s right to request confidential...

Read More
Fall in Healthcare Data Breaches in August: Rise in Breach Severity
Sep21

Fall in Healthcare Data Breaches in August: Rise in Breach Severity

Healthcare data breaches have fallen for the second month in a row, according to the latest installment of the Breach Barometer report from Protenus/Databreaches.net. In August, there were 33 reported healthcare data breaches, down from 36 incidents in July and 56 in June. While the reduction in data breaches is encouraging, that is still more than one healthcare data breach per day. August may have been the second best month of the year to date in terms of the number of reported incidents, but it was the third worst in terms of the number of individuals impacted. 575,142 individuals were impacted by healthcare data breaches in July, with the figure rising to 673,934 individuals in August. That figure will rise further still, since two incidents were not included in that total since it is not yet known how many individuals have been affected. The worst incident of the month was reported by Pacific Alliance Medical Center – A ransomware attack that impacted 266,133 patients – one of the worst ransomware incidents of the year to date. Throughout the year, insider incidents have...

Read More
5 Months to Notify Patients of Augusta University Medical Center Phishing Attack
Sep18

5 Months to Notify Patients of Augusta University Medical Center Phishing Attack

An Augusta University Medical Center phishing attack has resulted in an unauthorized individual gaining access to the email accounts of two employees. It is unclear exactly when the phishing attack was discovered, although an investigation into the breach was concluded on July 18, 2017. That investigation confirmed access to the employees’ email accounts was gained between April 20-21, 2017. Upon discovery of the breach, access to the email accounts was disabled and passwords were reset. The investigation did not confirm whether any of the information in the accounts had been accessed or copied by the attackers. Patients impacted by the breach have now been notified – five months after the breach occurred. Patients have been informed that the compromised email accounts contained sensitive information such as names, addresses, dates of birth, driver’s license numbers, financial account information, prescription details, diagnoses, treatment information, medical record numbers and Social Security numbers. The amount of information exposed varied for each patient. It is currently...

Read More
Hospital Employee Fired Over 26,000-Record Arkansas DHS Privacy Breach
Sep18

Hospital Employee Fired Over 26,000-Record Arkansas DHS Privacy Breach

A former employee of the Arkansas Department of Human Services (DHS) has been fired from her new position at the state hospital for emailing spreadsheets containing the protected health information of patients to a personal email account. Yolanda Farrar worked as a payment integrity coding analyst for the DHS, but was fired on March 24, 2017. According to a statement issued by DHS spokesperson Amy Webb, Farrar was fired for “violations of DHS policy on professionalism, teamwork and diligent and professional performance.” The day previously, Farrar had spoken with her supervisor about issues relating to her performance and learned that she was about to be terminated. Within minutes of that conversation, Farrar emailed spreadsheets from her work email account to a personal email address. Farrar decided to take legal action against DHS for unfair dismissal. Attorneys working for DHS were preparing to represent the agency in court and were checking emails sent by Farrar through her work email account. They discovered the emails and spreadsheets on August 7. The DHS privacy...

Read More
Hospital Staff Discovered to Have Taken and Shared Photographs of Patient’s Genital Injury
Sep15

Hospital Staff Discovered to Have Taken and Shared Photographs of Patient’s Genital Injury

An investigation has been conducted into a privacy violation at the University of Pittsburgh Medical Center’s Bedford Memorial hospital, in which photographs and videos of a patient’s genitals were taken by hospital staff and in some cases, were shared with other individuals including non-hospital staff. The patient was admitted to the hospital in late December 2017, with photos/videos shared over the following few weeks. The patient was admitted to the hospital on December 23, 2016 with a genital injury – a foreign object had been inserted into the patient’s penis and was protruding from the end. The bizarre injury attracted a lot of attention and several staff members not involved with the treatment of the patient were called into the operating room to view the injury. Multiple staff members took photographs and videos of the patient’s genitals while the patient was sedated and unconscious. The privacy breach was reported by one hospital employee who alleged images/videos were being shared with other staff members not involved in the treatment of the patient. The complaint...

Read More
Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone
Sep12

Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone

A public health emergency has been declared in areas of the U.S. Virgin Islands, Puerto Rico, and Florida affected by Hurricane Irma. As was the case in Texas and Louisiana after Hurricane Harvey, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Irma. OCR has stressed that the HIPAA Privacy and Security Rules have not been suspended and covered entities must continue to follow HIPAA Rules; however, certain provisions of the Privacy Rule have been waived under the Project Bioshield Act of 2014 and Section 1135(b) of the Social Security Act. In the event that a hospital in the disaster zone does not comply with the following aspects of the HIPAA Privacy Rule, penalties and sanctions will be waived: 45 CFR 164.510(b) – Obtain a patient’s agreement to speak with family members or friends involved in the patient’s care 45 CFR 164.510(a) – Honor requests to opt out of the facility directory. 45 CFR 164.520 – Distribute a notice of...

Read More
FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange
Sep12

FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange

The U.S. Food and Drug Administration (FDA) has released final guidance on medical device interoperability, making several recommendations for smart, safe, and secure interactions between medical devices and health IT systems. The FDA says, “Advancing the ability of medical devices to exchange and use information safely and effectively with other medical devices, as well as other technology, offers the potential to increase efficiency in patient care.” Providers and patients are increasingly reliant on rapid and secure interactions between medical devices. All medical devices must therefore be able to reliably communicate information about patients to healthcare providers and work seamlessly together. For that to be the case, safe connectivity must be a central part of the design process. Manufacturers must also consider the users of the devices and clearly explain the functionality, interfaces, and correct usage of the devices. The guidelines spell out what is required and should help manufacturers develop devices that can communicate efficiently, effectively, and securely;...

Read More
OCR Stresses Need for Covered Entities to Prepare for Hurricanes and Other Natural Disasters
Sep08

OCR Stresses Need for Covered Entities to Prepare for Hurricanes and Other Natural Disasters

Hospitals in Texas and Louisiana had to ensure medical services continued to be provided during and after Hurricane Harvey, without violating HIPAA Rules. Questions were raised about when it is permitted to share health information with patients’ friends and family, the media and the emergency services and how the Privacy Rule applies in emergencies. The Department of Health and Human Services’ Office for Civil Rights responded by issuing guidance to covered entities on the HIPAA Privacy Rule and disclosures of patient health information in emergency situations to help healthcare organizations protect patient privacy and avoid violating HIPAA Rules. Allowable disclosures are summarized in this document. Hot on the heels of hurricane Harvey comes hurricane Irma, closely followed by hurricane Jose. Hospitals in other parts of the United States will have to cope with the storm and its aftermath and still comply with HIPAA Rules. OCR has taken the opportunity to remind covered entities of the need to prepare. OCR has explained that the HIPAA Privacy Rule was carefully created to ensure...

Read More
Mailing Error and PHI Breach Underscores Need for Greater Oversight
Sep08

Mailing Error and PHI Breach Underscores Need for Greater Oversight

Healthcare organizations must take care not to expose protected health information in mailings. Recently, there have been two incidents reported that involved sensitive information being disclosed as a result of a lack of oversight when corresponding with patients by mail. A third-party error resulted in details of HIV medications used by Aetna plan members being improperly disclosed. Letters were sent in sealed envelopes, although prescribed HIV medications were clearly visible through the clear plastic windows of the envelopes. Last year, Emblem Health sent a mailing in which patients’ Social Security numbers were accidentally printed on the outside of envelopes and the Ohio Department of Mental Health and Addiction Services sent a survey to patients on a postcard rather than using letters in sealed envelopes. In that case, the fact that the patient was, or had been, undergoing treatment for mental health issues was disclosed to any individual who happened to view the postcard. A similar incident has recently affected patients of University of Wisconsin-Madison’s Department of...

Read More
OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017
Sep06

OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017

Roger Severino, the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) has stated his main enforcement priority for 2017 is to find a “big, juicy, egregious” HIPAA breach and to use it as an example for other healthcare organizations on the dangers of failing to follow HIPAA Rules. When deciding on which cases to pursue, OCR considers the opportunity to use the case as an educational tool to remind covered entities of the need to comply with specific aspects of HIPAA Rules. At the recent ‘Safeguarding Health Information’ conference run by OCR and NIST, Severino explained that “I have to balance that law enforcement instinct with the educational component that we do.” Severino went on to say, “I really want to make sure people come into compliance without us having to enforce. I want to underscore that.” Severino did not explain what aspect of noncompliance with HIPAA Rules OCR is hoping to highlight with its next big, juicy settlement, although no healthcare organization is immune to a HIPAA penalty if they are found to have violated HIPAA...

Read More
Alaska DHSS Discovers Malware Infection and Possible PHI Breach
Sep05

Alaska DHSS Discovers Malware Infection and Possible PHI Breach

A Trojan horse virus has been discovered on two computers used by the Alaska Department of Health and Social Services. The virus potentially allowed malicious actors to gain access to the data stored on the devices. Katie Marquette, Communications Director of the Alaska DHSS, issued a statement confirming there was “a potential HIPAA breach of more than 500 individuals.” At present, the exact number of individuals affected has not been disclosed. An analysis of the two malware-infected computers revealed the attackers, who are believed to be located in the Western region, may have been able to obtain sensitive information such as Office of Children’s Services (OCS) documents and reports. Those documents contained details of family case files, medical diagnoses and observations, personal information and other related information. The investigation into the breach is ongoing and the DHSS Information Technology and Security team is currently attempting to determine the exact nature of the breach and whether any sensitive data were accessed or exfiltrated. Individuals impacted by the...

Read More
Former Employee of The Neurology Foundation Discovered to Have Obtained Patient Data
Sep05

Former Employee of The Neurology Foundation Discovered to Have Obtained Patient Data

The Neurology Foundation in Providence, RI has investigated an employee who had been discovered to be using a company credit card to make unauthorized purchases. The investigation revealed that individual copied and removed a range of sensitive patient information from the organization. In breach of the Neurology Foundation’s policies, the former employee copied data relating to the Foundation’s patients onto an external hard drive which was stored in the employee’s home. The Neurology Foundation discovered the employee had copied data onto the hard drive during an exit interview on May 3, 2017. That revelation prompted the Foundation to retain a computer forensics firm to conduct an investigation into the employee’s activities and determine the types of data copied to the storage device and the number of patients impacted. That investigation also revealed the former employee had breached company policies by copying sensitive data onto his/her desktop computer and several zip drives. The information copied to the external storage device included patients’ names, addresses, phone...

Read More
106,000 Mid-Michigan Physicians’ Patients Potentially Impacted by Breach
Aug31

106,000 Mid-Michigan Physicians’ Patients Potentially Impacted by Breach

The protected health information of 106,000 current and former patients of the radiology center of Mid-Michigan Physicians has potentially been compromised. McLaren Medical Group, which manages Mid-Michigan Physicians, has announced that the breach affected a system that stored scanned internal documents such as physician orders and scheduling information, which included protected health information such as names, addresses, telephone numbers, dates of birth, Social Security numbers, medical record numbers, and diagnoses. McLaren Medical Group discovered the breach in March this year, although the investigation into the security breach was protracted and notifications were delayed until the investigation was completed. That investigation confirmed the protected health information of seven individuals was definitely accessed, although potentially, the records of 106,000 patients could also have been viewed as a result of the radiology center’s system being compromised. McLaren Medical Group says its computer system has been reconstructed with additional security protections in place...

Read More
HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone
Aug31

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts. In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need. The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)). In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed. However, disasters often call for a...

Read More
Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients
Aug31

Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients

A class action lawsuit has been filed against Aetna following a privacy breach that saw the HIV positive status of up to 12,000 individuals impermissibly disclosed. Details of prescribed HIV medications were visible through the clear plastic windows of envelopes, along with individuals’ names and addresses, in a recent mailing. The letters related to pharmacy benefits and information on how HIV medications could be received. As a result of an error, which has been attributed to letters slipping inside the envelopes, many individuals had had their HIV status disclosed to neighbors, family members and roommates. While breach notification letters have been sent to 12,000 individuals who received the mailing, it is unclear exactly how many individuals had details of their HIV medications disclosed. Last week, Aetna announced that “this type of mistake is unacceptable,” and confirmed action was being taken to ensure proper safeguards are put in place to prevent similar incidents from happening. However, for individuals affected by the error, serious and irreparable harm has been caused....

Read More
NIST Updates Digital Identity Guidelines and Tweaks Password Advice
Aug22

NIST Updates Digital Identity Guidelines and Tweaks Password Advice

The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines (NIST Special Publication 800-63B), which includes revisions to its advice on the creation and storage of passwords. Digital authentication helps to ensure only authorized individuals can gain access to resources and sensitive data. NIST says, “authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.” The Digital Identity Guidelines include a number of recommendations that can be adopted to improve the digital authentication of subjects to systems over a network. The guidelines are not specific to the healthcare industry, although the recommendations can be adopted by healthcare organizations to improve password security. To improve the authentication process and make it harder for hackers to defeat the authentication process, NIST recommends the use of multi-factor authentication. For example, the use of a password along with a cryptographic authenticator. NIST suggests...

Read More
Healthcare Hacking Incidents Overtook Insider Breaches in July
Aug18

Healthcare Hacking Incidents Overtook Insider Breaches in July

Throughout 2017, the leading cause of healthcare data breaches has been insiders; however, in July hacking incidents dominated the breach reports. Almost half of the breaches (17 incidents) reported in July for which the cause of the breach is known were attributed to hacking, which includes ransomware and malware attacks. Ransomware was involved in 10 of the 17 incidents. The Protenus Breach Barometer report for July shows there were 36 reported breaches – The third lowest monthly total in 2017 and a major reduction from the previous month when 52 data breaches were reported – the worst month of the year to date by some distance. In July, 575,142 individuals are known to have been impacted by healthcare data breaches, although figures have only been released for 29 of the incidents. The worst breach reported in July – a ransomware attack on Women’s Health Care Group of PA – impacted 300,000 individuals. While hacking incidents are usually lower than insider breaches, they typically result in the theft or exposure of the most healthcare records. July was no exception....

Read More
Want to Prevent Data Breaches? Time to Go Back to Basics
Aug15

Want to Prevent Data Breaches? Time to Go Back to Basics

Intrusion detection systems, next generation firewalls, insider threat management solutions and data encryption will all help healthcare organizations minimize risk, prevent security breaches, and detect attacks promptly when they do occur. However, it is important not to forget the security basics. The Office for Civil Rights Breach portal is littered with examples of HIPAA data breaches that have been caused by the simplest of errors and security mistakes. Strong security must start with the basics, as has recently been explained by the FTC in a series of blog posts. The blog posts are intended to help businesses improve data security, prevent data breaches and avoid regulatory fines. While the blog posts are not specifically aimed at healthcare organizations, the information covered is relevant to organizations of all sizes in all industry sectors. The blog posts are particularly relevant for small to medium sized healthcare organizations that are finding data security something of a challenge. The blog posts are an ideal starting point to ensure all the security basics are...

Read More
Documents Containing PII Discovered in Used Office Furniture
Aug10

Documents Containing PII Discovered in Used Office Furniture

Prior to disposing or selling office furniture, HIPAA-covered entities should ensure that all drawers and compartments are inspected for any stray documents containing sensitive information. The failure to conduct a thorough check could easily result in a HIPAA breach or privacy violation. Such an incident has recently occurred in Branchburg in Somerset County, NJ. As reported by News 12 New Jersey, a printing company in Branchburg purchased used office furniture and discovered one of the cabinets contained hundreds of documents containing highly sensitive information. The owners of printing firm Sublimation 101, found a stack of Employment Eligibility Verification (I-9) forms containing sensitive information such as names, contact telephone numbers, home addresses together with photocopies of Social Security cards, passports, and driver’s licenses – A treasure trove of information that could be used for identity theft and fraud. The documents appear to have come from a health group in New Jersey – Presumably the former owner of the furniture. Michael Kaminsky, owner of the...

Read More
U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoses
Aug09

U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoses

West Virginia senators Joe Manchin and Shelley Moore Capito have announced that Jessie’s Law has been passed by the Senate. The legislation is intended to ensure doctors are provided with details of a patient’s previous substance abuse history if consent to share the information is provided by the patient. Jesse’s law takes its name from Michigan resident Jessica Grubb who was in recovery from opioid abuse when she underwent surgery. She had been struggling with addition for seven years, but prior to surgery had been clean for 6 months. Her parents, who were at the hospital while their daughter underwent surgery, had repeatedly told doctors not to prescribe opioids unless their daughter was under the strictest supervision. However, her discharging physician gave her a prescription for 50 oxycodone tablets. Grubb overdosed and died the same night she was discharged from hospital. Her discharging doctor did not receive the information about her history of opioid use. The bill, which was introduced by Sen. Manchin and co-sponsored by Capito, will ensure physicians are better informed...

Read More
HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management
Aug08

HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management

The Health Information Trust Alliance (HITRUST) has announced a new partnership with Trend Micro. The aim of the partnership is to speed the delivery of cyber threat research and education and improve organizational threat management. The partnership has seen the creation of the Cyber Threat Management and Response Center which will help to expand cyber threat information sharing and improve the service to healthcare organizations at all levels of cybersecurity maturity, helping them to deal with the increasing range of cyber threats and frequency of attacks. HITRUST already shares cyber threat intelligence with organizations that have signed up with its Cyber Threat Xchange (CTX) – the most widely adopted threat information sharing organization for the healthcare industry. HITRUST collects, analyses and distributes cyber threat information through CTX, including indicators of threats and compromise and has been working hard over the past 18 months to expand the collection of cyber threat information through its Enhanced IOC Collection Program. HITRUST now leads the industry in the...

Read More
Medical Device Cybersecurity Act Takes Aim at Medical Device Security
Aug08

Medical Device Cybersecurity Act Takes Aim at Medical Device Security

A new bill has been introduced in Congress that aims to ensure the confidential medical information of patients on medical devices is protected and security is improved to make the devices more resilient to hacks. The bill – The Medical Device Cybersecurity Act of 2017 – was introduced on August 1, 2017 by Senator Richard Blumenthal (D-CT) and is supported by the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS). Recent ransomware and malware attacks and hacks have demonstrated how vulnerable some medical devices are. Ransomware incidents have resulted in medical devices being taken out of action, causing major disruptions at hospitals and delaying the treatment of patients. There is no sign of these incidents slowing or stopping. In all likelihood, they will increase. While healthcare organizations are working hard to improve their defenses against cyberattacks, medical device manufacturers are not doing enough to ensure their devices are secure and remain so for the lifespan of the...

Read More
Protenus Provides Insight into 2017 Healthcare Data Breach Trends
Aug03

Protenus Provides Insight into 2017 Healthcare Data Breach Trends

Protenus, in conjunction with Databreaches.net, has produced its Breach Barometer mid-year review. The report covers all healthcare data breaches reported over the past 6 months and provides valuable insights into 2017 data breach trends. The Breach Barometer is a comprehensive review of healthcare data breaches, covering not only the data breaches reported through the Department of Health and Human Services’ Office for Civil Rights’ breach reporting tool, but also media reports of incidents and public findings. Prior to inclusion in the report, all breaches are independently confirmed by databreaches.net. The Breach Barometer reports delve into the main causes of data breaches reported by healthcare providers, health plans and their business associates. In a webinar on Wednesday, Protenus Co-Founder and president Robert Lord and Dissent of databreaches.net discussed the findings of the mid-year review. Lord explained that between January and June 2017 there have been 233 reported data breaches. Those breaches have impacted 3,159,236 patients. The largest reported breach in the...

Read More
47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years
Jul31

47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years

The KPMG 2017 Cyber Healthcare & Life Sciences Survey shows there has been a 10 percentage point increase in reported HIPAA data breaches in the past two years. The survey was conducted on 100 C-suite information security executives including CIOs, CSOs, CISOs and CTOs from healthcare providers and health plans generating more than $500 million in annual revenue. 47% of healthcare organizations have reported a HIPAA data breach in the past two years, whereas in 2015, when the survey was last conducted, 37% of healthcare organizations said they had experienced a security-related HIPAA breach in the past two years. Preparedness for data breaches has improved over the past two years. When asked whether they were ready to deal with a HIPAA data breach, only 16% of organizations said they were completely ready in 2015. This year, 35% of healthcare providers and health plans said they were completely ready to deal with a breach if one occurred. Ransomware has become a major threat since the survey was last conducted. 32% of all respondents said they had experienced a security breach...

Read More
Survey Shows Only a Quarter of Hospitals Have Implemented Secure Text Messaging Platforms
Jul25

Survey Shows Only a Quarter of Hospitals Have Implemented Secure Text Messaging Platforms

The use of secure text messaging platforms in healthcare has grown over the past few years, although a recent survey published in the Journal of Hospital Medicine suggests adoption of HIPAA-compliant messaging systems remains relatively low, with only a quarter of hospitals using a secure platform for sending messages to clinicians. The survey was conducted on 620 hospital-based clinicians identified from the Society of Hospital Medicine database. Secure text messaging platforms comply with HIPAA Rules and feature end-to-end encryption to prevent messages from being intercepted. Access controls are also incorporated to ensure only the intended recipient can view messages. Since messages cannot be sent outside the system, the platforms prevent accidental disclosures of PHI. Multi-media messages can also be sent, including test results and images. Secure text messaging platforms are a natural replacement for outdated pagers, allowing much more meaningful communication, although the survey suggests only 26.6% of hospitals have introduced the systems. Even when secure messaging systems...

Read More
OCR Data Breach Portal Update Highlights Breaches Under Investigation
Jul25

OCR Data Breach Portal Update Highlights Breaches Under Investigation

Last month, the Department of Health and Human Services confirmed it was mulling over updating its data breach portal – commonly referred to as the OCR ‘Wall of Shame’. Section 13402(e)(4) of the HITECH Act requires OCR to maintain a public list of breaches of protected health information that have impacted more than 500 individuals. All 500+ record data breaches reported to OCR since 2009 are listed on the breach portal. The data breach list contacts a wide range of breaches, many of which occurred through no fault of the covered entity and involved no violations of HIPAA Rules. OCR has received some criticism for its breach portal for this very reason, most recently from Rep. Michael Burgess (R-Texas) who said the breach portal was ‘unnecessarily punitive’ in its current form. For example, burglaries will occur even with reasonable physical security in place and even with appropriate controls in place, rogue healthcare employees will access PHI out of curiosity or with malicious intent on occasion, with some considering it unfair for those breaches to remain on public display...

Read More
U.S. Data Breaches Hit Record High
Jul20

U.S. Data Breaches Hit Record High

Hacking still the biggest cause of data breaches and the breach count has risen once again in 2017, according to a new report released by the Identity Theft Resource Center (ITRC) and CyberScout. In its half yearly report, ITRC says 791 data breaches have already been reported in the year to June 30, 2017 marking a 29% increase year on year. At the current rate, the annual total is likely to reach 1,500 reported data breaches. If that total is reached it would represent a 37% increase from last year’s record-breaking total of 1,093 breaches. Following the passing of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing healthcare data breach summaries on its website. Healthcare organizations are required by HIPAA/HITECH to detail the extent of those breaches and how many records have been exposed or stolen. The healthcare industry leads the way when it comes to transparency over data breaches, with many businesses failing to submit details of the extent of their breaches. ITRC says it is becoming much more common to...

Read More
Funding for ONC Office of the Chief Privacy Officer to be Withdrawn in 2018
Jul18

Funding for ONC Office of the Chief Privacy Officer to be Withdrawn in 2018

The cuts to the budget of the Office of the National Coordinator for Health Information Technology (ONC) mean the agency must make some big changes, one of which will be the withdrawal of funding for the Office of the Chief Privacy Officer. ONC National Coordinator Don Rucker, M.D., has confirmed that the office will be closed out in fiscal year 2018. Deven McGraw, the Deputy Director for Health Information Privacy, has been serving as Acting Chief Privacy Officer until a permanent replacement for Lucia Savage is found, following her departure in January. It is now looking highly unlikely that a permanent replacement will be sought. One of the key roles of the Chief Privacy Officer is to ensure that privacy and security standards are addressed and health data is appropriately protected. The Chief Privacy Officer also advises the National Coordinator for Health IT on privacy and security policies covering electronic health information. However, Rucker does not believe it is necessary for the ONC to have an office dedicated to privacy and security as other agencies in the HHS could...

Read More
University of Iowa Health Care Discovers PHI Was Exposed Online for 2 Years
Jul14

University of Iowa Health Care Discovers PHI Was Exposed Online for 2 Years

University of Iowa Health Care has discovered patient information has been accidentally exposed on the Internet for a period of around 2 years. The exposed data was limited and did not include any clinical data, financial information or Social Security numbers, only patients’ names, admission dates and medical record numbers. 5,292 patients of University of Iowa Hospitals and Clinics have been impacted by the incident. The data were saved in unencrypted files which were inadvertently posted online via an application development website. The data were accessible via the Internet since May 2015, with the error discovered on April 29, 2017. UIHC spokesperson Tom Moore said the tip off came from “An individual who is an expert on online security.” The tip off prompted an immediate and thorough investigation. University of Iowa Health Care acted quickly to mitigate risk, with the files deleted from the website on May 1, 2017. The investigation did not uncover any evidence to suggest any information was misused, and while the exposed data were extremely limited, University of...

Read More
Indiana Senate Passes New Law on Abandoned Medical Records
Jul13

Indiana Senate Passes New Law on Abandoned Medical Records

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers (and other covered entities) to implement reasonable administrative, technical, and physical safeguards to protect the privacy of patients’ protected health information. HIPAA applies to electronic protected health information (ePHI) and physical records. Safeguards must be implemented to protect all forms of PHI at rest and in transit and when PHI is no longer required, covered entities must ensure it is disposed of securely. For electronic protected health information that means data must be permanently deleted so it cannot be reconstructed and recovered. To satisfy HIPAA requirements, the Department of Health and Human Services’ Office for Civil Rights (OCR) recommends clearing, purging or destroying electronic media used to store ePHI. Clearing involves the use of software to overwrite data, purging involves degaussing or exposing media to strong magnetic fields to destroy data. Destruction of electronic media could involve pulverization, melting, disintegration, shredding or...

Read More
AMIA Urges HHS to Provide More Information on Common Rule Updates
Jul07

AMIA Urges HHS to Provide More Information on Common Rule Updates

The Federal Policy for the Protection of Human Subjects, otherwise known as the Common Rule, was first adopted in 1991; however, there have been numerous calls for the policy to be updated. The purpose of the Common Rule is to provide a framework for protecting human research subjects across the entire federal government. The Common Rule was introduced at a time when research was mainly conducted at medical institutions and universities. At the time, digital data was not in use. The past 26 years have seen considerable changes to where research is conducted, how much information is now available, how easy it is for information to be shared and for research participants to be identified. Earlier this year, proposed Common Rule updates were published by the HHS. The Trump administration is reviewing the Common Rule updates, although at this stage it is unclear whether any changes will be made, and if so, when those changes will be implemented. The updates were subjected to a 40-day regulatory freeze; but more than 150 days have now passed and there has been no further communication...

Read More
Office of Inspector General Releases Results of VA FISMA Audit
Jul06

Office of Inspector General Releases Results of VA FISMA Audit

The Department of Veteran Affairs’ Office of Inspector General has conducted its annual security review of the VA, the largest healthcare provider in the United States. The aim of the security review is to assess the VA’s information security program in accordance with the Federal Information Security Modernization Act (FISMA). The report reveals there are many ongoing security vulnerabilities that need to be addressed, although this year’s report only adds three new recommendations. In total, OIG made 33 recommendations about how the VA can make improvements to addresses security weaknesses. Those 33 recommendations are spread across 8 areas: The security management program, identity management and access controls, configuration management controls, system development and change management controls, contingency planning, incident response/planning, continuous monitoring and contractor systems oversight. The three new recommendations in this year’s report are: Weaknesses have been identified in the agencywide information and risk management program. OIG recommends processes are...

Read More
Delaware Data Breach Notification Law to be Strengthened
Jul05

Delaware Data Breach Notification Law to be Strengthened

Delaware data breach notification law is likely to be expanded to include medical information in the definition of personal information. The data breach notification law in Delaware has remained unchanged for 12 years so an update is certainly due. The bill was sponsored by Rep. Paul Baumbach (D), with an updated version (House Substitute No. 1 for HB 180) passed by the House on June 28 with a vote of 37-3. The bill will now go before the Senate where it is expected to be passed. Gov. John Carney (D) is in favor of the amendment and is expected to sign the bill. The updated breach notification law will see the definition of personal information expanded to include biometric data, usernames together with passwords, routing numbers to accounts, taxpayer identification numbers, health insurance identifiers, passport numbers and medical information. If passed, the new legislation will apply to all legal and commercial entities that do business in the state of Delaware that collect or use personal information; however, the updated Delaware data breach notification law will still not...

Read More
U.S. Healthcare Providers Affected by Global Ransomware Attack
Jun29

U.S. Healthcare Providers Affected by Global Ransomware Attack

NotPetya ransomware attacks have spread to the U.S. Decryption may not be possible even if the ransom is paid. Details of how to prevent attacks are detailed below. NotPetya Ransomware Attacks Spread to the United States Tuesday’s global ransomware attack continues to cause problems for many organizations in Europe, with the attacks now having spread to North America. The spread of the ransomware has been slower in the United States than in Europe, although many organizations have been affected including at least three healthcare systems. Pennsylvania’s Heritage Valley Health System has confirmed that its computer systems have been infected with the ransomware. The ransomware has affected the entire health system including both of its hospitals and its satellite and community facilities. While medical services continue to be provided, computer systems were shut down and some non-urgent medical procedures were postponed. 14 of the health system’s community facilities were closed on Wednesday as a result of the attack and lab and diagnostic services were also affected The health...

Read More
World’s Largest Data Breach Settlement Agreed by Anthem
Jun26

World’s Largest Data Breach Settlement Agreed by Anthem

The largest data breach settlement in history has recently been agreed by the health insurer Anthem Inc. Anthem experienced the largest healthcare data breach ever reported in 2015, with the cyberattack resulting in the theft of 78.8 million records of current and former health plan members. The breach involved names, addresses, Social Security numbers, email addresses, birthdates and employment/income information. A breach on that scale naturally resulted in many class-action lawsuits, with more than 100 lawsuits consolidated by a Judicial Panel on Multidistrict Litigation. Now, two years on, Anthem has agreed to settle the litigation for $115 million. If approved, that makes this the largest data breach settlement ever – Substantially higher than $18.5 million settlement agreed by Target after its 41 million-record breach and the $19.5 million paid to consumers by Home Depot after its 50-million record breach in 2014. After experiencing the data breach, Anthem offered two years of complimentary credit monitoring services to affected plan members. The settlement will, in...

Read More
Hard Drive Theft Sees Data of 1 Million Individuals Exposed
Jun23

Hard Drive Theft Sees Data of 1 Million Individuals Exposed

Washington State University (WSU) in Seattle is notifying approximately 1 million people that some of their personal information has been exposed following the theft of a computer hard drive. The hard drive was used to store backup information from a server used by the University’s Social & Economic Sciences Research Center (SESRC). The hard drive was stored in an 85lb locked safe. That safe, along with the contents, was stolen. There is a possibility that the safe has been opened and the information on the hard drive has been accessed. The thieves would require some skill to view the information as data were stored in a relational database which is not straightforward to access, although it is possible that the thieves could figure out how to view the information.  WSU says some of the files on the device were password protected and some had been encrypted. The University discovered the safe was missing on April 21, 2017 and immediately conducted an investigation. WSU brought in a leading computer forensics firm to determine which data were backed up on the device and could...

Read More
Google to Remove Personal Medical Information From Its Search Results
Jun23

Google to Remove Personal Medical Information From Its Search Results

There are only a handful of content categories that Google will not display in its search results. Now the list has grown slightly with the addition of personal medical records, specifically, the ‘confidential, personal medical records of private people.’ The update to its policy was made yesterday, with medical records joining national identification numbers such as Social Security numbers, bank account numbers, credit card numbers, images of signatures, sexual abuse images, revenge porn, and material that has been uploaded to the Internet in violation of the Digital Millennium Copyright Act. Google’s indexing system captures all publicly accessible information that has been uploaded to the Internet, although there has been criticism in recent years about the types of information Google allows to be listed. Even so, it is rare for Google to make changes to its algorithms to block certain types of content. The last addition to the list of material that can be removed automatically by Google was revenge porn – nude or sexually explicit images that have been uploaded to the...

Read More
FDA Chief Announces New Plan for Post-Market Regulation of Digital Health Products
Jun22

FDA Chief Announces New Plan for Post-Market Regulation of Digital Health Products

Food and Drug Administration (FDA) Commissioner Scott Gottlieb, M.D., has announced the FDA will be launching a new, risk-based regulatory framework in the fall for overseeing connected medical technology, including health apps and medical devices. The FDA wants to encourage and promote innovation that will lead to the development of new and beneficial medical technologies; however, it is essential that these technologies can benefit patients without placing their health or privacy at risk. Gottlieb said the FDA has now developed a new Digital Health Innovation Plan that will foster “innovation at the intersection of medicine and digital health technology.” The plan includes a novel post-market approach that will allow the regulation of digital medical devices and health-related apps. In a recent blog post, Gottlieb pointed out that close to 165,000 health-related apps have now been released for Smartphones and Apple devices, with forecasts estimating the apps will be downloaded 1.7 billion times by the end of this year. These apps have the potential to improve the health of...

Read More
Texas Health and Human Services Commission Reports Improper Disposal of 1,800 Patient Records
Jun21

Texas Health and Human Services Commission Reports Improper Disposal of 1,800 Patient Records

A box of paper forms has been discovered to have been improperly disposed of by the Texas Health and Human Services Commission. The Texas Health and Human Services Commission recently announced that the paperwork was discovered in a box next to a dumpster used by one of its eligibility offices in the E. 40th St. complex in Houston. An investigation into the improper disposal has been launched and steps are being taken to prevent similar incidents from occurring in the future. Those steps will include a review of the processes and procedures for permanently destroying documents containing protected health information. Texas Health and Human Services Commission is in the process of issuing breach notification letters to all affected individuals. The breach summary on the Department of Health and Human Services breach portal indicates 1,842 patients were impacted. Those individuals all reside in the Houston area. The Texas Health and Human Services Commission says the forms contained protected health information such as names, dates of birth, client numbers, case numbers and telephone...

Read More
May’s Healthcare Data Breach Report Shows Some Incidents Took 3 Years to Discover
Jun20

May’s Healthcare Data Breach Report Shows Some Incidents Took 3 Years to Discover

The May 2017 healthcare Breach Barometer Report from Protenus shows there was an increase in reported data breaches last month. May was the second worst month of the year to date for healthcare data breaches with 37 reported incidents, approaching the 39 data breaches reported in March. In April, there were 34 incidents reported. So far, each month of 2017 has seen more than 30 data breaches reported – That’s one reported breach per day, as was the case in 2016. In May, there were 255,108 exposed healthcare records representing a 10% increase in victims from the previous month; however, it is not yet known how many records were exposed in 8 of the breaches reported in May. The number of individuals affected could rise significantly. The largest incident reported in May was the theft of data by TheDarkOverlord, a hacking group/hacker known for stealing data and demanding a ransom in exchange for not publishing the data. The latest incident saw the data dumped online when the organization refused to pay the ransom. While April saw a majority of healthcare data breaches caused by...

Read More
OCR’s Wall of Shame Under Review by HHS
Jun16

OCR’s Wall of Shame Under Review by HHS

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’. The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of breach, location of breach information, whether a business associate was involved and the number of individuals affected. The list includes all reported data breaches, including those which occurred due to no fault of the healthcare organization. The list is not a record of HIPAA violations. Those are determined during OCR investigations of breaches. Making brief details of the data breaches available to the public is an ‘unnecessarily punitive’ measure, according to Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list. Burgess was informed at a cybersecurity hearing last week that HHS secretary Tom Price is currently...

Read More
Data Breach Risk From Out of Date Operating Systems and Web Browsers Quantified
Jun09

Data Breach Risk From Out of Date Operating Systems and Web Browsers Quantified

The recent WannaCry ransomware attacks have highlighted the risks from failing to apply patches and update software promptly. BitSight has now published the results of a study that sought to quantify the risk from tardy updates and delayed software upgrades. For the study, BitSight analyzed the correlation between data breaches and the continued to use old operating systems such as Windows 7, Windows Vista and Windows XP and old versions of web browsers. Operating systems and browsers used by approximately 35,000 companies from 20 industries were assessed as part of the study. BitSight checked Apple OS and Microsoft Windows operating systems and Chrome, Internet Explorer, Safari, and Firefox web browsers. 2,000 of the companies studied (6%) had out of date operating systems on more than half of their computers. BitSight said 8,500 companies were discovered to be using out of date web browsers. BitSight used its risk platform to study computer compromises and identified operating system and browser versions at those companies. BitSight was able to determine that organizations...

Read More
North Dakota Department of Human Services Notifies 2,452 Medicaid Recipients of PHI Exposure
Jun06

North Dakota Department of Human Services Notifies 2,452 Medicaid Recipients of PHI Exposure

The North Dakota Department of Human Services (NDDHS) is alerting 2,452 Medicaid recipients that some of their protected health information has been exposed. NDDHS discovered documents containing PHI had been disposed of in a dumpster accessible by the public. The HIPAA breach was discovered on May 19, 2017 when a member of the public saw documents containing sensitive information in a dumpster. The citizen contacted NDDHS about the discovery and an investigation was immediately launched. NDDHS arranged to collect the documents the same day. The documents were Medicaid worksheets dated 2015. The worksheets did not contain Social Security numbers, financial information or Medicaid recipients’ addresses; however, detailed on the sheets were Medicaid recipients’ first and last names, the first two characters of their Medicaid provider name, Medicaid provider numbers, Medicaid ID numbers, a two-digit code representing the county of residence, an internal NDDHS ID number, dates of service, amounts covered by insurance, amounts billed and allowed, diagnosis codes, coding modifiers and...

Read More
MDLive Privacy Lawsuit Voluntarily Dismissed
Jun06

MDLive Privacy Lawsuit Voluntarily Dismissed

The MDLive privacy lawsuit filed by law firm Edelson PC on behalf of plaintiff Joan Richards over alleged privacy violations has been voluntarily dropped without any settlement paid. The lawsuit was filed after following an alleged discovery that screenshots were repeatedly taken by MDLive and were passed to third-party Israeli firm Test Fairy. Test Fairy had been contracted to perform quality control checks and debugging services. However, the plaintiff alleged that the sending of screenshots, which contained sensitive information entered by users of MDLive, was a violation of patient privacy. Following the filing of the lawsuit on April 18, 2017, MDLive published a fact sheet explaining its relationship with the Israeli firm, stating the allegations were false, that there had not been a data breach and no HIPAA Rules had been violated. MDLive also said in the fact sheet that no data had been shared with unauthorized third parties. Some data had been disclosed to authorized third parties, although those firms were bound by contractual obligations and had agreed only to use data...

Read More
Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts
Jun02

Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts

Ransomware, malware and unaddressed software vulnerabilities threaten the confidentiality, integrity and availability of PHI, although healthcare organizations should take steps to deal with the threat from within. This year has seen numerous cases of employees snooping and accessing medical records without authorization. The HIPAA Security Rule 45 CFR §164.312(b) requires covered entities to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information,” while 45 CFR §164.308(a)(1)(ii)(D) requires covered entities to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” Logs create an audit trail that can be followed in the event of a data breach or privacy incident. Those logs can be checked to discover which records have been accessed without authorization. If those logs are monitored continuously, privacy breaches can be identified quickly and action taken to...

Read More
Plastic Surgery Clinic Employee Suspected of Stealing 15,000 Patient Records
Jun02

Plastic Surgery Clinic Employee Suspected of Stealing 15,000 Patient Records

A former employee of a Californian plastic surgery clinic is suspected of stealing the medical records of around 15,000 patients. The employee worked at the Rodeo Drive clinic in Beverly Hills run by Dr. Zain Kadri. The employee had been employed as a driver and translator since September 2016, but had subsequently been given other duties such as data entry. Allegedly, she quit the practice on May 13 after being accused of embezzlement. The employee was later discovered to have taken photographs of patients before and during surgical procedures and uploaded those pictures to the image sharing site Snapchat. Further data theft was uncovered in May while the clinic was transferring paper records to digital files. As part of that process, the clinic checked a company phone used by the former employee. Images were discovered on the device including photographs of patients, but also photographs of patient IDs, usernames and passwords, copies of checks and credit and debit card information. Conversations were also reportedly recorded by the employee. It is unclear how much of that...

Read More
Study Uncovers More Than 8,000 Security Flaws in Pacemakers from Four Major Manufacturers
May31

Study Uncovers More Than 8,000 Security Flaws in Pacemakers from Four Major Manufacturers

Over the past 12 months, security vulnerabilities in implantable medical devices have attracted considerable attention due to the potential threat to patient safety. Last year, MedSec conducted an analysis of pacemaker systems which revealed security vulnerabilities in the Merlin@home transmitter and the associated implantable cardiac devices manufactured by St. Jude Medical. Those vulnerabilities could potentially be exploited to cause device batteries to drain prematurely and the devices to malfunction. A recent study of the pacemaker ecosystem has uncovered a plethora of security flaws in devices made by other major manufacturers. Those flaws could potentially be exploited to gain access to sensitive data and cause devices to malfunction. Billy Rios and Jonathan Butts, PhD., of security research firm WhiteScope has recently published a white paper detailing the findings of the study. The pair conducted an analysis of seven cardiac devices from four major device manufacturers. The researchers evaluated home monitoring devices, implantable cardiac devices and physician...

Read More
Molina Healthcare Patient Portal Discovered to Have Exposed Patient Data
May31

Molina Healthcare Patient Portal Discovered to Have Exposed Patient Data

Earlier this month, security researcher Brian Krebs was alerted to a flaw in a patient portal used by True Health Group that allowed patients’ test results to be viewed by other patients. While patients were required to login to the patient portal before viewing their test results, a security flaw allowed then to also view other patients’ results. Now, the Medicaid and Affordable Care Act Insurer Molina Healthcare is investigating a similar flaw in its patient portal that has allowed the sensitive medical information of patients to be accessed by unauthorized individuals. In the case of Molina Healthcare, patients’ medical claims could be accessed without authentication. Brian Krebs contacted Molina Healthcare to alert the company to the flaw. An investigation was conducted and its patient portal was shut down while the issue was resolved. It is unclear for how long the flaw existed, whether medical claims had been viewed by unauthorized individuals, and if so, how many patients had their privacy violated. Potentially, the flaw resulted in the exposure of all customers’ medical...

Read More
Children’s Mercy Hospital Discovers Unauthorized Website Exposed 5,500 Patients’ PHI
May31

Children’s Mercy Hospital Discovers Unauthorized Website Exposed 5,500 Patients’ PHI

A website created by a physician at Children’s Mercy Hospital in Kansas City, MO has recently been discovered to lack appropriate security protections, potentially allowing the protected health information of 5,511 patients to be viewed by unauthorized individuals. The physician created the website with good intentions and used the site as an educational resource. Data uploaded to the website was protected with a password to prevent unauthorized access. However, the protections in place to prevent unauthorized ePHI access did not meet the hospital’s security standards. The lack of security controls on the website meant information uploaded to the website could have been accessed by unauthorized individuals. Contact information (addresses and telephone numbers), Social Security numbers, financial information, health insurance details, photos and other images were not uploaded to the site. However, the website did contain information such as patients’ first and last names, gender, age, medical record number, encounter number, dates of service, admission and discharge dates,...

Read More
Beacon Health Employee Improperly Accessed 1,200 Patient Records Over 3 Year Period
May30

Beacon Health Employee Improperly Accessed 1,200 Patient Records Over 3 Year Period

A former Beacon Health System employee has been discovered to have accessed the medical records of approximately 1,200 patients without authorization over a period of three years. The privacy breach was uncovered during a routine audit of ePHI access logs, with the unauthorized access discovered on March 30, 2017. The employee in question was permitted to access patient records to perform work duties, although access rights were abused and the records of other patients were viewed even though there was no legitimate work reason for doing so. Upon discovery of the unauthorized access, Beacon Health conducted a full review with assistance from an external computer forensics firm and determined the inappropriate access started in March 2014. The employee was interviewed and claimed the records were accessed out of curiosity only and confirmed no information was copied or disclosed to other individuals. The medical records were accessed after patients visited the Emergency Room for treatment. The types of information in the records included patients’ names, ages, room numbers, chief...

Read More
Medical Device Security Testing Only Performed by One in Twenty Hospitals
May26

Medical Device Security Testing Only Performed by One in Twenty Hospitals

The security of medical devices has attracted a lot of attention in recent months due to fears of device vulnerabilities being exploited by cybercriminals to cause harm to patients, gain access to healthcare networks and steal patient data. Cybercriminals have extensively targeted the healthcare industry due to the high value of patient data on the black market, combined with relatively poor cybersecurity defenses. While there have been no reported cyberattacks on medical devices with the specific aim of causing harm to patients, there are fears it is only a matter of time before such an attack occurs. Even if harming patients is not the goal of cybercriminals, ransomware attacks – which take essential computer systems out of action – can place patient safety at risk. Those attacks are already occurring. Some healthcare providers experienced medical device downtime as a result of the recent WannaCry ransomware attacks. Much attention has focused on device manufacturers for failing to incorporate appropriate security protections to prevent cyberattacks and not considering security...

Read More
Stolen Electromyography Device Contained 836 Patients PHI, says SSM Health
May25

Stolen Electromyography Device Contained 836 Patients PHI, says SSM Health

SSM Health has started notifying patients that some of their protected health information was exposed when a portable device was stolen from DePaul Hospital St Louis in Bridgeton, MO. The device contained the protected health information of 836 patients, including names, medical record numbers, dates of birth and brief details of patients’ chief health complaint.  No insurance details, financial information, Social Security numbers or contact information were stored on the device. Due to the limited data stored on the device, patients are not believed to be at risk of experiencing identity theft or fraud. The portable device was stolen from DePaul hospital overnight between April 12 and the morning of April 13, 2017. The theft has been reported to the local police department and an investigation into the incident is ongoing. The device, which resembles a laptop computer, was part of an electromyography (EMG) medical device. Officials at DePaul hospital believe the device was stolen because it resembles a laptop computer, not for the information stored on the device. No evidence has...

Read More
HIPAA Enforcement Update Provided by OCR’s Iliana Peters
May25

HIPAA Enforcement Update Provided by OCR’s Iliana Peters

Office for Civil Rights Senior Advisor for HIPAA Compliance and Enforcement, Iliana Peters, has given an update on OCR’s enforcement activities in a recent Health Care Compliance Association ‘Compliance Perspectives’ podcast. OCR investigates all data breaches involving the exposure of theft of more than 500 healthcare records. OCR also investigates complaints about potential HIPAA violations. Those investigations continue to reveal similar non-compliance issues. Peters said many issues come up time and time again. Peters confirmed that cases are chosen to move on to financial settlements when they involve particularly egregious HIPAA violations, but also when they relate to aspects of HIPAA Rules that are frequently violated. The settlements send a message to healthcare organizations about specific aspects of HIPAA Rules that must be addressed. Peters said one of the most commonly encountered problems is the failure to conduct a comprehensive, organization-wide risk assessment and ensure any vulnerabilities identified are addressed through a HIPAA-compliant risk management...

Read More
Security Gaps Found in Virginia Medicaid Claims Processing Systems
May24

Security Gaps Found in Virginia Medicaid Claims Processing Systems

Last week, the Department of Health and Human Services’ Office of Inspector General released a report of an audit of Virginia Medicaid’s claims processing systems. The audit uncovered several vulnerabilities that left the data of Medicaid beneficiaries exposed. OIG investigators determined that Virginia had not secured its Medicaid data to an acceptable standard in line with Federal requirements. The report does not detail the specific vulnerabilities OIG discovered, as that would potentially allow those flaws to be exploited, although full details of the findings of the audit have been submitted to the Department of Medical Assistance Services (DMAS) – the entity that administers and supervises the state Medicaid program. OIG has also provided several recommendations for improving the security of its information systems. The audit involved a review of information system general controls, including conducting staff interviews, reviewing policies and procedures and conducting a vulnerability scan of network devices, servers, databases and websites. Even though a security program had...

Read More
HIPAA and Ransomware: Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware
May19

HIPAA and Ransomware: Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk. The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and pertinent information for U.S. healthcare organizations allowing them to take rapid action to counter the threat. While the Office for Civil Rights has previously sent monthly emails to healthcare organizations warning of new threats in its cybersecurity newsletters, the recent alerts were sent much more rapidly and frequently, with four email alerts and conference calls made with industry stakeholders alerting them to the imminent threat. Whether this was a one off in response to a specific and imminent major threat or the HHS plans to issue more timely alerts remains to be seen. However, the rapid communication of the ransomware threat almost certainly...

Read More
Rite Aid Announces Breach of Its Online Store
May19

Rite Aid Announces Breach of Its Online Store

Pharmacy chain Rite Aid has discovered unauthorized individuals gained access to the e-commerce platform of its online store and stole sensitive information of its customers over a period of 10 weeks. The attackers gained access to, and stole, personal information and credit/debit card details. An investigation into the breach revealed that access to the platform was first gained on January 30, 2017 and continued until April 11, 2017 when the intrusion was detected and unauthorized access was blocked. During the time that unauthorized individuals had access to its e-commerce platform, they obtained customers names, addresses and payment card information, including card numbers, expiry dates and CVV numbers. The incident impacts all customers who used the online store between the above dates and manually entered their payment card details. A leading cybersecurity firm was called in to help determine how the breach occurred, which individuals were impacted, and to mitigate future risk. Rite Aid is also working closely with payment card companies and assisting in their investigations...

Read More
Medical Device Cybersecurity Gaps Discussed at FDA Workshop
May19

Medical Device Cybersecurity Gaps Discussed at FDA Workshop

This week, the U.S. Food and Drug Administration (FDA) is hosting a two-day workshop to identify current cybersecurity gaps that could be exploited by cybercriminals to gain access to medical devices. Best practices and cybersecurity tools that can be adopted to improve defenses against cyberattacks are under discussion. This is the third time the FDA has held such a workshop on medical device security and it comes at an appropriate time. The recent WannaCry ransomware attacks resulted in Siemens, Bayer and other manufacturers’ devices having data encrypted. Cyberattacks on medical devices have potential to cause considerable harm to patients. Cybercriminals could also target medical devices to obtain sensitive information on patients or use the devices to launch attacks on healthcare networks. This week, the attacks only resulted in data being encrypted. Bayer reported that both of the healthcare organizations that were affected were able to recover data and restore the functionality of their medical devices within 24 hours. The medical devices were not specifically targeted and...

Read More
Guidance on Securing Wireless Infusion Pumps Issued by NIST
May11

Guidance on Securing Wireless Infusion Pumps Issued by NIST

The National Institute of Standards and Technology (NIST), in collaboration with the National Cybersecurity Center of Excellence (NCCoE), has released new guidance for healthcare delivery organizations on securing wireless infusion pumps to prevent unauthorized access. Infusion pumps, and many other medical devices, used to interact only with the patient and healthcare provider; however, advances in technology have improved functionality and now the devices can interact with a much wider range of healthcare systems and networks.  The additional functionality of the devices has allowed vulnerabilities to be introduced that could be easily exploited to cause patients to come to harm. Wireless infusion pumps are of particular concern. Vulnerabilities could be exploited by malicious actors allowing drug doses to be altered, the functioning of the infusion pumps to be changed or patients’ protected health information to be accessed.  Typically, the devices have poor cybersecurity protections in place to prevent unauthorized access. The risks introduced by the devices have been widely...

Read More
Patient-Physician Texting to Be Covered at AMA Annual Meeting
May10

Patient-Physician Texting to Be Covered at AMA Annual Meeting

Text messages are a quick and easy method of communication, although for healthcare professionals the use of SMS messages carries considerable privacy risks. While text messages can be used to communicate quickly with members of a care team, the inclusion of any protected health information (PHI) or personally identifiable information (PII) violates HIPAA Rules. SMS texts are unencrypted, potentially allowing unauthorized individuals to access the messages and view the contents. SMS messages may also be stored on the servers of service providers. Those messages may remain on unsecured servers indefinitely. Copies of SMS texts can remain on the sender’s and recipients phone. In the event that either the sender or recipient’s phone is lost or stolen, PHI/PII in messages may be exposed. With SMS messages, there are no HIPAA-compliant controls to verify the identity of the recipient or for the recipient to verify the identity of the sender. The lack of safeguards in place to ensure the confidentiality and integrity of PHI and limited authentication controls means the sending of any...

Read More
New Jersey IVF Clinic Hack Sees PHI of 14,000 Patients Potentially Compromised
May10

New Jersey IVF Clinic Hack Sees PHI of 14,000 Patients Potentially Compromised

A third-party server hosting the electronic health record database of the New Jersey Diamond Institute for Infertility and Menopause has been hacked and access gained by an unauthorized individual. The Diamond Institute says its database and EHR system was encrypted, so the attackers were unable to access patient health records, although many unencrypted supporting documents were also stored on the server and may have been accessed. It is unclear when the attack took place, although the Diamond Institute learned of the cyberattack on February 27, 2017. A full investigation was rapidly initiated and steps taken to secure the server to prevent further unauthorized activity. The investigation involved checking all documents to determine the patients impacted and the types of data that could potentially have been viewed or copied. The documents were found to contain a limited amount of protected health information relating to more than 14,000 patients. Those data included patients’ names, addresses, birth dates, Social Security numbers, sonograms and lab test results. The breach has...

Read More
180,000 Patient Records Dumped Online by The Dark Overlord
May09

180,000 Patient Records Dumped Online by The Dark Overlord

It is a nightmare scenario far worse than a ransomware attack. A hacker infiltrates your network, steals patient data and then threatens to publish those data if you do not pay a ransom. That is the modus operandi of TheDarkOverlord, who conducted numerous attacks on healthcare organizations over the past few months. Sizable ransom demands were issued – which TDO referred to as ‘modest’ – with threats issued to sell or publish the data if the victims refused to pay or ignored the requests. Many healthcare organizations chose not to pay up. TDO has now made good on his/her promise and has published the data of more than 180,000 patients online, several months after the attacks occurred. Aesthetic Dentistry of New York City, OC Gastrocare of Anaheim, CA, and Tampa Bay Surgery Center in Tampa, FL have all had highly sensitive patient data published online last week . The data of 3,496 patients of Aesthetic Dentistry, 34,100 patients of OC Gastrocare, and 134,000 patients of Tampa Bay Surgery Center can now be freely downloaded. A link to the website where the data were dumped was sent...

Read More
Majority of Organizations Failing to Protect Against Mobile Device Security Breaches
May05

Majority of Organizations Failing to Protect Against Mobile Device Security Breaches

A recent report published by Dimensional Research has highlighted the growing threat of mobile device security breaches and how little organizations are doing to mitigate risk. Cybercriminals may view employees as one of the weakest links in the security chain, but mobile devices are similarly viewed as an easy way of gaining access to data and corporate networks. According to the report, the threat of mobile cyberattacks in growing. Two out of ten companies have already experienced a mobile device cyberattack, although in many cases, organizations are not even aware that a cyberattack on a mobile device has occurred. The survey, which was conducted on 410 security professionals, found that two thirds of respondents were doubtful they would be able to prevent a cyberattack on mobile devices and 51% believed the risk of data theft/loss via mobile devices was equal to or greater than the risk of data theft/loss from PCs and laptops. Yet, a third of respondents said they did not adequately protect mobile devices. 94% of respondents said cyberattacks on mobile devices will become more...

Read More
Rise in Business Email Compromise Scams Prompts IC3 Warning
May05

Rise in Business Email Compromise Scams Prompts IC3 Warning

There has been a massive increase in business email compromise scams over the past three years. In the past two years alone, the number of companies that have reported falling for business email comprise scams has increased by 2,370% according to new figures released by the Internet Crime Complaint Center (IC3). In the past three years, cybercriminals have used business email compromise scams to fraudulently obtain more than $5 billion. U.S. organizations lost more than $1.5 billion to BEC scams between October 2013 and December 2016. The rise in BEC attacks has prompted IC3 to issue a new warning to businesses, urging them to implement a range of defenses to mitigate risk. What are Business Email Compromise Scams and How Do They Work? A business email compromise scam – also known as an email account compromise – involves an attacker gaining access to an email account of an executive and sending an email request to a second employee via the compromised email account. The request can be a bank transfer or a request to email data. Since the email comes from within an organization,...

Read More
Bitglass Publishes 2017 Healthcare Data Security Report
May04

Bitglass Publishes 2017 Healthcare Data Security Report

Bitglass has recently published its 2017 Healthcare Data Breach Report, the third annual report on healthcare data security issued by the data protection firm. For the report, Bitglass conducted an analysis of healthcare data breach reports submitted to the Department of Health and Human’ Services Office for Civil Rights. The report confirms 2016 was a particularly bad year for healthcare industry data breaches. Last year saw record numbers of healthcare data breaches reported, although the number of healthcare records exposed in 2016 was lower than in 2015. In 2016, 328 healthcare data breaches were reported, up from 268 incidents in 2015. Last year’s healthcare data breaches impacted around 16.6 million Americans. The good news is that while incidents are up, breaches are exposing fewer healthcare records. If the colossal data breach at Anthem Inc., which exposed 78.8 million healthcare records, is considered an anomaly and is excluded from last year’s figures, the number of individuals impacted by healthcare data breaches has fallen for two years in a row. That trend looks set...

Read More
OCR Director Stresses Importance of Keeping Health Data Secure
Apr28

OCR Director Stresses Importance of Keeping Health Data Secure

The new director of the Department of Health and Human Services’ Office for Civil Rights, Roger Severino, has hinted that last year’s increase in settlements for non-compliance with HIPAA Rules was not a blip. OCR started the year with two settlements in January and a further two in February. While there was a break in March, April has seen three settlements announced. Financial penalties will continue to be issued when covered entities are discovered to have committed serious violations of HIPAA Rules. Speaking at the Health Datapalooza yesterday, Severino said he viewed himself as the ‘top cop’ of health IT and confirmed he is taking his new role seriously and that he “came into this job with an enforcement mindset.” Further settlements with covered entities found to have ignored HIPAA Rules are to be expected. Severino highlighted the most recent OCR settlement – the $2.5 million penalty for CardioNet – as an example of just how important it is for healthcare organizations of all types to ensure that reasonable steps are taken to safeguard patient data and ensure ePHI remains...

Read More
MDLive Faces Class Action Lawsuit Over Alleged Patient Privacy Violations
Apr26

MDLive Faces Class Action Lawsuit Over Alleged Patient Privacy Violations

A class action lawsuit has been filed against the telemedicine company MDLive claiming the company violated the privacy of patients by disclosing sensitive medical information to a third party without informing or obtaining consent from patients. App users are required to enter in a range of sensitive information into the MDLive app; however, the complainant alleges that during the first 15 minutes of use, the app takes an average of 60 screenshots and that those screenshots are sent to an Israeli company called Test Fairy, which conducts quality control tests for MDLive. The lawsuit alleges patients are not informed that their information is disclosed to a third-party company, and that all data entered into the app can be viewed by MDLive employees, even though there is no reason for those employees to be able to view the data. Users of the app enter their medical information during setup in order to find local healthcare providers. The types of information entered by users includes sensitive data such as health conditions, recent medical procedures, behavioral health histories,...

Read More
Unencrypted Portable Devices are a HIPAA Breach Waiting to Happen
Apr25

Unencrypted Portable Devices are a HIPAA Breach Waiting to Happen

This week, OCR announced a new settlement with a covered entity to resolve HIPAA violations discovered during the investigation of an impermissible disclosure of ePHI. The incident that sparked the investigation was the theft of an unencrypted laptop computer from the vehicle of a CardioNet employee. This week has also seen two data breaches reported that have similarly involved the theft of portable devices. Earlier this week, Lifespan announced that a MacBook had been left in an employee’s vehicle from where it was stolen. The device was not encrypted and neither protected with a password. ePHI was accessible via the employee’s email account. More than 20,000 patients’ ePHI was potentially compromised. The second incident involved a flash drive rather than a laptop. Western Health Screening (WHS), a Billings, MT-based provider of on-site blood screening services, announced that patients’ names, phone numbers, addresses and some Social Security numbers have been exposed. The data on the drive related to individuals who had undergone blood screening tests between 2008 and 2012. A...

Read More
Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million
Apr24

Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine. A $2.5 million settlement has been agreed with CardioNet to resolve potential HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias. Settlement have previously been agreed with healthcare providers, health plans, and business associates of covered entities, but this is the first-time OCR has settled potential HIPAA violations with a wireless health services provider. While OCR has not previously fined a wireless health services provider for violating HIPAA Rules, the same cannot be said of the violations discovered. Numerous settlements have previously been agreed with covered entities after OCR discovered risk analysis and risk management failures. In this case, the settlement relates to a data...

Read More
68% of Healthcare Employees Would Share Regulated Data
Apr21

68% of Healthcare Employees Would Share Regulated Data

The Dell End User Security Survey has revealed that sensitive information, including data covered by HIPAA Rules, would be shared by employees without authorization under certain circumstances. The Dell End User Security Survey sought to uncover how widespread the unauthorized sharing of confidential information has become. The results show that even in heavily regulated industries such as healthcare, unauthorized data sharing is occurring. The survey was conducted on 2,608 individuals whose job duties involve handling confidential information. Across all industries, an alarming 72% of employees said they would willingly share sensitive information. 68% of healthcare employees who took part in the survey also confirmed that they would share PHI without authorization under certain circumstances. Dell explains that in most cases, unauthorized sharing of confidential data is not malicious. It occurs when employees are trying to be more efficient and work as effectively as possible. Unfortunately, however, in an effort to get more work completed in less time, those employees are taking...

Read More
OIG Issues Warning About HHS Agency Phone Scams
Apr19

OIG Issues Warning About HHS Agency Phone Scams

This year has seen numerous email scams conducted to gain access to the tax information of employees; however, recently, criminals have started picking up the phone to conduct their scams. Phone scams have spiked in recent weeks, with criminals impersonating Department of Health and Human Services’ employees, including the Office of Inspector General (OIG). The rise in phone scams has prompted OIG to issue a warning. Scammers have been pretending to be from the OIG claiming individuals are eligible to receive a government grant. While this would likely arouse suspicion, in this case the caller ID displays the number 1-800-447-8477 (1-800-HHS-TIPS). The number is the OIG hotline number for reporting potential incidences of fraud. The scammers tell individuals they are eligible to receive government grant money as a result of paying their taxes on time. However, in order to qualify for the grant, it is first necessary to confirm an individual’s identity. The attackers ask the individual to confirm their name and Social Security number or bank account number and other personal...

Read More
21 Employees Found to Have Accessed PHI Without Authorization
Apr17

21 Employees Found to Have Accessed PHI Without Authorization

A routine audit conducted by Virginia Mason Memorial has revealed employees have been accessing the protected health information of patients without authorization. Audits of PHI access logs occasionally reveal rogue employees have been improperly accessing the medical records of patients, but what makes this incident stand out is the number of employees that were discovered to have improperly viewed PHI. The audit revealed 21 employees had deliberately accessed PHI without authorization. Virginia Mason Memorial conducted the audit in January and immediately terminated access to PHI to prevent further privacy breaches. The investigation revealed those 21 employees had accessed the PHI of 419 patients. All of the patients had visited the hospital’s emergency room. The investigation was conducted internally, although the hospital also brought in a third-party cybersecurity firm to conduct a forensic analysis of its systems. That firm has also been searching the darknet to find out if any of the accessed records have made it onto darknet marketplaces. To date, no patient information...

Read More
Protenus Publishes Healthcare Data Breach Report for March 2017
Apr14

Protenus Publishes Healthcare Data Breach Report for March 2017

Protenus has released its Breach Barometer report for March 2017, which shows a significant increase in healthcare data breaches and a major jump in the number of individuals who have had their sensitive data exposed or stolen. In both January and February there were 31 reported healthcare data breaches, although March saw the figure jump to 39 incidents.  February saw relatively few individuals affected by healthcare data breaches. 206,151 patients and health plan members had some of their protected health information exposed last month. However, in March the figure jumped to 1,519,521 – more than 2.5 times the number of individuals impacted by healthcare data breaches in January and February combined. Almost half of those individuals had their ePHI exposed in the same incident – a 697,800-record theft incident reported by Commonwealth Health Corporation. The Protenus report shows insiders were the biggest cause of the healthcare data breaches reported in March, accounting for 44% of the total. There were 10 insider incidents reported in March that involved insider error and seven...

Read More
$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures
Apr13

$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011. Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation. The incident that triggered the OCR investigation was a phishing attack that occurred on December 5, 2011. A hacker sent phishing emails to (MCPN) personnel, the responses to which enabled that individual to gain access to employees’ email accounts. Those accounts contained the electronic protected health information of 3,200 patients. OCR investigates all breaches of more than 500 patient records to determine whether healthcare organizations have experienced a breach as a direct result of violations of HIPAA Rules. OCR notes that MCPN took the necessary action following the breach to prevent further phishing attacks from...

Read More
AMIA Suggests it’s Time for a HIPAA Update
Apr11

AMIA Suggests it’s Time for a HIPAA Update

The American Medical Informatics Association has suggested now is the time to update the Health Insurance Portability and Accountability Act (HIPAA) to make sure the legislation fits today’s connected world. The legislation was first introduced more than 20 years ago at a time when the Internet was just in its infancy. Over the past two decades, technology has advanced in ways that could not have been predicted when the legislation was written. Updates are now required to ensure HIPAA maintains pace with technology. HIPAA is perhaps best known for its privacy provisions, although these are commonly misunderstood by patients and healthcare providers alike. The HIPAA Privacy Rule allows patients to access their health data; although many patients are confused about what data they are able to access and what their rights actually are. The Department of Health and Human Services produced video guides last year to help patients understand their right to access their healthcare data under HIPAA; however, AMIA suggests more should be done to clarify the HIPAA right to access. Healthcare...

Read More
918,000 Patients’ Sensitive Information Exposed Online
Apr10

918,000 Patients’ Sensitive Information Exposed Online

The data of 918,000 patients who provided their sensitive information to HealthNow Networks, a Boca Raton, FL-based telemarketing organization that used to provide medical supplies to seniors, has been exposed online for many months. The data were discovered by an individual with the Twitter handle Flash Gordon after he conducted a search for unprotected data on the search engine Shodan. The data had been stored in an unprotected root folder on an Amazon Web Service installation owned by a software developer who had previously worked on a database for HealthNow Networks. The project was abandoned long ago although the data provided to the developer were not secured and could be accessed online. The database contained a range of highly sensitive data including individuals’ names, addresses, email addresses, telephone numbers, dates of birth, Social Security numbers, health insurance information and medical conditions. The data had been collected by the telemarketing firm and individuals had been offered discounted medical equipment in exchange for providing the firm with their data....

Read More
Large Hospitals and Teaching-Focused Hospitals Face Greater Risk of Data Breaches
Apr06

Large Hospitals and Teaching-Focused Hospitals Face Greater Risk of Data Breaches

A study recently published in JAMA Internal Medicine examined recent healthcare data breach trends to determine which types of hospitals are the most susceptible to data breaches. The researchers analyzed breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights between October 21, 2009 and December 31, 2016. During that time, 216 hospitals reported 257 breaches of more than 500 patient records. 33 hospitals experienced more than one data breach during that time frame. Four hospitals – Brigham and Women’s Hospital, Cook County Health & Hospitals System, Mount Sinai Medical Center and St. Vincent Hospital and Healthcare Inc – experienced three data breaches. Two hospitals – Montefiore Medical Center and University of Rochester Medical Center & Affiliates – experienced four data breaches. The researchers determined the size of the acute care hospitals by linking the facilities to their Medicare cost reports submitted to the Centers for Medicare and Medicaid Services in the 2014 fiscal year. 141 acute care hospitals were linked to CMS...

Read More
Quarter of Healthcare Organizations Do Not Encrypt Data Stored in the Cloud
Apr04

Quarter of Healthcare Organizations Do Not Encrypt Data Stored in the Cloud

A recent survey by HyTrust has revealed that a quarter of healthcare organizations do not use encryption to protect data at rest in the cloud, even though the lack of encryption potentially places sensitive data – including the protected health information of patients – at risk of being exposed. Amazon Web Service (AWS) one of the most popular choices with the healthcare industry, although many healthcare organizations are using multiple cloud service providers. 38% of respondents said they had a multi-cloud environment and 63% of respondents said they were planning to use multiple cloud service providers in the future. 63% of healthcare organizations said they were using the public cloud to store data. When asked about their main concerns, data security came top of the list – with 82% of surveyed healthcare organizations rating security as their number one concern. Despite the concerns about data security, encryption is not always employed. As Eric Chiu, co-founder and president of HyTrust explained, “For these care delivery organizations, choosing a flexible cloud security...

Read More
Dr. Donald Rucker Named New National Coordinator for Health IT
Apr03

Dr. Donald Rucker Named New National Coordinator for Health IT

Dr. Donald Rucker has been named as the new National Coordinator of the Department of Health and Human Services’ Office of the National Coordinator for Healthcare Information Technology. Nether the Department of Health and Human Services nor the Office of the National Coordinator for Healthcare Information Technology has officially announced the new appointment, although Dr. Donald Rucker’s name now appears in the HHS directory as National Coordinator. Donald Rucker will replace acting National Coordinator, Jon White, M.D., who took over the position following the resignation of Dr. Vindell Washington in January 2016. White is expected to return to his former position as deputy national coordinator. Prior to joining the ONC, Donald Rucker was an adjunct professor at the Department of Biomedical Informatics at Ohio State University’s College of Medicine. Prior to that appointment, Rucker was Chief Medical Officer at Premise Health for a year and CMO at Siemens Healthcare USA for 13 years. While at Siemens Healthcare USA, Rucker led the team that designed the computerized physician...

Read More
FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks
Mar29

FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks

The Federal Bureau of Investigation has issued a warning to healthcare organizations using File Transfer Protocol (FTP) servers. Medical and dental organizations have been advised to ensure FTP servers are configured to require users to be properly authenticated before access to stored data can be gained. Many FTP servers are configured to allow anonymous access using a common username such as ‘FTP’ or ‘anonymous’. In some cases, a generic password is required, although security researchers have discovered that in many cases, FTP servers can be accessed without a password. The FBI warning cites research conducted by the University of Michigan in 2015 that revealed more than 1 million FTP servers allowed anonymous access to stored data The FBI warns that hackers are targeting these anonymous FTP servers to gain access to the protected health information of patients. PHI carries a high value on the black market as it can be used for identity theft and fraud. Healthcare organizations could also be blackmailed if PHI is stolen. Last year, the hacker operating under the name...

Read More