HC3 Highlights Trends in Ransomware Attacks on the HPH Sector
May10

HC3 Highlights Trends in Ransomware Attacks on the HPH Sector

The tactics, techniques, and procedures (TTPs) used by ransomware and other cyber threat actors are constantly evolving to evade detection and allow the groups to conduct more successful attacks. The TTPs employed in the first quarter of 2022 by ransomware gangs have been analyzed and shared by the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3). In Q1, 2022, the majority of ransomware attacks on the Healthcare and Public Health Sector (HPH) were conducted by five ransomware-as-a-service groups. LockBit 2.0 and Conti each accounted for 31% of attacks, followed by SunCrypt (16%), ALPHV/BlackCat (11%), and Hive (11%). The financially motivated threat groups FIN7 and FIN12 have also shifted their activities and have moved to ransomware operations, with FIN7 working with ALPHV and FIN12 extensively involved in attacks on the HPH sector. FIN12’s involvement has decreased the timescale for conducting attacks from 5 days to 2 days. Ransomware gangs often work with initial access brokers (IABs) that specialize in gaining access to...

Read More
Connecticut Passes Comprehensive Data Privacy Law
May06

Connecticut Passes Comprehensive Data Privacy Law

Connecticut has joined California, Colorado, Utah, and Virginia in passing a comprehensive new data privacy law that establishes responsibilities for businesses that collect and process the personal data of state residents and gives consumers new rights. The Connecticut Data Privacy Act (Senate Bill 6) was passed 35-0 by the Senate and 144-5 in the House of Representatives and awaits the signature of the state Governor, Ned Lamont. The new privacy law comes into effect on July 1, 2023. The new law establishes a framework for controlling and processing the personal data of state residents, sets privacy protection standards for data controllers and data processors, and gives state residents rights over the collection and use of their personal data. Consumers will be given the right to access their personal data held by a company, obtain a copy of that information, and correct any errors. Consumers will also have the right to be forgotten and have their personal data deleted. Consumers can also choose to opt out of the processing of their personal data for targeted advertising,...

Read More
New Framework for Assessing the Privacy, Security, and Safety of Digital Health Technologies
May06

New Framework for Assessing the Privacy, Security, and Safety of Digital Health Technologies

The American College of Physicians (ACP), American Telemedicine Association (ATA), and the Organization for the Review of Care and Health Applications (ORCHA) have collaborated to produce a new framework for assessing the digital health technologies used by healthcare professionals and patients. Currently, more than 86 million Americans use a health or fitness app. These digital health technologies, which include more than 365,000 individual products, can collect, store, process, and transmit personal and health information that would be classed as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA); however, the majority of these technologies are not covered by HIPAA and fall outside of other regulations, federal laws, and government guidance. The lack of guidance in this area is hindering the adoption of digital health technologies, which have tremendous potential for improving condition management, clinical risk assessment, and decision support. The developers of digital health technologies often share user data collected by...

Read More
NIST Publishes Updated Cybersecurity Supply Chain Risk Management Guidance
May06

NIST Publishes Updated Cybersecurity Supply Chain Risk Management Guidance

On Thursday, the National Institute of Standards and Technology (NIST) published updated cybersecurity supply chain risk management (C-SCRM) guidance to help organizations develop an effective program for identifying, assessing, and responding to cybersecurity risks throughout the supply chain. Cyber threat actors are increasingly targeting the supply chain. A successful attack on a single supplier can allow the threat actor to compromise the networks of all companies that use the product or service, as was the case with the REvil ransomware attack on Kaseya in 2021. The threat actors exploited a vulnerability in Kaseya VSA software and the attack affected up to 1,500 businesses. The publication, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1), is the result of a multiyear process that included the release of two draft versions of the guidance. The updated guidance can be used to identify, assess, and respond to cybersecurity risks throughout the supply chain at all levels of an organization. While...

Read More
HHS Information Security Program Rated ‘Not Effective’
May04

HHS Information Security Program Rated ‘Not Effective’

An audit of the Department of Health and Human Services conducted for the HHS’ Office of Inspector General (OIG) to assess compliance with the Federal Information Security Modernization Act of 2014 (FISMA) in the fiscal year 2021 has seen the agency’s information security program rated ‘not effective’, as was the case in fiscal years 2018, 2019, and 2020. The audit was conducted at five of the 12 operating divisions of the HHS, although OIG did not state which five divisions were audited. In order to receive an effective rating, the HHS is required to reach the ‘Managed and Measurable’ maturity level for the Identify, Protect, Detect, Respond, and Recover function areas, as required by DHS guidance and the FY 2021 Inspector General FISMA Reporting Metrics. OIG said in the report that the HHS has continued to make changes to strengthen the maturity of its enterprise-wide cybersecurity program and is making progress to sustain cybersecurity across all FISMA domains. The HHS security program strengthened the maturity of controls for several individual FISMA metrics,...

Read More
HHS Warns HPH Sector About Insider Threats in Healthcare
Apr25

HHS Warns HPH Sector About Insider Threats in Healthcare

Healthcare data breaches are occurring in record numbers, but not all privacy and security threats come from outside the organization. The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has recently issued a warning about the threat from within. Insider Threats in Healthcare Nation-state hacking groups, cybercriminal gangs, and lone hackers have long targeted the healthcare industry, but there is also a significant threat of data breaches due to insiders. Insider threats are those involving individuals within a healthcare organization, such as employees, but also contractors and business associates that have been provided with access to healthcare assets and systems. These individuals may be aware of the security practices employed by the organization and have awareness of the network, computer systems, and the location of sensitive data. Oftentimes they will have been provided with access to sensitive data to complete their work or contracted duties. According to the Verizon 2021 Data Breach Report, there was a decline in external...

Read More
March 2022 Healthcare Data Breach Report
Apr19

March 2022 Healthcare Data Breach Report

For the fourth successive month, the number of reported healthcare data breaches has fallen. In March 2022, 43 healthcare data breaches of 500 or more records were reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which is a 6.52% fall from February and well below the 12-month average of 57.75 data breaches a month. However, there was a 36.94% increase in the number of breached records compared to February. Across the 43 reported breaches, 3,083,988 healthcare records were exposed, stolen, or impermissibly disclosed, which is slightly below the average of 3,424,818 breached records a month over the past 12 months. Largest Healthcare Data Breaches in March 2022 In March 2022, there were 25 data breaches reported to OCR that affected 10,000 or more individuals, all but one of which were hacking incidents. The largest data breach of the month affected over half a million patients. Christie Business Holdings Company, which operates Christie Clinic in Illinois, discovered an employee email account had been accessed by unauthorized individuals...

Read More
On-the-spot Email Interventions Reduce Repeat Medical Record Snooping Incidents by 95%
Apr19

On-the-spot Email Interventions Reduce Repeat Medical Record Snooping Incidents by 95%

Immediate intervention following an instance of unauthorized access to protected health information (PHI) by a healthcare employee is 95% effective at preventing repeat offenses, according to a new study published in JAMA Open Network. Healthcare data breaches are occurring at record levels, and while large data breaches are often the result of hacking and other IT incidents, insider breaches such as snooping on medical records are common. According to HHS data, in 2019, 92% of combined small and large breaches were tied to unauthorized access. While many cases of employees snooping on the medical records of VIP patients have been covered in the media, these types of snooping incidents are relatively uncommon. It is much more common for healthcare employees to access the medical records of family members, friends, and colleagues, and those privacy violations can be just as damaging for patients. All cases of unauthorized access start with an employee accessing a single patient record, but they can easily turn into major data breaches if left unchecked. There have been several cases...

Read More
Increase in Class Action Lawsuits Following Healthcare Data Incidents
Apr12

Increase in Class Action Lawsuits Following Healthcare Data Incidents

The law firm BakerHostetler has published its 8th Annual Data Security Incident Response (DSIR) Report, which provides insights based on 1,270 data security incidents managed by the firm in 2021. 23% of those incidents involved data security incidents at healthcare organizations, which was the most targeted sector. Ransomware Attacks Increased in 2021 Ransomware attacks have continued to occur at elevated levels, with them accounting for 37% of all data security incidents handled by the firm in 2021, compared to 27% in 2020 and there are no signs that attacks will decrease in 2022. Attacks on healthcare organizations increased considerably year over year. 35% of healthcare security incidents handled by BakerHostetler in 2021 involved ransomware, up from 20% in 2022. Ransom demands and payments decreased in 2021. In healthcare, the average initial ransom demand was $8,329,520 (median $1,043,480) and the average ransom paid was $875,784 (median $500,846) which is around two-thirds of the amount paid in 2020. Restoration of files took an average of 6.1 days following payment of the...

Read More
Audit of the Connecticut Health Insurance Exchange Uncovers 44 Unreported Data Breaches
Apr06

Audit of the Connecticut Health Insurance Exchange Uncovers 44 Unreported Data Breaches

An audit of Connecticut’s Health Insurance Exchange, Access Health CT, by the state auditor has revealed Access Health CT suffered 44 data breaches over the last 3.5 years that had not been fully reported and that sufficient steps had not been taken to safeguard sensitive data. The Connecticut Health Insurance Exchange acts as a health insurance marketplace to reduce the number of state residents who do not have health insurance and to facilitate applications by low-income individuals for Medicaid coverage, as required under The Affordable Care Act. While Access Health had reported the data breaches to the Department of Health and Human Services, as required by HIPAA, and the state attorney general had been notified, the breaches had not been reported to the state auditor and comptroller. Under state law, the Connecticut Health Insurance Exchange is required to notify the Auditors of Public Accounts and the State Comptroller promptly when a security breach is discovered. The majority of the data breaches were small incidents, with most of the breaches (34) involving a Hampton,...

Read More
OCR Announces 4 Financial Penalties to Resolve HIPAA Violations
Mar29

OCR Announces 4 Financial Penalties to Resolve HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first financial penalties of 2022 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Three of the cases were settled with OCR, and one resulted in a civil monetary penalty being imposed. OCR is continuing to enforce compliance with the HIPAA Right of Access, with two of the enforcement actions resolving violations of this important HIPAA provision. One of the fines was been imposed, in part, for overcharging a patient who requested a copy of their medical records – The first financial penalty under the 2019 enforcement initiative to allege overcharging for copies of medical records. To date, OCR has imposed 27 financial penalties on healthcare providers that have failed to provide patients with timely access to their medical records. The other two cases involved impermissible disclosures of the protected health information of patients. “Between the rising pace of breaches of unsecured protected health information and continued cyber...

Read More
February 2022 Healthcare Data Breach Report
Mar22

February 2022 Healthcare Data Breach Report

For the third successive month, the number of data breaches reported to the HHS’ Office for Civil Rights (OCR) has fallen. 46 healthcare data breaches of 500 or more records were reported to OCR in February – an 8% fall from January. February saw the lowest number of data breaches in the past 5 months. Even with the reduction in breaches, on average, more than 2 healthcare data breaches have been reported each day over the past 12 months. From March 1, 2021, to February 28, 2022, there have been 723 reported data breaches of 500 or more records. Across February’s 46 incidents, the records of 2,525,023 individuals were exposed or compromised – a 2.28% fall from the previous month – which is considerably lower than the 3,506,400 records that have been breached each month, on average, from March 1, 2021, to February 28, 2022. At least 42,076,805 healthcare records were exposed over that period. In February, the average breach size was 48,957 records and the median breach size was 7,014 records. Largest Healthcare Data Breaches Reported in February 2022 22 HIPAA-regulated entities...

Read More
Eastern Ozarks Regional Health Sued by Arkansas AG for Failure to Secure Patient Data
Mar18

Eastern Ozarks Regional Health Sued by Arkansas AG for Failure to Secure Patient Data

Arkansas Attorney General Leslie Rutledge announced this week that legal action is being taken against Country Medical Services Inc., the former operator of Eastern Ozarks Regional Health System in Cherokee Village, and owners Robert Becht of Hartsville, TN, and Theresa Hanson of Deland, FL, for mishandling the sensitive personal and protected information of thousands of individuals. In December 2004, Eastern Ozarks Regional Health’s 40-bed hospital was permanently closed. Country Medical Services had run the hospital for 9 years; however, an investigation by the state Department of Health identified almost 3 dozen potential violations of the Emergency Medical Treatment and Labor Act, as the hospital was unable to provide emergency services. Rather than face the financial penalties, the hospital immediately terminated its hospital license in 2004. 6 years later, the property was transferred to the state after the owners failed to pay their taxes. An inspection of the property by the office of the Attorney General identified boxes of files in the property that contained...

Read More
OCR: HIPAA Security Rule Compliance Can Prevent and Mitigate Most Cyberattacks
Mar18

OCR: HIPAA Security Rule Compliance Can Prevent and Mitigate Most Cyberattacks

Healthcare hacking incidents have been steadily rising for a number of years. There was a 45% increase in hacking/IT incidents between 2019 and 2020, and in 2021, 66% of breaches of unsecured electronic protected health information were due to hacking and other IT incidents. A large percentage of those breaches could have been prevented if HIPAA-regulated entities were fully compliant with the HIPAA Security Rule. The Department of Health and Human Services’ Office for Civil Rights explained in its March 2022 cybersecurity newsletter that compliance with the HIPAA Security Rule will prevent or substantially mitigate most cyberattacks. Most cyberattacks on the healthcare industry are financially motivated and are conducted to steal electronic protected health information or encrypt patient data to prevent legitimate access. The initial access to healthcare networks is gained via tried and tested methods such as phishing attacks and the exploitation of known vulnerabilities and weak authentication protocols, rather than exploiting previously unknown vulnerabilities. Prevention of...

Read More
DOJ Settles Civil Cyber Fraud Initiative Case with CHS and Imposes a $930,000 Penalty
Mar16

DOJ Settles Civil Cyber Fraud Initiative Case with CHS and Imposes a $930,000 Penalty

The U.S. Department of Justice (DOJ) has announced a settlement has been reached with the Cape Canaveral, FL-based healthcare services contractor, Comprehensive Health Services (CHS), to resolve alleged False Claims Act violations. This is the first settlement to be reached under the DOJ Civil Cyber Fraud Initiative, which was launched in 2021. The Civil Cyber Fraud Initiative was launched to pursue cases against government contractors that knowingly used deficient cybersecurity products and services which put information systems at risk, as well as failures to report cybersecurity incidents. CHS and its subsidiaries had contracts with the U.S. Department of State and the U.S. Air Force to operate medical services at U.S. military facilities in Afghanistan and Iraq. Two actions were filed under the whistleblower provisions of the False Claims Act that alleged CHS received payment for operating those medical facilities but failed to operate them in a manner consistent with U.S. standards. CHS was alleged to have failed to maintain appropriate staffing levels, allowed unqualified...

Read More
Breach Barometer Report Shows Over 50 Million Healthcare Records Were Breached in 2021
Mar11

Breach Barometer Report Shows Over 50 Million Healthcare Records Were Breached in 2021

Protenus has released its 2022 Breach Barometer Report which confirms 2021 was a particularly bad year for healthcare industry data breaches, with more than 50 million healthcare records exposed or compromised in 2021. The report includes healthcare data breaches reported to regulators, as well as data breaches that have been reported in the media, incidents that have not been disclosed by the breached entity, and data breaches involving healthcare data at non-HIPAA-regulated entities. The data for the report was provided by databreaches.net. Protenus has been releasing annual Breach Barometer reports since 2016, and the number of healthcare data breaches has increased every year, with the number of breached records increasing every year since 2017. In 2021, it has been confirmed that at least 50,406,838 individuals were affected by healthcare data breaches, a 24% increase from the previous year. 905 incidents are included in the report, which is a 19% increase from 2020. The largest healthcare data breach of the year occurred affected Florida Healthy Kids Corporation, a...

Read More
Warning Issued About Access:7 Vulnerabilities Affecting IoT and Medical Devices
Mar09

Warning Issued About Access:7 Vulnerabilities Affecting IoT and Medical Devices

7 vulnerabilities dubbed Access:7 have been identified in the web-based technologies PTC Axeda and Axeda Desktop Server, which are used to allow one or more people to securely view and operate the same remote desktop via the Internet. If exploited, an attacker could gain full system access, remotely execute code, trigger a denial-of-service condition, read and change configurations, and obtain file system read access and log information access. Three of the vulnerabilities are rated critical and have a CVSS severity score of 9.8 out of 10. PTC Axeda and Axeda Desktop Server are remote asset connectivity software solutions that are used as part of a cloud-based IoT platform. The software is extensively used in medical and Internet-of-Things (IoT) devices to manage and remotely access connected devices, including multiple medical imaging and laboratory devices. At present, none of the vulnerabilities are believed to have been exploited in the wild. The vulnerabilities affect all versions of the software. They are: CVE-2022-25246 – Hard-coded credentials – CVSS Severity Score 9.8/10...

Read More
HC3 Report Reveals Cyberattack Trends and Provides Insights to Improve Healthcare Cybersecurity
Mar08

HC3 Report Reveals Cyberattack Trends and Provides Insights to Improve Healthcare Cybersecurity

The HHS’ Health Sector Cybersecurity Coordination Center has released a new report – Health Sector Cybersecurity: 2021 – Retrospective and 2022 Look Ahead – that provides a retrospective look at healthcare cybersecurity over the past 3 decades, detailing some of the major cyberattacks to hit the healthcare industry starting with the first-ever ransomware attack in 1989. That incident saw Biologist Joseph Popp distribute 20,000 floppy disks at the World Health Organization AIDS conference in Stockholm. When used, the disks installed malicious code which tracked reboots. After 90 reboots, a ransom note was displayed that claimed the software lease had expired and a payment of $189 was required to regain access to the system. The report shows how adversaries stepped up their attacks on the healthcare industry from 2014 through 2017. In 2014, Boston Children’s Hospital suffered a major distributed Denial of Service (DDoS) attack, there was a massive cyberattack on Anthem Inc. in 2015 that resulted in the unauthorized accessing of the records of 80 million health plan...

Read More
Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk
Mar07

Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk

There have been calls for healthcare organizations to take steps to improve security due to a major rise in hacking incidents, ransomware attacks, and vulnerability disclosures in 2021. Record numbers of healthcare data breaches were reported last year, and tens of millions of healthcare records were compromised. Adhering to the minimum requirements of the HIPAA Security Rule and conducting risk analyses, having robust risk management practices, conducting vulnerability scans, and implementing technical safeguards such as intrusion prevention systems, next-generation firewalls, and spam filters are all important measures to improve cybersecurity and ensure HIPAA compliance, but it is also important to improve the human aspect of cybersecurity. Risky employee behaviors need to be eradicated and the workforce needs to be trained to be more security-aware and taught how to recognize common attacks that target individuals, such as phishing and social engineering. The human aspect of cybersecurity is often one of the weakest links in the security chain, which has been highlighted by a...

Read More
OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture
Mar01

OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture

In a recent blog post, Director of the HHS’ Office for Civil Rights, Lisa J. Pino, urged HIPAA-regulated entities to take steps to strengthen their cybersecurity posture in 2022 in light of the increase in cyberattacks on the healthcare industry. 2021 was a particularly bad year for healthcare organizations, with the number of reported healthcare data breaches reaching record levels. 714 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in 2021 and more than 45 million records were breached. The breach reports were dominated by hacking and other IT incidents that resulted in the exposure or theft of the healthcare data of more than 43 million individuals. In 2021, hackers took advantage of healthcare organizations dealing with the COVID-19 pandemic and conducted several attacks that had a direct impact on patient care and resulted in canceled surgeries, medical examinations, and other services as a result of IT systems being taken offline and network access being disabled. Pino also drew attention to the critical vulnerability...

Read More
NCCoE Releases Final Version of NIST Securing Telehealth Remote Patient Monitoring Ecosystem Guidance
Feb23

NCCoE Releases Final Version of NIST Securing Telehealth Remote Patient Monitoring Ecosystem Guidance

The National Cybersecurity Center of Excellence (NCCoE) has published the final version of NIST guidance on Securing Telehealth Remote Patient Monitoring Ecosystem (SP 1800-30). Healthcare delivery organizations have been increasingly adopting telehealth and remote patient monitoring (RPM) systems to improve the care they provide to patients while reducing costs. Patient monitoring systems have traditionally only been used in healthcare facilities but there are advantages to using these solutions in patients’ homes. Many patients prefer to receive care at home, the cost of receiving that care is reduced, and healthcare delivery organizations benefit from freeing up bed space and being able to treat more patients. While there are advantages to be gained from the provision of virtual care and the remote monitoring of patients in their homes, telehealth and RPM systems can introduce vulnerabilities that could put sensitive patient data at risk and if RPM systems are not adequately protected, they could be vulnerable to cyberattacks that could disrupt patient monitoring services....

Read More
January 2022 Healthcare Data Breach Report
Feb22

January 2022 Healthcare Data Breach Report

50 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR) in January 2022. January was the second successive month where the number of reported data breaches fell, although 38.9% more breaches were reported last month than in January 2020. The protected health information of 2,304,607 individuals was exposed or impermissibly disclosed across those 50 breaches – 22% fewer records than December 2021, and well below the 12-month average of 3.51 million records a month. 726 data breaches of 500 or more records were reported to OCR in the 12 months from February 2021 to January 2022, and 42,175,121 records were breached across those 726 incidents.   Largest Healthcare Data Breaches in January 2022 18 healthcare data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights in January 2022, including one major data breach that affected more than 1.35 million Broward Health patients. Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Location of Breached Information Breach...

Read More
Bipartisan Legislation Introduced to Modernize Health Data Privacy Laws
Feb14

Bipartisan Legislation Introduced to Modernize Health Data Privacy Laws

Healthcare privacy laws in the United States are due an update to bring them into the modern age to ensure individually identifiable health information is protected no matter how it is collected and shared. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is now more than 2 decades old, and while the Department of Health and Human Services (HHS) has proposed updates to the HIPAA Privacy Rule that are due to be finalized this year, even if the proposed HIPAA Privacy Rule changes are signed into law, there will still be regulatory gaps that place health data at risk. The use of technology for healthcare and health information has grown in a way that could not be envisaged when the Privacy Rule was signed into law. Health information is now being collected by health apps and other technologies, and individuals’ sensitive health information is being shared with and sold by technology companies. The HIPAA Privacy and Security Rules introduced requirements to ensure the privacy and security of health data, but HIPAA only applies to HIPAA-covered entities –...

Read More
What Does HIPAA Stand For?
Feb10

What Does HIPAA Stand For?

Many articles discussing what does HIPAA stand for fail to give a complete answer. Most state that HIPAA is an acronym of the Health Insurance Portability and Accountability Act of 1996 and that it led to the development of standards for the privacy of Protected Health Information. However, few articles discussing what does HIPAA stand for explain how a bill with the objective of reforming the health insurance industry evolved into an act of legislation that now controls how healthcare data is safeguarded. To best fully explain what does HIPAA stand for, it is a necessary to look at the state of the health insurance industry prior to 1996. The industry had grown from a handful of companies offering accident insurance in the 1850s – and employer-sponsored disability insurance from 1911 onwards – into a multi-billion dollar business by the end of the twentieth century. However, at the time, the healthcare insurance industry was governed by a hotchpotch of federal and state legislation. The reason for the hotchpotch of legislation was that, in the early days, many...

Read More
RI Attorney General Subpoenas RIPTA and UnitedHealthcare Over 22,000-Record Data Breach
Feb04

RI Attorney General Subpoenas RIPTA and UnitedHealthcare Over 22,000-Record Data Breach

The Rhode Island Attorney General is investigating UnitedHealthcare and the Rhode Island Public Transit Authority (RIPTA) over a cyberattack and data breach that resulted in hackers gaining access to RIPTA’s network that contained the sensitive personal and protected health information of up to 22,000 individuals. The Office of the Rhode Island Attorney General was notified about the security breach on December 23, 2021. RIPTA said it discovered and blocked a cyberattack on August 5, 2021, with its investigation confirming the hackers gained access to its network on August 3, 2021. Files stored on the compromised part of its network included extensive information on its employees, including names, dates of birth, Social Security numbers, and health plan ID numbers, along with the sensitive information of thousands of state employees who had never worked at RIPTA. RIPTA reported the breach to the HHS’ Office for Civil Rights as affecting 5,015 individuals but said in its breach notice that the incident had resulted in the exposure of the personal data of 17,378 individuals....

Read More
Technologies Supporting Telehealth Have Placed Healthcare Data at Risk
Feb02

Technologies Supporting Telehealth Have Placed Healthcare Data at Risk

A new report from Kaspersky shows the massive increase in telehealth has placed healthcare data at risk. Vulnerabilities have been found in the technologies that support telemedicine, many of which have not yet been addressed. Massive Increase in the Use of Telehealth The COVID-19 pandemic has led to an increase in virtual visits, with healthcare providers increasing access to telehealth care to help curb infections and cut costs. Virtual visits are conducted via the telephone, video-conferencing apps, and other platforms, and a host of new technologies and products such as wearable devices for measuring vital signs, implanted sensors, and cloud services are also being used to support telehealth. Data from McKinsey shows telemedicine usage has increased by 38% since before the emergence of SARS-Cov-2 and COVID-19, and the CDC reports that between June 26, 2020, and November 6, 2020, around 30% of all consultations with doctors were taking place virtually.  Kaspersky says that its own data indicate 91% of healthcare providers around the world have implemented the technology to give...

Read More
What is Considered PHI Under HIPAA?
Jan28

What is Considered PHI Under HIPAA?

In a healthcare environment, you are likely to hear health information referred to as protected health information or PHI, but what is considered PHI under HIPAA? What is Considered PHI Under HIPAA Rules? Under HIPAA PHI is considered to be any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity – a healthcare provider, health plan or health insurer, or a healthcare clearinghouse – or a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services. It is not only past and current health information that is considered PHI under HIPAA Rules, but also future information about medical conditions or physical and mental health related to the provision of care or payment for care. PHI is health information in any form, including physical records, electronic records, or spoken information. Therefore, PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it includes individual...

Read More
Florida County Drug Screening Lab Exposed Sensitive Data Online for 4 Years
Jan28

Florida County Drug Screening Lab Exposed Sensitive Data Online for 4 Years

A misconfiguration of an internal website portal used by a Florida county drug screening lab exposed sensitive information online for a period of more than four years. St. Lucie County’s drug screening lab (SLC Lab) provides drug testing services for employment, court cases, and other purposes. The configuration error was discovered on October 13, 2021, and the issue was immediately corrected. Assisted by third-party cybersecurity professionals, the country determined on December 28, 2021, that the configuration error occurred on June 2, 2017. From June 2, 2017, to October 13, 2021, sensitive data were accessible to certain portal users, including full names, dates of birth, Social Security numbers, and limited information related to the type of drug test performed and the result of the lab test. While sensitive data were exposed via the web portal for 4 years, SLC Lab said it has not been notified about any cases of improper use of any of the exposed information and is unaware of any cases of identity theft or fraud as a result of the portal misconfiguration. SLC Lab did not...

Read More
New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach
Jan25

New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach

The first settlement of 2022 to resolve a healthcare data breach has been announced by New York Attorney General Letitia James. The Ohio-based vision benefits provider EyeMed Vision Care has agreed to pay a financial penalty of $600,000 to resolve a 2020 data breach that saw the personal information of 2.1 million individuals compromised nationwide, including the personal information of 98,632 New York residents. The data breach occurred on or around June 24, 2020, and saw unauthorized individuals gain access to an EyeMed email account that contained sensitive consumer data provided in connection with vision benefits enrollment and coverage. The attacker had access to the email account for around a week and was able to view emails and attachments spanning a period of 6 years dating back to January 3, 2014. The emails contained a range of sensitive information including names, contact information, dates of birth, account information for health insurance accounts, full or partial Social Security numbers, Medicare/Medicaid numbers, driver’s license numbers, government ID numbers,...

Read More
More Than Half of All Healthcare IoT Devices Have a Known, Unpatched Critical Vulnerability
Jan24

More Than Half of All Healthcare IoT Devices Have a Known, Unpatched Critical Vulnerability

A recent study by the healthcare IoT security platform provider Cynerio has revealed 53% of connected medical devices and other healthcare IoT devices have at least one unaddressed critical vulnerability that could potentially be exploited to gain access to networks and sensitive data or affect the availability of the devices. The researchers also found a third of bedside healthcare IoT devices have at least one unpatched critical vulnerability that could affect service availability, data confidentiality, or place patient safety in jeopardy. The researchers analyzed the connected device footprints at more than 300 hospitals to identify risks and vulnerabilities in their Internet of Medical Things (IoMT) and IoT devices. IV pumps are the most commonly used healthcare IoT device, making up around 38% of a hospital’s IoT footprint. It is these devices that were found to be the most vulnerable to attack, with 73% having a vulnerability that could threaten patient safety, service availability, or result in data theft. 50% of VOIP systems contained vulnerabilities, with ultrasound...

Read More
HHS Releases Final Trusted Exchange Framework and Common Agreement
Jan19

HHS Releases Final Trusted Exchange Framework and Common Agreement

The Department of Health and Human Services’ Office of the National Coordinator for Health IT has released the final version of its Trusted Exchange Framework and the Common Agreement (TEFCA) – a governance framework for nationwide health information exchange. Two previous versions of TEFCA have been released, the first in 2018 and the second in 2019, with the final version taking into consideration feedback provided by healthcare industry stakeholders. TEFCA was a requirement of the 21st Century Cures Act and has been 5 years in the making. The announcement this week sees the HHS finally move into the implementation phase of TEFCA. The Trusted Exchange Framework is a set of non-binding foundational principles for health information exchange and outlines propositions for standardization, cooperation, privacy, security, access, equity, openness and transparency, and public health. The second component is the common agreement, which is a legal contract that a Qualified Health Information Network (QHIN) enters into with the ONC’s Recognized Coordinating Entity (RCE). The RCE, the...

Read More
December 2021 Healthcare Data Breach Report
Jan18

December 2021 Healthcare Data Breach Report

56 data breaches of 500 or more healthcare records were reported to the HHS’ Office for Civil Rights (OCR) in December 2021, which is a 17.64% decrease from the previous month. In 2021, an average of 59 data breaches were reported each month and 712 healthcare data breaches were reported between January 1 and December 31, 2021. That sets a new record for healthcare data breaches, exceeding last year’s total by 70 – An 10.9% increase from 2020. Across December’s 56 data breaches, 2,951,901 records were exposed or impermissibly disclosed – a 24.52% increase from the previous month. At the time of posting, the OCR breach portal shows 45,706,882 healthcare records were breached in 2021 – The second-highest total since OCR started publishing summaries of healthcare data breaches in 2009. Largest Healthcare Data Breaches in December 2021 Name of Covered Entity State Covered Entity Type Individuals Affected Breach Cause Oregon Anesthesiology Group, P.C. OR Healthcare Provider 750,500 Ransomware Texas ENT Specialists TX Healthcare Provider 535,489 Ransomware Monongalia Health System, Inc....

Read More
What is a HIPAA Violation?
Jan14

What is a HIPAA Violation?

Barely a day goes by without a news report of a hospital, health plan, or healthcare professional violating HIPAA, but what is a HIPAA violation and what happens when a violation occurs? What is a HIPAA Violation? The Health Insurance Portability and Accountability Act of 1996 is a landmark piece of legislation that was introduced to simplify the administration of healthcare, eliminate wastage, prevent healthcare fraud, and ensure that employees could maintain healthcare coverage when between jobs. There have been notable updates to HIPAA to improve privacy protections for patients and health plan members over the years which help to ensure healthcare data is safeguarded and the privacy of patients is protected. Those updates include the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule. A HIPAA violation is a failure to comply with any aspect of HIPAA standards and provisions detailed in detailed in 45 CFR Parts 160, 162, and 164. The combined text of all HIPAA regulations published by the Department of Health and Human Services...

Read More
New HIPAA Regulations in 2022
Jan14

New HIPAA Regulations in 2022

It has been several years since new HIPAA regulations have been signed into law, but HIPAA changes in 2022 are expected. The last update to the HIPAA Rules was the HIPAA Omnibus Rule in 2013, which introduced new requirements mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. OCR issued a Notice of Proposed Rulemaking (NPRM) on December 10, 2020, that proposed a slew of changes to the HIPAA Privacy Rule, and a Final Rule is expected to be issued in 2022; however, no date has yet been provided on when the 2022 HIPAA changes will take effect and become enforceable. Over the past few years, new HIPAA regulations under consideration include changes to how substance abuse and mental health information records are protected. As part of efforts to tackle the opioid crisis, the HHS is considering changes to both HIPAA and 42 CFR Part 2 regulations that serve to protect the privacy of substance abuse disorder patients who seek treatment at federally assisted programs to improve the level of care that can be provided. There have been calls from many...

Read More
Is it a HIPAA Violation to Email Patient Names?
Jan14

Is it a HIPAA Violation to Email Patient Names?

We have been asked is it a HIPAA violation to email patient names and other protected health information? In answer to this and similar questions, we will clarify how HIPAA relates to email and explain some of the precautions HIPAA covered entities and healthcare employees should take to ensure compliance when using email to send electronic protected health information. Is it a HIPAA Violation to Email Patient Names? Patient names (first and last name or last name and initial) are one of the 18 identifiers classed as protected health information (PHI) in the HIPAA Privacy Rule. HIPAA does not prohibit the electronic transmission of PHI. Electronic communications, including email, are permitted, although HIPAA-covered entities must apply reasonable safeguards when transmitting ePHI to ensure the confidentiality and integrity of data. It is not a HIPAA violation to email patient names per se, although patient names and other PHI should not be included in the subject lines of emails as the information could easily be viewed by unauthorized individuals. Even when messages are protected...

Read More
HIPAA Social Media Rules
Jan12

HIPAA Social Media Rules

HIPAA was enacted several years before social media networks such as Facebook and Instagram were launched, so there are no specific HIPAA social media rules. However, as with all healthcare-related communications, the HIPAA Privacy Rule still applies whenever covered entities or business associates – or employees of either – use social media networks. There are many benefits to be gained from using social media. Social media networks allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media networks. However, there is also considerable potential for HIPAA rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules? HIPAA and Social Media Healthcare organizations must implement a HIPAA social media policy to reduce the risk of...

Read More
Possible HIPAA Updates and HIPAA Changes in 2022
Jan10

Possible HIPAA Updates and HIPAA Changes in 2022

The Health Insurance Portability and Accountability Act was signed into law in 1996 and while there have been some significant HIPAA updates over the last two decades, the last set of major HIPAA updates occurred in 2013 with the introduction of the HIPAA Omnibus Final Rule. Updates to HIPAA are long overdue but steps were finally made to update HIPAA in December 2020, when the HHS issued a notice of Proposed Rulemaking that detailed several proposed changes to the HIPAA Privacy Rule, and a Final Rule is now due which will likely see many HIPAA changes in 2022. Major HIPAA Updates in the Past 20 Years Since HIPAA was signed into law there have been a few major HIPAA updates. The HIPAA Privacy and Security Rules were introduced which limited uses and disclosures of protected health information, gave patients new rights over their healthcare data, and introduced a set of minimum security standards. Those HIPAA updates were followed by the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which saw the introduction of the Breach...

Read More
2020-2021 HIPAA Violation Cases and Penalties
Jan04

2020-2021 HIPAA Violation Cases and Penalties

The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance. $13,554,900 was paid to OCR to settle the HIPAA violation cases. 2021 saw a slight reduction in the number of settlements and fines for HIPAA violations, with 14 enforcement actions announced by OCR. Even so, 2021 had the second-highest number of HIPAA fines of any year since OCR started enforcing compliance with the HIPAA Rules. While the number of penalties was still high in 2021, there was a sizeable reduction in penalty amounts which totaled $5,982,150 for the year, and $5,100,000 of that total came from just one enforcement action. The reason for this is that most of the penalties were for violations of the HIPAA Right of Access, and were in response to investigations of complaints filed by patients who had not been provided with timely access to their medical records, rather than penalties for...

Read More
What is HIPAA Certification?
Jan03

What is HIPAA Certification?

HIPAA certification has two meanings. It can either be a point in time accreditation demonstrating an organization has passed a HIPAA compliance audit, or a recognition that members of the organization´s workforce have achieved the level of HIPAA knowledge required to comply with the organization´s policies and procedures. Both are useful accreditations to have. There are two things organizations and their workforces should be aware of before undertaking a HIPAA certification program. There are no requirements in HIPAA for organizations and/or their workforces to certify compliance, and certification is not a “get out of jail free card” that will absolve negligent parties from HIPAA violations. So why get certified? Why Get Certified as being HIPAA Compliant? The first reason for getting certified is that, in order to achieve an accreditation, organizations will have to adopt best privacy practices and implement the administrative, technical, and physical safeguards of the HIPAA Security Rule. This in itself will reduce the likelihood of HIPAA violations and data breaches – leading...

Read More
The Most Common HIPAA Violations You Should Be Aware Of
Jan02

The Most Common HIPAA Violations You Should Be Aware Of

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI. The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules. This article covers five of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years. Are Data Breaches HIPAA Violations? Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare...

Read More
Healthcare Supply Chain Association Issues Guidance on Medical Device and Service Cybersecurity
Dec31

Healthcare Supply Chain Association Issues Guidance on Medical Device and Service Cybersecurity

The Healthcare Supply Chain Association (HSCA) has issued guidance for healthcare delivery organizations, medical device manufacturers, and service suppliers on securing medical devices to make them more resilient to cyberattacks. The use of medical devices in healthcare has grown at an incredible rate and they are now relied upon to provide vital clinical functions that cannot be compromised without diminishing patient care. Medical devices are, however, often vulnerable to cyber threats and could be attacked to cause harm to patients, be taken out of service to pressure healthcare providers into meeting attackers’ extortion demands, or could be accessed remotely to obtain sensitive patient data. Medical devices are often connected to the Internet and can easily be attacked, so it is essential for proactive steps to be taken to improve security. The HSCA represents healthcare group purchasing organizations (GPOs) and advocates for fair procurement practices and education to improve the efficiency of purchases of healthcare goods and services and, as such, has a unique line of...

Read More
HIPAA Enforcement by State Attorneys General
Dec28

HIPAA Enforcement by State Attorneys General

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Health Insurance Portability and Accountability Act Rules. The Health Information Technology for Clinical and Economic Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules and can obtain damages on behalf of state residents. The Connecticut Attorney General was the first to exercise this right in 2010 against Health Net Inc. for the loss of an unencrypted hard drive containing the electronic protected health information of 1.5 million individuals and delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000. State Attorney HIPAA cases...

Read More
November 2021 Healthcare Data Breach Report
Dec21

November 2021 Healthcare Data Breach Report

The number of reported healthcare data breaches has increased for the third successive month, with November seeing 68 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – a 15.25% increase from October and well above the 12-month average of 56 data breaches a month. From January 1 to November 30, 614 data breaches were reported to the Office for Civil Rights. It is looking increasingly likely that this year will be the worst ever year for healthcare data breaches. The number of data breaches increased, but there was a sizable reduction in the number of breached records. Across the 68 reported breaches, 2,370,600 healthcare records were exposed, stolen, or impermissibly disclosed – a 33.95% decrease from the previous month and well below the 12-month average of 3,430,822 breached records per month. Largest Healthcare Data Breaches Reported in November 2021 In November, 30 data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights, and 4 of those breaches resulted in the exposure/theft of more than 100,000 records. The...

Read More
Most Patients Don’t Trust Their Healthcare Providers to Securely Store PII and Payment Information
Dec17

Most Patients Don’t Trust Their Healthcare Providers to Securely Store PII and Payment Information

In 2019, it was alarming that healthcare data breaches were being reported at a rate of more than 1 a day. In 2021, there have been several months where healthcare data breaches have been occurring at a rate of more than 2 per day. With data breaches occurring so regularly and ransomware attacks disrupting healthcare services, it is no surprise that many patients do not have much trust in their healthcare providers to protect sensitive personally identifiable information (PII). That has been confirmed by a recent survey conducted by Dynata on behalf of Semafone. 56% of patients at private practices said they do not trust their healthcare providers to protect PII and payment information. Smaller healthcare providers have smaller budgets for cybersecurity than larger healthcare networks, but trust in large hospital networks is far lower. Only 33% of patients of large hospital networks trusted them to be able to safeguard their PII. The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, has stepped up enforcement of compliance with the HIPAA Rules in recent years and...

Read More
New Jersey Fines Hackensack Healthcare Providers for PHI Breach and HIPAA Violations
Dec16

New Jersey Fines Hackensack Healthcare Providers for PHI Breach and HIPAA Violations

The New Jersey Division of Consumer Affairs has agreed to settle a data breach investigation that uncovered violations of the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA) Hackensack, NJ-based Regional Cancer Care Associates is an umbrella name for three healthcare providers that operate healthcare facilities in 30 locations in Connecticut, New Jersey, and Maryland: Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC. Between April and June 2019, several employee email accounts were compromised. Employees had responded to targeted phishing emails and disclosed their credentials, which allowed the scammers to access their email accounts and the protected health information (PHI) of more than 105,000 individuals. The email accounts contained PHI such as names, Social Security numbers, driver’s license numbers, health records, bank account information, and credit card details. In July 2019, notification letters were sent to 13,047 individuals by a third-party vendor; however, the letters were mismailed to the...

Read More
How to Make Your Email HIPAA Compliant
Dec07

How to Make Your Email HIPAA Compliant

Many healthcare organizations would like to be able to send protected health information via email, but how do you make your email HIPAA compliant? What must be done before electronic PHI (ePHI) can be sent via email to patients and other healthcare organizations? How to Make Your Email HIPAA Compliant Whether you need to make your email HIPAA compliant will depend on how you plan to use email with ePHI. If you will only ever send emails internally, it may not be necessary to make your email HIPAA compliant. If your email network is behind a firewall, it is not necessary to encrypt your emails.  Encryption is only required when your emails are sent beyond your firewall. However, access controls to email accounts are required, as it is important to ensure that only authorized individuals can access email accounts that contain ePHI. If you want to use email to send ePHI externally – beyond your firewall – you will need to make your email HIPAA-compliant. There are many email service providers that offer an encrypted email service, but not all are HIPAA compliant and incorporate all...

Read More
Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access
Dec06

Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access

The Health Information Sharing and Analysis Center (Health-ISAC) has released guidance for Chief Information Security Officers (CISOs) on adopting an identity-centric approach to enabling secure and easy access to patient data to meet the interoperability, patient access, and data sharing requirements of the 21st Century Cures Act. New federal regulations tied to the 21st Century Cures Act call for healthcare organizations to provide patients with easy access to their healthcare data and ensure patients can easily share their electronic health information (EHI) data wherever, whenever, and with whomever they want. The failure of a healthcare organization to implement systems to support patient access and interoperability could be considered information blocking and would be subject to fines and penalties. The new federal requirements are for healthcare providers and insurers to allow data sharing through Application Programming Interfaces (APIs) that operate on the Fast Healthcare Interoperability and Resources (FHIR) standard. Healthcare providers and insurers are required to...

Read More
Does HIPAA Apply to Employers?
Dec06

Does HIPAA Apply to Employers?

The question “Does HIPAA Apply to Employers” is one that has provoked many different responses due to the complicated nature of the HIPAA Privacy Rule. The HIPAA Privacy Rule is one of the most complicated pieces of legislation affecting the healthcare and health insurance industries. Because of its objectives to standardize how individually identifiable personal information is protected across many different use cases, the language of the HIPAA Privacy Rule is “non-specific” and therefore open to a number of interpretations. Many attempts have been made to summarize the HIPAA Privacy Rule in a format that clearly outlines who is covered by the legislation and how it should be applied. Unfortunately, because of its complicated nature, most summaries fail to adequately answer the question how does HIPAA apply to employers? This article aims to answer that question as adequately as possible. Let´s First Discuss HIPAA-Covered Transactions The HIPAA Privacy Rule defines the eighteen elements of individually identifiable health information that required protecting from unauthorized...

Read More
HHS Launches 405(d) Program Website Providing Resources to Help Mitigate Healthcare Cybersecurity Threats
Dec03

HHS Launches 405(d) Program Website Providing Resources to Help Mitigate Healthcare Cybersecurity Threats

The Department of Health and Human Services has launched a new website that offers advice and resources to help the healthcare and public health sector mitigate cybersecurity threats. The website was created as part of the HHS 405(d) Aligning Health Care Industry Security Approaches Program, which was established in response to the Cybersecurity Act of 2015. The Cybersecurity Act of 2015 called for the HHS to establish the program and a Task Group to enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led cybersecurity guidelines, practices, methodologies, procedures and processes that healthcare organizations can use. More than 150 individuals from industry and the federal government have collaborated under the program and provided insights into how best to mitigate cyberthreats. The new website supports the motto, Cyber Safety is Patient Safety, and provides videos and other educational material to raise awareness of pertinent threats along with vetted cybersecurity resources to drive behavioral change and...

Read More
Ohio DNA Testing Firm Notifies 2.1 Million People About Breach of Personal Information
Dec02

Ohio DNA Testing Firm Notifies 2.1 Million People About Breach of Personal Information

An Ohio-based DNA testing company has recently disclosed a hacking incident that involved the sensitive data of 2,102,436 individuals. DNA Diagnostics Center (DDC) said it detected suspicious activity in its network on August 6, 2021, and confirmed unauthorized individuals had accessed and acquired files from an archived database between May 24, 2021, and July 28, 2021. The data breach investigation confirmed that the files exfiltrated by the attackers contained full names, credit/debit card numbers and CVV codes, financial account numbers, Social Security numbers, and platform account passwords. The company said genetic testing data were stored on a separate system that was not accessed by the hackers and no data related to its current operations were stolen in the cyberattack. The database contained backups made between 2004 and 2012 that were associated with a national genetic testing organization that DDC acquired in 2012. DDC said the legacy system that was accessed had never been used in DDC’s operations and that the system has been inactive since 2012. DDC did not disclose...

Read More
Who Does HIPAA Apply To?
Nov28

Who Does HIPAA Apply To?

Who Does HIPAA Apply To? Confusion sometimes exists over the question of who does HIPAA apply to because the requirement to protect individually identifiable health information is covered in only a small section of a very substantial Act. Even when this small section is extracted and analyzed, it is still not always clear who does HIPAA apply to and which organizations need to implement HIPAA compliance programs. Does HIPAA Apply to Everybody? The Health Insurance Portability and Accountability Act (PDF) is a substantial body of legislation passed by Congress in 1996. As the title of the Act suggests, it addresses the portability of health insurance and the accountability of group health plans to provide benefits when members of group health plans have pre-existing conditions. In this respect, HIPAA applies to the majority of workers, most health insurance providers, and employers who sponsor or co-sponsor employee health insurance plans. However, HIPAA consists of four further titles covering topics from medical liability reform to taxes on expatriates who give up U.S....

Read More
October 2021 Healthcare Data Breach Report
Nov22

October 2021 Healthcare Data Breach Report

October saw 59 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights, which represents a 25.5% increase from September. Over the past 12 months, from November 2020 to October 2021, there have been 655 reported breaches of 500 or more records, 546 of which have been reported in 2021. The protected health information (PHI) of 3,589,132 individuals was exposed, stolen, or impermissibly disclosed across the 59 reported data breaches, which is 186% more records than September. Over the past 12 months, from November 2020 to October 2021, the PHI of 39,938,418 individuals has been exposed or stolen, with 34,557,664 individuals known to have been affected by healthcare data breaches so far in 2021. Largest Healthcare Data Breaches in October 2021 There were 18 data breaches reported to the HHS’ Office for Civil Rights in October that impacted 10,000 or more individuals, as detailed in the table below. Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Breach Cause Eskenazi Health IN...

Read More
Patients Unaware of the Extent of Healthcare Cyberattacks and Data Theft
Nov16

Patients Unaware of the Extent of Healthcare Cyberattacks and Data Theft

A recent survey conducted by the unified asset visibility and security platform provider Armis has explored the state of cybersecurity in healthcare and the security risks that are now faced by healthcare organizations. The survey was conducted by Censuswide on 400 IT professionals at healthcare organizations across the United States, and 2,000 U.S. patients to obtain their views on cybersecurity and data breaches in healthcare. The survey confirmed cyber risk is increasing, with 85% of respondents saying cyber risk has increased over the past 12 months. Ransomware gangs have targeted the healthcare industry over the past 12 months, and many of those attacks have succeeded. 58% of the surveyed IT professionals said their organization had experienced a ransomware attack in the past 12 months. Ransomware attacks were viewed as a cause of concern by 13% of IT security pros, indicating most are confident that they will be able to recover data in the event of an attack. However, data breaches that result in the loss of patient data were a major worry, with 52% of IT pros rating data...

Read More
HC3: Cobalt Strike Penetration Testing Framework Increasingly Used in Cyberattacks on Healthcare Organizations
Nov10

HC3: Cobalt Strike Penetration Testing Framework Increasingly Used in Cyberattacks on Healthcare Organizations

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a threat brief for the healthcare industry warning about the use of the Cobalt Strike penetration testing tool by cyber threat actors. Cobalt Strike is a powerful red team tool used by penetration testers when conducting risk and vulnerability assessments, but it can also be abused and is increasingly being used by cyber threat actors in attacks on the healthcare and public health sector. Cobalt Strike can be used for reconnaissance to gain valuable information about the target infrastructure to allow threat actors to determine the best use of their time when attacking healthcare networks. The system profiler function can be used to discover client-side applications used by a target and provides version information. The system profiler starts a local web server, fingerprints visitors, identifies internal IP addresses behind a proxy, and obtains reconnaissance data from the weblog, applications, and provides information on targets. Cobalt Strike includes a spear phish tool that can be used to create and send...

Read More
What is a Limited Data Set Under HIPAA?
Nov07

What is a Limited Data Set Under HIPAA?

A limited data set under HIPAA is a set of identifiable healthcare information that the HIPAA Privacy Rule permits covered entities to share with certain entities for research purposes, public health activities, and healthcare operations without obtaining prior authorization from patients, if certain conditions are met. In contrast to de-identified protected health information, which is no longer classed as PHI under HIPAA Rules, a limited data set under HIPAA is still identifiable protected information. Therefore it is still subject to HIPAA Privacy Rule regulations. A HIPAA limited data set can only be shared with entities that have signed a data use agreement with the covered entity. The data use agreement allows the covered entity to obtain satisfactory assurances that the PHI will only be used for specific purposes, that the PHI will not be disclosed by the entity with which it is shared, and that the requirements of the HIPAA Privacy Rule will be followed. The data use agreement, which must be accepted prior to the limited data set being shared, should outline the following:...

Read More
Can A Patient Sue for A HIPAA Violation?
Nov07

Can A Patient Sue for A HIPAA Violation?

Can a patient sue for a HIPAA violation? There is no private cause of action in HIPAA, so it is not possible for a patient to sue for a HIPAA violation. Even if HIPAA Rules have clearly been violated by a healthcare provider, and harm has been suffered as a direct result, it is not possible for patients to seek damages, at least not for the violation of HIPAA Rules. So, if it is not possible for a patient to sue for a HIPAA violation, does that mean legal action cannot be taken against a covered entity when HIPAA has clearly been violated? While HIPAA does not have a private cause of action, it is possible for patients to take legal action against healthcare providers and obtain damages for violations of state laws. In some states, it is possible to file a lawsuit against a HIPAA covered entity on the grounds of negligence or for a breach of an implied contract, such as if a covered entity has failed to protect medical records. In such cases, it will be necessary to prove that damage or harm has been caused as a result of negligence or the theft of unsecured personal information....

Read More
Is G Suite HIPAA Compliant?
Nov03

Is G Suite HIPAA Compliant?

Is G Suite HIPAA compliant? Can G Suite be used by HIPAA-covered entities without violating HIPAA Rules? Google has developed G Suite to include privacy and security protections to keep data secure, and those protections are of a sufficiently high standard to meet the requirements of the HIPAA Security Rule. Google will also sign a business associate agreement (BAA) with HIPAA covered entities. So, is G Suite HIPAA compliant? G Suite can be used without violating HIPAA Rules, but HIPAA compliance is more about the user than the cloud service provider. Making G Suite HIPAA Compliant (by default it isn’t) As with any secure cloud service or platform, it is possible to use it in a manner that violates HIPAA Rules. In the case of G Suite, all the safeguards are in place to allow HIPAA covered entities to use G Suite in a HIPAA compliant manner, but it is up to the covered entity to ensure that G Suite is configured correctly. It is possible to use G Suite and violate HIPAA Rules. Obtain a BAA from Google One important requirement of HIPAA is to obtain a signed, HIPAA-compliant...

Read More
42% of Healthcare Organizations Have Not Developed an Incident Response Plan
Nov02

42% of Healthcare Organizations Have Not Developed an Incident Response Plan

Hacks, ransomware attacks, and other IT security incidents account for the majority of data breaches reported to the Department of Health and Human Services’ Office for Civil Rights, but data breaches involving physical records are also commonplace. According to the Verizon Data Breach Investigations Report, disclosed physical records accounted for 43% of all breaches in 2021, which highlights the need for data security measures to be implemented covering all forms of data. The healthcare industry is extensively targeted by cybercriminals and cyberattacks increased during the pandemic. There was a 73% increase in healthcare cyberattacks in 2020, with those breaches resulting in the exposure of 12 billion pieces of protected health information, according to the 2021 Data Protection Report recently published by Shred-It. The report is based on an in-depth survey of C-level executives, small- and medium-sized business owners, and consumers across North America and identifies several areas where organizations could improve their defenses against external and internal threats....

Read More
Is AWS HIPAA Compliant?
Oct27

Is AWS HIPAA Compliant?

Is AWS HIPAA compliant? Amazon Web Services has all the protections to satisfy the HIPAA Security Rule and Amazon will sign a business associate agreement with healthcare organizations. So, is AWS HIPAA compliant? Yes. And No. AWS can be HIPAA compliant, but it is also easy to make configuration mistakes that will leave protected health information (PHI) unprotected and accessible by unauthorized individuals, violating HIPAA Rules. Amazon Will Sign a Business Associate Agreement for AWS Amazon is keen for healthcare organizations to use AWS, and as such, a business associate agreement will be signed. Under that agreement, Amazon will support the security, control, and administrative processes required under HIPAA. Previous, under the terms of the AWS BAA, the AWS HIPAA compliance program required covered entities and business associates to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process Protected Health Information (PHI), although that is now no longer the case. As part of its efforts to help healthcare organizations use AWS safely and securely without violating...

Read More
Vulnerabilities Identified in B. Braun Infusomat Space and Perfusor Space Infusion Pumps
Oct22

Vulnerabilities Identified in B. Braun Infusomat Space and Perfusor Space Infusion Pumps

B. Braun has released software updates to fix five vulnerabilities in its Infusomat Space and Perfusor Space Infusion Pumps. The vulnerabilities could be exploited remotely in a low complexity attack. In North America, the flaws affect Battery pack SP with WiFi (All software Versions 028U000061 and earlier) that have been installed in an Infusomat Space Infusion Pump or a Perfusor Space Infusion pump, and SpaceStation with SpaceCom 2 (All software Versions 012U000061 and earlier). The vulnerabilities were identified by Douglas McKee and Philippe Laulheret of McAfee, who reported them to B. Braun. The most serious vulnerability is a critical flaw in B. Braun SpaceCom2 that has been assigned a CVSS severity score of 9 out of 10. The flaw – tracked as CVE-2021-33885 – is due to insufficient verification of data authenticity and could be exploited by a remote attacker to send malicious data to the device, which would be used in place of the correct data. An improper input validation flaw – CVE-2021-33886 – would allow a remote unauthenticated attacker to gain user-level command-line...

Read More
UPMC Hacker Who Stole PII of 65,000 Employees Gets Maximum 7-Year Sentence
Oct21

UPMC Hacker Who Stole PII of 65,000 Employees Gets Maximum 7-Year Sentence

The hacker who gained access to the databases of University of Pittsburgh Medical Center (UPMC) and stole the personally identifiable information (PII) and W-2 information of approximately 65,000 UPMC employees has been handed the maximum sentence for the offenses and will serve 7 years in jail. Sean Johnson, of Detroit, Michigan – aka TheDearthStar and Dearthy Star – hacked into the databases of UPMC in 2013 and 2014 and stole highly sensitive information which was then sold on dark web hacking forums and was used by identity thieves to file fraudulent tax returns in the names of UPMC employees. The Department of Justice (DOJ) also alleged Johnson conducted further cyberattacks between 2014 and 2017 and stole the PII of an additional 90,000 individuals. Those sets of data were also sold to identity thieves on dark web forums. In total, fraudulent tax returns totaling $2.2 million were filed and around $1.7 million was dispersed by the IRS. The funds received were converted to Amazon gift cards, which were used to purchase high-value goods that were shipped to Venezuela. Three of...

Read More
September 2021 Healthcare Data Breach Report
Oct20

September 2021 Healthcare Data Breach Report

There was a 23.7% month-over-month increase in reported healthcare data breaches in September, which saw 47 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights. While that is more than 1.5 breaches a day, it is under the average of 55.5 breaches per month over the past 12 months. While data breaches increased, there was a major decrease in the number of breached healthcare records, dropping 75.5% from August to 1,253,258 records across the 47 reported data breaches, which is the third-lowest total over the past 12 months. Largest Healthcare Data Breaches Reported in September 2021 16 healthcare data breaches were reported in September 2021 that involved the exposure, theft, or impermissible disclosure of more than 10,000 healthcare records. The largest breach of the month was reported by the State of Alaska Department of Health & Social Services. The breach was initially thought to have resulted in the theft of the personal and protected health information (PHI) of all state residents, although the breach was...

Read More
De-identification of Protected Health Information: How to Anonymize PHI
Oct18

De-identification of Protected Health Information: How to Anonymize PHI

Healthcare organizations and their business associates that want to share protected health information must do so in accordance with the HIPAA Privacy Rule, which limits the possible uses and disclosures of PHI, but de-identification of protected health information means HIPAA Privacy Rule restrictions no longer apply. HIPAA Privacy Rule restrictions only covers individually identifiable protected health information. If you de-identify PHI so that the identity of individuals cannot be determined, and re-identification of individuals is not possible, PHI can be freely shared. The de-identification of protected health information enables HIPAA covered entities to share health data for large-scale medical research studies, policy assessments, comparative effectiveness studies, and other studies and assessments without violating the privacy of patients or requiring authorizations to be obtained from each patient prior to data being disclosed. HIPAA-Compliant De-identification of Protected Health Information HIPAA-compliant de-identification of protected health information is possible...

Read More
What Are Covered Entities Under HIPAA?
Oct18

What Are Covered Entities Under HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) applies to HIPAA-covered entities and their business associates, but what are covered entities under HIPAA, and what sort of companies are classed as business associates? Covered Entities Under HIPAA Covered entities under HIPAA are individuals or entities that transmit protected health information for transactions for which the Department of Health and Human Services has adopted standards (see 45 CFR 160.103). Transactions include transmission of healthcare claims, payment and remittance advice, healthcare status, coordination of benefits, enrollment and disenrollment, eligibility checks, healthcare electronic fund transfers, and referral certification and authorization. Covered entities under HIPAA include health plans, healthcare providers, and healthcare clearinghouses. Health plans include health insurance companies, health maintenance organizations, government programs that pay for healthcare (Medicare for example), and military and veterans’ health programs. Healthcare clearinghouses are organizations that...

Read More
American Osteopathic Association Notifies 27,500 Individuals About June 2020 Data Theft Incident
Oct15

American Osteopathic Association Notifies 27,500 Individuals About June 2020 Data Theft Incident

Approximately 27,500 individuals are being notified that some of their personal information was stolen in a cyberattack on the American Osteopathic Association (AOA). AOA is a Chicago-based professional organization that represents around 151,000 osteopathic physicians and medical students across the United States. On June 25, 2020, the AOA identified suspicious activity within some of its systems. Its network was taken offline, and forensic investigators were engaged to determine the nature and scope of the incident. The investigation confirmed the attackers gained access to systems that contained personally identifiable information and exfiltrated data from those systems. A comprehensive review of the files was conducted to determine which individuals had been affected. That review determined names, addresses, dates of birth, Social Security numbers, financial account information, and email addresses/usernames and passwords were in the exfiltrated data. The AOA said its investigation did not uncover any evidence of actual or attempted misuse of the stolen data, but as a...

Read More
New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty
Oct14

New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty

A New Jersey infertility clinic accused of violating HIPAA and New Jersey laws by failing to implement appropriate cybersecurity measures has settled the investigation with the state and will pay a $495,000 penalty. Millburn, NJ-based Diamond Institute for Infertility and Menopause, LLC (Diamond) operates two healthcare facilities in New Jersey, one in New York, and provides consultancy services in Bermuda. Providing those services involves the collection, storage, and use of personal and protected health information (PHI). Between August 2016 and January 2017, at least one unauthorized individual accessed Diamond’s network which contained the PHI of 14,663 patients, 11,071 of which were New Jersey residents. As a HIPAA-covered entity, Diamond is required to implement technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI. Diamond is also subject to New Jersey laws and is similarly required to implement reasonable and adequate safeguards to protect medical data from unauthorized access. Diamond Investigated for...

Read More
How to Secure Patient Information (PHI)
Oct13

How to Secure Patient Information (PHI)

HIPAA requires healthcare organizations of all sizes to secure protected health information (PHI), but how can covered entities secure patient information? If you are asked how you secure patient information, could you provide an answer? How Can You Secure Patient Information? HIPAA requires healthcare organizations and their business associates to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, although there is little detail provided on how to secure patient information in HIPAA regulations. This is intentional, as the pace that technology is advancing is far greater than the speed at which HIPAA can be updated. If details were included, they would soon be out of date. Technology is constantly changing and new vulnerabilities are being discovered in systems and software previously thought to be secure. Securing patient information is therefore not about implementing security solutions and forgetting about them. To truly secure patient information you must regularly review your security controls, update policies and procedures, maintain...

Read More
Why is HIPAA Important?
Oct12

Why is HIPAA Important?

The Health Insurance Portability and Accountability Act (HIPAA) is a landmark piece of legislation, but why is HIPAA important? What changes did HIPAA introduce and what are the benefits to the healthcare industry and patients? HIPAA was introduced in 1996, primarily to address one particular issue: Insurance coverage for individuals that are between jobs. Without HIPAA, employees faced a loss of insurance coverage when they were between jobs. A second goal of HIPAA was to prevent healthcare fraud and ensure that all ‘protected health information’ was appropriately secured and to restrict access to health data to authorized individuals. Why is HIPAA Important for Healthcare Organizations? HIPAA introduced a number of important benefits for the healthcare industry to help with the transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure protected health information is shared securely. The standards for recording health data and electronic...

Read More
Cybersecurity Awareness Month: Fight the Phish!
Oct12

Cybersecurity Awareness Month: Fight the Phish!

According to the Verizon Data Breach Investigations Report, phishing accounted for around 80% of all reported phishing attacks in 2019 and since the pandemic began in 2020 phishing attacks and associated scams have been thriving. In 2020, 74% of US organizations experienced a successful phishing attack. Phishing attacks typically use emails or malicious websites – or both – to obtain sensitive information such as login credentials or to infect devices with malware and viruses. Phishing attacks involve a lure to get the recipient to take a certain action, such as clicking on a hyperlink in an email or opening a malicious email attachment. Email addresses, sender names, phone numbers, and website URLs are often spoofed to trick people into believing they are interacting with a familiar and trusted source. The 2021 Cost of Phishing Study conducted by the Ponemon Institute/Proofpoint suggests the cost of phishing attacks has quadrupled over the past 6 years, with large U.S. firms now losing an average of $14.83 million a year to phishing attacks. An average-sized U.S. company employing...

Read More
How to Report a HIPAA Violation Anonymously
Oct06

How to Report a HIPAA Violation Anonymously

In this post we explain how to report a HIPAA violation anonymously if you feel your (or someone else’s) privacy has been violated of if HIPAA Rules are not being followed in your organization. When Can an Alleged HIPAA Violation be Reported? Most healthcare organizations go to great lengths to ensure they are in compliance with HIPAA Rules, but occasionally HIPAA regulations are violated by management or employees. In such cases, a complaint can be lodged with the Department of Health and Human Services’ Office for Civil Rights (OCR) – the main enforcer of HIPAA Rules. However, complaints will only result in action being taken if the complaint is submitted within 180 days of the date of discovery that HIPAA Rules were violated. In limited cases, when there is ‘good cause’ that it was not possible to file a complaint within 180 days, an extension may be granted. Note that OCR cannot investigate any alleged violation of the HIPAA Privacy Rule that occurred before April 14, 2003 or Security Rule violations that occurred before April 20, 2005 because compliance with those...

Read More
Is WhatsApp HIPAA Compliant?
Oct06

Is WhatsApp HIPAA Compliant?

When WhatsApp announced it was introducing end-to-end encryption, it opened up the prospect of healthcare organizations using the platform as an almost free secure messaging app, but is WhatsApp HIPAA compliant? Many healthcare employees have been asking if WhatsApp is HIPAA compliant, and some healthcare professionals are already using the text messaging app to send protected health information (PHI). However, while WhatsApp does offer far greater protection than SMS messages and some other text messaging platforms, we believe WhatsApp is not a HIPAA compliant messaging platform. Why Isn’t WhatsApp HIPAA Compliant? First, it is important to point out that no software platform or messaging app can be truly HIPAA compliant, because HIPAA compliance is not about software. It is about users. Software can support HIPAA compliance and incorporate all the necessary safeguards to ensure the confidentiality, integrity, and availability of ePHI, but those controls can easily be undone by users. HIPAA does not demand that encryption is used. Provided an alternate, equivalent measure is...

Read More
What are the Differences Between a HIPAA Business Associate and HIPAA Covered Entity
Oct06

What are the Differences Between a HIPAA Business Associate and HIPAA Covered Entity

The terms covered entity and business associate are used extensively in HIPAA legislation, but what are the differences between a HIPAA business associate and HIPAA covered entity? What Are HIPAA Covered Entities? HIPAA covered entities are healthcare providers, health plans, and healthcare clearinghouses that electronically transmit health information for transactions covered by HHS standards. Healthcare providers include hospitals and clinics, doctors, dentists, chiropractors, psychologists, pharmacies and nursing homes. Health plans include health insurance companies, company health plans, government programs that pay for healthcare, and HMO’s. Healthcare clearinghouses include transcription service companies that format data to make it compliant and organizations that process non-standard health information. Even if an entity is a healthcare provider, health plan or healthcare clearinghouse, they are not considered a HIPAA covered entity if they do not transmit any information electronically for transactions that HHS has adopted standards. In such cases, the entity would not be...

Read More
Insider Threat Self-Assessment Tool Released by CISA
Oct06

Insider Threat Self-Assessment Tool Released by CISA

Public and private sector organizations have a new tool to help them assess their level of vulnerability to insider threats. The new Insider Threat Risk Mitigation Self-Assessment Tool has been created by the Cybersecurity and Infrastructure Security Agency (CISA) to help users further their understanding of insider threats and develop prevention and mitigation programs. In healthcare, security efforts often focus on the network perimeter and implementing measures to block external threats, but insider threats can be just as damaging, if not more so. Insiders can steal sensitive information for financial gain, can take information to provide to their next employer, or can abuse their privileged access to cause significant harm. Insider breaches can have major consequences for businesses, with may include reputation damage, loss of revenue, theft of intellectual property, reduced market share, and even physical harm. CISA says insider threats can include current and former employers, contractors, or other individuals with inside knowledge about a business. The threat posed by...

Read More
National Cybersecurity Awareness Month: Do Your Part, #BeCyberSmart
Oct04

National Cybersecurity Awareness Month: Do Your Part, #BeCyberSmart

October is National Cybersecurity Awareness Month. Throughout October, the importance of cybersecurity is highlighted and resources are made available to raise awareness of cyber threats and encourage individuals and organizations to adopt cybersecurity best practices and better protect accounts and sensitive data. Cybersecurity Awareness Month was launched by the National Cyber Security Alliance and the United States Department of Homeland Security in 2004 to raise awareness of the importance of cybersecurity. Each year has a different theme, although the overall aim is the same – To empower individuals and the organizations they work for to improve cybersecurity and make it harder for hackers and scammers to succeed. The month is focused on improving education about cybersecurity best practices, raising awareness of the digital threats to privacy, encouraging organizations and individuals to put stronger safeguards in place to protect sensitive data, and highlighting the importance of security awareness training. This year has the overall theme – “Do Your Part,...

Read More
How Employees Can Help Prevent HIPAA Violations
Oct03

How Employees Can Help Prevent HIPAA Violations

Healthcare organizations and their business associates must comply with the HIPAA Privacy, Security, and Breach Notifications Rules and implement safeguards to prevent HIPAA violations. However, even with controls in place to reduce the risk of HIPAA violations, data breaches still occur. In most industries, it is hackers and other cybercriminals that are responsible for the majority of security breaches, but in healthcare it is insiders. While healthcare organizations can take steps to improve their defenses and implement technologies to identify breaches rapidly when they occur, healthcare employees also need to help prevent HIPAA violations.  Employers can help employees by providing regular HIPAA training. Employees Can Help to Prevent HIPAA Violations Healthcare privacy breaches often occur as a result of carelessness or a lack of understanding of HIPAA Rules. Healthcare organizations should therefore ensure employees receive full training on HIPAA and know the allowable uses and disclosures of PHI and to secure ePHI at all times. Refresher training sessions should also be...

Read More
What is Texas HB 300?
Oct03

What is Texas HB 300?

What is Texas HB 300, who is required to comply with the legislation, and what are the penalties for noncompliance? This article answers these and other important questions about Texas HB 300. What is Texas HB 300? The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets minimum privacy and security standards for healthcare organizations. HIPAA naturally covers healthcare organizations based in Texas, but they also must comply with state laws. Texas has some of the most stringent laws in the United States as far as health data is concerned which are detailed in the Texas Health and Safety Code. In June 2011, Texas HB 300 was passed by the Texas legislature. HB 300 amended four areas of Texas legislature: The Texas Health and Safety Code (Chapters 181 and 182), the Texas Business and Commerce Code (Sections 521 and 522), the Texas Government Code (Chapter 531), and the Texas Insurance Code (Chapter 602) and introduced tougher privacy protections for health data than HIPAA. Who is Required to Comply with Texas HB 300? Compliance with Texas HB 300 is...

Read More
Is OneDrive HIPAA Compliant?
Sep30

Is OneDrive HIPAA Compliant?

Many covered entities want to take advantage of cloud storage services, but can Microsoft OneDrive be used? Is OneDrive HIPAA compliant? Many healthcare organizations are already using Microsoft Office 365 Business Essentials, including exchange online for email. Office 365 Business Essentials includes OneDrive Online, which is a convenient platform for storing and sharing files. Microsoft Supports HIPAA-Compliance There is certainly no problem with HIPAA-covered entities using OneDrive. Microsoft supports HIPAA-compliance and many of its cloud services, including OneDrive, can be used without violating HIPAA Rules. That said, before OneDrive – or any cloud service – can be used to create, store, or send files containing the electronic protected health information of patients, HIPAA-covered entities must obtain and sign a HIPAA-compliant business associate agreement (BAA). Microsoft was one of the first cloud service providers to agree to sign a BAA with HIPAA-covered entities, and offers a BAA through the Online Services Terms. The BAA includes OneDrive for Business, as well...

Read More
Lisa J. Pino Named New Director of HHS’ Office for Civil Rights
Sep27

Lisa J. Pino Named New Director of HHS’ Office for Civil Rights

Lisa J. Pino has been named Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) and replaces Robinsue Frohboese, who has served as acting OCR Director since President Trump-appointed Roger Severino resigned from the post in mid-January. OCR is the main enforcer of compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, the Patient Safety and Quality Improvement Act, and Patient Safety Rule, as well as enforcing federal civil rights, conscience and religious freedom laws. Pino is from New York City, a fluent Spanish speaker, and the first-generation daughter of immigrant parents. She completed a B.A., M.A., and J.D. at Arizona State University with honors, and Harvard Kennedy School leadership program as a National Hispana Leadership Institute Fellow. Pino has served as legal aid attorney in the Southwest, fighting to protect the rights of migrant farm workers. Her civil rights activities carried on while working for the United States Department of Agriculture (USDA) where...

Read More
August 2021 Healthcare Data Breach Report
Sep21

August 2021 Healthcare Data Breach Report

There was a 44% month-over-month decrease in the number of reported healthcare data breaches in August 2021. 38 healthcare data breaches of 500 or more records were reported by healthcare providers, health plans, and their business associates in August. August’s reported data breaches takes the total number of healthcare data breaches in the past 12 months to 707 (Sep 2020 to August 2021), with 440 of those data breaches reported in 2021. While there was a marked fall in the number of reported breaches, 5,120,289 healthcare records were breached across those 38 incidents, which is well above the 12-month average of 3.94 million breached records a month. The high total was largely due to two major ransomware attacks on St. Joseph’s/Candler Health System and University Medical Center Southern Nevada, which involved 2.8 million healthcare records combined. Largest Healthcare Data Breaches Reported in August 2021 Ransomware gangs continued to target the healthcare industry in August. The attacks can cause disruption to care and can put patient safety at risk. Some of the attacks...

Read More
FTC Tells Developers of Health Apps and Wearable Devices to Notify Individuals About Data Breaches
Sep16

FTC Tells Developers of Health Apps and Wearable Devices to Notify Individuals About Data Breaches

Developers of health apps and wearable devices such as fitness trackers that collect health data have been warned by the Federal Trade Commission (FTC) that they are required to comply with the FTC Health Breach Notification Rule and must notify consumers about data breaches. The FTC Health Breach Notification Rule was introduced in 2009 as part of the American Recovery and Reinvestment Act of 2009, and requires individuals to be notified if there is a breach of their health data. The Health Breach Notification Rule applies to vendors of personal health records and associated companies, but in a policy statement issued on September 16, 2021, the FTC said health apps and other connected devices that collect or use the health information of U.S. consumers are also covered by Rule. The policy statement was approved during an open meeting on Wednesday by a vote of 3-2. The FTC Health Breach Notification Rule applies to health apps and wearable devices that collect health information from a consumer and can draw information from multiple sources, such as through an API that allows...

Read More
Walgreens Covid-19 Test Registration System Has Been Exposing Patient Data
Sep16

Walgreens Covid-19 Test Registration System Has Been Exposing Patient Data

The personal data of individuals who took a COVID-19 test at a Walgreens pharmacy has been exposed over the Internet due to vulnerabilities in its COVID-19 test registration system. It is currently unclear how many individuals have been affected, although they could well number in the millions given the number of COVID-19 tests Walgreens has performed since April 2020. It is unclear when the vulnerabilities were introduced on the website, but they date back to at least March 2021 when they were discovered by Interstitial Technology PBC consultant Alejandro Ruiz. He identified a security error when a member of his family had a COVID-19 test performed at Walgreens. Ruiz contacted Walgreens to alert them to the data exposure, but claimed the company was not responsive. Ruiz spoke to Recode about the issue, which had the security flaws confirmed by two security experts. Recorde reported the issue to Walgreens, and the company said, “We regularly review and incorporate additional security enhancements when deemed either necessary or appropriate.” However, as of September 13, 2021 the...

Read More
NCCoE Releases Final Cybersecurity Practice Guide on Mobile Application Single Sign-On for First Responders
Sep08

NCCoE Releases Final Cybersecurity Practice Guide on Mobile Application Single Sign-On for First Responders

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has recently released the final version of the NIST Cybersecurity Practice Guide SP 1800-13, Mobile Application Single Sign-On: Improving Authentication for Public Safety First Responders. Public safety and first responder (PSFR) personnel require on-demand access to public safety data in order to provide proper support and emergency care. In order to access the necessary data, PSFR personnel are heavily reliant on mobile platforms. Through these platforms, PSFR personnel can access the personal and protected health information of patients and sensitive law enforcement information; however, in order to keep sensitive information secure and to prevent unauthorized access, strong authentication mechanisms are required. Those authentication mechanisms are needed to keep data secure and to protect privacy, but they have potential to hinder PSFR personnel and get in the way of them providing emergency services. While authentication may only take a matter of seconds, any...

Read More
July 2021 Healthcare Data Breach Report
Aug23

July 2021 Healthcare Data Breach Report

High numbers of healthcare data breaches continued to be reported by HIPAA-covered entities and their business associates. In July, there were 70 reported data breaches of 500 or more records, making it the fifth consecutive month where data breaches have been reported at a rate of 2 or more per day. The number of breaches was slightly lower than June, but the number of records exposed or compromised in those breaches jumped sharply, increasing by 331.5% month-over-month to 5,570,662 records. Over the past 12 months, from the start of August 2020 to the end of July 2021, there have been 706 reported healthcare data breaches of 500 or more records and the healthcare data of 44,369,781 individuals has been exposed or compromised. That’s an average of 58.8 data breaches and around 3.70 million records per month! Largest Healthcare Data Breaches in July 2021 Two healthcare data breaches stand out due to the sheer number of healthcare records that were exposed – and potentially stolen. The largest healthcare data breach to be reported in July was a hacking/IT incident reported by the...

Read More
Future of HIPAA: Reflections at the 25th Anniversary of HIPAA
Aug21

Future of HIPAA: Reflections at the 25th Anniversary of HIPAA

The Health Insurance Portability and Accountability Act is now 25 years old. How effective has this healthcare law been and what is the future of HIPAA? It is now exactly 25 years to the day since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton. On August 21, 1996, when President Clinton added his signature to the legislation, few people would have realized how HIPAA would evolve and grow into the comprehensive national health privacy law that it is today. It is difficult to argue that HIPAA has not been an overall success, but the legislation has attracted a fair amount of criticism over the years, especially due to the considerable administrative burden it initially placed on healthcare organizations. On balance, the improvements to healthcare that have come from compliance with HIPAA more than outweigh the negatives. The biggest successes are the improvements to patient privacy and data security, the rights given to patients with respect to their healthcare data, greater efficiency in the healthcare system, and changes...

Read More
Scripps Health Ransomware Attack Cost Increases to Almost $113 Million
Aug18

Scripps Health Ransomware Attack Cost Increases to Almost $113 Million

Ransomware attacks on hospitals can cause huge financial losses, as the Ryuk ransomware attack on Universal Health Services showed. UHS is one of the largest healthcare providers in the United States, and operates 26 acute care hospitals, 330 behavioral health facilities, and 41 outpatient facilities. UHS said in March 2021 that the September 2020 ransomware attack resulted in $67 million in pre-tax losses due the cost of remediation, loss of acute care services, and other expenses incurred due to the attack. While the losses suffered by UHS were significant, the ransomware attack on Scripps Health has proven to be far more expensive. Scripps Health is a California-based nonprofit operator of 5 hospitals and 19 outpatient facilities in the state. In the May 2021 ransomware attack, Scripps Health lost access to information systems at two of its hospitals, staff couldn’t access the electronic medical record system, and its offsite backup servers were also affected. Without access to critical IT systems, Scripps Health was forced to re-route stroke and heart attack patients from four...

Read More
NCSC Password Recommendations
Aug10

NCSC Password Recommendations

The UK’s NCSC password recommendations have been updated and a new strategy is being promoted that meets password strength requirements but improves usability.  There are multiple schools of thought when it comes to the creation of passwords, but all are based on the premise that passwords need to be sufficiently complex to ensure they cannot be easily guessed, not only by humans, but also the algorithms used by hackers in brute force attacks. Each year lists of the worst passwords are published that are compiled from credentials exposed in data breaches. These worst password lists clearly demonstrate that some people are very poor at choosing passwords. Passwords such as “password,” “12345678,” and “qwertyuiop” all feature highly in the lists. Due to the risk of end users creating these weak passwords, many organizations now have minimum requirements for password complexity, but that does not always mean end users will set strong passwords. The Problem with Password Complexity Requirements The minimum requirements for password complexity are typically to have at least one lower-...

Read More
Healthcare Industry has Highest Number of Reported Data Breaches in 2021
Aug05

Healthcare Industry has Highest Number of Reported Data Breaches in 2021

Data breaches declined by 24% globally in the first 6 months of 2021, although breaches in the United States increased by 1.5% in that period according to the 2021 Mid-Year Data Breach QuickView Report from Risk-Based Security. Risk Based Security identified 1,767 publicly reported breaches between January 1, 2021 and June 30, 2021. Across those breaches, 18.8 billion records were exposed, which represents a 32% decline from the first 6 months of 2020 when 27.8 billion records were exposed. 85% of the exposed records in the first half of 2021 occurred in just one breach at the Forex trading service FBS Markets. The report confirms the healthcare industry continues to be targeted by cyber threat actors, with the industry having reported more data breaches than any other industry sector this year. Healthcare has been the most targeted industry or has been close to the top since at least 2017 and it does not appear that trend will be reversed any time soon. 238 healthcare data breaches were reported in the first 6 months of 2021, with finance & insurance the next most attacked...

Read More
Report: The State of Privacy and Security in Healthcare
Jul28

Report: The State of Privacy and Security in Healthcare

2020 was a particularly bad year for the healthcare industry with record numbers of data breaches reported. Ransomware was a major threat, with Emsisoft identifying 560 ransomware attacks on healthcare providers in 2020. Those attacks cost the healthcare industry dearly. $20.8 billion was lost in downtime in 2020, according to Comparitech, which is more than twice the ransomware downtime cost to the healthcare industry in 2019. With the healthcare industry facing such high numbers of cyberattacks, the risk of a security breach is considerable, yet many healthcare organizations are still not fully conforming with the NIST Cybersecurity Framework (NIST CSF) and the HIPAA Security Rule, according to the 2021 Annual State of Healthcare Privacy and Security Report published today by healthcare cybersecurity consulting firm CynergisTek. To compile the report – The State of Healthcare Privacy and Security – Maturity Paradox: New World, New Threats, New Focus – CynergisTek used annual risk assessments at 100 healthcare organizations and measured progress alongside overall NIST CSF...

Read More
June 2021 Healthcare Data Breach Report
Jul21

June 2021 Healthcare Data Breach Report

For the third consecutive month, the number of reported healthcare data breaches of 500 or more records increased. June saw an 11% increase in reported breaches from the previous month with 70 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – the highest monthly total since September 2020 and well above the average of 56 breaches per month over the past year. While the number of reported breaches increased, there was a substantial fall in the number of breached healthcare records, which decreased 80.24% from the previous month to 1,290,991 breached records. That equates to more than 43,000 breached records a day in June. More than 40 million healthcare records have been exposed or impermissibly disclosed over the past 12 months across 674 reported breaches. On average, between July 2020 and June 2021, an average of 3,343,448 healthcare records were breached each month. Largest Healthcare Data Breaches in June 2021 There were 19 healthcare data breaches of 10,000 or more records reported in June. Ransomware continues to pose problems for healthcare...

Read More
Kaseya KSA Supply Chain Attack Sees REvil Ransomware Sent to 1,000+ Companies
Jul05

Kaseya KSA Supply Chain Attack Sees REvil Ransomware Sent to 1,000+ Companies

A Kaseya KSA supply chain attack has affected dozens of its managed service provider (MSP) clients and saw REvil ransomware pushed out to MSPs and their customers. Kaseya is an American software company that develops software for managing networks, systems, and information technology infrastructure. The software is used to provide services to more than 40,000 organizations worldwide. The REvil ransomware gang gained access to Kaseya’s systems, compromised the Kaseya’s VSA remote monitoring and management tool, and used the software update feature to install ransomware. The Kaseya VSA tool is used by MSPs to monitor and manage their infrastructure. It is not clear when the ransomware gang gained access to Kaseya’s systems, but ransomware was pushed out to customers when the software updated on Friday July 2. The attack was timed to coincide with the July 4th holiday weekend in the United States, when staffing levels were much lower and there was less chance of the attack being detected and blocked before the ransomware payload was deployed. Fast Response Limited Extent of the Attack...

Read More
CISA Publishes Catalog of Cybersecurity Bad Practices That Must Be Eradicated
Jul01

CISA Publishes Catalog of Cybersecurity Bad Practices That Must Be Eradicated

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has published a new resource that lists cybersecurity bad practices that are exceptionally dangerous and significantly increase risk to critical infrastructure. There are many published resources that provide information about cybersecurity best practices that should be adopted to improve security, but CISA felt an additional perspective was required as it is equally, if not more, important to ensure that bad cybersecurity practices are eliminated. “Ending the most egregious risks requires organizations to make a concerted effort to stop bad practices,” explained CISA. CISA is urging leaders of all organizations to engage in urgent conversations to address technology bad practices, especially organizations that support national critical functions. One of the foundational elements of risk management is “focus on the critical few”, explained CISA Executive Assistant Director Eric Goldstein in a blog post announcing the launch of the new website resource. Organizations may have limited resources to identify and mitigate...

Read More
Is Google Voice HIPAA Compliant?
Jun30

Is Google Voice HIPAA Compliant?

Google Voice is a popular telephony service, but is Google Voice HIPAA compliant or can it be used in a HIPAA compliant way? Is it possible for healthcare organizations – or healthcare employees – to use the service without violating HIPAA Rules? Is Google Voice HIPAA Compliant? Google Voice is a popular and convenient telephony service that includes voicemail, voicemail transcription to text, the ability to send text messages free of charge, and many other useful features. It is therefore unsurprising that many healthcare professionals would like to use the service at work, as well as for personal use. In order for a service to be used in healthcare in conjunction with any protected health information (PHI) it must be possible to use it in a HIPAA compliant way. That means the service must be covered by the conduit exemption rule – which was introduced when the HIPAA Omnibus Final Rule came into effect – or it must incorporate a range of controls and safeguards to meet the requirements of the HIPAA Security Rule. As with SMS, faxing, and email, Google Voice is not...

Read More
The HIPAA Minimum Necessary Standard
Jun23

The HIPAA Minimum Necessary Standard

The HIPAA minimum necessary standard applies to uses and disclosures of PHI that are permitted under the HIPAA Privacy Rule, including the accessing of ePHI by healthcare professionals and disclosures to business associates and other covered entities. The standard also applies to requests for protected health information from other HIPAA covered entities. Under the HIPAA minimum necessary standard, HIPAA-covered entities are required to make reasonable efforts to ensure that access to PHI is limited to the minimum necessary information to accomplish the intended purpose of a particular use, disclosure, or request. The terms ‘reasonable’ and ‘necessary’ are open to interpretation which can cause some confusion. The use of these terms leaves it up to the judgement of the covered entity as to what information is disclosed and the efforts that should be made to restrict access to the information.  Any decisions that are made with respect to the minimum necessary standard should be supported by a rational justification, should reflect the technical capabilities...

Read More
1 Billion-Record Database of Searches of CVS Website Exposed Online
Jun23

1 Billion-Record Database of Searches of CVS Website Exposed Online

A database belonging to CVS Pharmacy that included approximately 1 billion search records has been exposed online. The database included information about searches performed by visitors to CVS.com and CVSHealth.com, typically for information about medications an COVID-19 vaccines. It is common for databases such as these to be maintained by companies. The search information can be used for analytics, customer management, marketing, and other purposes to improve the services provided to customers. These searches can sometimes be tied to an individual by their IP address, or in this case by the searcher’s email address. The colossal database was discovered by security researcher Jeremiah Fowler. Fowler found that the email addresses of some visitors to the websites was also included in the database. Due to the size of the database, it was not possible to perform searches of all data but searching a sample of data in the database confirmed many email addresses were present. It is not clear why email addresses were recorded. Fowler suggests it could have been people mistakenly...

Read More
May 2021 Healthcare Data Breach Report
Jun18

May 2021 Healthcare Data Breach Report

May was the worst month of 2021 to date for healthcare data breaches. There were 63 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in May. For the past three months, breaches have been reported at a rate of more than 2 per day. The average number of healthcare data breaches per month has now risen to 54.67. May was also the worst month of the year in terms of the severity of breaches. 6,535,130 healthcare records were breached across those 63 incidents. The average number of breached healthcare records each month has now risen to 3,323,116. 17,733,372 healthcare records have now been exposed or impermissibly disclosed so far in 2021 and almost 40 million records (39.87M) have been breached in the past 12 months. Largest Healthcare Data Breaches Reported in April 2021 As was the case in April, there were 19 healthcare data breaches involving 10,000 or more records and 7 of those breaches involved 100,000 or more records. All but one of those breaches was a hacking incident or involved It systems being compromised by...

Read More
Best Password Manager for the Healthcare Industry
Jun01

Best Password Manager for the Healthcare Industry

In this post we explore some of the leading solutions to find the best password manager for the healthcare industry – One that is easy to use, reasonably priced and, most importantly considering the extent to which the industry is targeted by hackers, has excellent security. HIPAA and Password Management The HIPAA Security Rule was signed into law at a time when the requirements for password complexity were far lower, fewer passwords had to be created and remembered, and cracking passwords was a long and slow process. In the 18 years since the HIPAA Security Rule took effect, a lot has changed. The changes to best practices over time is the reason why the HIPAA Security rule is not technology specific. The Security Rule was written to be flexible to allow for changes to best practices. What was perfectly acceptable in 2003 for passwords, is no where near enough in 2021. The HIPAA Security Rule has provisions covering passwords. The technical safeguards of the HIPAA Security Rule (45 CFR § 164.312), require covered entities to implement technical procedures for systems that maintain...

Read More
Compliance Training for Medical Staff
May27

Compliance Training for Medical Staff

Because of the many different roles in the healthcare industry, there is no one-size-fits-all compliance training for medical staff. Furthermore, the nature of healthcare compliance training modules can vary according to location, specialty, or responsibility. Nonetheless, it is a legal requirement that all medical staff undergo HIPAA compliance training. If a Covered Entity is located in Texas, the nature of the privacy and data security training provided for medical staff will be a lot different from the training provided for medical staff located in New York. This is due to the Texas Medical Record Privacy Act (and subsequent amendments in Texas HB 300) which has tougher privacy protections for health data than HIPAA. Similarly, if a medical professional works in an area of healthcare in which they are likely to be exposed to HIV, HBV, or HCV, their compliance training will include compliance with the OSHA Bloodborne Pathogens Standard, while a person with responsibility for health and safety on a general ward should be trained on OSHA´s Incident Reporting procedures. Despite...

Read More
Ransomware Gangs Adopt Triple Extortion Tactics
May19

Ransomware Gangs Adopt Triple Extortion Tactics

Following on from the DarkSide ransomware attack on Colonial Pipeline, several ransomware threat actors have ceased activity or have implemented rules that their affiliates must follow, including banning all attacks on critical infrastructure firms, healthcare organizations, and government organizations.  Some popular hacking forums are distancing themselves from ransomware and have banned ransomware groups from advertising their RaaS programs. However, there are many threat actors conducting attacks and not all are curbing their activities. It remains to be seen whether there will be any reduction in attacks, even in the short term. So far in 2021, attacks have been occurring at record levels, with the healthcare and utility sectors the most targeted. An analysis of attacks by Check Point Research found that since the start of April 2021, ransomware attacks have been occurring at a rate of around 1,000 per week, with a 21% increase in impacted organizations in the first trimester of 2021 and 7% more in April. The number of attacked organizations is up 102% from the corresponding...

Read More
April 2021 Healthcare Data Breach Report
May18

April 2021 Healthcare Data Breach Report

April was another particularly bad month for healthcare data breaches with 62 reported breaches of 500 or – the same number as March 2021. That is more than 2 reported healthcare data breaches every day, and well over the 12-month average of 51 breaches per month. High numbers of healthcare records continue to be exposed each month. Across the 62 breaches, 2,583,117 healthcare records were exposed or compromised; however, it is below the 12-month average of 2,867,243 breached records per month. 34.4 million healthcare records have now been breached in the past 12 months, 11.2 million of which were breached in 2021. Largest Healthcare Data Breaches Reported in April 2021 There were 19 reported data breaches in April that involved more than 10,000 records, including 7 that involved more than 100,000 records with all but one of the top 10 data breaches due to hacking incidents. Ransomware attacks continue to occur at high levels, with many of the reported attacks affecting business associates of HPAA-covered entities. These incidents, which include attacks on Netgain Technologies,...

Read More
Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall
May14

Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall

2020 was certainly not a typical year. The pandemic placed huge pressures on IT security teams and businesses were forced to rapidly accelerate their digital transformation plans and massively expand their remote working capabilities. Cyber actors seized the opportunities created by the pandemic and exploited vulnerabilities in security defenses to gain access to business networks and sensitive data. In 2020, phishing and ransomware attacks increased, as did web application attacks, according to the recently published Verizon 2021 Data Breach Investigations Report. The report provides insights into the tactics, techniques and procedures used by nation state actors and cybercriminal groups and how these changed during the pandemic. To compile the Verizon 2021 Data Breach Investigations Report, the researchers analyzed 79,635 incidents, of which 29,207 met the required quality standards and included 5,258 confirmed data breaches in 88 countries – one third more data breaches than the previous year’s DBIR. 2020 saw an 11% increase in phishing attacks, with cases of misrepresentation...

Read More
Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes
May13

Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes

Several healthcare groups have expressed concern about the HIPAA Privacy Rule changes proposed by the Department of Health and Human Services (HHS) in December 2020 and published in the Federal Register in January. The HHS has received comments from more than 1,400 individuals and organizations and will now review all feedback before issuing a final rule or releasing a new proposed rule. There have been calls for changes to the HIPAA Privacy Rule to be made to align it more closely with other regulations, such as the 21st Century Cures Act, the 42 CFR Part 2 regulations covering federally assisted substance use disorder (SUD) treatment programs, and for there to be greater alignment with state health data privacy laws. Some of the proposed HIPAA Privacy Rule changes are intended to remove barriers to data sharing for care coordination, but the changes may still conflict with state laws, especially in relation to SUD treatment. There is concern that poor alignment with other regulations could be a major cause of confusion and could create new privacy and security risks. Another area...

Read More
Network Intrusions and Ransomware Attacks Overtake Phishing as Main Breach Cause
May06

Network Intrusions and Ransomware Attacks Overtake Phishing as Main Breach Cause

Network intrusion incidents have overtaken phishing as the leading cause of healthcare data security incidents, which has been the main cause of data breaches for the past 5 years. In 2020, 58% of the security incidents dealt with by BakerHostetler’s Digitial Assets and Data Management (DADM) Practice Group were network intrusions, most commonly involving the use of ransomware. This is the 7th consecutive year that the BakerHostetler 2021 Data Security Incident Response (DSIR) Report has been published. The report provides insights into the current threat landscape and offers risk mitigation and compromise response intelligence to help organizations better defend against attacks and improve their incident response. The report is based on the findings of more than 1,250 data security incidents managed by the company in 2020, which included a wide variety of attacks on healthcare organizations and their vendors. Ransomware attacks are now the attack method of choice for many cybercriminal organizations and have proven to be very profitable. By exfiltrating data prior to encryption,...

Read More
March 2021 Healthcare Data Breach Report
Apr19

March 2021 Healthcare Data Breach Report

There was a 38.8% increase in reported healthcare data breaches in March. 62 breaches of 500 or more records reported to the HHS’ Office for Civil Rights, with hacking incidents dominating the breach reports. The high number of reported breaches is largely due to an increase in data breaches at business associates. The number of breached records also increased sharply with 2,913,084 healthcare records exposed or impermissibly disclosed across those 62 incidents; an increase of 135.89% from February. Largest Healthcare Data Breaches Reported in March 2021 The table below shows the 25 largest healthcare data breaches to be reported in March, all of which were hacking/IT incidents. 76% involved compromised network servers with the remaining 24% involving breaches of email accounts. 60% of these breaches involved business associates. Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information Health Net Community Solutions Health Plan 686,556 Hacking/IT Incident Network Server Health Net of California Health Plan 523,709 Hacking/IT...

Read More
Survey Reveals Sharing EHR Passwords is Commonplace
Apr06

Survey Reveals Sharing EHR Passwords is Commonplace

While data on the practice of password sharing in healthcare is limited, one survey suggests the practice of sharing EHR passwords is commonplace, especially with interns, medical students, and nurses. The research was conducted by Ayal Hassidim, MD of the Hadassah-Hebrew University Medical Center, Jerusalem, and also involved researchers from Duke University, Harvard Medical School, Ben Gurion University of the Negev, and Hadassah-Hebrew University Medical Center. The study was conducted on 299 medical students, nurses, medical residents, and interns and the results of the survey were recently published in Healthcare Informatics Research. The information stored in EHRs is sensitive and must be protected. Regulations such as HIPAA control access to that information. All individuals that require access to the information in EHR systems must be issued with a unique user ID and password or alternate – but equally effective – authentication method. Any attempts to access protected health information must be logged to allow healthcare organizations to monitor for...

Read More
HIPAA Compliance for Pharmacies
Apr06

HIPAA Compliance for Pharmacies

HIPAA is a federal law that establishes the acceptable uses and disclosures of protected health information (PHI), sets standards for the secure storage and transmission of PHI, and gives patients the right to obtain copies of their PHI. HIPAA compliance for pharmacies is not an option. The penalties for failing to comply with HIPAA can be severe. Key Elements of HIPAA Compliance for Pharmacies The combined text of HIPAA Rules published by the Department of Health and Human Services’ Office for Civil Rights is 115 pages, so covering all elements of HIPAA compliance for pharmacies is beyond the scope of this post; however, some of the key elements of HIPAA compliance for pharmacies have been outlined below. Conduct risk analyses – A comprehensive, organization wide risk analysis must be conducted to identify all risks to the confidentiality, integrity, and availability of ePHI. Any risks identified must be subjected to a HIPAA-compliant risk management process. A risk analysis is not a onetime checkbox item. Risk analyses must be conducted regularly, such as when there is a change...

Read More
What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?
Apr02

What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996 and led to the development of the HIPAA Privacy Rule in 2003 and the HIPAA Security Rule in 2005, but how did the Health Information Technology for Economic and Clinical Health (HITECH) Act change HIPAA and what is the relationship between HITECH, HIPAA, and electronic health and medical records? What is the Relationship Between HITECH and HIPAA and Medical Records? Title I of HIPAA is concerned with the portability of health insurance and protecting the rights of workers between jobs to ensure health insurance coverage is maintained, which have nothing to do with the HITECH Act. However, there is a strong relationship between HITECH and HIPAA Title II. Title II of HIPAA includes the administrative provisions, patient privacy protections, and security controls for health and medical records and other forms of protected health information (PHI). One of the main aims of the HITECH Act was to encourage the adoption of electronic health and medical records by creating financial incentives...

Read More
Iranian APT Group Linked to Spear Phishing Campaign Targeting Senior Staffers at Medical Research Firms
Apr01

Iranian APT Group Linked to Spear Phishing Campaign Targeting Senior Staffers at Medical Research Firms

Security firm Proofpoint reports that the Advanced Persistent Threat (APT) group Charming Kitten was behind a spear phishing campaign in late 2020 targeting senior professionals at medical research organizations in the United States and Israel. Charming Kitting, aka Phosphorus, Ajax, and TA453, is an APT group with links to the Islamic Revolutionary Guard Corps (IRCG) in Iran. Charming Kitting has been active since at least 2014 and is primarily involved in espionage campaigns involving spear phishing attacks and custom malware. The attacks previously linked to the APT group have been on dissidents, academics, and journalists, so the latest spear phishing campaign targeting medical research organizations is a departure from the group’s usual targets. The phishing campaign, dubbed BadBlood, attempted to steal Microsoft Office credentials and coincided with growing tensions between Iran, the United States, and Israel. It is unclear at this stage whether the targeting of very senior professionals in medical research firms is part of a wider campaign or was simply an outlier event. The...

Read More
February 2021 Healthcare Data Breach Report
Mar19

February 2021 Healthcare Data Breach Report

There was a 40.63% increase in reported data breaches of 500 or more healthcare records in February 2021. 45 data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights by healthcare providers, health plans and their business associates in February, the majority of which were hacking incidents. After two consecutive months where more than 4 million records were breached each month there was a 72.35% fall in the number of breached records. 1,234,943 records were exposed, impermissibly disclosed, or stolen across the 45 breaches. Largest Healthcare Data Breaches Reported in February 2021 Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Breach The Kroger Co. OH Healthcare Provider 368,100 Hacking/IT Incident Ransomware BW Homecare Holdings, LLC (Elara Caring single affiliated covered entity) TX Healthcare Provider 100,487 Hacking/IT Incident Phishing RF EYE PC dba Cochise Eye and Laser AZ Healthcare Provider 100,000 Hacking/IT Incident Ransomware Gore Medical Management, LLC GA Healthcare Provider...

Read More
2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches
Mar16

2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches

2021 was a challenging year for healthcare organizations. Not only was the industry on the frontline in the fight against COVID-19, hackers who took advantage of overrun hospitals to steal data and conduct ransomware attacks. The 2021 Breach Barometer Report from Protenus shows the extent to which the healthcare industry suffered from cyberattacks and other breaches in 2020. The report is based on 758 healthcare data breaches that were reported to the HHS’ Office for Civil Rights or announced via the media and other sources in 2020, with the data for the report provided by databreaches.net. The number of data breaches has continued to rise every year since 2016 when Protenus started publishing its annual healthcare breach report. 2020 saw the largest annual increase in breaches with 30% more breaches occurring than 2019. Data was obtained on 609 of those incidents, across which 40,735,428 patient and health plan members were affected. 2020 was the second consecutive year that saw more than 40 million healthcare records exposed or compromised. Healthcare Hacking Incidents Increased...

Read More
When Did HIPAA Take Effect?
Mar16

When Did HIPAA Take Effect?

The Health Insurance Portability and Accountability Act was a landmark piece of legislation that was originally intended to simplify the administration of healthcare, eliminate wastage and prevent healthcare fraud, and to ensure insurance coverage was not lost when employees were between jobs. When Did HIPAA Take Effect? HIPAA was signed into law by President Clinton on August 21, 1996, although HIPAA has been updated several times over the past 20 years and many new provisions have been incorporated to improve privacy protections and security to ensure health information remains confidential. The main updates to HIPAA are summarized below. The HIPAA Privacy Rule The HIPAA Privacy Rule was a major update to HIPAA and introduced many of the aspects for which HIPAA is known today. The HIPAA Privacy Rule defined ‘Protected Health Information (PHI), patients were given the right to obtain copies of their protected health information from HIPAA covered entities, and strict rules were introduced on the allowable uses and disclosures of PHI. When did the Privacy Rule of HIPAA Take...

Read More
Hackers Access Live Feeds and Archived Footage from 150,000 Verkada Security Cameras
Mar12

Hackers Access Live Feeds and Archived Footage from 150,000 Verkada Security Cameras

A hacking collective has gained access to the systems of the Californian security camera startup Verkada Inc. and viewed live feeds and archived footage from cloud-connected surveillance cameras used by large corporations, schools, police departments, jails, and hospitals. As initially reported by Bloomberg, Verkada’s systems were accessed by a white hat hacking collective named Advanced Persistent Threat 69420 using credentials they found on the Internet. Those credentials gave the group super admin level privileges, which provided root access to the security cameras and, in some cases, the internal networks of the company’s clients. The hackers also said they were able to obtain the full list of Verkada clients and view the company’s private financial information. Verkada’s systems were not accessed with a view to conducting any malicious actions, instead the aim was to raise awareness of the ease at which the systems could be hacked. Malicious threat actors could also have easily gained access to the Verkada’s systems for a range of malicious purposes. Till Kottmann, one of the...

Read More
Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation
Mar12

Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation

A coalition of 41 state Attorneys General has agreed to settle an investigation into Retrieval-Masters Creditors Bureau dba American Medical Collection Agency (AMCA) over a 2019 data breach that resulted in the exposure/theft of the protected health information of at least 21 million Americans. Retrieval-Masters Creditors Bureau is a debt collection agency, with its AMCA arm providing small debt collection services to healthcare clients such as laboratories and medical testing facilities. From August 1, 2018 until March 30, 2019, an unauthorized individual had access to AMCA’s systems and exfiltrated sensitive data such as names, personal information, Social Security numbers, payment card information and, for some individuals, medical test information and diagnostic codes. The AMCA data breach was the largest healthcare data breach reported in 2019. AMCA notified states about the breach starting June 3, 2019, and individuals affected by the breach were offered two years of complimentary credit monitoring services. The high cost of remediation of the breach saw AMCA file for...

Read More
Comment Period on Proposed HIPAA Privacy Rule Changes Extended by 45 Days
Mar10

Comment Period on Proposed HIPAA Privacy Rule Changes Extended by 45 Days

Changes to the HIPAA Rules are infrequent, so when updates are proposed they tend to include a slew of new requirements and updates to existing provisions. Before any updates are made, a request for information (RFI) is issued to allow the HHS to obtain feedback on aspects of the HIPAA Rules that are causing problems, and areas where improvements could be made. Following the RFI, a notice of proposed rulemaking is issued by the HHS followed by a comment period. The comment period is the last chance for industry stakeholder, including patients and their families, to voice their opinions about the proposed changes before they are signed into law. After issuing an RFI, the HHS’ Office for Civil Rights published a Notice of Proposed Rulemaking on December 10, 2020, along with the standard 60-day comment period from the date of publication in the Federal Register (January 21, 2021). The comment period was due to expire on March 22, 2021. Since the proposed changes include updates to the HIPAA Privacy Rule that will impact virtually everyone in the healthcare industry, the HHS has taken...

Read More
FTC Urged to Enforce Breach Notification Rule When Fertility Tracking Apps Share User Data Without Consent
Mar09

FTC Urged to Enforce Breach Notification Rule When Fertility Tracking Apps Share User Data Without Consent

On March 4, 2021, Senator Robert Menendez (D-New Jersey), and Reps. Bonnie Watson Coleman (D-New Jersey) and Mikie Sherrill (D-New Jersey) wrote a letter urging the Federal Trade Commission (FTC) to start enforcing the Health Breach Notification Rule. The Federal Trade Commission (FTC) has a mandate to protect Americans from bad actors that betray consumer trust and misuse consumers’ healthcare data and has the authority to take enforcement action but is not enforcing compliance with the Health Breach Notification Rule. The Health Breach Notification Rule was introduced as part of the American Recovery and Reinvestment Act of 2009 and requires vendors of personal health records, PHR related entities, and third-party service providers to inform consumers about unauthorized disclosures of personal health information. The Health Breach Notification Rule applies to entities not covered by the Health Insurance Portability and Accountability Act (HIPAA), and has similar provisions to the HIPAA Breach Notification Rule. While the HHS’ Office for Civil Rights has enforced compliance with...

Read More
Why is HIPAA Important to Patients?
Mar08

Why is HIPAA Important to Patients?

Most Americans have heard of HIPAA and know that the legislation applies to healthcare organizations, but many do not understand why HIPAA is important to patients. The Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act of 1996 – or HIPAA – is a federal law that applies to healthcare providers, health plans, and healthcare clearinghouses that conduct transactions electronically. HIPAA also applies to vendors – business associates – that perform functions on behalf of HIPAA-covered entities that requires them to have access to protected health information (PHI) or be provided with copies of PHI. (See What is Protected Health Information). HIPAA was signed into law by Bill Clinton in 1996, although the legislation has had some significant updates over the years, notably the HIPAA Privacy Rule in 2000, the Security Rule in 2003, and the Breach Notification Rule in 2009. (See our HIPAA History page for more information) Initially HIPAA was intended to improve the health insurance system and simplify the administration of...

Read More
Is a HIPAA Violation Grounds for Termination?
Mar07

Is a HIPAA Violation Grounds for Termination?

Is a HIPAA violation grounds for termination? What actions are healthcare organizations likely to take if they discover an employee has violated HIPAA Rules? Since the introduction of the HIPAA Enforcement Rule, the HHS’ Office for Civil Rights has been able to pursue financial penalties for HIPAA violations. Organizations discovered to have violated HIPAA Rules or failed to have implemented policies and procedures in line with HIPAA Rules can face severe financial penalties. But what about individual employees who accidentally or deliberately violate HIPAA and patient privacy? Do Most Healthcare Organizations Consider a HIPAA Violation Grounds for Termination? Not all HIPAA violations are equal, although any violation of HIPAA Rules is a serious matter that warrants investigation and action by healthcare organizations. When a HIPAA violation is reported – by an employee, colleague or patient – healthcare organizations will investigate the incident and will attempt to determine whether HIPAA laws were violated, and if so, how the violation occurred, the implications for...

Read More
What Happens if a Nurse Violates HIPAA?
Mar03

What Happens if a Nurse Violates HIPAA?

What happens if a nurse violates HIPAA Rules? How are HIPAA violations dealt with and what are the penalties for individuals that accidentally or deliberately violate HIPAA and access, disclose, or share protected health information (PHI) without authorization?   The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules must be followed by all covered entities and their business associates. The failure to comply with HIPAA Rules can result in significant penalties for HIPAA covered entities. Business associates of covered entities can also be fined directly for HIPAA violations, but what about individual healthcare workers such as nurses? What happens if a nurse violates HIPAA Rules? What are the Penalties if a Nurse Violates HIPAA? Accidental HIPAA violations by nurses happen, even when care is taken to follow HIPAA Rules. While all HIPAA violations can potentially result in disciplinary action, most employers would accept that accidental violations are bound to occur from time to time. In many cases, minor violations of HIPAA...

Read More
CISA Warns of Active Exploitation of Accellion File Transfer Appliance Vulnerabilities
Feb25

CISA Warns of Active Exploitation of Accellion File Transfer Appliance Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity authorities Australia, New Zealand, Singapore, and the United Kingdom have issued an alert for users of the Accellion File Transfer Appliance (FTA) about 4 vulnerabilities which are being actively exploited by a threat actor to gain access to sensitive data. The Accellion FTA is a legacy file transfer appliance used to share large files. Accellion identified a zero-day vulnerability in the product in mid-December and released a patch to address the flaw, although further vulnerabilities have since been identified. The vulnerabilities are tracked as: CVE-2021-27101 – SQL injection vulnerability via a crafted HOST header CVE-2021-27102 – Operating system command execution vulnerability via a local web service CVE-2021-27103 – Server-side request forgery via a crafted POST request CVE-2021-27104 – Operating system command execution vulnerability via a crafted POST request The SQL injection flaw (CVE-2021-27011) allows unauthorized individual to run remote commands on targeted devices. An exploit for the...

Read More
January 2021 Healthcare Data Breach Report
Feb19

January 2021 Healthcare Data Breach Report

January saw a 48% month-over-month reduction in the number of healthcare data breaches of 500 or more records, falling from 62 incidents in December to just 32 in January. While this is well below the average number of data breaches reported each month over the past 12 months (38), it is still more than 1 data breach per day. There would have been a significant decline in the number of breached records were it not for a major data breach discovered by Florida Healthy Kids Corporation that affected 3.5 million individuals. With that breach included, 4,467,098 records were reported as breached in January, which exceeded December’s total by more than 225,000 records. Largest Healthcare Data Breaches Reported in January 2021 The breach reported by Florida Healthy Kids Corporation was one of the largest healthcare data breaches of all time. The breach was reported by the health plan, but actually occurred at one of its business associates. The health plan used an IT company for hosting its website and an application for applications for insurance coverage. The company failed to apply...

Read More
100% of Tested mHealth Apps Vulnerable to API Attacks
Feb16

100% of Tested mHealth Apps Vulnerable to API Attacks

The personally identifiable health information of millions of individuals is being exposed through the Application Programming Interfaces (APIs) used by mobile health (mHealth) applications, according to a recent study published by cybersecurity firm Approov. Ethical hacker and researcher Allissa Knight conducted the study to determine how secure popular mHealth apps are and whether it is possible to gain access to users’ sensitive health data. One of the provisos of the study was she would not be permitted to name any of the apps if vulnerabilities were identified. She assessed 30 of the leading mHealth apps and discovered all were vulnerable to API attacks which could allow unauthorized individuals to gain access to full patient records, including personally identifiable information (PII) and protected health information (PHI), indicating security issues are systemic. mHealth apps have proven to be invaluable during the COVID-19 pandemic and are now increasingly relied on by hospitals and healthcare providers. According to Pew Research, mHealth apps are now generating more user...

Read More
Hospital Researchers Jailed for Stealing and Selling Research Data to China
Feb04

Hospital Researchers Jailed for Stealing and Selling Research Data to China

A woman who worked in a medical research lab at the Nationwide Children’s Hospital in Columbus, OH has been jailed for stealing sensitive research data and selling the information to the People’s Republic of China. Li Chen, 47, and her husband Yu Zhou, 50, were both employed as medical researchers and worked in separate labs at the hospital’s Research Institute for more than 10 years. The former Dublin, OH residents were arrested in California in July 2019 and were subsequently charged over the alleged theft of cutting-edge scientific research. Zhou was working on a novel technique that allowed exosomes to be isolated from small quantities of blood. Exosomes are used in the research, identification, and treatment of several medical conditions, such as necrotizing enterocolitis. The novel exosome isolation method was a vital process in the research into necrotizing enterocolitis, as the condition affects premature babies and only small blood samples can be taken safely. The couple set up a company in China, stole at least five trade secrets related to exosome isolation, and...

Read More
Public Health Emergency Privacy Act Introduced to Ensure Privacy and Security of COVID-19 Data
Feb03

Public Health Emergency Privacy Act Introduced to Ensure Privacy and Security of COVID-19 Data

On January 28, 2021, Democratic senators introduced the Public Health Emergency Privacy Act to protect the privacy of Americans and ensure data security measures are applied to safeguard COVID-19 related health data collected for public health purposes. The Public Health Emergency Privacy Act was introduced by Sens. Mark Warner, D-Va., Richard Blumenthal, D-Conn. and U.S. representatives Anna Eshoo, D-CA., Jan Schakowsky, D-IL., and Suzan DelBene, D-WA and requires strong and enforceable privacy and data security rights for health information to be set. “Technologies like contact tracing, home testing, and online appointment booking are absolutely essential to stop the spread of this disease, but Americans are rightly skeptical that their sensitive health data will be kept safe and secure,” said Sen. Blumenthal. “Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19.” The Public Health Emergency Privacy Act will ensure strict privacy protections are implemented to ensure any health data collected...

Read More
Fertility App Provider Sued for Sharing User Data with Chinese Firms Without Consent
Feb03

Fertility App Provider Sued for Sharing User Data with Chinese Firms Without Consent

A lawsuit has been filed against Burr Ridge, IL-based Easy Healthcare Corp. over the alleged sharing of sensitive user data with third-party firms based in China without user consent. Easy Healthcare Corp is the developer of Premom, a popular smartphone fertility app for tracking users’ ovulation cycles to identify their most fertile days. The lawsuit alleges a range of sensitive user data has been shared with at least three Chinese companies without obtaining users’ consent. Since the data is stored on servers in China, the lawsuit alleges sensitive information could potentially be accessed or seized by the Chinese government. The data transmitted to the Chinese companies includes sensitive healthcare information, geolocation data, user and advertiser IDs, device activity data, and device hardware identifiers. Since the identifiers do not change, combining them with information where it was observed would allow data collectors to reconstruct app users’ activities. Identifiers shared with the Chinese firms include Wi-Fi media access controls or MAC addresses, which are unique...

Read More
OIG: Two VA Employees Concealed Privacy and Security Risks of a Big Data Project
Feb02

OIG: Two VA Employees Concealed Privacy and Security Risks of a Big Data Project

Two members of the Department of Veteran Affairs’ (VA) information technology staff are alleged to have made false representations about the privacy and security risks of a big data AI project between the VA and a private company that would have seen the private and confidential health data of tens of millions of veterans fed into the AI system. An administrative investigation was conducted by the VA Office of Inspector General (OIG) into a potential conflict of interest related to a cooperative research and development agreement (CRADA) between the VA and a private company in 2016. The purpose of the collaboration was to improve the health and wellness of veterans using AI and deep learning technology developed by Flow Health. The project aimed to identify common elements that make people susceptible to disease, identify potential treatments and possible side effects to inform care decisions and to improve the accuracy of diagnoses. The CRADA would have resulted in the private and confidential health data, including genomic data, of all veterans who had received medical treatment...

Read More
Philadelphia Department of Public Health Terminates Vaccine Distribution Contract Over Alleged Privacy Violations
Jan29

Philadelphia Department of Public Health Terminates Vaccine Distribution Contract Over Alleged Privacy Violations

Philly Fighting COVID, a company tasked with distributing COVID-19 vaccinations to the city of Philadelphia, has had its contract with the Philadelphia Department of Public Health terminated after allegations were made that the company’s privacy policies may have allowed the sale of individuals’ data to third parties. Philly Fighting COVID started out as a nonprofit that was initially focused on coronavirus testing before pivoting to administering COVID-19 vaccinations. The startup won the contract to run Philadelphia’s first community vaccine clinic, which was launched by the Department for Public Health on January 8, 2021. Philly Fighting COVID created a website where Philadelphians were encouraged to pre-register for the vaccines and were required to provide information such as names, contact information, date of birth, zip code, and other data, with the data intended to be provided to the Health Department and used to improve vaccination efforts, such as identifying the best locations to open further vaccine clinics. More than 60,000 individuals used the website and...

Read More
Rady Children’s Hospital Facing Class Action Lawsuit over Blackbaud Ransomware Attack
Jan26

Rady Children’s Hospital Facing Class Action Lawsuit over Blackbaud Ransomware Attack

In May 2020, the cloud software company Blackbaud suffered a ransomware attack. As is common in human operated ransomware attacks, data was exfiltrated prior to file encryption. Some of the stolen data included the fundraising databases of its healthcare clients. One of the affected healthcare providers was Rady Children’s Hospital-San Diego, the largest children’s hospital in California in terms of admissions. A class action lawsuit has been proposed that alleges Rady was negligent for failing to protect the sensitive information of 19,788 individuals which was obtained by the hackers through Blackbaud’s donor management software solution. The lawsuit alleges Rady failed to implement adequate security measures and failed to ensure Blackbaud had adequate security measures in place to protect ePHI and ensure it remained private and confidential. The lawsuit alleges individuals affected by the breach now face “imminent, immediate, substantial and continuing increased risk” of identity theft and fraud as a result of the breach and Rady’s negligence. Blackbaud discovered the ransomware...

Read More
2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020
Jan19

2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020

More large healthcare data breaches were reported in 2020 than in any other year since the HITECH Act called for the U.S. Department of Health and Human Services’ Office for Civil Rights to start publishing healthcare data breach figures on its website. In 2020, healthcare data breaches of 500 or more records were reported at a rate of more than 1.76 per day. 2020 saw 642 large data breaches reported by healthcare providers, health plans, healthcare clearing houses and business associates of those entities – 25% more than 2019, which was also a record-breaking year. More than twice the number of data breaches are now being reported than 6 years ago and three times the number of data breaches that occurred in 2010. Key Takeaways 25% year-over-year increase in healthcare data breaches. Healthcare data breaches have doubled since 2014. 642 healthcare data breaches of 500 or more records were reported in 2020. 1.76 data breaches of 500 or more healthcare records were reported each day in 2020. 2020 saw more than 29 million healthcare records breached. One breach involved more than 10...

Read More
December 2020 Healthcare Data Breach Report
Jan18

December 2020 Healthcare Data Breach Report

2020 ended with healthcare data breaches being reported at a rate of 2 per day, which is twice the rate of breaches in January 2020. Healthcare data breaches increased 31.9% month over month and were also 31.9% more than the 2020 monthly average. There may still be a handful more breaches to be added to the OCR breach portal for 2020 but, as it stands, 642 healthcare data breaches of 500 or more records have been reported to OCR in 2020. That is more than any other year since the HITECH Act required OCR to start publishing data breach summaries on its website.   December was the second worst month of 2020 in terms of the number of breached records. 4,241,603 healthcare records were exposed, compromised, or impermissibly disclosed across the month’s 62 reported data breaches. That represents a 272.35% increase in breached records from November and 92.25% more than the monthly average in 2020. For comparison purposes, there were 41 reported breaches in December 2019 and 397,862 healthcare records were breached. Largest Healthcare Data Breaches Reported in December 2020 Name of...

Read More
Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty
Jan18

Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty

The Department of Health and Human Services’ Office for Civil Rights has announced the health insurer Excellus Health Plan has agreed to pay a $5.1 million penalty to settle a HIPAA violation case stemming from a 2015 data breach that affected 9.3 million individuals. The breach in question was discovered by Excellus Health Plan in 2015, the same year that massive data breaches were discovered by the health insurers Anthem Inc. (78.8 million records) and Premera Blue Cross (10.6 million records). All three entities have now settled breach investigations with OCR and have paid substantial financial penalties. Excellus Health Plan, doing business as Excellus BlueCross BlueShield and Univera Healthcare, serves individuals in upstate and western New York. In August 2015, the health insurer discovered hackers had gained access to its computer systems. The breach investigation revealed access to its systems was first gained around December 23, 2013 and continued until May 11, 2015. The breach was reported to OCR on September 9, 2015. The hackers installed malware on its systems,...

Read More
Clarifying the HIPAA Retention Requirements
Jan15

Clarifying the HIPAA Retention Requirements

The subtle distinction between HIPAA medical records retention and HIPAA record retention can cause confusion when discussing HIPAA retention requirements. This article aims to clarify what records need to be retained under HIPAA, and what other retention requirements Covered Entities should consider. The HIPAA retention requirements are actually quite straightforward. What can cause confusion for some Covered Entities and Business Associates is the stipulation within the Privacy Rule that appropriate administrative, technical and physical safeguards must implemented to “protect the privacy of Protected Health Information for whatever period such information is maintained”. There is No HIPAA Medical Records Retention Period The reason the Privacy Rule does not stipulate how long medical records should be retained is because there is no HIPAA medical records retention period. Each state has its own laws governing the retention of medical records, and – unlike in other areas of the Healthcare Insurance, Portability and Accountability Act – HIPAA does not pre-empt them....

Read More
Hackers Leak Data Stolen in European Medicines Agency Cyberattack
Jan14

Hackers Leak Data Stolen in European Medicines Agency Cyberattack

In December, the European Medicines Agency (EMA) suffered a cyberattack and hackers gained access to third party documents. Some of the data stolen in the attack has now been leaked online. The EMA is the agency responsible for regulating the assessments and approvals of COVID-19 vaccines, treatments, and research in the EU. The EMA had previously issued an update on investigation into the cyberattack and said only one IT application had been compromised. The EMA said all third parties had been notified about the attack, although those companies were not named. In the updates on the investigation, the EMA said the primary goal of the attackers was to gain access to COVID-19 medicine and vaccine information. While it was clear that documents had been accessed, the EMA has only just confirmed that data was exfiltrated by the attackers. Prior to the cyberattack, BioNTech and Pfizer submitted their vaccine data to the EMA as part of the approval process and the server accessed by the hackers contained documents related to the regulatory submissions by Pfizer and BioNTech. Pfizer and...

Read More
What is Individually Identifiable Health Information?
Jan11

What is Individually Identifiable Health Information?

What is individually identifiable health information and what must HIPAA-covered entities do to the information before it can be shared for reasons not detailed in the permitted uses and disclosures of the HIPAA Privacy Rule? What is Individually Identifiable Health Information? Before answering the question, what is individually identifiable health information, it is necessary to define health information. HIPAA defines health information as any information created or received by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or business associate of a HIPAA-covered entity. Health information includes past, present, and future information about mental and physical health and the condition of an individual, the provision of healthcare to an individual, and information related to payment for healthcare, again in the past, present, or future. Health information also includes demographic information about an individual. Individually identifiable health information is a subset of health information, and as the name suggests, is health information...

Read More
Jail Terms for HIPAA Violations by Employees
Jan10

Jail Terms for HIPAA Violations by Employees

The penalties for HIPAA violations by employees can be severe, especially those involving the theft of protected health information. HIPAA violations by employees can attract a fine of up to $250,000 with a maximum jail term of 10 years and a 2-year jail term for aggravated identity theft. Jail terms for HIPAA violations are relatively rare, but there have been several cases where HIPAA violations by employees have been referred to the Department of Justice and have resulted in financial penalties and jail time. Some cases that have resulted in jail terms for HIPAA violations by employees are listed below, along with cases where jail terms have only narrowly been avoided. Jail Term for Former Transformations Autism Treatment Center Employee In February 2017, a former behavioral analyst at the Transformations Autism Treatment Center (TACT) was discovered to have stolen the protected health information of patients following termination. Jeffrey Luke, 29, of Collierville, TN gained access to a TACT Google Drive account containing the PHI of patients following termination and...

Read More
Largest Healthcare Data Breaches in 2020
Jan01

Largest Healthcare Data Breaches in 2020

2020 was the worst ever year for healthcare industry data breaches. 616 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights. 28,756,445 healthcare records were exposed, compromised, or impermissibly disclosed in those breaches, which makes 2020 the third worst year in terms of the number of breached healthcare records. The chart below clearly shows how healthcare industry data breaches have steadily increased over the past decade and the sharp rise in breaches in the past two years. The Largest Healthcare Data Breaches in 2020 When a breach occurs at a business associate of a HIPAA-covered entity, it is often the covered entity that reports the breach rather than the business associate. In 2020, a massive data breach was experienced by the cloud service provider Blackbaud Inc. Hackers gained access to its systems and stole customer fundraising databases before deploying ransomware. Blackbaud was issued with a ransom demand and a threat that the stolen data would be released publicly if the ransom was not paid. Blackbaud decided to pay the ransom...

Read More
NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS) Ecosystem
Dec22

NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS) Ecosystem

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has released final guidance for healthcare delivery organizations on securing the Picture Archiving and Communication System (PACS) ecosystem. PACS is a medical imaging technology that is used to securely store and digitally transmit medical images such as MRIs, CT scans, and X-rays and associated clinical reports and is ubiquitous in healthcare. These systems eliminate the need to store, send, and receive medical images manually, and assist healthcare delivery organizations by allowing the images to be securely and cheaply stored offsite in the cloud. PACS allows medical images to be easily retrieved using PACS software from any location. PACS is a system that by design cannot operate in isolation. In healthcare delivery organizations, PACS is usually integrated into highly complex environments and interfaces with many interconnected systems. The complexity of those environments means securing the PACS ecosystem can be a major challenge and it is easy for...

Read More
OCR Issues Guidance on Disclosures of PHI to Health Information Exchanges under HIPAA
Dec21

OCR Issues Guidance on Disclosures of PHI to Health Information Exchanges under HIPAA

The Department of Health and Human Services’ Office for Civil Rights has published new guidance on the Health Insurance Portability and Accountability Act (HIPAA) Rules covering disclosures of protected health information (PHI) to health information exchanges (HIEs) for the public health activities of a public health authority (PHA). An HIE is an organization that enables the sharing of electronic PHI (ePHI) between more than two unaffiliated entities such as healthcare providers, health plans, and their business associates. HIEs’ share ePHI for treatment, payment, or healthcare operations, for public health reporting to PHAs, and for providing other functions and services such as patient record location and data aggregation and analysis. HIPAA supports the use of HIEs and the sharing of health data to improve public health, which has been especially important during the COVID-19 public health emergency. The HIPAA Privacy Rule permits HIPAA-covered entities and their business associates to disclose protected health information to an HIE for reporting to a PHA that is engaged in...

Read More
OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules
Dec18

OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules

The Department of Health and Human Services’ Office for Civil Rights has published its 2016-2017 HIPAA Audits Industry Report, highlighting areas where HIPAA-covered entities and their business associates are complying or failing to comply with the requirements of the Health Insurance Portability and Accountability Act. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the HHS to conduct periodic audits of HIPAA covered entities and business associates to assess compliance with the HIPAA Rules. Between 2016 and 2017, the HHS conducted its second phase of compliance audits on 166 covered entities and 41 business associates to assess compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules. The 2016/2017 HIPAA compliance audits were conducted on a geographically representative, broad cross-section of covered entities and business associates and consisted of desk audits – remote reviews of HIPAA documentation – rather than on-site audits. All entities have since been notified of the findings of their...

Read More
Serious Vulnerabilities Identified in Medtronic MyCareLink Smart Patient Readers
Dec14

Serious Vulnerabilities Identified in Medtronic MyCareLink Smart Patient Readers

Three serious vulnerabilities have been identified in Medtronic MyCareLink (MCL) Smart Patient Readers, which could potentially be exploited to gain access to and modify patient data from the paired implanted cardiac device. Exploitation of the vulnerabilities together could permit remote code execution on the MCL Smart Patient Reader, allowing an attacker to take control of a paired cardiac device. In order to exploit the vulnerabilities, an attacker would need to be within Bluetooth signal proximity to the vulnerable product. The flaws are present in all versions of the MCL Smart Model 25000 Patient Reader. The first vulnerability, tracked as CVE-2020-25183, is an authentication protocol vulnerability. The method used to authenticate the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app can be bypassed. An attacker using another mobile device or malicious app on the patient’s smartphone could authenticate to the patient’s MCL Smart Patient Reader, tricking it into believing it is communicating with the patient’s smartphone app. The vulnerability has been...

Read More
HIPAA Privacy Rule Changes Proposed to Improve Care Coordination and Patient Rights
Dec10

HIPAA Privacy Rule Changes Proposed to Improve Care Coordination and Patient Rights

The Department of Health and Human Services has issued a notice of proposed rulemaking detailing multiple HIPAA Privacy Rule changes that are intended to remove regulatory burdens, improve care coordination, and give patients better access to their protected health information (PHI). OCR issued a request for public input on potential HIPAA Privacy Rule changes in December 2018 under the HHS’ Regulatory Sprint to Coordinated Care. The regulatory sprint was intended to accelerate transformation of the healthcare system and remove some of the barriers that have hampered the coordination of care, were making it difficult for healthcare providers to share patient information and placed an unnecessary burden on patients and their families who were trying to get their health information exchanged. In response to the request for information, the HHS received around 1,300 comments spanning 4,000 pages. The HHS has had to strike a balance between providing more flexibility to allow health information to be shared easily and ensuring the privacy and security of healthcare data. “Our proposed...

Read More
Xavier Becerra Named Secretary of the Department of Health and Human Services
Dec07

Xavier Becerra Named Secretary of the Department of Health and Human Services

President-elect Joe Biden has named California Attorney General Xavier Becerra as Secretary of the Department of Health and Human Services. While the decision has been made according to The New York Times, the appointment has yet to be announced by his transition team. Biden is committed to building the most diverse administration in history and while progress has been made so far, Biden has faced criticism over the number of Latinos appointed to date. If the appointment of Becerra is confirmed by the senate, he will become the first ever Latino Secretary of the Department of Health and Human Services. The news of his selection has drawn praise from the Congressional Hispanic Caucus. Becerra has a long record of supporting the Affordable Care Act and helped steer the legislation through Congress in 2009 and 2010. The former Los Angeles area congressman also led the coalition of Democratic states that defended the Affordable Care Act and resisted attempts by the Trump Administration to overturn it. Becerra will be responsible for expanding the Affordable Care Act and is likely to...

Read More
AMA Issues Guidance to Help Healthcare Organizations Mitigate COVID-19 Cyber Risks
Dec04

AMA Issues Guidance to Help Healthcare Organizations Mitigate COVID-19 Cyber Risks

The American Medical Association has warned hospitals, health systems, and medical practices about the increase in cyber risks targeting the healthcare sector and has provided recommendations on the steps that can be taken to ensure threats are mitigated and network security is improved. Laura Hoffman, AMA assistant director of federal affairs, explained the current threats in a recent AMA COVID-19 Update and announced a new resource has been developed by the AMA and American Hospital Association (AHA) on technology considerations for healthcare organizations for the remainder of 2020 to improve network security and bolster patient privacy efforts. The COVID-19 pandemic has created many new challenges for healthcare organizations which are having to treat increased numbers of patients while working in ways that may be unfamiliar. The pandemic has seen a major expansion of telehealth services, with many patients now receiving care virtually using new technology platforms. These new technologies and platforms have introduced vulnerabilities and broadened the attack surface and...

Read More
Vendor Access and HIPAA Compliance: Are you Secured?
Nov17

Vendor Access and HIPAA Compliance: Are you Secured?

It can be hard to remember a time before the Health Insurance Portability and Accountability Act, known as HIPAA, was enacted in 1996. These were the days that paper files were still stored in cabinets and sensitive information was generally delivered by hand, or if you were really sophisticated, it was sent via a fax machine. Fast forward almost 25 years later and unsurprisingly, the world in the healthcare industry looks completely different, except some do still use fax machines. Nothing surprising here, but everything is now stored on computers and transmitted over the internet, which has led to obvious increases in terms of efficiency, but, with this comes risk. We’ve seen an increase in serious data breaches tied to healthcare entities that are exposing highly sensitive personal health information. And not just any type of data breach, these are the ones that are tied to third-party and vendor access, which are known to be more costly in terms of fines and reputational damage. A hacker can quickly access hundreds of patient files and cause widespread damage, including a...

Read More
September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised
Oct22

September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised

September has been a bad month for data breaches. 95 data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in September – A 156.75% increase compared to August 2020. Not only did September see a massive increase in reported data breaches, the number of records exposed also increased significantly. 9,710,520 healthcare records were exposed in those breaches – 348.07% more than August – with 18 entities suffering breaches of more than 100,000 records. The mean breach size was 102,216 records and the median breach size was 16,038 records. Causes of September 2020 Healthcare Data Breaches The massive increase in reported data breaches is due to the ransomware attack on the cloud software company Blackbaud. In May 2020, Blackbaud suffered a ransomware attack in which hackers gained access to servers housing some of its customers’ fundraising databases. Those customers included many higher education and third sector organizations, and a significant number of healthcare providers. Blackbaud was able to contain the breach; however, prior...

Read More
Exposed Broadvoice Databases Contained 350 Million Records, Including Health Data
Oct19

Exposed Broadvoice Databases Contained 350 Million Records, Including Health Data

Comparitech security researcher Bob Diachenko has discovered an exposed cluster of databases belonging to the Voice over IP (VoIP) telecommunications vendor Broadvoice that contained the records of more than 350 million customers. The exposed Elasticsearch cluster was discovered on October 1, 2020, the day the database cluster was indexed by the Shodan.io search engine. The Elasticsearch cluster was found to contain 10 collections of data, the largest of which consisted of 275 million records and included information such as caller names, phone numbers, and caller locations, along with other sensitive data. One database in the cluster was found to contain transcribed voicemail messages which included a range of sensitive data such as information about financial loans and medical prescriptions. More than 2 million voicemail records were included in that subset of data, 200,000 of which had been transcribed. The voicemails included caller names, phone numbers, voicemail box identifiers, internal identifiers, and the transcripts included personal information such as full names, phone...

Read More
Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation
Oct09

Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation

Franklin, TN-based Community Health Systems and its subsidiary CHSPCS LLC have settled a multi-state action with 28 state attorneys general for $5 million. A joint investigation, led by Tennessee Attorney General Herbert H. Slatery III, was launched following a breach of the protected health information (PHI) of 6.1 million individuals in 2014. At the time of the breach, Community Health Systems owned, leased, or operated 206 affiliated hospitals. According to a 2014 8-K filing with the U.S. Securities and Exchange Commission, the health system was hacked by a Chinese advanced persistent threat group which installed malware on its systems that was used to steal data. PHI stolen by the hackers included names, phone numbers, addresses, dates of birth, sex, ethnicity, Social Security numbers, and emergency contact information. The same breach was investigated by the HHS’ Office for Civil Rights, which announced late last month that a settlement had been reached with CHSPCS over the breach and a $2.3 million penalty had been paid to resolve potential HIPAA violations discovered during...

Read More
August 2020 Healthcare Data Breach Report
Sep22

August 2020 Healthcare Data Breach Report

37 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August 2020, one more than July 2020 and one below the 12-month average. The number of breaches remained fairly constant month-over-month, but there was a 63.9% increase in breached records in August. 2,167,179 records were exposed, stolen, or impermissibly disclosed in August. The average breach size of 58,572 records and the median breach size was 3,736 records.     Largest Healthcare Data Breaches Reported in August 2020   Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI Incident Northern Light Health Business Associate 657,392 Hacking/IT Incident Network Server, Other Blackbaud ransomware attack Saint Luke’s Foundation Healthcare Provider 360,212 Hacking/IT Incident Network Server Blackbaud ransomware attack Assured Imaging Healthcare Provider 244,813 Hacking/IT Incident Network Server Ransomware attack MultiCare Health System Healthcare Provider 179,189 Hacking/IT Incident Network Server Blackbaud...

Read More
Senators Demand Answers from VA on 46,000-Record Data Breach
Sep21

Senators Demand Answers from VA on 46,000-Record Data Breach

On September 14, 2020, the U.S. Department of Veteran Affairs announced it had suffered a data breach that had impacted 46,000 veterans. Several Senate Democrats are now demanding answers from the VA on the breach and the cybersecurity measures the VA has put in place to prevent data breaches. Hackers gained access to an application used by the VA’s Financial Services Center to send payments to community healthcare providers to pay for veterans’ medical care. Six payments intended for community care providers were redirected to bank accounts under the control of the hackers and veterans’ data in the system was exposed and potentially stolen. When the breach was discovered, the application was taken offline and will remain down until a full review has been conducted by the VA’s Office of Information and Technology. Affected veterans have been offered complimentary credit monitoring services and the VA is currently working on compensating the community care providers whose payments were redirected. Officials at the VA Office of Information and Technology told Senate and House...

Read More
Privacy Risks Found on Almost All Websites Offering COVID-19 Information
Sep10

Privacy Risks Found on Almost All Websites Offering COVID-19 Information

A recent study published in JAMA found almost all websites offering information on COVID-19 have third-party tracking code that poses a privacy risk. Many web pages include tracking code that collects information about website visitors and transfers the data to third parties. Code is loaded on websites that initiates a data transfer that often includes details of the URLs that have been visited and the user’s IP address.  Other information may also be collected, and that information allows detailed profiles to be built up on people’s browsing habits and interests. Since IP addresses are collected, that information can easily be tied to a specific individual. Researchers at the University of Pennsylvania Perelman School of Medicine and Carnegie Mellon University’s School of Computer Science had previously conducted a study of 1 million web pages, including health-related websites, and found that 91% of those websites included a third party data request and 70% had third-party cookies. The researchers turned their attention to websites offering information on COVID-19, such sites...

Read More
Poll Shows Consumers Unaware of the Extent Health Insurers Gather and Use Consumer-Generated Data
Sep09

Poll Shows Consumers Unaware of the Extent Health Insurers Gather and Use Consumer-Generated Data

Health insurers are collecting online data about consumers and using the information to predict an individual’s likely healthcare costs. Consumer-generated data are collected and used to create profiles, which could be used to determine appropriate premiums. Consumer-generated data is distinct from protected health information (PHI) and relates to an individual’s lifestyle, interests and behavior and come from many different public and private sources. Health insurers may scour online sources for information or obtain data from data brokers. Some data brokers are actively marketing their data to insurers and claim the information includes social determinants of health, such as online shopping habits, memberships to organizations, TV streaming habits, and information posted to social media networks. Data are amalgamated and algorithms can be used to predict the likely cost of providing insurance. The collection and analysis of consumer-generated data by health insurers and their business associates was highlighted by ProPublica in 2018, but the public is largely unaware of the...

Read More
Resources to Help Healthcare Organizations Improve Resilience Against Insider Threats
Sep08

Resources to Help Healthcare Organizations Improve Resilience Against Insider Threats

September 2020 is the second annual National Insider Threat Awareness Month (NITAM). Throughout the month, resources are being made available to emphasize the importance of detecting, deterring, and reporting insider threats. NITAM is a collaborative effort between several U.S. government agencies including the National Counterintelligence and Security Center (NCSC), Office of the Under Secretary of Defense Intelligence and Security (USD(I&S)), National Insider Threat Task Force (NITTF), Department of Homeland Security (DHS), and the Defense Counterintelligence and Security Agency (DCSA). NITAM was devised last year to raise awareness of the risks posed by insiders and to encourage organizations to take action to manage those risks. Security teams often concentrate on protecting their networks, data, and resources from hackers and other external threat actors, but it is also important to protect against insider threats. An insider is an individual within an organization who has been granted access to hardware, software, data, or knowledge about an organization. Insiders include...

Read More