Dedicated to providing the latest
HIPAA compliance news

Electronic Records and HIPAA Compliance
Nov24

Electronic Records and HIPAA Compliance

Make sure you understand the relationship between electronic records and HIPAA compliance. It can be more complicated than many Covered Entities believe. Security Officers in the healthcare industry with a responsibility for electronic records and HIPAA compliance have plenty to keep themselves occupied. In the majority of healthcare-related organizations across the country, thousands of electronic health records (ePHI) are being created every day before being used, transmitted and stored. Maintaining the integrity of ePHI is a key element of compliance with HITECH and the HIPAA Security Rule; yet, when you look at the big picture, the scale of the requirement is staggering. Not only does ePHI created and used within an organization have to be safeguarded, but also ePHI transmitted outside of an organization´s network, and ePHI stored in the cloud. Start by Conducting a Risk Analysis One of the primary issues with electronic records and HIPAA compliance is that the technical, physical and administrative safeguards of the HIPAA Security Rule were published three years before...

Read More
President Trump Nominates Alex Azar for HHS Secretary
Nov13

President Trump Nominates Alex Azar for HHS Secretary

Former Deputy Secretary of the Department of Health and Human Services, Alex Azar, is tipped to take over from former Secretary Tom Price after receiving the presidential nomination for the role. Azar previously served as general counsel to the HHS and Deputy Secretary during the George W. Bush administration. President Trump confirmed on Twitter that he believes Azar is the man for the job, tweeting “Happy to announce, I am nominating Alex Azar to be the next HHS Secretary. He will be a star for better healthcare and lower drug prices!” The position of Secretary of the Department of Health and Human Services was vacated by former Secretary Tom Price in September, following revelations about his controversial use of military aircraft and expensive charter flights to travel around the country. While there were several potential candidates tipped to receive the nomination, including commissioner of the Food and Drug Administration, Scott Gottlieb, and administrator of the Centers for Medicare and Medicaid Services, Seema Verma, President Trump has made a controversial choice. Alex...

Read More
In What Year Was HIPAA Passed into Legislature?
Nov13

In What Year Was HIPAA Passed into Legislature?

The Health Insurance Portability and Accountability Act or HIPAA was passed into legislature on August 21, 1996, when Bill Clinton added his signature to the bill. Initially, the purpose of HIPAA was to improve portability and continuity of health insurance coverage, especially for employees that were between jobs. HIPAA also standardized amounts that could be saved in pre-tax medical savings accounts, prohibited tax-deduction of interest on life insurance loans, enforced group health plan requirements, simplified the administration of healthcare with standard codes and practices, and introduced measures to prevent healthcare fraud. Many of the details of the five titles of HIPAA took some time to be developed, and several years passed before HIPAA Rules became enforceable. The HIPAA Enforcement Rule, which allows the Department of Health and Human Services’ Office for Civil Rights to impose financial penalties for noncompliance with HIPAA Rules, was not passed until February 16, 2006 – A decade after HIPAA was first introduced. There have been several important dates in the past...

Read More
FDA Publishes Final Guidance for Medical Device Manufacturers Sharing Information with Patients
Nov02

FDA Publishes Final Guidance for Medical Device Manufacturers Sharing Information with Patients

The U.S. Food and Drug Administration (FDA) has released final guidance for medical device manufacturers sharing information with patients at their request. Legally marketed medical devices collect, store, process, and transmit medical information. When patients request copies of the information recorded by or stored on the devices, manufacturers may share patient-specific information with the patient that makes the request. The FDA encourages information sharing as it can help patients be more engaged with their healthcare providers. When patients give their healthcare providers data collected by medical devices, it can help them make sound medical decisions. While information sharing is not a requirement of the Federal Food, Drug, and Cosmetic Act (FD&C Act), the FDA felt it necessary to provide medical device manufacturers with recommendations about sharing patient-specific information with patients. The guidelines are intended to help manufacturers share information appropriately and responsibly. The FDA explains that in many cases, patient-specific information recorded by...

Read More
Tips for Reducing Mobile Device Security Risks
Nov01

Tips for Reducing Mobile Device Security Risks

An essential part of HIPAA compliance is reducing mobile device security risks to a reasonable and acceptable level. As healthcare organizations turn to mobiles devices such as laptop computers, mobile phones, and tablets to improve efficiency and productivity, many are introducing risks that could all too easily result in a data breach and the exposure of protected health information (PHI). As the breach reports submitted to the HHS’ Office for Civil Rights show, mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, 71 breaches have been reported to OCR that have involved mobile devices such as laptops, smartphones, tablets, and portable storage devices. Those breaches have resulted in the exposure of 1,303,760 patients and plan member records. 17 of those breaches have resulted in the exposure of more than 10,000 records, with the largest breach exposing 697,800 records. The majority of those breaches could have easily been avoided. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not demand...

Read More
Is AWS HIPAA Compliant?
Oct27

Is AWS HIPAA Compliant?

Is AWS HIPAA compliant? Amazon Web Services has all the protections to satisfy the HIPAA Security Rule and Amazon will sign a business associate agreement with healthcare organizations. So, is AWS HIPAA compliant? Yes. And No. AWS can be HIPAA compliant, but it is also easy to make configuration mistakes that will leave protected health information (PHI) unprotected and accessible by unauthorized individuals, violating HIPAA Rules. Amazon Will Sign a Business Associate Agreement for AWS Amazon is keen for healthcare organizations to use AWS, and as such, a business associate agreement will be signed. Under that agreement, Amazon will support the security, control, and administrative processes required under HIPAA. Previous, under the terms of the AWS BAA, the AWS HIPAA compliance program required covered entities and business associates to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process Protected Health Information (PHI), although that is now no longer the case. As part of its efforts to help healthcare organizations use AWS safely and securely without violating...

Read More
How to Secure Patient Information (PHI)
Oct13

How to Secure Patient Information (PHI)

HIPAA requires healthcare organizations of all sizes to secure protected health information (PHI), but how can covered entities secure patient information? If you are asked how you secure patient information, could you provide an answer? How Can You Secure Patient Information? HIPAA requires healthcare organizations and their business associates to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, although there is little detail provided on how to secure patient information in HIPAA regulations. This is intentional, as the pace that technology is advancing is far greater than the speed at which HIPAA can be updated. If details were included, they would soon be out of date. Technology is constantly changing and new vulnerabilities are being discovered in systems and software previously thought to be secure. Securing patient information is therefore not about implementing security solutions and forgetting about them. To truly secure patient information you must regularly review your security controls, update policies and procedures, maintain...

Read More
Why is HIPAA Important?
Oct12

Why is HIPAA Important?

The Health Insurance Portability and Accountability Act (HIPAA) is a landmark piece of legislation, but why is HIPAA important? What changes did HIPAA introduce and what are the benefits to the healthcare industry and patients? HIPAA was introduced in 1996, primarily to address one particular issue: Insurance coverage for individuals that are between jobs. Without HIPAA, employees faced a loss of insurance coverage when they were between jobs. A second goal of HIPAA was to prevent healthcare fraud and ensure that all ‘protected health information’ was appropriately secured and to restrict access to health data to authorized individuals. Why is HIPAA Important for Healthcare Organizations? HIPAA introduced a number of important benefits for the healthcare industry to help with the transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure protected health information is shared securely. The standards for recording health data and electronic...

Read More
New AEHIS/ MDISS Partnership to Focus on Advancing Medical Device Cybersecurity
Oct10

New AEHIS/ MDISS Partnership to Focus on Advancing Medical Device Cybersecurity

A new partnership has been announced between CHIME’s Association for Executives in Healthcare Information Security (AEHIS) and the Foundation for Innovation, Translation and Safety Science’s Medical Device Innovation, Safety and Security Consortium (MDISS). The aim of the new collaboration is to help advance medical device cybersecurity and improve patient safety. The two organizations will work together to help members identify, mitigate, and prevent cybersecurity threats by issuing cybersecurity best practices, educating about the threats to device security, training members, and promoting information sharing. For the past three years, AEHIS has been helping healthcare organizations improve their information security defences. More than 700 CISOs and other healthcare IT security leaders have benefited from the education and networking opportunities provided by AEHIS. AEHIS helps its members protect patients from cyber threats, including cyberattacks on their medical devices, though its educational efforts, sharing best practices, and many other activities. MDISS now consists of...

Read More
What Does HIPAA Stand For?
Oct10

What Does HIPAA Stand For?

What does HIPAA stand for? HIPAA is an acronym of the Health Insurance Portability and Accountability Act of 1996 – a legislative act that had the primary aim of improving portability and accountability of healthcare coverage for employees between jobs. HIPAA also helped to ensure employees with pre-existing health conditions were provided with health insurance coverage. HIPAA also introduced standards that healthcare organizations were required to follow to reduce the paperwork burden and simplify the administration of health insurance. The HIPAA administrative simplification regulations streamlined billing, sending and receiving payments, and verifying eligibility. They also helped to ensure the smooth transition from paper to electronic health records and transitions. Since 1996, there have been several major updates to HIPAA, notably the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Enforcement Rule, the inclusion of the Health Information Technology for Economic and Clinical Health (HITECH) Act requirements (The HIPAA Omnibus Final Rule), and the Breach Notification...

Read More
Internet of Medical Things Resilience Partnership Act Bill Introduced
Oct09

Internet of Medical Things Resilience Partnership Act Bill Introduced

The Internet of Medical Things Resilience Partnership Act has been introduced in the U.S. House of Representatives. The main aim of the bill is to establish a public-private stakeholder partnership, which will be tasked with developing a cybersecurity framework that can be adopted by medical device manufacturers and other stakeholders to prevent data breaches and make medical devices more resilient to cyberattacks. The range of medical devices now being used in healthcare is considerable and the number is only likely to grow. As more devices are introduced, the risk to patients increases. These devices are currently used in hospitals, worn by patients, fitted surgically, or used at home. The devices include drug infusion pumps, ventilators, radiological technologies, pacemakers, and monitors. If appropriate safeguards are not incorporated into the devices, they will be vulnerable to attack. Those attacks could be performed to gain access to the data stored or recorded by the devices, to use the devices to launch attacks on healthcare networks, or to alter the function of the...

Read More
53% of Businesses Have Misconfigured Secure Cloud Storage Services
Oct09

53% of Businesses Have Misconfigured Secure Cloud Storage Services

The healthcare industry has embraced the cloud. Many healthcare organizations now use secure cloud storage services to host web applications or store files containing electronic protected health information (ePHI). However, just because secure cloud storage services are used, it does not mean data breaches will not occur, and neither does it guarantee compliance with HIPAA. Misconfigured secure cloud storage services are leaking sensitive data and many organizations are unaware sensitive information is exposed. A Business Associate Agreement Does Not Guarantee HIPAA Compliance Prior to using any cloud storage service, HIPAA-covered entities must obtain a signed business associate agreement from their service providers. Obtaining a signed, HIPAA-compliant business associate agreement prior to the uploading any ePHI to the cloud is an important element of HIPAA compliance, but a BAA alone will not guarantee compliance. ePHI can easily be exposed if cloud storage services are not configured correctly. As Microsoft explains, “By offering a BAA, Microsoft helps support your HIPAA...

Read More
Amazon Alexa is Not HIPAA Compliant – But That Could Soon Change
Oct03

Amazon Alexa is Not HIPAA Compliant – But That Could Soon Change

Amazon Alexa is not HIPAA compliant, which limits its use in healthcare, although that could be about to change. Amazon already supports HIPAA compliance for its cloud platform AWS and is keen to see its voice recognition technology used more extensively in healthcare. However, before the true potential of Alexa can be realized, Amazon must first make Alexa HIPAA compliant. Alexa certainly has considerable potential in healthcare. Alexa could be used by physicians to transcribe medical notes or as a virtual assistant in physicians’ offices. Alexa is currently used in around 30 million U.S. homes, and the technology could easily be used to remotely monitor patients. The technology could also help to engage patients more in their own healthcare. Some healthcare organizations have already started experimenting with Alexa. WebMD has developed an Alexa skill to deliver some of its web content to consumers via their Alexa devices at home. Beth Israel Deaconess Medical Center (BIDMC) has run a pilot scheme to test Alexa’s capabilities in an inpatient setting, although not using real...

Read More
National Cyber Security Awareness Month: What to Expect
Oct02

National Cyber Security Awareness Month: What to Expect

October is National Cyber Security Awareness Month – A month when attention is drawn to the importance of cybersecurity and several initiatives are launched to raise awareness about how critical cybersecurity is to the lives of U.S. citizens. National Cyber Security Awareness Month is a collaborative effort between the U.S. Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA) and public/private partners. Throughout the month of October, the DHS, NCSA, and public and private sector organizations will be conducting events and launching initiatives to raise awareness of the importance of cybersecurity. Best practices will be shared to help U.S. citizens keep themselves safe online and protect their companies, with tips and advice published to help businesses improve their cybersecurity defenses and keep systems and data secure. DHS and NCSA will focus on a different aspect of cybersecurity each week of National Cyber Security Awareness Month: National Cyber Security Awareness Month Summary Week 1: Simple Steps to Online Safety (Oct. 2-6) Week 2:...

Read More
The Benefits of Using Blockchain for Medical Records
Sep26

The Benefits of Using Blockchain for Medical Records

Blockchain is perhaps best known for keeping cryptocurrency transactions secure, but what about using blockchain for medical records? Could blockchain help to improve healthcare data security? The use of blockchain for medical records is still in its infancy, but there are clear security benefits that could help to reduce healthcare data breaches while making it far easier for health data to be shared between providers and accessed by patients. Currently, the way health records are stored and shared leaves much to be desired. The system is not efficient, there are many roadblocks that prevent the sharing of data and patients’ health data is not always stored by a single healthcare provider – instead a patients’ full health histories are fragmented and spread across multiple providers’ systems. Not only does this make it difficult for health data to be amalgamated, it also leaves data vulnerable to theft. When data is split between multiple providers and their business associates, there is considerable potential for a breach. The Health Insurance Portability and Accountability Act...

Read More
FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange
Sep12

FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange

The U.S. Food and Drug Administration (FDA) has released final guidance on medical device interoperability, making several recommendations for smart, safe, and secure interactions between medical devices and health IT systems. The FDA says, “Advancing the ability of medical devices to exchange and use information safely and effectively with other medical devices, as well as other technology, offers the potential to increase efficiency in patient care.” Providers and patients are increasingly reliant on rapid and secure interactions between medical devices. All medical devices must therefore be able to reliably communicate information about patients to healthcare providers and work seamlessly together. For that to be the case, safe connectivity must be a central part of the design process. Manufacturers must also consider the users of the devices and clearly explain the functionality, interfaces, and correct usage of the devices. The guidelines spell out what is required and should help manufacturers develop devices that can communicate efficiently, effectively, and securely;...

Read More
Researchers Call for Updates to Guidelines for Emailing Patients
Aug30

Researchers Call for Updates to Guidelines for Emailing Patients

Researchers from Indiana University have conducted a study of current guidelines on emailing patients and have identified major weaknesses, a lack of up-to-date best practices, and outdated security practices that are no longer required due to changes in technology. Additionally, they confirmed there is a lack of information on new methods of communication such as secure texting and a lack of evidence showing the effectiveness of proposed practices for emailing and texting patients. There was little to no evidence on how using email or text messages to communicate with patients could improve patient outcomes and a lack of information on how new communication tools could be used effectively by practitioners. The researchers studied 11 sets of guidelines on electronically communicating with patients and found weaknesses across the board. The pace of change of technology is not reflected in the available guidelines, with many of the recommendations no longer required. The researchers were unsure if any of the valid recommendations in the guidelines are actually being followed. The...

Read More
NIST Updates Digital Identity Guidelines and Tweaks Password Advice
Aug22

NIST Updates Digital Identity Guidelines and Tweaks Password Advice

The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines (NIST Special Publication 800-63B), which includes revisions to its advice on the creation and storage of passwords. Digital authentication helps to ensure only authorized individuals can gain access to resources and sensitive data. NIST says, “authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.” The Digital Identity Guidelines include a number of recommendations that can be adopted to improve the digital authentication of subjects to systems over a network. The guidelines are not specific to the healthcare industry, although the recommendations can be adopted by healthcare organizations to improve password security. To improve the authentication process and make it harder for hackers to defeat the authentication process, NIST recommends the use of multi-factor authentication. For example, the use of a password along with a cryptographic authenticator. NIST suggests...

Read More
Phillips Ships DoseWise Portal with Serious Vulnerabilities
Aug22

Phillips Ships DoseWise Portal with Serious Vulnerabilities

The Phillips web-based radiation monitoring app – DoseWise Portal (DWP) – has been shipped with serious vulnerabilities that could be easily exploited by hackers to gain access to patients’ protected health information. ISC-CERT has warned healthcare providers the vulnerabilities could be remotely exploited by hackers with a low level of skill to gain access to medical data. Two vulnerabilities have been identified. The first (CVE-2017-9656) is the use of hard-coded credentials in a back-end database with high privileges that could jeopardize the confidentiality, integrity and availability of stored data and the database itself. In order for an attacker to exploit the vulnerability, elevated privileges would be required to gain access to the system files of the back-office database. Even so, ICS-CERT says an attacker with a low level of skill could exploit the vulnerability and has given it a CVSS v3 rating of 9.1 out of 10. The second vulnerability (CVE-2017-9654) involves cleartext storage of sensitive information in back-end system files. The vulnerability has been given a CVSS...

Read More
Security Incidents Experienced by More Than a Third of Organizations in the IoT Medical Device Sphere
Aug17

Security Incidents Experienced by More Than a Third of Organizations in the IoT Medical Device Sphere

A recent Deloitte survey conducted on 370 professionals with involvement in the IoT medical device ecosystem revealed more than a third (36%) of organizations have experienced a security incident related to those devices in the past year. Respondents were medical device or component manufacturers, healthcare IT organizations, medical device users or regulators. When asked about the biggest challenges with IoT medical devices, 30% said identifying and mitigating risks of fielded and legacy connected devices was the biggest cybersecurity challenge. Other major challenges were incorporating vulnerability management into the design process (20%), monitoring for and responding to cybersecurity incidents (20%), and the lack of collaboration on threat management throughout the medical device supply chain (18%). 8% of respondents rated meeting regulatory requirements as the biggest challenge. Identifying and mitigating risks is only part of the problem. There will be times when cyberattacks succeed and malicious actors gain access to the devices. Healthcare organizations and device...

Read More
HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs
Aug11

HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs

HIMSS has published the findings of its 2017 Cybersecurity Survey. The survey was conducted on 126 cybersecurity professionals from the healthcare industry between April and May 2017. Most of the respondents were executive and non-executive managers who were primarily responsible or had some responsibility for information security in their organization. The report shows healthcare organizations in the United States are increasingly making cybersecurity a priority and have been enhancing their cybersecurity programs over the past 12 months. More healthcare organizations have increased their cybersecurity staff and adopted holistic cybersecurity practices and perspectives in key areas. The survey revealed 75% of respondents are now conducting regular penetration tests to identify potential vulnerabilities and determine how resilient they are to cyberattacks. In response to the considerable threat from within, 75% of respondents have implemented insider threat management programs and 85% are now conducting risk assessments at least once every 12 months. While these results are...

Read More
HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management
Aug08

HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management

The Health Information Trust Alliance (HITRUST) has announced a new partnership with Trend Micro. The aim of the partnership is to speed the delivery of cyber threat research and education and improve organizational threat management. The partnership has seen the creation of the Cyber Threat Management and Response Center which will help to expand cyber threat information sharing and improve the service to healthcare organizations at all levels of cybersecurity maturity, helping them to deal with the increasing range of cyber threats and frequency of attacks. HITRUST already shares cyber threat intelligence with organizations that have signed up with its Cyber Threat Xchange (CTX) – the most widely adopted threat information sharing organization for the healthcare industry. HITRUST collects, analyses and distributes cyber threat information through CTX, including indicators of threats and compromise and has been working hard over the past 18 months to expand the collection of cyber threat information through its Enhanced IOC Collection Program. HITRUST now leads the industry in the...

Read More
Medical Device Cybersecurity Act Takes Aim at Medical Device Security
Aug08

Medical Device Cybersecurity Act Takes Aim at Medical Device Security

A new bill has been introduced in Congress that aims to ensure the confidential medical information of patients on medical devices is protected and security is improved to make the devices more resilient to hacks. The bill – The Medical Device Cybersecurity Act of 2017 – was introduced on August 1, 2017 by Senator Richard Blumenthal (D-CT) and is supported by the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS). Recent ransomware and malware attacks and hacks have demonstrated how vulnerable some medical devices are. Ransomware incidents have resulted in medical devices being taken out of action, causing major disruptions at hospitals and delaying the treatment of patients. There is no sign of these incidents slowing or stopping. In all likelihood, they will increase. While healthcare organizations are working hard to improve their defenses against cyberattacks, medical device manufacturers are not doing enough to ensure their devices are secure and remain so for the lifespan of the...

Read More
Warning Issued Over Vulnerabilities in Siemens PET/CT Scanners: Exploits Publicly Available
Aug07

Warning Issued Over Vulnerabilities in Siemens PET/CT Scanners: Exploits Publicly Available

Warnings have been issued about four vulnerabilities in Siemens PET/CT scanner systems. Siemens is currently developing patches to address the vulnerabilities.  Exploits for the vulnerabilities are already publicly available. The flaws affect multiple Siemens medical imaging systems including Siemens CT, PET, SPECT systems and medical imaging workflow systems (SPECT Workplaces/Symbia.net) that are based on Windows 7. The vulnerabilities allow remote code execution, potentially giving attackers access to the scanners and networks to which the systems are connected. One of the main risks is malware and ransomware infections, which in the case of the latter can prevent the devices from being used. It is also possible that a malicious actor could interfere with the systems causing patients harm. The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has also issued an alert, warning healthcare organizations to ensure the devices are run on a “dedicated, network segment and protected IT environment” until the patches are applied....

Read More
Only One Third of Patients Use Patient Portals to View Health Data
Jul27

Only One Third of Patients Use Patient Portals to View Health Data

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits patients to access the health information held by their providers, yet relatively few patients are exercising that right, according to a recent U.S. Government Accountability Office (GAO) report, at least through patient portals. The Medicare Electronic Health Record Incentive Program encouraged healthcare providers to transition from paper to electronic medical records and now almost 90% of patients of participating providers have access to patient portals where they can view their health data. Even though patients have been provided with access, fewer than a third of patients are using patient portals to view their health information. GAO looked at patient health information access from the patients’ perspective, conducting interviews with patients to find out why they are not taking advantage of this valuable resource. Out of the healthcare organizations that participated in the Medicare EHR Program, 88% of hospitals and 87% of professionals offered patients access to their health information...

Read More
Survey Shows Only a Quarter of Hospitals Have Implemented Secure Text Messaging Platforms
Jul25

Survey Shows Only a Quarter of Hospitals Have Implemented Secure Text Messaging Platforms

The use of secure text messaging platforms in healthcare has grown over the past few years, although a recent survey published in the Journal of Hospital Medicine suggests adoption of HIPAA-compliant messaging systems remains relatively low, with only a quarter of hospitals using a secure platform for sending messages to clinicians. The survey was conducted on 620 hospital-based clinicians identified from the Society of Hospital Medicine database. Secure text messaging platforms comply with HIPAA Rules and feature end-to-end encryption to prevent messages from being intercepted. Access controls are also incorporated to ensure only the intended recipient can view messages. Since messages cannot be sent outside the system, the platforms prevent accidental disclosures of PHI. Multi-media messages can also be sent, including test results and images. Secure text messaging platforms are a natural replacement for outdated pagers, allowing much more meaningful communication, although the survey suggests only 26.6% of hospitals have introduced the systems. Even when secure messaging systems...

Read More
Is Google Drive HIPAA Compliant?
Jul21

Is Google Drive HIPAA Compliant?

Google Drive is a useful tool for sharing documents, but can those documents contain PHI? Is Google Drive HIPAA compliant? Is Google Drive HIPAA Compliant? The answer to the question, “Is Google Drive HIPAA compliant?” is yes and no. HIPAA compliance is less about technology and more about how technology is used. Even a software solution or cloud service that is billed as being HIPAA-compliant can easily be used in a manner that violates HIPAA Rules. G Suite – formerly Google Apps, of which Google Drive is a part – does support HIPAA compliance. The service does not violate HIPAA Rules provided HIPAA Rules are followed by users. G Suite incorporates all of the necessary controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied. The use of any software or cloud platform in conjunction with protected health information requires the vendor of the service to sign a HIPAA-compliant business...

Read More
ONC Offers Help for Covered Entities on Medical Record Access for Patients
Jul13

ONC Offers Help for Covered Entities on Medical Record Access for Patients

The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule requires covered entities to give medical record access for patients on request. Patients should be able to obtain a copy of their health records in paper or electronic form within 30 days of submitting the request. Last year, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance for covered entities on providing patients with access to their medical records. A series of videos was also released to raise awareness of patients’ rights under HIPAA to access their records. In theory, providing access to medical records should be a straightforward process. In practice, that is often not the case. Patients often have difficulty accessing their electronic health data with many healthcare organizations unable to easily provide health records electronically. Patient portals often provide information for patients, although the information available via patient portals can be incomplete or inaccurate. When patients need to obtain their health information to give to other...

Read More
Mayo Clinic Investing $1.5 Billion in HIPAA Compliant EHR System
Jul13

Mayo Clinic Investing $1.5 Billion in HIPAA Compliant EHR System

The Rochester, MN-based Mayo Clinic – the world’s first and largest integrated not-for-profit medical group practice – has invested $1.5 billion in a new HIPAA compliant EHR system. The Mayo Clinic chose Epic, a leading EHR provider whose systems are used to store and maintain the electronic health records of more than 190 million patients. Up until recently, the Mayo Clinic has been using three EHR systems, provided by General Electric and Cerner Corp. The new EHR system – An integrated electronic medical record and billing system – will see those three systems combined into one. $1.5 billion is a sizable investment, but it was necessary. Operating three separate EHR systems is far from ideal. It means staff need to learn how to use multiple systems, inefficiencies are introduced that are difficult to resolve, and multiple systems inevitably lead to interoperability issues that have potential to hamper collaboration. The new single HIPAA compliant EHR system will help the Mayo Clinic store, use, and share patient health information more efficiently and better serve its...

Read More
AMIA Urges HHS to Provide More Information on Common Rule Updates
Jul07

AMIA Urges HHS to Provide More Information on Common Rule Updates

The Federal Policy for the Protection of Human Subjects, otherwise known as the Common Rule, was first adopted in 1991; however, there have been numerous calls for the policy to be updated. The purpose of the Common Rule is to provide a framework for protecting human research subjects across the entire federal government. The Common Rule was introduced at a time when research was mainly conducted at medical institutions and universities. At the time, digital data was not in use. The past 26 years have seen considerable changes to where research is conducted, how much information is now available, how easy it is for information to be shared and for research participants to be identified. Earlier this year, proposed Common Rule updates were published by the HHS. The Trump administration is reviewing the Common Rule updates, although at this stage it is unclear whether any changes will be made, and if so, when those changes will be implemented. The updates were subjected to a 40-day regulatory freeze; but more than 150 days have now passed and there has been no further communication...

Read More
U.S. Healthcare Providers Affected by Global Ransomware Attack
Jun29

U.S. Healthcare Providers Affected by Global Ransomware Attack

NotPetya ransomware attacks have spread to the U.S. Decryption may not be possible even if the ransom is paid. Details of how to prevent attacks are detailed below. NotPetya Ransomware Attacks Spread to the United States Tuesday’s global ransomware attack continues to cause problems for many organizations in Europe, with the attacks now having spread to North America. The spread of the ransomware has been slower in the United States than in Europe, although many organizations have been affected including at least three healthcare systems. Pennsylvania’s Heritage Valley Health System has confirmed that its computer systems have been infected with the ransomware. The ransomware has affected the entire health system including both of its hospitals and its satellite and community facilities. While medical services continue to be provided, computer systems were shut down and some non-urgent medical procedures were postponed. 14 of the health system’s community facilities were closed on Wednesday as a result of the attack and lab and diagnostic services were also affected The health...

Read More
FDA Chief Announces New Plan for Post-Market Regulation of Digital Health Products
Jun22

FDA Chief Announces New Plan for Post-Market Regulation of Digital Health Products

Food and Drug Administration (FDA) Commissioner Scott Gottlieb, M.D., has announced the FDA will be launching a new, risk-based regulatory framework in the fall for overseeing connected medical technology, including health apps and medical devices. The FDA wants to encourage and promote innovation that will lead to the development of new and beneficial medical technologies; however, it is essential that these technologies can benefit patients without placing their health or privacy at risk. Gottlieb said the FDA has now developed a new Digital Health Innovation Plan that will foster “innovation at the intersection of medicine and digital health technology.” The plan includes a novel post-market approach that will allow the regulation of digital medical devices and health-related apps. In a recent blog post, Gottlieb pointed out that close to 165,000 health-related apps have now been released for Smartphones and Apple devices, with forecasts estimating the apps will be downloaded 1.7 billion times by the end of this year. These apps have the potential to improve the health of...

Read More
Study: 1 in 5 Enterprise Users Have Set Weak Passwords
Jun15

Study: 1 in 5 Enterprise Users Have Set Weak Passwords

The sharing of passwords across multiple platforms is a bad idea. If one platform suffers a data breach, all other systems that have the same password set could also easily be compromised. Even though the reuse of passwords is unwise, and many organizations have policies in place prohibiting employees from recycling passwords, it remains a common practice. Many organizations have implemented policies, procedures and technology to prevent weak passwords from being used and they force end users to change their passwords frequently, but it is difficult for organizations to prevent password recycling. The practice has recently been investigated by Preempt. Preempt has developed a tool that can be used by enterprises to assess the strength of the passwords used by their employees. The tool reports on the accounts that have weak passwords set, allowing the enterprise to take action. The tool also compares passwords to a database of 10 million passwords compromised in previous data breaches that are now in the hands of cybercriminals. An analysis of data from enterprises that downloaded...

Read More
ONC Announces Winners of Move Data Forward and Privacy Policy Snapshot Challenges
Jun08

ONC Announces Winners of Move Data Forward and Privacy Policy Snapshot Challenges

The HHS’ Office of the National Coordinator for Health Information Technology (ONC) has announced the winners of its Privacy Policy Snapshot Challenge. Participants in the challenge were required to develop a Model Privacy Notice (MPN) generator capable of generating customizable MPNs for healthIT developers. While resources are available to help HIPAA covered entities, many technology companies are not subject to HIPAA requirements. It was therefore important for a resource to be developed for those businesses to help them adhere to other federal regulations. While a MPN had already been released by ONC in 2011, since then the range of digital health technologies has increased considerably. One MPN would not be suitable for all organizations that collect consumer information. On March 1, 2016, ONC issued a request for information to find out more from the public about the practices that should be disclosed to consumers and how that information should be presented. The challenge to develop a MPN generator was issued in December 2016, with participants leveraging an updated MPN that...

Read More
VA Chooses Cerner to Provide Replacement for VistA EHR
Jun07

VA Chooses Cerner to Provide Replacement for VistA EHR

The U.S. Department of Veteran Affairs (VA) has selected Cerner Corp., to provide a replacement for the outdated self-developed VistA EHR system.  Earlier this year, United States Secretary of Veterans Affairs David Shulkin said a decision needed to be made about the VA EHR system, suggesting an off-the-shelf EHR system was the best choice and that a final decision would be made by July 1. Shulkin said, “Seamless care is fundamentally constrained by ever-changing information sharing standards, separate chains of command, complex governance, separate implementation schedules that must be coordinated to accommodate those changes from separate program offices that have separate funding appropriations, and a host of related complexities requiring constant lifecycle maintenance.” The cost of continued development of VistA was considered to be too great, especially with the prospect of ongoing interoperability problems.  The VA has already invested hundreds of millions of dollars into VistA, yet the EHR is still only semi-interoperable with the system used by the Department of Defense...

Read More
Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts
Jun02

Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts

Ransomware, malware and unaddressed software vulnerabilities threaten the confidentiality, integrity and availability of PHI, although healthcare organizations should take steps to deal with the threat from within. This year has seen numerous cases of employees snooping and accessing medical records without authorization. The HIPAA Security Rule 45 CFR §164.312(b) requires covered entities to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information,” while 45 CFR §164.308(a)(1)(ii)(D) requires covered entities to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” Logs create an audit trail that can be followed in the event of a data breach or privacy incident. Those logs can be checked to discover which records have been accessed without authorization. If those logs are monitored continuously, privacy breaches can be identified quickly and action taken to...

Read More
Medical Device Security Testing Only Performed by One in Twenty Hospitals
May26

Medical Device Security Testing Only Performed by One in Twenty Hospitals

The security of medical devices has attracted a lot of attention in recent months due to fears of device vulnerabilities being exploited by cybercriminals to cause harm to patients, gain access to healthcare networks and steal patient data. Cybercriminals have extensively targeted the healthcare industry due to the high value of patient data on the black market, combined with relatively poor cybersecurity defenses. While there have been no reported cyberattacks on medical devices with the specific aim of causing harm to patients, there are fears it is only a matter of time before such an attack occurs. Even if harming patients is not the goal of cybercriminals, ransomware attacks – which take essential computer systems out of action – can place patient safety at risk. Those attacks are already occurring. Some healthcare providers experienced medical device downtime as a result of the recent WannaCry ransomware attacks. Much attention has focused on device manufacturers for failing to incorporate appropriate security protections to prevent cyberattacks and not considering security...

Read More
Purple Move on WiFi Security Sets Example for All Public WiFi Deployments
May25

Purple Move on WiFi Security Sets Example for All Public WiFi Deployments

Wireless networks offer many benefits to healthcare organizations. Healthcare professionals can access networks and data from any location using portable devices, without the need to plug in to the network. Many medical devices connect wirelessly to WiFi networks improving clinical workflows. However wireless networks can also introduce risks. If any PHI is transmitted over wireless networks, HIPAA requires appropriate controls to be applied to safeguard the confidentiality, integrity and availability of PHI. If WiFi networks lack appropriate security, unauthorized individuals could intercept WiFi packets and view sensitive data, including protected health information. Securing internal WiFi networks is therefore essential. The failure to secure WiFi networks would place an organization at risk of a HIPAA penalty. The risk of a HIPAA violation or data breach is a real concern for healthcare organizations. Security concerns have prevented many hospitals from offering WiFi access to patients, even though offering WiFi can improve the patient experience. Many healthcare organizations...

Read More
Medical Device Cybersecurity Gaps Discussed at FDA Workshop
May19

Medical Device Cybersecurity Gaps Discussed at FDA Workshop

This week, the U.S. Food and Drug Administration (FDA) is hosting a two-day workshop to identify current cybersecurity gaps that could be exploited by cybercriminals to gain access to medical devices. Best practices and cybersecurity tools that can be adopted to improve defenses against cyberattacks are under discussion. This is the third time the FDA has held such a workshop on medical device security and it comes at an appropriate time. The recent WannaCry ransomware attacks resulted in Siemens, Bayer and other manufacturers’ devices having data encrypted. Cyberattacks on medical devices have potential to cause considerable harm to patients. Cybercriminals could also target medical devices to obtain sensitive information on patients or use the devices to launch attacks on healthcare networks. This week, the attacks only resulted in data being encrypted. Bayer reported that both of the healthcare organizations that were affected were able to recover data and restore the functionality of their medical devices within 24 hours. The medical devices were not specifically targeted and...

Read More
Guidance on Securing Wireless Infusion Pumps Issued by NIST
May11

Guidance on Securing Wireless Infusion Pumps Issued by NIST

The National Institute of Standards and Technology (NIST), in collaboration with the National Cybersecurity Center of Excellence (NCCoE), has released new guidance for healthcare delivery organizations on securing wireless infusion pumps to prevent unauthorized access. Infusion pumps, and many other medical devices, used to interact only with the patient and healthcare provider; however, advances in technology have improved functionality and now the devices can interact with a much wider range of healthcare systems and networks.  The additional functionality of the devices has allowed vulnerabilities to be introduced that could be easily exploited to cause patients to come to harm. Wireless infusion pumps are of particular concern. Vulnerabilities could be exploited by malicious actors allowing drug doses to be altered, the functioning of the infusion pumps to be changed or patients’ protected health information to be accessed.  Typically, the devices have poor cybersecurity protections in place to prevent unauthorized access. The risks introduced by the devices have been widely...

Read More
Majority of Organizations Failing to Protect Against Mobile Device Security Breaches
May05

Majority of Organizations Failing to Protect Against Mobile Device Security Breaches

A recent report published by Dimensional Research has highlighted the growing threat of mobile device security breaches and how little organizations are doing to mitigate risk. Cybercriminals may view employees as one of the weakest links in the security chain, but mobile devices are similarly viewed as an easy way of gaining access to data and corporate networks. According to the report, the threat of mobile cyberattacks in growing. Two out of ten companies have already experienced a mobile device cyberattack, although in many cases, organizations are not even aware that a cyberattack on a mobile device has occurred. The survey, which was conducted on 410 security professionals, found that two thirds of respondents were doubtful they would be able to prevent a cyberattack on mobile devices and 51% believed the risk of data theft/loss via mobile devices was equal to or greater than the risk of data theft/loss from PCs and laptops. Yet, a third of respondents said they did not adequately protect mobile devices. 94% of respondents said cyberattacks on mobile devices will become more...

Read More
Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure
May04

Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure

A recent survey by Accenture has explored consumers’ attitudes about healthcare data security and revealed the impact healthcare data breaches have had on consumers. The survey showed the extent to which individuals had suffered losses as a result of a data breach, how consumers felt their organization handled data breaches and the effect those breaches had on trust. Trust in Healthcare Providers and Insurers is High In the United States, trust in healthcare providers’ and health insurers’ ability to keep sensitive data secure is high. 88% of respondents said they trusted their physician or other healthcare providers ‘somewhat’ (53%) or ‘a great deal’ (36%). Trust in hospitals was slightly lower at 84% (54% somewhat / 30% a great deal). Health insurers and laboratories that process medical tests fared slightly worse, both somewhat trusted by 54% of respondents and trusted a great deal by 28% of respondents. Distrust –not at all trusted or not trusted very much – was highest in urgent care clinics (25%), non-medical staff at physicians’ and healthcare providers’ offices (36%)...

Read More
HIMSS Privacy and Security Forum Offers Insight into Healthcare Cyber Threat Landscape
May03

HIMSS Privacy and Security Forum Offers Insight into Healthcare Cyber Threat Landscape

Next week, the HIMSS Privacy and Security Forum will be taking place in San Francisco. The two-day conference provides an opportunity for CISOs, CIOs and other healthcare leaders to obtain valuable information from security experts on the latest cybersecurity threats, along with practical advice on how to mitigate risk. More than 30 speakers will be attending the event and providing information on a broad range of healthcare cybersecurity topics, including securing IoT devices, preventing phishing and ransomware attacks, creating compliant security relationships and effective strategic communication and risk management. The conference will include keynote speeches from George Decesare, Senior VP and Chief Technology Risk Officer at Kaiser Permanente, Jane Harper, Director of Privacy & Security Risk Management at the Henry Ford Health System, CERT’s Matt Trevors, and M.K. Palmore, FBI San Francisco’s Assistant Special Agent in Charge of the SF Cyber Branch. George Decesare leads Kaiser Permanente’s cybersecurity, technology risk and compliance programs and identity and access...

Read More
Webroot AV Update Failure Causes Havoc: Windows System Files and EXE Files Quarantined
Apr24

Webroot AV Update Failure Causes Havoc: Windows System Files and EXE Files Quarantined

A Webroot AV update failure has caused havoc for thousands of customers. An April 24 update saw swathes of critical files miscategorized as malicious. While occasional false positives can be expected on occasion, in this case the error was severe. The Webroot AV update failure resulted in hundreds of Windows system files being miscategorized, resulting in serious stability issues. Many users’ servers and PCs were crippled after the automatic update occurred. The problem did not only affect Windows files. Scores of signed executables and third-party apps were blocked and prevented from running. The error affected all Windows versions and saw critical system files categorized as W32.Trojan.Gen. Those files were moved to Webroot’s quarantine folder after the April 24 update. Once the files were moved, users’ computers started to experience severe problems with many displaying errors. In some cases, the moving of system files to the quarantine folder caused computers to crash. In other cases, apps were prevented from running causing major disruption to businesses. Webroot AV also...

Read More
Abbot Labs Warned of Medical Device Cybersecurity Issues by FDA
Apr18

Abbot Labs Warned of Medical Device Cybersecurity Issues by FDA

Abbot Labs, which acquired St. Jude Medical in January 2017, has been warned by the Food and Drug Administration (FDA) that previously identified cybersecurity vulnerabilities in some of its products may not have been corrected. Those vulnerabilities have potential to jeopardize the safety of patients. The investigation of Abbot Labs was conducted February 7-14 at St. Jude Medical facilities in Sylmar, CA, following the public disclosure of potential vulnerabilities in certain St. Jude Medical devices. Those vulnerabilities could potentially be exploited by malicious actors to cause the devices to malfunction and patients to come to harm.  Flaws in the devices were uncovered by MedSec Holdings and were passed to Muddy Waters Capital, which announced the findings in a research report published in August last year. Multiple vulnerabilities were discovered in certain implantable pacemakers and defibrillators manufactured by St. Jude Medical, including the susceptibility to man-in-the-middle attacks that could cause the batteries in the products to be prematurely drained and the...

Read More
Healthcare Providers Are Wasting Millions on Cloud Hosting
Apr12

Healthcare Providers Are Wasting Millions on Cloud Hosting

A study by Communications for Research showed that healthcare organizations are now spending $40 billion a year on IT programs, while MarketsandMarkets research indicates $3.73 billion of that budget is spent on cloud services. By 2020, cloud spending is expected to triple and reach $9.5 billion. MedGadget healthcare market research suggests there will be a 21.95 percent CAGR for spending on cloud computing by the healthcare industry by 2019. More and more healthcare organizations are seeing the benefits that can be gained from switching to cloud computing, especially as a way of reducing IT spending. The public cloud is elastic and capacity can be increased or decreased on demand, but the reality is most organizations use of the cloud involves considerable wastage. Organizations are paying for the public cloud and are ensuring their instances have sufficient capacity, yet for a lot of the time much of the capacity that is paid for is redundant. The 2017 Rightscale State of the Cloud Report suggests 46% of enterprises are carefully monitoring cloud use and are rightsizing their...

Read More
AMIA Suggests it’s Time for a HIPAA Update
Apr11

AMIA Suggests it’s Time for a HIPAA Update

The American Medical Informatics Association has suggested now is the time to update the Health Insurance Portability and Accountability Act (HIPAA) to make sure the legislation fits today’s connected world. The legislation was first introduced more than 20 years ago at a time when the Internet was just in its infancy. Over the past two decades, technology has advanced in ways that could not have been predicted when the legislation was written. Updates are now required to ensure HIPAA maintains pace with technology. HIPAA is perhaps best known for its privacy provisions, although these are commonly misunderstood by patients and healthcare providers alike. The HIPAA Privacy Rule allows patients to access their health data; although many patients are confused about what data they are able to access and what their rights actually are. The Department of Health and Human Services produced video guides last year to help patients understand their right to access their healthcare data under HIPAA; however, AMIA suggests more should be done to clarify the HIPAA right to access. Healthcare...

Read More
Small Business Cybersecurity Bill Heads to Senate
Apr06

Small Business Cybersecurity Bill Heads to Senate

New legislation to help small businesses protect their data and digital assets has been approved by the Senate Commerce, Science and Transportation Committee this week. The new bill, which was introduced by Sen. Brian Schatz (D-Hawaii) last week, will now head to the U.S Senate. The legislation – the MAIN STREET (Making Information Available Now to Strengthen Trust and Resilience and Enhance Enterprise Technology) Cybersecurity Act will require the National Institute of Standards and Technology (NIST) to develop new guidance specifically for small businesses to help them protect themselves against cyberattacks. New NIST guidance should include basic cybersecurity measures that can be adopted to improve resilience against cyberattacks and mitigate basic security risks. Guidance and security frameworks have been developed by NIST to help larger organizations protect their assets and data, although for smaller businesses with limited knowledge of cybersecurity and a lack of trained staff and resources they can be difficult to adopt. What is needed is specific guidance for small...

Read More
Congress Advised to Offer Incentives to Improve Healthcare Threat Intelligence Sharing
Apr06

Congress Advised to Offer Incentives to Improve Healthcare Threat Intelligence Sharing

With the healthcare industry under a sustained attack and the cyber threat landscape constantly evolving, law enforcement, the government, and private industry need to collaborate to counter the threat of cyberattacks. Cybercrime cannot be effectively tackled by organizations acting in isolation. The sharing of threat information is essential in the fight against cybercrime. Dissemination of this information makes it easier for law enforcement and government agencies to combat cybercrime. Accessing that information also allows healthcare entities to to take timely action to address vulnerabilities before they are exploited. Government and law enforcement agencies are educating healthcare organizations on the importance of sharing threat intelligence, although currently too few entities are sharing threat information. At a Congressional Energy and Commerce Committee hearing this week, cybersecurity experts made suggestions on how congress can improve threat information sharing and improve healthcare cybersecurity. At the hearing, Denise Anderson, president of the National Health...

Read More
Dr. Donald Rucker Named New National Coordinator for Health IT
Apr03

Dr. Donald Rucker Named New National Coordinator for Health IT

Dr. Donald Rucker has been named as the new National Coordinator of the Department of Health and Human Services’ Office of the National Coordinator for Healthcare Information Technology. Nether the Department of Health and Human Services nor the Office of the National Coordinator for Healthcare Information Technology has officially announced the new appointment, although Dr. Donald Rucker’s name now appears in the HHS directory as National Coordinator. Donald Rucker will replace acting National Coordinator, Jon White, M.D., who took over the position following the resignation of Dr. Vindell Washington in January 2016. White is expected to return to his former position as deputy national coordinator. Prior to joining the ONC, Donald Rucker was an adjunct professor at the Department of Biomedical Informatics at Ohio State University’s College of Medicine. Prior to that appointment, Rucker was Chief Medical Officer at Premise Health for a year and CMO at Siemens Healthcare USA for 13 years. While at Siemens Healthcare USA, Rucker led the team that designed the computerized physician...

Read More
WEDI Offers Healthcare Cybersecurity Tips to Improve Resilience Against Cyberattacks
Mar22

WEDI Offers Healthcare Cybersecurity Tips to Improve Resilience Against Cyberattacks

WEDI, the Workgroup for Electronic Data Interchange, has issued a new white paper exploring some of the common cybersecurity vulnerabilities that are exploited by threat adversaries to gain access to healthcare networks and patient and health plan members’ protected health information. The white paper – The Rampant Growth of Cybercrime in Healthcare – is a follow up to a primer released in 2015 that explored the anatomy of a cyberattack. WEDI points out the seriousness of the threat faced by the healthcare industry. Cyberattacks are costing the healthcare industry around $6.2 billion each year, with the average cost of a healthcare data breach around $2.2 million. Cyberattacks and other security incidents having risen sharply in recent years. More records are now being exposed than at any other time in history and the number of healthcare data incidents being reported reached record levels last year. The Department of Health and Human Services’ Office for Civil Rights received 315 reports of major healthcare data breaches last year and recent research by Fortinet showed that in the...

Read More
NY State HIE Improves Care Quality and Operational Efficiency of Emergency Departments
Mar17

NY State HIE Improves Care Quality and Operational Efficiency of Emergency Departments

A recent study of the Health Information Exchange adopted in New York State has shown the value of investing in an HIE and the positive impact it has on patient outcomes and operational efficiency. Following considerable investment in the New York State HIE, patient stays have been reduced, the likelihood of readmission has fallen, as have the number of physicians needed to examine patients in emergency departments. The study has shown that quality of care has been improved along with operational efficiency, resulting in considerable cost savings and improved patient outcomes. The study examined almost 86,000 emergency department encounters over a period of 19 months between July 1, 2012 and January 31, 2014 at four emergency departments linked to the HealthLinkNY Health Information Exchange. During that time, there were 46,270 patient visits which were attended by 326 physicians. Emergency departments were selected for the study as they are high pressure environments where physicians are required to treat patients with a wide range of medical conditions and must gather information...

Read More
VA to Abandon EHR In Favor of Commercial EHR System
Mar15

VA to Abandon EHR In Favor of Commercial EHR System

The challenges of developing and maintaining a custom EHR system have proved too great for the Department of Veteran Affairs. The VA developed its EHR system – VistA – in house; however, it was labor intensive, costly and time consuming to maintain and use. According to VA secretary, David Shulkin, the system is “too complex and too difficult to maneuver”. A decision needed to be taken on whether to continue to plough money and resources into getting VistA to work as it should, or to call it quits and opt for a new, commercially available system. The VA has more important priorities than software development and has opted for the latter. Shulkin wants veterans to have more choice about where they receive care. Having an EHR that allows data to be easily shared is essential to ensure veterans get the best medical treatment possible. Yet the VistA system often resulted in care being delayed which had a negative effect on patient outcomes. The decision to ditch VistA has been a long time coming. The system has been extensively discussed at hearings and last year feedback was sought on...

Read More
87% of Healthcare Organizations Will Adopt Internet of Things Technology by 2019
Mar01

87% of Healthcare Organizations Will Adopt Internet of Things Technology by 2019

The healthcare industry is embracing Internet of Things technology. 60% of healthcare organizations have already introduced IoT into their infrastructure – The third highest adoption rate of any industry. According to a recent study by Hewlett Packard subsidiary Aruba, in just two years, 87% of healthcare organizations will have adopted Internet of Things technology. The study revealed that the most common area where IoT is being utilized is for patient monitoring and maintenance. 73% of surveyed healthcare executives said they used IoT in this area, while 42% said this was the main use for IoT. The healthcare industry leads the way in this area with the highest adoption rate of any industry sector. 64% of respondents said they use IoT for patient monitors, 56% use IoT for energy meters, and 33% use IoT for imaging devices. Remote operation and control was the second most common use of IoT, used by 50% of providers, while the third most common use is for location-based services, with adoption at 47%. The benefits of IoT are clear. 80% of healthcare executives said IoT has improved...

Read More
Healthcare Industry Threat Landscape Explored by Trend Micro
Feb22

Healthcare Industry Threat Landscape Explored by Trend Micro

Trend Micro has issued a new report that explores the healthcare industry threat landscape, the new risks that have been introduced by the inclusion of a swathe of IoT devices, and how cybercriminals are stealing and monetizing health data. Cybercriminals are attacking healthcare organizations with increased vigor. More attacks occurred last year than any other year, while 2015 saw a massive increase in stolen healthcare records. While the health data of patients is an attractive target, health records are not always being sold for big bucks on underground marketplaces. Health insurance cards can cost as little as $1, while EHR records start at around $5 per record set. However, cybercriminals are now increasing their profits by processing and packaging the stolen data.  Data are used to obtain government-issued iDs such as driver’s licenses, passwords and birth certificates. Farmed identities of individuals who have died are being sold, which can see prices of more than $1,000 charged per identity, or even more if IDs are also supplied. A large haul of health data from an EHR...

Read More
Majority of Healthcare Organizations Struggling with EHR Interoperability
Feb13

Majority of Healthcare Organizations Struggling with EHR Interoperability

A recent survey from Black Book Market Research has highlighted what hospital administrators and physicians know all too well. Great strides may have been made toward a fully interoperable healthcare system, but important medical data is still not accessible. There are still many problems getting hold of electronic health record data and making it accessible to the people who need it most. Many EHR systems do not have the required connectivity. Even when data from healthcare providers’ EHR systems does get sent to other providers, the data are often in an unusable or difficult to use format. 3,391 users of EHRs were surveyed for the Black Book survey. 25% of respondents said they are unable to use any data sent by other healthcare providers, while 22% of surveyed hospital administrators said they receive medical record data from other healthcare organizations in a format that does not allow data to be easily incorporated into their own EHR systems. 70% of hospitals were not using external EHR information because the data were missing from their systems’ workflow. Receiving data in...

Read More
IoT and Mobile Application Vulnerabilities Not Being Adequately Addressed
Jan31

IoT and Mobile Application Vulnerabilities Not Being Adequately Addressed

Organizations around the world are taking advantage of IoT and mobile applications to improve efficiency, yet too little is being done to ensure the applications are secure.  A key lesson from a recent Ponemon Institute survey is application usability and not just data security should always be factored into application development and cloud cost management or users will resist security measures and find workarounds. Organizations can benefit greatly from IoT and mobile technology, yet it is all too easy for major security risks to be introduced. Hackers are well aware of vulnerabilities in mobile and IoT applications and leverage those vulnerabilities to gain access to networks and sensitive data. IoT infrastructure is vulnerable to attack, although the greatest risks are introduced by embedded software in gateways and the cloud. Many IT security practitioners are well aware of the security risks that can potentially be introduced, yet according to a recent survey conducted by the Ponemon Institute, little is being done to mitigate risk. 593 IT and IT security professionals were...

Read More
L.A. Care Health Plan Information Exchange Platform Links 21 Hospitals
Jan06

L.A. Care Health Plan Information Exchange Platform Links 21 Hospitals

Members covered by the L.A. Care Health Plan in Los Angeles are now benefiting from improved health information sharing with healthcare providers following the launch of a new health information exchange platform. L.A. Care Health Plan (formerly known as Local Initiative Health Authority of Los Angeles County) is a public entity providing an accountable care program and other health plans (such as L.A. Care Covered, L.A. Care’s Healthy Kids and PASC-SEIU Homecare Workers Health Care Plan) for Los Angeles residents. Through its 6 health care plans, L.A. Care Health Plan provides coverage for more than 2 million individuals including some of the most vulnerable populations in the County, and is now the largest publicly operated health plan in the United States. Last year, the health plan conducted a pilot with the eConnect information exchange platform supplied by Safety Net Connect. The eConnect platform enables users to provide real-time alerts on admissions, discharges, and transfers using the HL7 Admit Discharge Transfer Protocol. The pilot was a success and in August 2015, L.A....

Read More
Patients Holding Back Health Information Over Data Privacy Fears
Jan05

Patients Holding Back Health Information Over Data Privacy Fears

A fully interoperable health system is becoming closer to reality. Barriers to health data sharing are being removed and the ONC and HHS’ Office for Civil Rights are stepping up their efforts to prevent information blocking by healthcare providers. However, in order for information to be able to flow, it is essential that information is collected. If healthcare providers and other healthcare organizations only have access to partial medical histories, the usefulness of health data will be limited. Unfortunately, many patients are reluctant to provide their full medical histories to their healthcare providers, and even when information is provided, many patients do not want that information shared with anyone other than their primary healthcare provider. Privacy and security issues are a major concern, and the problem is growing. As healthcare data breaches continue to increase year on year, consumer confidence is decreasing. This has a direct impact on the willingness of patients to share their health data. Important Medical Information is Being Withheld by Patients The extent to...

Read More
New Report Published on Privacy Risks of Personal Health Wearable Devices
Dec29

New Report Published on Privacy Risks of Personal Health Wearable Devices

Wearable technology is now ubiquitous. Consumers have embraced the wide range of trackers and health apps that have come to market in recent years and manufacturers have responded to demand and have created an even broader range of wearable devices that track and monitor health metrics. Wearable devices have expanded from trackers that monitor heart rates, exercise levels, and sleep quality, to devices that collect a far greater range of health data. The data collected from those devices now includes information classed as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). While the data collected by HIPAA-covered entities must be protected from unauthorized access under the HIPAA Privacy and Security Rules, those Rules only apply to healthcare providers, health plans, healthcare clearinghouses and business associates of covered entities. Non-covered entities are not required to implement the safeguards demanded by HIPAA Rules to keep ‘PHI’ secure. If a wearable device is provided to a patient by a HIPAA-covered entity, the...

Read More
FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers
Dec28

FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers

The U.S. Food and Drug Administration (FDA) has published final cybersecurity guidance for medical device manufacturers to help them better protect their devices from cyberattacks. The guidance will help device manufacturers implement a system for identifying and reporting potential security vulnerabilities to ensure flaws can be addressed before they are exploited by hackers. The threat of hackers using vulnerabilities in medical devices to gain access to sensitive data or cause patients to come to harm has been widely publicized in recent years. This year, many cybersecurity professionals have called for device manufacturers to do more to ensure their products – including defibrillators, pacemakers, and drug pumps – are made more secure. The FDA has previously issued warnings to device manufacturers and healthcare providers about medical device security risks. In 2015, the FDA warned of a vulnerability affecting Hospira insulin pumps, which could potentially be exploited by hackers to alter insulin doses to cause patients to come to harm. Earlier this year, short-selling...

Read More
ONC Publishes Final 2017 Interoperability Standards Advisory
Dec21

ONC Publishes Final 2017 Interoperability Standards Advisory

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has published its Final 2017 Interoperability Standards Advisory (ISA). The ISA is a catalog of standards and implementation specifications that can be used by healthcare organizations to address specific interoperability needs. The purpose of the ISA is to serve as a single resource for the healthcare industry to obtain standards and implementation specifications to meet their specific interoperability needs. The ISA covers healthcare data stored in electronic health records, although the resource is intended to be used for a range of health IT that support interoperability needs. ONC points out that the scope of the resource is limited to ‘what’ could be used to address an organization’s interoperability needs, and not necessarily ‘how’ those needs should be met, such as the specific interfaces or tools that should be used. The resource also has a broader scope than the version released in 2016. This year, ONC transitioned from a static document to an online...

Read More
Security Cameras Could Be Your Biggest Security Weakness
Dec09

Security Cameras Could Be Your Biggest Security Weakness

Could a networked device that’s designed to enhance security be exploited by hackers to gain access to your network? In the case of security cameras, it is a distinct possibility. Security and surveillance camera security weaknesses could be exploited by hackers to gain access to the networks to which they connect. The cameras could also be used to check for physical security weaknesses or to spy on workers and patients. The past few weeks have clearly shown the need for better security controls to be incorporated into these IoT devices. Hackers have taken advantage of scant security controls to gain access to cameras (and other IoT devices) and have used them for massive Distributed Denial of Service (DDoS) attacks. Many device manufacturers are guilty of failing to incorporate adequate security controls, although not all of the blame can be placed at the door of the manufacturers. IT departments have installed the devices, yet have failed to change default passwords. Weak passwords can easily be guessed by hackers, and in many cases, the default passwords are readily available...

Read More
OCR Warns Covered Entities of Risk of DDoS Attacks
Dec08

OCR Warns Covered Entities of Risk of DDoS Attacks

There has been a surge in Distributed Denial of Service (DDoS) and Denial of Service (DOS) attacks over the past few weeks. The attacks involve flooding systems with information and requests to cause those systems to crash. The attacks have resulted in large sections of the Internet being taken offline, email systems have crashed, and other computer equipment taken out of action. DDoS attacks on healthcare organizations could prevent patients from accessing web services such as patient portals during an attack, but they can also prevent healthcare employees from accessing systems that are critical for healthcare operations. EHRs, payroll systems, or even software-based medical equipment such as drug infusion pumps and MRIs can potentially be taken out of action. Not only do DDoS attacks prevent these systems from being accessed, they can also result in substantial hardware damage and the cost of repair can be considerable. The scale of the recent attacks has been astonishing. Whereas last year, DDoS attacks of the order of 300 Gbps something of a rarity, this year we have seen...

Read More
Lawmakers Seek Clarification from FDA on Efforts to Protect Medical Devices
Nov09

Lawmakers Seek Clarification from FDA on Efforts to Protect Medical Devices

Concern about the security of medical devices has been growing in recent weeks following the potential discovery of security vulnerabilities in St. Jude Medical devices. While vulnerabilities in medical devices do not appear to have been exploited by cybercriminals, the potential for networked medical devices to be used to attack healthcare organizations and patients cannot be ignored. Currently, around 10-15 million medical devices are in use in the United States, with that number expected to grow considerably over the next few years. With so many connected devices, many of which are approaching end of life and use technology that could potentially be exploited buy cybercriminals, there is naturally concern about device security and how it can be improved. The threat to patients may currently be low, but if action is not taken to improve device security patients could be harmed and vulnerabilities may be exploited to gain access to healthcare data. Last week, Congresswomen Diana DeGette (D-CO) and Susan Brooks (R-IN) sought clarification from the Food and Drug Administration (FDA)...

Read More
Physicians Not Getting Full Benefits from EHR Systems
Nov08

Physicians Not Getting Full Benefits from EHR Systems

Incentive payments for transitioning from paper records to electronic health records has prompted many physicians to purchase electronic health record systems. By 2015, 77.9% of office-based physicians had installed and were using EHRs. However, while EHRs are now in use in most physicians’ offices, the vast majority of physicians are not getting the full benefits of their EHR systems, according to a recent report from the U.S. Department of Health and Human Services’ Centers for Disease Control and Prevention (CDC). CDC took data from the 2015 National Electronic Health Records Survey (NEHRS) for the report: State Variation in Electronic Sharing of Information in Physician Offices: United States. 2015. Survey data were used to describe the extent to which EHR systems were being used by physicians and the report provides a snapshot of the interoperability of medical records. While the systems are now in place to allow the sharing of health information with other healthcare providers, there are still many barriers which are preventing data sharing and consequently, physicians and...

Read More
A NICE New Framework for Developing A Skilled Cybersecurity Workforce
Nov04

A NICE New Framework for Developing A Skilled Cybersecurity Workforce

On Tuesday this week at the NICE conference and Expo in Kansas City, Missouri, the Department of Commerce’s National Institute of Standards and Technology (NIST) announced the release of a new draft version of its NICE Cybersecurity Workforce Framework (NCWF). According to NIST, the new Framework “will allow our nation to more effectively identify, recruit, develop and maintain its cybersecurity talent,” and help U.S. organizations develop a well-trained cybersecurity workforce. The Framework has been developed by the National Initiative for Cybersecurity Education (NICE) and is the product of extensive collaboration between academic institutions, private sector organizations, and government agencies including the U.S. Department of Defense and Department of Homeland Security. The new framework provides common language to categorize different cybersecurity roles and describes job titles and responsibilities in detail. The Framework serves as a workforce dictionary that can be used by organizations to define and share information about the cybersecurity workforce in a detailed,...

Read More
ONC Draws Attention to New Resources to Help Providers Maintain Access to ePHI
Nov02

ONC Draws Attention to New Resources to Help Providers Maintain Access to ePHI

The majority of healthcare providers have now transitioned to electronic health records, yet ensuring ePHI is always accessible when it is needed is sometimes a challenge. Should providers not be able to access ePHI, the health and safety of patients may be put at risk. To prevent harm to patients and HIPAA violations, the Department of Health and Human Services’ Office of the National Coordinator for Health IT (ONC) has drawn attention to a number of new resources that have been made available to providers to help ensure ePHI access is maintained. The ONC has drawn attention to a new FAQ that was recently published by Department of Health and Human Services’ Office for Civil Rights (OCR) which explains how Health Insurance Portability and Accountability Act (HIPAA) Rules apply to health IT vendors, such as EHR vendors. Health IT vendors are classed as business associates of HIPAA-covered entities, and as such they are required to abide by the HIPAA Privacy, Security, and Breach Notification Rules. The FAQ explains that under the HIPAA Privacy Rule, EHR vendors must ensure that the...

Read More
$1.5 Million in Grants Awarded by HHS to Improve the Flow of Health Data
Sep30

$1.5 Million in Grants Awarded by HHS to Improve the Flow of Health Data

Grants totaling $1.5 million have recently been awarded to seven organizations by the Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) to develop standards-based solutions to improve the exchange of health information. New approaches to health information exchange will be developed and tested, and the results of the Cooperative Agreement programs will help to improve medication management, data exchange, and the coordination of care. According to the ONC, more than 35 applications were received for the High Impact Pilot and Standards Exploration Award grants, which were announced at the Health Datapalooza Conference in May. The $1.5 million will be shared between the seven winning applicants. As Vindell Washington, MD, national coordinator for health information technology explained, “These programs will serve as key building blocks for improving the patient and provider experience with the flow of health information.” Announcing the winners of the awards, Washington said the aim is to “advance the use of common...

Read More
ONC Issues Guidance for Negotiating EHR Contracts
Sep27

ONC Issues Guidance for Negotiating EHR Contracts

The Department of Health and Human Services’ Office of the National Coordinator for Health IT (ONC) has issued guidance for HIPAA covered entities to assist them when negotiating EHR contracts. The guidance offers advice on how to select and negotiate terms with EHR vendors, and helps covered entities understanding the fine print of contracts. The benefits of EHR systems are clear; however, in practice those systems do not always live up to expectations. If mistakes are made in the selection of EHR systems, or errors made negotiating contracts, the systems can result in unexpected costs being incurred, business efficiency can be disrupted, and covered entities may even be prevented from accessing patient records. Many healthcare organizations fail to appreciate that while an EHR system includes the data repository and software for creating, maintaining, and accessing data, the EHR will need to be interoperable with other healthcare IT systems. Compatibility issues with those systems can prove extremely costly. Many of the implementation, maintenance, and access problems that...

Read More
Sharing of Health Data with Patients: 95% of Hospitals Now Offer ePHI Access
Sep16

Sharing of Health Data with Patients: 95% of Hospitals Now Offer ePHI Access

The Department of Health and Human Services has been encouraging patients to take a more active role in their own healthcare and to engage more with their healthcare providers. Not only will this help to improve patient outcomes, it will also help to reduce healthcare costs. Healthcare organizations have also been encouraged to improve patient engagement, in part by ensuring that patients can easily access their ePHI. Under the Shared Nationwide Interoperability Roadmap, healthcare providers should allow patients not only to view their health data, but also to download copies and transmit those data to any healthcare provider of their choosing. This week, the Office of the National Coordinator for Health IT has released statistics showing the progress that has been made and the extent to which electronic capabilities for patient engagement have been implemented by U.S. hospitals. According to the data brief, significant progress has been made. The vast majority of U.S. Non-Federal Acute Care Hospitals are now allowing patients online access to their ePHI. There has also been a...

Read More
Have You Remediated the EXTRABACON Vulnerability in your Cisco ASA?
Sep08

Have You Remediated the EXTRABACON Vulnerability in your Cisco ASA?

If you use a Cisco Adaptive Security Appliance (ASA) in your organization and have not patched the device to remediate the EXTRABACON vulnerability, the flaw could be exploited by hackers and used to steal ePHI. On August 13, 2016, a group operating under the name Shadow Brokers released an exploit for EXTRABACON. The vulnerability affects a number of Cisco ASA network security devices and could potentially be used by hackers to gain full control of the devices. Should that happen, it would be possible for a hacker to decrypt VPN traffic, or access internal systems, including those used to store ePHI. The EXTRABACON vulnerability affects versions 1, 2c, and 3 of the Simple Network Management Protocol (SNMP) in a number of Cisco devices including its ASA, ASAv, Firepower, and PIX Firewall products. The vulnerability could allow attackers to create a buffer overflow and run arbitrary code by sending specially crafted SNMP packets to an SNMP-enabled interface. In order to exploit the EXTRABACON vulnerability, the attacker would need to have knowledge of a configured SNMP community...

Read More
Muddy Waters Device Hacking Claims Questioned by Researchers
Sep01

Muddy Waters Device Hacking Claims Questioned by Researchers

Last week, Carson Block – founder of short-selling firm Muddy Waters – released a report saying St. Jude Medical’s Merlin@home device for monitoring pacemakers contained critical security flaws that could be remotely exploited. Those exploits could be used to disrupt the function of the devices and cause them to fail. The research for the report was conducted by security firm MedSec. MedSec had been testing a range of devices from multiple manufacturers as part of an 18-month study of device security. MedSec chose not to present the findings to St. Jude, instead the research was offered to Muddy Waters. The two companies entered into a partnership with MedSec being paid a consultancy fee. MedSec will also benefit financially from any shorting of St. Jude Stock. Block was able to short St. Jude’s stock, with the value of shares falling by 5% last Thursday following the publication of the report. However, leading medical device security researchers from the University of Michigan have conducted their own experiments to test St. Jude devices for security vulnerabilities. Their...

Read More
ONC Announces Winners of the Healthcare Blockchain Challenge
Aug31

ONC Announces Winners of the Healthcare Blockchain Challenge

Last month, the US Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) launched a challenge to explore the potential uses of Blockchain technology in healthcare and health-related research. While Blockchain is best known for its use in the digital currency Bitcoin, Blockchain technology has tremendous potential to benefit the healthcare industry, in particular to improve data privacy, security, and interoperability. Blockchain certainly shows great potential and is attracting considerable investment. In 2014, $299 million was invested in Blockchain by VC-backed companies and that figure rose to $474 million in 2015. Critics of Blockchain have expressed concern about the level of computing power needed and the cost of implementing Blockchain technology, claiming the use of the technology would therefore be extremely limited in healthcare. However, even though there are potential stumbling blocks, there was no shortage of potential applications submitted to the ONC. The ONC received more than 70 whitepapers from research...

Read More
St. Jude’s Medical Accused of Failing to Address ‘Stunning’ Cybersecurity Flaws
Aug26

St. Jude’s Medical Accused of Failing to Address ‘Stunning’ Cybersecurity Flaws

When security researchers at MedSec discovered flaws in a suite of medical products, instead of contacting the manufacturer of the devices – St. Jude Medical – the company divulged the information to Carson Block, a short seller who runs investment capital firm Muddy Waters Capital LLC. MedSec will receive payment from Muddy Waters for the disclosure. Block has taken a short position against the manufacturer and the bigger the fall in stock prices, the more MedSec stands to make. St. Jude Medical was the second most popular stock with large hedge funds in Q2, 2016. Block recently issued a report through Muddy Waters explaining the flaws which sent stock prices tumbling. After the report was published, St. Jude Medical stock lost 8% of its value and closed the day 5% down. In the report, Block predicted that St. Jude Medical could end up losing half of its annual revenue for at least the next two years while the flaws are remediated. The revelation also threatens to derail the recent $25 billion acquisition of the company by Abbot Technologies. The security...

Read More
Locky Ransomware Attacks on Hospitals Increase
Aug22

Locky Ransomware Attacks on Hospitals Increase

According to a new report from security firm FireEye, Locky ransomware attacks on hospitals have surged this month. Criminal gangs that have previously used the Dridex banking Trojan for attacks appear to have switched to Locky and the healthcare sector is being targeted. Hospitals now face an increased risk of experiencing Locky crypto-ransomware attacks. FireEye discovered a number of “massive” email campaigns were launched this month. Each of those campaigns has been unique. The attackers have used different text for the phishing emails, one-off code for each campaign, different malicious URLs, and unique encoding functions and keys for each campaign. The Rise of Locky Locky ransomware was first discovered in early 2016 and has been used in a number of attacks on healthcare organizations. Most notably, the attack on Hollywood Presbyterian Medical Center in February. That attack resulted in a ransom of $17,000 being paid in order to obtain keys to decrypt locked data. Early Locky campaigns have used JavaScript downloaders to install the crypto-ransomware, with the malicious files...

Read More
Healthcare Leaders Need to Move Faster to Meet Cybersecurity Challenges
Aug19

Healthcare Leaders Need to Move Faster to Meet Cybersecurity Challenges

The response from the healthcare industry to current cybersecurity threats has not been fast enough and basic IT security measures are still not being adopted, according to a Nashville-based FBI Supervisory Special Agent. Speaking at last week’s CHIME/AEHIS LEAD Forum Event at Sheraton Downtown Nashville, Scott Augenbaum – an FBI Supervisory Special Agent in the Memphis Division – explained the attendees that too little is being done to keep healthcare data secure. He also pointed out that in the majority of cases, healthcare data breaches could easily have been prevented. When Augenbaum is called upon to visit healthcare organizations following breaches of protected health information, he usually discovers that simple data security measures could have prevented the exposure or theft of PHI. “90 percent of what I see could easily have been prevented. I do not go into a data breach situation where I don’t say, now, wow, that was sophisticated.” He also said that while investment in cybersecurity has increased in the healthcare industry, the situation is not getting better....

Read More
HITRUST CyberAid Cybersecurity Initiative Trialed in North Texas on Small Healthcare Organizations
Aug17

HITRUST CyberAid Cybersecurity Initiative Trialed in North Texas on Small Healthcare Organizations

Large healthcare organizations have the budgets and resources for complex cybersecurity solutions to prevent intrusions and keep the protected health information of patients secure. However, smaller healthcare organizations, in particular physician groups with fewer than 75 employees, face considerable challenges. Many cybersecurity solutions are not ideal for the small business environment and the cost of implementing appropriate defenses against cyberattacks can be prohibitively expensive. However, effective cybersecurity solutions must be deployed. Healthcare organizations are now being targeted by cybercriminals and smaller organizations face a high risk of attack. Hackers are well aware that the defenses of small healthcare organizations can lack sophistication. This can make small practices a target for hackers. If a successful cyberattack occurs it can be catastrophic for small practices. The cost of mitigating risk after a cyberattack is considerable. Many healthcare organizations lack the funds to deal with cyberattacks. This was clearly demonstrated by the cyberattack on...

Read More
13.6% Growth Expected in Hospital Cybersecurity Market to Combat New Threats
Aug12

13.6% Growth Expected in Hospital Cybersecurity Market to Combat New Threats

Over the next five to six years, growth in the healthcare cybersecurity solution market is expected to increase by 13.6%, according to a new Frost & Sullivan report. Healthcare organizations now have to protect a much broader attack surface now that the vast majority of organizations have transitioned from paper to digital PHI formats. Keeping data protected from attacks by malicious actors is now a major concern for healthcare organizations. The threat landscape has changed considerably and traditional cybersecurity solutions are failing to prevent increasingly sophisticated attacks. The increase in cybersecurity threats will fuel considerable growth in the hospital cybersecurity market. As we have seen in the past few weeks, the Department of Health and Human Services’ Office for Civil Rights has stepped up enforcement of HIPAA regulations and has issued a number of multi-million dollar files to companies that have failed to protect adequately protect the ePHI of patients. The FTC and state attorneys general have also taken action against healthcare organizations that have...

Read More
Karen DeSalvo Leaves ONC: Vindell Washington Takes Over
Aug12

Karen DeSalvo Leaves ONC: Vindell Washington Takes Over

For the past two years, Karen DeSalvo has served as the National Coordinator for Health Information Technology of the Office of the National Coordinator for Health Information Technology (ONC). That role has now come to an end, as today, DeSalvo will be stepping down. The new ONC head will be the former deputy national coordinator, Dr. Vindell Washington. DeSalvo will not be leaving the Department of Health and Human Services (HHS) as she will continue in her role as acting assistant secretary for health, a position she has held since October 2014. DeSalvo took on that post to oversee the nation’s response to the Ebola crisis. Leaving the position of national coordinator will allow DeSalvo to concentrate on that position. Before DeSalvo joined the ONC, one of the ONC’s main roles was to oversee the adoption of electronic health records by the healthcare industry. When DeSalvo took over as head the ONC was becoming increasingly involved with promoting interoperability. DeSalvo played an important part in driving the meaningful use EHR incentive program forward and advancing...

Read More
TigerText Receives HITRUST CSF Certification
Jul28

TigerText Receives HITRUST CSF Certification

Secure healthcare messaging platform provider TigerText has achieved CSF Certification from the Health Information Trust Alliance (HITRUST). TigerText is the first vendor in its class to earn HITRUST CSF certification. HITRUST CSF was developed to help organizations in the healthcare sector certify that they have implemented the necessary privacy and security controls in compliance HIPAA and HITECH legislation, in addition to globally recognized standards and frameworks developed by NIST, ISO, PCI, FTC, and COBIT. Since the HITRUST CSF was developed it has fast become the most widely-adopted security framework in the U.S. healthcare industry. In order for organizations to earn HITRUST CSF certification they must be able to demonstrate that they meet key healthcare regulations covering the protection of sensitive healthcare information and that they are effectively managing risk. As Ken Vander Wal, Chief Compliance Officer at HITRUST, explains “The HITRUST CSF has become the information protection framework for the healthcare industry, and the CSF Assurance program is bringing a new...

Read More
Could New Database Methodology End Massive Healthcare Data Breaches?
Jul22

Could New Database Methodology End Massive Healthcare Data Breaches?

If a hacker succeeds in breaking through network security defenses and gains access to patient data, hundreds of thousands of healthcare records can be stolen in an instant. In the case of Anthem, tens of millions of records were obtained by data thieves. However, a new methodology for protecting relational databases has been devised by Washington D.C-based MD and computer scientist, William Yasnoff M.D. Yasnoff, a managing partner of the National Health Information Infrastructure (NHII) Advisors, believes that the new architecture could help healthcare organizations avoid large-scale data breaches. In a paper published in the Journal of Biomedical Informatics, Yasnoff explains that he has developed a new health record storage architecture that allows healthcare organizations to store and encrypt individual patient’s data separately. By using Yasnoff’s “personal grid” methodology, healthcare organizations can greatly reduce the risk to patients in the event of a data breach. The technique is not being sold by Yasnoff, but can be used free of charge by healthcare organizations and...

Read More
Large Privacy and Security Gaps at Non-HIPAA Covered Entities Highlighted by ONC Report
Jul20

Large Privacy and Security Gaps at Non-HIPAA Covered Entities Highlighted by ONC Report

Consumers’ health data is potentially being placed at risk by entities that are not covered by HIPAA Rules, according to a recent report issued by the ONC. The report – Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA – was produced following a study of the application of privacy and security requirements to non-HIPAA covered entities and business associates.  The report also draws on work conducted by the FTC, National Committee on Vital and Health Statistics (NCVHS), and OCR. The ONC explains in the report that a large number of organizations are now collecting, storing, and transmitting health data, yet many of those organizations are not subject to the same rules concerning the protection of ePHI as traditional healthcare organizations. Data and privacy protections at non-HIPAA-covered entities are not always robust and numerous gaps exist that place the health data of individuals at risk. The Scope of HIPAA is Limited HIPAA covers traditional healthcare organizations that perform electronic transactions –...

Read More
Lifting of Joint Commission Ban on Secure Text Orders Delayed until Fall
Jul18

Lifting of Joint Commission Ban on Secure Text Orders Delayed until Fall

The lifting of the Joint Commission ban on secure text orders was welcomed by healthcare organizations and secure messaging providers; however, the ban is now back in place. Text orders cannot currently be sent, even if a secure messaging platform is used. Joint Commission Ban on Secure Text Orders Lifted Only for a Month The lifting of the Joint Commission ban on secure text orders was announced in the May Perspectives newsletter, although the June Newsletter explained that organizations wishing to use a secure messaging platform must first be provided with further guidance to help them incorporate the texting of orders into their policies and procedures. The May Perspectives newsletter explained that “effective immediately” the Joint Commission ban on secure text orders was lifted. The newsletter explained that in order for healthcare organizations to start using text messages to transmit orders a number of conditions needed to be satisfied. Standard text messaging platforms could not be used due to the risk of data being intercepted. The texting of orders would only be permitted...

Read More
Three Hospitals’ Medical Devices Hacked Using Ancient XP Exploits
Jun28

Three Hospitals’ Medical Devices Hacked Using Ancient XP Exploits

Cybercriminals are using increasingly sophisticated methods to gain access to healthcare networks, although according to a recent report – MEDJACK.2 Hospitals Under Siege – from Trap X Research Labs, old school malware and ancient exploits can still be effective. Three hospitals have been discovered to have been infected with malware via medical devices running on legacy systems. The researchers discovered “a multitude of backdoors and botnet connections,” that had been installed using ancient exploits of the unsupported Windows XP platform. Hackers had succeeded in compromising the machines even though the hospitals had modern, sophisticated cybersecurity defenses in place. The initial attacks used old malware which was not detected by advanced security software. The malware was not deemed to pose a threat as the vulnerabilities that the malware exploited had been addressed in Windows 7 and did not exist in later Windows versions. Sophisticated Cybersecurity Defenses Failed to Identify Windows XP Malware Infections One of the hospitals tested by TrapX researchers had a...

Read More
Healthcare Organizations Need to Be Proactive and Hunt for Security Threats
Jun22

Healthcare Organizations Need to Be Proactive and Hunt for Security Threats

Many organizations are now opting to outsource cybersecurity to managed security services providers (MSSPs) due to a lack of internal resources and expertise. However, many MSSPs are unable to offer the advanced threat detection services necessary to significantly improve cybersecurity posture. Raytheon Foreground Security recently commissioned a Ponemon Institute study to investigate how MSSPs were being used by organizations.  Raytheon surveyed 1,784 information security leaders from a range of organizations – including healthcare providers – in North America, the Middle East, Europe, and the Asia-Pacific region. Respondents were asked about the role of MSSPs, how important their services are, and how MSSPs fit in to business strategies. 80% of organizations that have enlisted the services of MSSPs say that they are an important element of their IT overall security strategy and provide a range of services that cannot be managed in house. Many organizations do not have sufficient IT personnel to make their cybersecurity strategies more effective, and when staff are available they...

Read More
VA Implements New Measures to Improve Medical Device Cybersecurity
Jun21

VA Implements New Measures to Improve Medical Device Cybersecurity

In May, a top official at the Veteran’s administration said that the risk of medical devices being hacked to give patients’ overdoses or otherwise cause them to come to harm is relatively unlikely; however, VA deputy director of health information security Lynette Sherrill did point out that medical devices could be a weak link that cyberattackers attempt to exploit. One of the problems is medical devices are not always patched promptly. The devices connect to networks via traditional operating systems such as Windows. When patches are released by Microsoft, medical devices are often the last devices to have the updates applied. The Information Security Monthly Activity Report sent by the VA to congress often shows that medical devices have been infected with malware. In January, the VA discovered three medical devices had been infected, with a further case in February and two more in April. Since malware infections started to be tracked by the VA in 2009, 181 medical device infections have been discovered. These infections have all been contained and are not believed to have...

Read More
NIST Cybersecurity Framework to be Updated
Jun15

NIST Cybersecurity Framework to be Updated

In 2014, the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework. The Framework details a set of standards, procedures, and processes that can be adopted by organizations to help them align their policy, business, and technological approaches to deal with cybersecurity risks. In December 2015, NIST issued a request for information (RFI) seeking feedback on use of the Cybersecurity Framework. NIST also asked for comments regarding long-term governance of the Framework and suggestions on how best practices for use should be shared. 105 responses were received. Further feedback was sought from stakeholders at an April 6-7 workshop in Gaithersburg, MD, specifically on best practice sharing, case studies, further development of the Framework, and comment on the NIST Roadmap for Improving Critical Infrastructure Cybersecurity. The feedback received from the RFI and the workshop indicated the Framework had proved to be a useful organization and system level tool, and that it has proved to be valuable for coordinating cybersecurity. Organizations...

Read More
FDA Issues Guidance for Medical Device Makers to Facilitate Data Sharing with Patients
Jun14

FDA Issues Guidance for Medical Device Makers to Facilitate Data Sharing with Patients

The Food and Drug Administration (FDA) has issued new draft guidance for medical device manufacturers offering recommendations to facilitate the sharing of medical device data with patients. The FDA believes that sharing medical data such as oximetry data, heart electrical activity, and cardiac rhythms with patients will help to empower them to become more engaged in their own healthcare, and will help them to make sound medical decisions. In the guidance, the FDA explains that while the data recorded by these devices is primarily for physicians and hospitals, device manufacturers should make the data recorded by their devices available to patients. The data included in the FDA’s definition of patient-specific information include, but is not limited to, healthcare provider inputs, device usage/output statistics, incidences of alarms, records of device malfunctions or failures, or any data recorded by the devices. Device manufacturers have previously suggested that FDA approval would be necessary before they provided medical device data to patients. The FDA has issued the guidance...

Read More
ONC Releases Videos Explaining Patients’ HIPAA Rights
Jun03

ONC Releases Videos Explaining Patients’ HIPAA Rights

Earlier this year, the HHS’ Office for Civil Right (OCR) released guidance for healthcare organizations on patients’ HIPAA rights in an attempt to clear up confusion over access and ensure that covered entities were aware of their obligations under the HIPAA Privacy Rule. The guidance covered many of the questions commonly asked by healthcare organizations, including the models that can be adopted by healthcare organizations for charging for PHI copies. Now that covered entities are prepared, efforts have shifted to advising patients of their access rights under HIPAA. This week, the Office of the National Coordinator for Health Information Technology (ONC) -in conjunction with the OCR – released a series of educational videos to improve understanding of patients’ HIPAA rights. The ONC wants to improve patient engagement and get patients to take greater interest in their health. Encouraging patients to obtain copies of their ePHI can help in this regard. Having access to medical records allows patients to check for errors, provide their data to other healthcare providers or...

Read More
Verity Health System Victim of Phishing Attack
Jun03

Verity Health System Victim of Phishing Attack

Verity Health System has fallen victim to a phishing attack resulting in sensitive employee data being emailed outside the company. Employee names, addresses, Social Security numbers, amount earned in the financial year, and details of tax withheld have been disclosed to the attacker. The breach only affected past and present employees who would have received a W-2 for the past financial year. No patient data was compromised in the breach. An email was received on April 27, 2016., which appeared to have been sent from an individual inside the organization. The email asked for information on Verity employees, which was sent as requested. The scam was discovered just over three weeks later. The Oregon-based healthcare provider is one of a large number of companies that have fallen victim to this kind of scam this year. These phishing attacks are often referred to as business email compromise scams, although internal email accounts are not always compromised. Oftentimes, attackers purchase a similar domain to that used by the targeted organization. The letter ‘I’ could be replaced...

Read More
TigerText Announces Collaboration with Honeywell
Jun02

TigerText Announces Collaboration with Honeywell

TigerText, the leading provider of secure text messaging solutions for the healthcare industry, has announced that users of the Honeywell’s new Dolphin™ CT50h smartphone can now use the TigerText secure messaging app. TigerText has been working closely with Honeywell to develop a customized version of its app which can be downloaded onto the Dolphin smartphone. The new version of the TigerText app works with the next-generation scanner on Honeywell’s Dolphin™ CT50h smartphone, which can be used to verify patients’ identities. TigerText has incorporated its bot technology which allows healthcare data to be pulled directly from healthcare providers’ electronic medical record systems. Physicians can use the app to retrieve critical up-to-date health information about patients’ medications by scanning barcodes with the Dolphin smartphone. The TigerText app allows physicians to obtain EMR data in real time, ensuring they can access all patient data including recent procedures and notes entered by all members of the care team. Having access to the most up-to-date patient information will...

Read More
CHIME Launches New Cybersecurity Center and Program Office
May31

CHIME Launches New Cybersecurity Center and Program Office

The College of Healthcare Information Executives (CHIME) has announced the opening of a new Cybersecurity Center and Program Office which will help healthcare organizations deal with cyber threats and better protect patient data and information systems. Announcing the opening of the new office, CHIME President and CEO Russell Branzell explained the need for better collaboration within the healthcare industry. “Cyber threats are becoming more sophisticated and more dangerous every day.” He went on to say, “Today the focus is ransomware, tomorrow it will be something else. As an industry, we need to pull together and share what’s working so that we can effectively safeguard our systems and protect patients.” The new office will be manned by CHIME staff, although assistance will be sought from Association for Executives in Healthcare Information Security (AEHIS) members, who will serve as security advisors to the center as well as to the healthcare industry. The Cybersecurity Center and Program Office will develop a range of resources to help healthcare organizations develop better...

Read More
HHS Announces Release of the Final Data Security Policy Principles Framework
May27

HHS Announces Release of the Final Data Security Policy Principles Framework

HHS Secretary Sylvia Matthews Burwell has announced the release of the final Data Security Policy Principles Framework for the Precision Medicine Initiative (PMI) which was launched by President Obama in early 2015. The Security Principles Framework was developed to help healthcare organizations that participate in the PMI understand the security measures that must be adopted to protect sensitive health, genetic, and environmental information. According to the HHS, the PMI will help to “enable a new era of medicine – one where doctors and clinicians are empowered to tailor their treatments to their patients’ needs, and patients can get individualized care,” The PMI is intended to help “deliver the right treatment to the right patient at the right time, taking into account an individual’s health history, genetics, environment, and lifestyle.” In February, the Obama Administration announced that great progress has been made so far, and that more than 40 commitments have been made by the private sector to advance precision medicine. Those commitments include a promise by leading EHR...

Read More
Cybersecurity Training Failing to Tackle Insider Threat
May27

Cybersecurity Training Failing to Tackle Insider Threat

A recent Ponemon Institute/Experian study – Managing Insider Risk Through Training & Culture – has shown that companies are failing to provide adequate cybersecurity training to prevent negligent behavior by employees and to reduce the risk of an insider data breach. For the latest study, over 600 individuals from a wide range of organizations were questioned about their cybersecurity training programs. Respondents included C-suite executives, managers, and IT professionals from companies that had a data protection and privacy training (DPPT) program in place. The study revealed that 55% of companies have experienced a data breach in the past that was caused by employee negligence or human error. When asked about the risk of a data breach as a result of negligence or employee error the majority of companies were aware of the risk. 66% of respondents said they believed employees are the weakest link in the security chain, yet more than half of respondents said their cybersecurity training programs were not effective. When asked about training programs and employees...

Read More
Apple to Recruit HIPAA Expert as Privacy Counsel
May25

Apple to Recruit HIPAA Expert as Privacy Counsel

Apple is seeking a Privacy Counsel with extensive experience in healthcare privacy and a thorough understanding of HIPAA regulations. The new position confirms that Apple is planning on developing its products to be more valuable to healthcare professionals and patients, and that the company is intent on making more of a mark in the healthcare sector. The new recruit will be required to work on cutting edge projects, providing essential input on privacy and security, working on privacy by design reviews, supporting compliance and auditing frameworks, drafting policies and procedures to ensure compliance with privacy laws, and assisting with privacy complaints and breaches. The individual will also play a major part in designing privacy solutions for Apple products. The new position could indicate Apple is intent on developing HIPAA-compliant apps or may be working on a HIPAA-compliant backend for its frameworks to enable patient data to be stored and transmitted securely, in accordance with HIPAA Rules. Apple has already developed products and frameworks for monitoring patient...

Read More
Kansas Heart Hospital Ransomware Attack: Ransom Paid, Second Demand Issued
May23

Kansas Heart Hospital Ransomware Attack: Ransom Paid, Second Demand Issued

As last week’s Kansas Heart Hospital ransomware attack clearly demonstrates, paying a ransom may not necessarily result in decryption keys being supplied by attackers to allow files to be unlocked. Ransomware Claims Another Healthcare Victim This year a number of healthcare organizations have had vital data locked by malicious file-encrypting software. In February, Hollywood Presbyterian Medical Center felt there was little alternative but to pay a ransom to attackers to obtain decryption keys to unlock files that had been locked with ransomware. The attackers issued a Bitcoin ransom demand of approximately $17,000. Upon paying the ransom, the medical center was provided with a security key for each of the devices that had been infected. Other healthcare providers have also been attacked this year. MedStar Health was reportedly issued a 45 Bitcoin ($19,000) ransom demand, although the ransom was not paid, instead files were recovered from backups. Other attacked healthcare providers were also able to avoid paying a ransom and recovered their locked files by restoring their systems...

Read More
Engineer Indicted on Charges of Trade Secret Theft from Medical Device Companies
May20

Engineer Indicted on Charges of Trade Secret Theft from Medical Device Companies

The United States Department of Justice has charged an engineer with the theft and possession of trade secrets belonging to two medical device manufacturers. 43-year old Wenfeng Lu of Irvine, California, was indicted on 12 charges by a grand jury on Wednesday this week. Lu is alleged to have stolen proprietary trade secures from EV3 Covidien while employed at the company between January 2009 and October 2011, and from Edwards Lifesciences Corp., where he was employed between November, 2011 and November, 2012. Lu is alleged to have stolen information and emailed the confidential data to his personal email account. It has also been alleged that Lu took photographs of equipment and copied company reports, presentations, emails, and test results. Lu visited the People’s Republic of China (PRC) on multiple occasions after obtaining data. It is alleged that Lu was attempting to set up his own company with associates in PRC and planned to use the trade secrets to manufacture medical devices in PRC. Lu was arrested by the FBI in 2012 while preparing to board a plane bound for PRC. Lu was...

Read More
Department of Veteran Affairs Seeks Vendors to Search for Stolen Data
May17

Department of Veteran Affairs Seeks Vendors to Search for Stolen Data

Even when appropriate controls are implemented to secure electronic protected health information (ePHI), data breaches can still occur. Mistakes are made with the configuration of firewalls, ePHI is accidentally disclosed to unauthorized individuals, and phishing attacks and malware allow criminals to gain access to ePHI. Healthcare data breaches have now become as inevitable as death and taxes despite the best efforts of healthcare organizations to keep ePHI secured. The Department of Veteran Affairs is the largest integrated health system in the United States, with more than 1,700 locations providing healthcare services to more than 8.76 million veterans. The VA stores a considerable volume of ePHI which makes it a large target for cyberattackers. In April alone, the VA blocked 77.69 million intrusion attempts, blocked and/or contained almost 460 million malware samples, as well as more than 105 million malicious emails. With so many attempted attacks, occasional data breaches are to be expected. When breaches occur, lessons are learned, systems are improved, and security...

Read More
TigerText Launches HealthBot Capable of Automating the Provision of Healthcare Information to Patients
May13

TigerText Launches HealthBot Capable of Automating the Provision of Healthcare Information to Patients

TigerText has launched a new secure, HIPAA-compliant, messenger service for web portals and mobile applications which automates a wide range of tasks that previously required the time of support staff. All too often patients face extended wait times when calling hospitals and other healthcare facilities and hold times in excess of 30 minutes are far from uncommon. Obtaining answers to questions and making routine appointments is rarely a quick process, causing considerable frustration for patients. Patient web portals are a convenient way of communicating with patients more efficiently, yet healthcare staff are still required to man the web portals. Many of the questions asked by patients via web portals can be easily handled by a messenger bot. Automating these services can reduce patient waiting times and provide patients with instant answers to their questions. With the cost of healthcare expected to increase by 5.8% each year, healthcare organizations need to find new ways to improve efficiency and lower operational costs. Messenger bots can allow patients to receive...

Read More
Anti-Malware Scan Stops Cardiac Catheterization Procedure
May12

Anti-Malware Scan Stops Cardiac Catheterization Procedure

It is important for anti-malware solutions to be used to protect medical devices, although care must be taken when configuring software. As was recently highlighted at a U.S. hospital, a software misconfiguration has the potential to have an adverse effect on patients. Earlier this year, a cardiac catheterization procedure had to be halted when a hemo monitor PC was prevented from communicating with the hemo monitor. This resulted in the hemo monitor screen going black, preventing the operating room staff from viewing the patient’s physiological data. There was a delay to the procedure of around five minutes while the application was rebooted, during which time the patient was sedated. The procedure continued after the application was brought back online and was completed successfully, although the delay could potentially have caused the patient to come to harm. The Food and Drug Administration (FDA) has recently issued a report on the incident, which occurred on February 8, 2016. The FDA investigation revealed that the temporary failure of the equipment – Merge Hemo V9.40.1...

Read More
Brookings Offers Breach Prevention Advice to OCR and Healthcare Organizations
May11

Brookings Offers Breach Prevention Advice to OCR and Healthcare Organizations

A recent report issued by the Brookings Institution delves into the problems faced by the healthcare industry now that so much patient data is being collected, stored, and transmitted by healthcare institutions. In its report, Brookings offers advice to healthcare organizations and the Department of Health and Human Services’ Office for Civil Rights (OCR) about how patient privacy can be better protected, and strategies that can be adopted to prevent data breaches. 23% of All Data Breaches Affect the Healthcare Industry Over the past two years, the number of breaches suffered by healthcare organizations has increased significantly. 23% of all data breaches now affect the healthcare industry. Since OCR started publishing details of data breaches reported by healthcare organizations six years ago, almost 1,500 separate data breaches have occurred. Those breaches have exposed the healthcare data of over 155 million Americans. To investigate the problem, the Brookings Institution conducted a study to find out more about why healthcare data breaches are occurring with such regularity,...

Read More
HIPAA Incident Highlights Importance of Using a Secure Messaging Platform
May11

HIPAA Incident Highlights Importance of Using a Secure Messaging Platform

Earlier this year, BioReference Laboratories Inc., (BRLI) discovered that a number of phlebotomists had adopted the practice of using their smartphones to take photographs of laboratory test requests in order to transmit them to BLRI. The practice was drawn to the attention of BRLI on February 9 this year. An investigation was conducted which revealed smartphones had been used by some of the company’s phlebotomists in Florida for this purpose since January 2013. The practice continued until February 10, 2016. Over the course of four years, the lab test requests relating to 3,563 individuals had been photographed and transmitted over an unsecured network. The data typically photographed included full names of patients, birth dates, addresses, medical record numbers, admission/discharge dates, health insurance information, details of the laboratory tests that were ordered, diagnosis codes, and Social Security numbers. BRLI has no reason to believe that any of the photographs were intercepted, obtained, or viewed by unauthorized individuals or that any data have been used in...

Read More
OIG Report: Veterans Benefits Administration Not Tracking Information Security Violations
May11

OIG Report: Veterans Benefits Administration Not Tracking Information Security Violations

In April last year, the Office of Inspector General received an anonymous tip-off alleging the Veterans Benefits Administration (VBA) had not integrated appropriate audit logs into the Veterans Benefits Management System. The subsequent investigation substantiated the allegation and revealed that the VBA had not been identifying and logging all security violations accurately. OIG checked for the existence of audit logs and tested their accuracy by having 17 employees try to access same-station veteran employee compensation claims in the Veterans Benefits Management System (VBMS). Those that were logged were identified as existing in the Share application used by VA Regional Offices (VAROs) or said to have occurred in an unknown system. The actions of two of the 17 employees were not tracked and recorded in the audit logs. The tests were conducted at two VAROs in Texas (Houston and Waco) and one in Washington (Seattle). OIG was unable to determine why two employees’ audit logs were not recorded, although OIG did conclude that the Office of Business Process Integration (OBPI) had not...

Read More
23K Patients of Mayfield Clinic Sent Malware-Infected Email
May10

23K Patients of Mayfield Clinic Sent Malware-Infected Email

In February, patients of the Mayfield Clinic of Cincinnati, Ohio were sent an email containing a malicious attachment which downloaded ransomware onto their devices. The entry on the HHS’ Office for Civil Rights breach portal indicates 23,341 patients were sent the email, although it is unclear how many email recipients opened the malicious attachment and infected their computers. The email was sent by an individual who gained access to a database held by one of Mayfield’s vendors. That vendor was contracted to send out newsletters, invitations, announcements, and educational information via email to patients, event attendees, business associates, website contacts, and other friends of Mayfield. The emails were sent out on February 23, 2016 and had the subject line “Important Information: invoice 11471.” Opening the attached file triggered the download of ransomware – malware that encrypts files preventing them from being accessed. The victims are then told they must pay a ransom to obtain the key to unlock the encryption. The individual who gained access to the email database was...

Read More
FDA Must do More to Improve Medical Device Interoperability, says CHIME
May05

FDA Must do More to Improve Medical Device Interoperability, says CHIME

In January, the Food and Drug Administration (FDA) released draft guidance for manufacturers to help with the development of interoperable medical devices. Late last month, The College of Healthcare Information Management Executives (CHIME) submitted comments to the FDA on the proposed guidance – Design Considerations and Premarket Submission Recommendations for Interoperable Medical Devices. In a letter sent to Food and Drug Administration (FDA) Commissioner Robert M. Califf, MD, CHIME expressed concern that the draft guidance represents a set of suggested principles, yet what CHIME members require is assurance that medical devices are interoperable. At present, manufacturers are claiming their devices are interoperable, when the reality is that they are not. CHIME explained that medical devices are being purchased from manufacturers who claim that the devices are interoperable, yet once the devices have been purchased, clinicians discover that the data generated by the devices cannot be loaded to their EHR systems directly without the use of third party software. That...

Read More
Verizon: Human Error the Main Cause of Security Incidents
Apr29

Verizon: Human Error the Main Cause of Security Incidents

The Verizon 2016 Data Breach Investigations Report was released this week. The biggest cause of security incidents over the past 12 months has been what Verizon calls “miscellaneous errors,” a category which includes misconfigured IT systems, improper disposal of company data, lost and stolen devices and email errors. In the case of the latter, 26% of breaches were caused by individuals emailing data to incorrect individuals. Weak passwords continue to cause organizations problems. 63% of confirmed data breaches were attributed to either poor passwords, default login credentials that had not been changed, or the use of stolen login credentials. Cyberattacks are often made possible due to the failure to install patches promptly. In the majority of cases, hackers exploit vulnerabilities that have existed for months, even though patches have been made available. Verizon reports that 85% of successful exploits of took advantage of the top 10 known vulnerabilities. The biggest cause of data breaches this year is web application attacks, which have increased by 33% since the 2015 report....

Read More
American Dental Association Mails Malware-Infected USB Drives to Members
Apr29

American Dental Association Mails Malware-Infected USB Drives to Members

A recent mailing sent to American Dental Association (ADA) members included a USB stick containing malware. The USB drive contained a file with code that directed users to a domain which could enable cybercriminals to install malware, potentially allowing them to gain control of computers. The USB stick sent by the ADA was a credit card-sized drive that can be plugged into a laptop computer or a desktop. The device was used to send an electronic copy of the 2016 CDT manual containing dental procedure codes. One recipient of the device decided to check the contents of the USB stick on a spare machine as he was wary of using the device on a machine that contained sensitive data. He discovered the drive contained an HTML launcher in a hidden iframe that contained a potentially malicious URL with a Chinese ccTLD. An autorun file was also included on the device according to his DLS Reports post. ADA was informed about the malware infection and an investigation was launched. ADA informed Krebs on Security that the infection was introduced on certain devices during production in China....

Read More
Chicago Hospital Council Files Lawsuit to Prevent Deletion of Patient Data
Apr28

Chicago Hospital Council Files Lawsuit to Prevent Deletion of Patient Data

A lawsuit has been filed against Sandlot Solutions, Inc., and its parent company Santa Rosa Consulting by the MCHC-Chicago Hospital Council in an attempt to prevent the deletion of more than 2 million patient records from Sandlot’s servers. The MCHC-Chicago Hospital Council (MCHC), which includes over 30 area hospitals, operates the MetroChicago Health Information Exchange (HIE). The HIE was formed to allow all participating hospitals to quickly and easily share patient health information and ensure that up-to-date medical records of patients could always be obtained by doctors and healthcare professionals. The HIE contains patient data collected over the past seven years. The HIE is hosted by healthcare information technology company Sandlot Solutions, Inc. On March 28, 2016., Sandlot notified MCHC that it would be winding down its operations and would soon be going out of business. Sandlot is alleged to have shut down access to the HIE a day later. MCHC was also advised that Sandlot would be deleting all HIE data from its servers within 24 hours of providing the council with a...

Read More
California Ransomware Bill Passed by State Senate Committee
Apr15

California Ransomware Bill Passed by State Senate Committee

Californian Senator Bob Hertzberg introduced a new bill (Senate Bill 1137) in February which proposes an amendment to the penal code in California to make it a crime to knowingly install ransomware on a computer. The bill has now been passed by the senate’s Committee on Public Safety, taking it a step closer to being introduced into the state legislature. The bill must now go before the state Senate Appropriations Committee; after which it will be considered by both houses. Currently, state law in California covers crimes relating to computer services including “knowingly introducing a computer contaminant,” as well as extortion, the latter being defined as “obtaining the property of another, with his or her consent, induced by a wrongful use of force or fear.” Under existing laws, extortion is punishable with a prison term of 2,3, or 4 years. Ransomware is covered under current laws, although Senator Hertzberg believed an update was necessary given the extent to which ransomware is now being used to extort money from businesses. FBI figures suggest that in the first 3 months of...

Read More
Unpatched 2007 Vulnerability Exploited in MedStar Ransomware Attack, Says AP
Apr07

Unpatched 2007 Vulnerability Exploited in MedStar Ransomware Attack, Says AP

The ransomware attack on MedStar Health could easily have been avoided had its software been patched according to a recent AP article, although this has been denied by MedStar Health. The vulnerability in the Red Hat-supported JBoss application server was first uncovered in 2007. A further warning about the problem was issued by Red Hat in 2010, with another warning issued earlier this month. A patch to correct the vulnerability has existed for almost a decade. The patch removes two lines of code that enables the JBoss system to be accessed remotely. The flaw existed as a result of a common JBoss application server misconfiguration. According to an Ars Technica report, more than 2.1 million installations around the world are vulnerable to this type of attack. The failure to implement the 2007/2010 patches allows attackers to exploit the vulnerability and gain access to Internet facing servers. Once access has been gained attackers are able to use a host of security tools to gain access to other parts of a network and deploy ransomware. As media reports circulate claiming it was...

Read More
One In Five Companies Has Suffered a Data Breach Involving Mobile Devices
Apr03

One In Five Companies Has Suffered a Data Breach Involving Mobile Devices

One in five companies has suffered a data breach involving mobile devices according to a study recently published by Crowd Research Partners. 39% of respondents said malware had been downloaded onto devices supplied to employees by their company or used under BYOD schemes, and almost a quarter of respondents said devices had connected to malicious Wi-Fi networks. The number of devices that had been compromised is a concern; however, what is more worrying is the extent to which organizations are monitoring the devices that are allowed to connect to their networks. When asked whether devices had connected to malicious networks, 48% of respondents said they were not sure. When asked whether malware had been downloaded onto mobile devices, 35% said they were not sure, and 37% could not say whether mobile devices were involved in security breaches at their organizations. These results suggest that while mobile devices are allowed to connect to work networks, the controls put in place to keep those devices secure were insufficient in many organizations. When asked about the risk control...

Read More
Ransomware and HIPAA: Are Attacks Reportable?
Apr01

Ransomware and HIPAA: Are Attacks Reportable?

Following a number of high-profile ransomware attacks on hospitals, the issue of whether ransomware attacks are reportable under HIPAA has been raised by a number of privacy experts. So far attacks on hospitals, including the Hollywood Presbyterian Medical Center attack in February, have not been added to the HHS breach portal and are unlikely to appear. The healthcare organizations that have announced they have been hit with ransomware infections claim that while files were encrypted, patient data were unaffected. But what about situations when malicious file-encrypting software does lock files containing the PHI of patients? Would those ransomware attacks be reportable under HIPAA? The Department of Health and Human Services’ Office for Civil Rights must be informed of malware attacks that result in hackers gaining access to PHI, but with ransomware the situation is less clear. If ransomware encrypts the Protected Health Information of patients, the attackers are the only individuals with a security key to unlock the data. That does not mean that PHI has been viewed or acquired...

Read More
Transition to HIPAA Electronic Administrative Transactions Could Save Industry $8 Billion, says CAQH
Mar31

Transition to HIPAA Electronic Administrative Transactions Could Save Industry $8 Billion, says CAQH

On Wednesday this week, the 2015 CAQH Index was released. The data show that many healthcare organizations are continuing to rely on manual administrative processes for basic transactions such as verifying patient coverage, submitting claims, prior authorization, and referral certification, even though these tasks can easily be performed electronically. The CAQH Index is released once a year and is a measure of the adoption of electronic transactions for routine business processes in the healthcare industry. The aim of the report is to raise awareness of the potential cost savings that can be made by switching to electronic HIPAA transactions. The data used for the CAQH Index in 2015 represents some 440 million transactions relating to 92 million patients. The reliance on manual processes rather than HIPAA electronic administrative transactions is costing the healthcare industry dearly. CAQH believes the continued reliance on resource-intensive manual processes is costing the healthcare industry $8 billion each year. Each time health plans and healthcare providers perform a manual...

Read More
1,400 Vulnerabilities Found in Popular Drug Cabinet System
Mar31

1,400 Vulnerabilities Found in Popular Drug Cabinet System

According to an advisory issued by the Department of Homeland Security, a popular drug cabinet system has been found to have over 1,400 vulnerabilities, many of which could be exploited remotely using publically available exploits. Furthermore, the exploits could be executed by an attacker with a low level of skill. The drug cabinet discovered to contain these vulnerabilities is version 8.1.3 of the Pyxis SupplyStation by CareFusion, which has not been updated since April 2010. However, vulnerabilities exist with a number of older versions of the system, many of which are still in operation and are used in a number of facilities in the United States. The automated drug cabinets dispense products and maintain an accurate stock inventory in real time. Two independent security researchers, Billy Rios and Mike Ahmadi, obtained a decommissioned Pyxis SupplyStation and conducted a static binary analysis against the system’s firmware to search for vulnerabilities. The researchers discovered 1,418 vulnerabilities existed in the version they tested. The vulnerabilities do not exist in the...

Read More
Government Accountability Office Report Identifies Many HealthCare.Gov Security Flaws
Mar29

Government Accountability Office Report Identifies Many HealthCare.Gov Security Flaws

A new report published by the Government Accountability Office has highlighted a number of security weaknesses with the HealthCare.gov website “that could place sensitive information at risk of unauthorized disclosure, modification or loss.” Under the Patient Protection and Affordable Care Act, the Centers for Medicare and Medicaid Services is responsible for overseeing state-based marketplaces that allow consumers to compare and purchase health insurance and for securing federal systems to which marketplaces connect, which include its data hub. GAO was requested to conduct a review of security issues relating to the data hub, in addition to assessing CMS oversight of state-based marketplaces. The review included describing security incidents reported by CMS, assessing incident data, analyzing security controls, and reviewing its policies and procedures. The report indicates there were 316 security incidents involving the HealthCare.gov web portal between October 2013 and March 2015. In one instance a hacker was able to break through security defenses and succeeded in...

Read More
Virus Forces Shutdown of Medstar Health System’s 10-Hospital Computer Network
Mar29

Virus Forces Shutdown of Medstar Health System’s 10-Hospital Computer Network

On Monday March 28, 2016, Medstar Health System discovered a computer virus had been installed on its computer network. The Columbia-based health system, which runs 10 hospitals and more than 250 outpatient facilities throughout Maryland and Washington D.C., was forced to shut down its electronic health record (EHR) and email systems to prevent the spread of the virus. The virus was discovered on Monday morning and the health system acted rapidly to contain the infection and prevent its spread throughout the organization. The security breach was reported to the FBI and an investigation into the attack has been launched. The health system is currently working with its IT and security partners to determine the exact nature of the cyberattack, the extent to which data and systems have been compromised, and how best to deal with the virus. Medical services are still being provided to patients and all of the health system’s facilities remain operational; however, the decision to take the EHR and email systems offline will have an impact on patients. Medstar Health employs around 30,000...

Read More
Two More Californian Hospital Ransomware Attacks Reported
Mar23

Two More Californian Hospital Ransomware Attacks Reported

Two more hospitals in Southern California have reported being attacked with ransomware. The Chino Valley Medical Center and Victorville’s Desert Valley Hospital, which are both operated by Prime Healthcare, were attacked on Friday last week. A number of computers had data locked with the file-encrypting malware and the attackers managed to infiltrate some of the hospitals’ servers before the attack was discovered and contained. As soon as the ransomware attacks were discovered, IT systems were taken offline to prevent the spread of the infections. While some computers and servers were taken out of action, patient health records were not compromised and the attack did not affect patient safety. Healthcare services are still being provided to patients at both hospitals, although the attack did cause significant disruption to the hospitals’ IT systems on Friday last week. Prime Healthcare Spokesperson, Fred Ortega, said “most of the systems and critical infrastructure has been brought back online.” A ransom demand was received by Prime Healthcare, although no details have been...

Read More
HHS Effort to Address Confusion over Mobile Apps is Disappointing, Say Federal Legislators
Mar23

HHS Effort to Address Confusion over Mobile Apps is Disappointing, Say Federal Legislators

Last month the Department of Health and Human Services issued new guidance to clear up confusion about HIPAA Regulations and how they apply to mobile health apps. The four-page document explained how HIPAA Rules apply to health information that is created by patients and entered into health apps, and set out to explain when developers of health apps needed to comply with HIPAA Rules. The guidance covered six scenarios and explained how and when HIPAA Rules applied. The guidance has helped to explain some of the obligations mobile health app developers have under HIPAA Rules, but according to one bipartisan group of congressmen, the guidance only covered a very narrow set of circumstances, and has “led to more questions than answers.” Reps Tom Marino (R-Pa.), Peter DeFazio (D-Ore.), Earl Blumenauer (D-Ore.), Blake Farenthold (R-Texas), Ted Lieu (D-Calif.), Suzanne Bonamici (D-Ore.), Renee Ellmers (R-N.C.), and Rep. Will Hurd (R-Texas) signed a letter sent to HHS Secretary Sylvia Mathews Burwell earlier this month in which the efforts of the HHS to address the confusion over HIPAA...

Read More
TigerText´s Latest Update Will Help Deliver Faster, High Quality Healthcare
Mar23

TigerText´s Latest Update Will Help Deliver Faster, High Quality Healthcare

TigerText has released a number of new features on its secure messaging solution that will help deliver faster, high quality healthcare in compliance with HIPAA. According to Brad Brooks – the company´s co-founder and president – the new features in the latest Spring 16 TigerText release are the result of listening to and translating customer feedback into useful and relevant updates. He explained that through TigerText´s “voice of the customer” program, requests for new features were shared regularly with the product development team, who prioritized the most relevant requests and brought them to market. Among the innovative features in the latest TigerText release: • A new self-updating desktop app with built-in alerts will allow any authorized user to access TigerText from a PC or Mac. • Messages will automatically be auto-forwarded to a colleague when a user´s app is in “Do Not Disturb” mode. • Priority messages will now remain at the top of the recipient´s inbox and emit a distinctive ring for instant differentiation. • TigerText users will now be able to set up...

Read More
VA Information Security Weaknesses Will Take Further 22 Months To Remediate
Mar22

VA Information Security Weaknesses Will Take Further 22 Months To Remediate

Last week, the VA Office of Inspector General issued a report of a 2015 Department of Veteran Affairs (VA) audit conducted to determine whether the VA’s Security Program complied with Federal Information Security Modernization Act (FISMA) requirements and NIST guidelines. The audit report indicates progress has been made to improve cybersecurity protections at the VA, but there is still a long way to go before the VA’s InfoSec program raises standards to the level required by FISMA. Auditors discovered a number of significant security deficiencies in the VA’s identity management and access controls, configuration management controls, contingency planning processes, incident response and monitoring procedures, contractor systems oversight, continuous monitoring, system development/change management controls, and its agency-wide security management program. While some efforts have been made to improve access and configuration management controls, security control standards had not yet been applied to all servers, databases, and network devices and a number of system security...

Read More
Methodist Hospital in Lockdown After Ransomware Attack
Mar21

Methodist Hospital in Lockdown After Ransomware Attack

Methodist Hospital in Henderson, KY., is currently in lockdown after a ransomware attack. The hospital has declared an “internal state of emergency,” after critical files were copied and locked. The hospital responded to the cyberattack quickly and was able to contain the malware, although as a result of the lockdown access to electronic communications and web-based systems remains limited. The malicious software was inadvertently installed on the network resulting in files containing patient data being copied and encrypted. According to a statement issued by Methodist COO David Park, “the hackers have copied patients records and locked those copies. They’ve deleted the originals.” Methodist Hospital was able to activate a backup system. Normal operations are continuing at the hospital without any interruption to patient services, but the issue has yet to be resolved and the main network remains locked. The FBI has been notified and an investigation into the cyberattack has commenced. Methodist Hospital is working with the FBI to determine the best way to resolve the issue. A...

Read More
Non-Compliant Hospital Pager Use Persists
Mar18

Non-Compliant Hospital Pager Use Persists

Communicating protected health information (PHI) over unsecured networks is not permitted under Health Insurance Portability and Accountability Act (HIPAA) Rules, which means pagers cannot be used to send PHI unless messages are encrypted. Encryption alone is not sufficient to ensure compliance with HIPAA. Not only must messages be encrypted to prevent interception, there must be a means of verifying the identity of the user. User authentication is essential, as there is no guarantee that a message containing PHI will be received by the intended recipient. If a pager is lost, stolen, or is left unattended, PHI could potentially be accessed by an unauthorized individual. It is also necessary to implement controls to automatically log off users and allow messages to be remotely erased in the event that a pager is lost or stolen. Due to the cost implications of applying these safeguards, and the difficult in doing so, many hospitals implement policies that prohibit the transmission of PHI over the pager network. If PHI needs to be communicated, a pager message is sent and the...

Read More
80% of Organizations Concerned About Large Data Breaches
Mar14

80% of Organizations Concerned About Large Data Breaches

Most organizations now understand that it is no longer a case of whether a breach will occur, but a matter of when their defenses will be breached, yet many organizations appear to be ill equipped to deal with a data breach when one does occur, according to a recent ID Experts survey. The survey, conducted on behalf of insurance analyst firm Advisen, asked 203 risk assessment experts about data breach preparedness and the measures in place to deal with data breaches when they did occur. The aim of the survey was to find out more about how organizations are managing data breach risk, and how insurance coverage gaps are being addressed. Recent large scale data breaches have got many CISOs worried that their organization will be attacked. 80% of respondents said they are worried about their organization suffering a large data breach. 17% of respondents said they had already suffered at least one data breach in the past 12 months. The very real threat of a data breach has prompted 64% of organizations to purchase data breach insurance, yet those policies may offer little benefit....

Read More
Economics of Cyberattacks Explored
Mar11

Economics of Cyberattacks Explored

A Ponemon Institute survey commissioned by Palo Alto Networks has explored the motivations behind cyber-attacks and offers some insight into how organizations can develop defenses to thwart attackers. The survey was conducted in the United States, United Kingdom, and Germany and asked 304 threat experts their opinions on the reasons why criminals chose to attack organizations, how targets are selected, and how much attackers actually make from their criminal acts. In the majority of cases, the main motivation for conducting an attack is money. Respondents indicated that in 67% of cases, attacks are conducted for financial gain. The average earnings for conducting those attacks were determined to be $28,744 per year. In order to earn that amount, hackers spent an average of 705 hours attacking organizations. The figures show that hacking far less profitable than working as a private or public sector security professional, with earnings of four times that figure possible. The report, Flipping the Economics of Attacks, indicates that the majority of hackers look for easy targets. 72%...

Read More
Ponemon: 48% of Healthcare Organizations Suffered a PHI Breach in the Past Year
Mar09

Ponemon: 48% of Healthcare Organizations Suffered a PHI Breach in the Past Year

A study recently published by the Ponemon Institute has revealed that almost half of healthcare organizations (48%) have experienced a data breach in the past 12 months that has resulted in the loss or exposure of the protected health information of patients. The survey, conducted on behalf of software security firm ESET, asked 535 IT security professionals questions about cyberattacks on their organizations, the consequences of those data breaches, and cybersecurity concerns. The survey provides an insight into the current state of healthcare cybersecurity, the effect data breaches are having on healthcare organizations, and the seriousness of the current threat level. Cyberattacks on healthcare organizations are now taking place at a rate of one every month. Hackers were able to evade intrusion prevention systems (IPS) at 49% of organization surveyed, while 37% of respondents said cyberattackers had evaded detection by their antivirus protections and other traditional security measures. A quarter said they were unsure if that was the case. Protections against advanced persistent...

Read More
HIMSS Conference 16 Roundup
Mar04

HIMSS Conference 16 Roundup

The past 5 days have seen almost 42,000 industry professionals attend the HIMSS Conference & Exhibition in Las Vegas; the largest health IT educational event of the year. Each year health IT professionals, executives, vendors, and clinicians from all over the world attend the conference to learn about the latest cutting edge IT products, and to take part in education programs, thought leader sessions, and roundtable discussions. The purpose of the conference is to show how health and healthcare can be improved by the use of IT, and to explain the power information technology has to transform healthcare organizations and increase profits. Attendees were provided with a wealth of information to help them leverage new technology to provide better services to patients. This year attendees were treated to presentations from high-profile keynote speakers including Super Bowl-winning quarterback & five time NFL MVP, Peyton Manning; Dr. Jonah Berger, the author of the best-selling book Contagious: Why Things Catch On, Dell CEO Michael Dell, and the highest healthcare official in...

Read More
SpamTitan Technologies Awarded Ninth VB+ Award
Mar04

SpamTitan Technologies Awarded Ninth VB+ Award

SpamTitan Technologies is celebrating its ninth VBSpam+ award – and thirty-fifth VB award overall – for a high performance in blocking spam emails. Virus Bulletin is a security information service that conducts independent testing on anti-malware and anti-spam solutions. It only distributes VB awards to vendors whose software achieves excellence in preventing web-borne threats – VBSpam+ being the highest award the organization can bestow. The most recent Virus Bulletin anti-spam test took place in January, with sixteen anti-spam solutions undergoing rigorous testing. For the fourth time in a row, SpamTitan Technologies´ anti-spam solution blocked more than 99.9% of spam and, for the third time in a row, it did so without any false positives. Martijn Grooten – responsible for conducting Virus Bulletin´s comparative reviews – commented on the importance of spam filters and how ‘spam filters make the email lives of users a lot easier – and a lot more secure”. Speaking about the performance of SpamTitan Technologies´ anti-spam solution, Martijn said...

Read More
Healthcare Companies Commit to Improving Health Information Flow
Mar04

Healthcare Companies Commit to Improving Health Information Flow

At this year’s Health Information Management Systems Society conference, U.S. Department of Health and Human Services Secretary Sylvia M. Burwell announced that all major Health information technology developers and the top health systems have all pledged to implement three core commitments to help improve the flow of healthcare data to consumers and healthcare providers. A pledge has now been made by 17 health IT developers, 16 health systems, and 17 provider, technology, and consumer organizations. Seven of the biggest healthcare systems providing healthcare services in 46 states are all on board, with Community Health Systems, Hospital Corporation of America, Tenet Healthcare, Ascension Health, Trinity Health, Catholic Health Initiatives, and Kaiser Permanente all having committed to improving health information sharing, as are the Health IT companies responsible for providing 90% of EHRs used by U.S. hospitals. All have agreed to help improve consumer access to healthcare records, implement national interoperability standards, and will not to engage in information blocking. At...

Read More
HiMSS Publishes Report on Pagers
Feb29

HiMSS Publishes Report on Pagers

HiMSS Analytics has published a new report offering insight into the real cost of pagers in healthcare. The report quantifies the cost of pagers and highlights the advantages that can be gained from switching to more efficient methods of healthcare communication such as HIPAA-compliant secure messaging apps. Healthcare Providers Reluctant to Retire Pagers Many industries have embraced new communications technology and are now using smartphones to communicate with employees; however, many healthcare organizations are still using outdated pager technology to communicate with physicians and nurses. Pagers have served the healthcare industry well for decades, yet they are inefficient, only allow one-way communication, and can cause communication delays and workflow disruptions. While it is clear that the technology is outdated and needs to be replaced, a great many healthcare providers have been slow to make the move to new channels of communication. This has been attributed, in part, to misconceptions about the value offered by pagers and inaccurate estimates of the actual cost of...

Read More
TigerText´s Latest Collaboration with Box will Accelerate Consults and Diagnoses
Feb29

TigerText´s Latest Collaboration with Box will Accelerate Consults and Diagnoses

The latest collaboration between TigerText and Box adds DICOM imaging to the types of files that can be shared between medical professionals on the TigerText platform. Digital Imaging and Communications in Medicine (DICOM) is a healthcare industry standard for managing, storing, printing and transmitting information associated with medical imaging that has a file format definition designed to eliminate data inoperability barriers. DICOM facilitates the integration of servers, workstations, scanners, printers and network hardware from various manufacturers into a universal picture archiving and communication system that is widely used by hospitals and other medical facilities to share X-rays, CT scans and ultrasounds. Now, due to the collaboration between TigerText and Box, medical professionals will be able to collaborate on DICOM images securely and with no risk of HIPAA compliance issues – accelerating consults and diagnoses, and enhancing patient care. Improving Communications across the Healthcare Continuum TigerText first announced the integration of secure messaging...

Read More
TigerText´s Secure Messaging Apps Available for Salesforce Health Cloud
Feb29

TigerText´s Secure Messaging Apps Available for Salesforce Health Cloud

TigerText has announced that the integration of its secure messaging apps will be available to extend the capabilities of Salesforce Health Cloud. Salesforce Health Cloud is a patient relationship management solution that enables healthcare providers to gain a complete view of the patient using data from electronic medical records (EMRs) and wearable electronic health apps. The concept behind the management solution is that it enables greater patient engagement across their caregiver networks, enabling healthcare providers to make better informed care decisions. The platform also enables healthcare providers to safely and securely manage patient data. With the addition of TigerText´s secure messaging apps, Salesforce Health Cloud customers will now be able to embed the TigerText secure messaging service in their Health Cloud portals, enabling healthcare providers to conduct HIPAA-compliant conversations for streamlined care coordination and patient handoffs. Communication the Key to Effective Care Delivery According to Joshua Newman – Chief Medical Office at Salesforce...

Read More
Perceptions of Privacy and Security of Medical Records and Health Data Exchange Explored by ONC
Feb28

Perceptions of Privacy and Security of Medical Records and Health Data Exchange Explored by ONC

Great strides are being made toward a fully interoperable health IT infrastructure. Adoption of certified health IT is growing and healthcare organizations and office-based physicians are increasingly exchanging health information electronically, but how do patients feel about the electronic exchange of their PHI? Is concern over data security growing? The Office of the National Coordinator for Health Information Technology (ONC) has been assessing public feeling and has recently issued a brief detailing the findings of surveys it has conducted on consumers over the past few years. Between 2012 and 2014, ONC conducted a nationwide survey which examined security concerns about electronic health records and electronic health information exchange. The number of individuals who are very or somewhat concerned about the privacy and security of their medical records has been decreasing and the number of individuals who expressed a lack of concern about the privacy and security of their medical records is increasing. In 2012, 7% of individuals were choosing to withhold information from...

Read More
OCR Issues Crosswalk Between NIST Cybersecurity Framework and HIPAA Security Rule
Feb26

OCR Issues Crosswalk Between NIST Cybersecurity Framework and HIPAA Security Rule

The risk of cyberattack faced by healthcare providers and other HIPAA-covered entities is greater than ever before. It is therefore essential for robust data security measures to be implemented to keep electronic protected health information secure. However, the healthcare industry lags behind other industries when it comes to implementing cybersecurity protections. Many vulnerabilities have been allowed to persist and cybercriminals have taken advantage. Targeted attacks on covered entities had led to record numbers of data breaches. 2015 was a particularly bad year for the healthcare industry. More than one in three Americans had their confidential medical data exposed or stolen in 2015. Over 113 million healthcare records were obtained by unauthorized individuals. Over the past 3 years, more that 40% of data breaches have affected the healthcare industry. USAToday reports that 91% of healthcare organizations have experienced a breach of electronic protected health information. Addressing Security Gaps and Improving Cybersecurity Posture In 2014, the Framework for Improving...

Read More
New Research Reveals the Hidden Costs of Pagers for Healthcare Organizations
Feb26

New Research Reveals the Hidden Costs of Pagers for Healthcare Organizations

New research has revealed that the “soft costs” of pagers in healthcare organizations could mean that hospitals are overpaying to maintain legacy paging services. The study – sponsored by TigerText – was conducted by HIMSS Analytics and concerned pager use in more than 200 hospitals throughout the U.S. The majority of the survey´s participants had a direct role in the selection, purchase or management of pagers, and the study was supported by interview-based research with senior executives at the largest participating hospitals. The report resulting from the study – “The Hidden Cost of Pagers in Healthcare” revealed that 90% of the surveyed organizations still use pagers and on average spend around $180,000 per year – with the average paging service costing $9.19 per month per device, compared to TigerText´s own research showing the cost of their secure messaging alternative to be less than $5 per month per user. Commenting on the conclusion of the survey, Bryan Fiekers – Director of the Advisory Services Group for HIMSS Analytics – said: “This...

Read More
OIG Publishes 2013 Security Report on South Carolina’s Medicaid Agency
Feb22

OIG Publishes 2013 Security Report on South Carolina’s Medicaid Agency

The U.S. Department of Health and Human Services’ Office of Inspector General has published a report of an investigation into South Carolina’s Medicaid agency. The investigation was conducted in 2013 following the 2012 hacking of the Revenue Department and a data breach at the state’s Department of Health and Human Services the same year. 74 gigabytes of data were stolen from the Revenue Department, which included the tax returns of 3.8 million adults and Social Security numbers of 1.9 million dependents. 3.3 million businesses’ bank account numbers were also stolen. An employee of the Department of Health and Human Services was discovered to have inappropriately accessed the records of 228,000 Medicaid recipients and emailed the data to a personal email account. The employee was arrested and was sentenced to three years of probation and community service, although the hackers responsible for the cyberattack on the Revenue department were never caught. The purpose of the investigation was to determine whether the state had properly safeguarded data stored in the Medicaid...

Read More
Mobile Device Ransomware Warnings Becoming More Urgent
Feb18

Mobile Device Ransomware Warnings Becoming More Urgent

A special report on CNBC.com into mobile device ransomware was compiled in the aftermath of the Hollywood Presbyterian Medical Center ransomware cyberattack. The attack crippled the hospital´s internal computer system, shut down its email servers and prevented access to EMRs. The hospital had no option but to pay a $17,000 ransom to obtain the encryption key that would unlock its data and communications system. Although investigations are still ongoing into how the crippling malware found its way into the hospital´s system, mobile device ransomware has not been ruled out. Indeed, the CNBC.com article starts with cyber security expert Robert Herjavec commenting that 40% of threats come from inside and – knowing this – cybercriminals are taking advantage of mobile device ransomware to launch more sophisticated cyberattacks. Not the First Ransomware Attack on a Medical Facility Ransomware – a type of computer malware – is an effective weapon for cybercriminals. Traditionally it has been used to encrypt files on a computer to make them inaccessible, and normally...

Read More
Healthcare Ransomware Infection Removed After $17K Ransom Paid
Feb18

Healthcare Ransomware Infection Removed After $17K Ransom Paid

Healthcare ransomware infections can cause major disruption and can have a negative impact on patient health. This week, Hollywood Presbyterian Medical Center took the decision to give into a ransom demand and paid cybercriminals nearly $17,000 for a security key to unlock its EHR. What is Ransomware? Just as healthcare providers take the decision to use data encryption to prevent criminals from gaining access to patient data on laptop computers and portable storage media, encryption can also be used against healthcare providers. Ransomware locks computer files with powerful encryption. To unlock the data a security key must be used. However, the key needed to unlock the data is held by the cybercriminals behind the ransomware attack. The security key cannot be cracked like a password. The only way to recover from a healthcare ransomware infection is to pay the ransom or restore all encrypted data from a backup. This is not always straightforward. Backups are not conducted every second, so some data loss is inevitable. Restoring data from backup files is also not always successful...

Read More
TitanHQ Launches Web Filtering Solution for Hospital Wi-Fi Networks
Feb17

TitanHQ Launches Web Filtering Solution for Hospital Wi-Fi Networks

TitanHQ – a world leader in email and web security solutions – has launched a DNS-based Web filtering solution for hospital Wi-Fi networks. Wi-Fi in hospitals has been acknowledged as a feature that increases patient satisfaction and has been associated with faster patient recuperation. Certainly providing patients with a means of communicating with their families via email and social media makes their stay more bearable. However, providing unfiltered Wi-Fi access to patients can have negative consequences. Patients that spend all day live streaming sports events can eat up bandwidth – preventing other patients from being able to access the Internet at all. Patients can access inappropriate web content in eyeshot of other patients or minors, and – potentially a more serious consequence – is the installation of malware and viruses that may not only infect the user´s device, but also the entire Wi-Fi network. TitanHQ has developed a solution for these potential issues – WebTitan Cloud for Wi-Fi. With Wi-Fi filtering for hospitals, administrators...

Read More
Cyberattack Detection: Confidence High Even If Detection is Often Slow
Feb16

Cyberattack Detection: Confidence High Even If Detection is Often Slow

Detecting a cyberattack promptly is critical in order to minimize the damage caused, but how quickly are cyberattacks actually detected? Tripwire, a leading provider of advanced security and compliance solutions, set out to find out whether IT professionals believed they had the technology and policies in place to enable them to identify a cyberattack rapidly. For the study, 763 IT security professionals from public sector organizations and the energy, financial services and retail industries were asked about the efficacy of seven key security controls that should be implemented to detect a cyberattack while it is taking place. Accurate hardware inventory Accurate software inventory Continuous configuration management and hardening Comprehensive vulnerability management Patch management Log management Identity and access management The results of the study have been published in the Tripwire 2016 Breach Detection Study. Confidence High in Ability to Detect a Cyberattack… The majority of respondents were confident that the measures they had put in place to detect a cyberattack...

Read More
OCR Issues Further Guidance on Health App Use
Feb12

OCR Issues Further Guidance on Health App Use

The Department of Health and Human Services’ Office for Civil Rights has issued new guidance to help mobile health application developers get to grips with HIPAA and determine whether they fall under the classification of a HIPAA Business Associate. Last fall, OCR launched a new developer portal to improve understanding of how the Health Insurance Portability and Accountability Act applied to mobile health app developers. The aim was to improve understanding of HIPAA rules among mhealth app developers. The portal was also used by OCR to anonymously gather information that it could use to direct its focus for future guidance and determine which aspects of HIPAA were proving problematic or confusing for app developers. The new guidance was deemed necessary after OCR assessed the comments and questions that had been submitted via the app developer portal. It is hoped that the new guidance, which has also been posted on OCR’s mHealth Developer Portal, will help app developers avoid falling afoul of HIPAA rules and will help answer some of the questions that are frequently asked. There...

Read More
OCR Launches New Cyber-Awareness Initiative
Feb03

OCR Launches New Cyber-Awareness Initiative

The New Year has already seen the Department of Health and Human Services’ Office for Civil Rights issue new guidance for HIPAA-covered entities. That has now been followed up with the launch of a new initiative to improve cyber-awareness of the latest security threats. By increasing awareness of the threats to healthcare data security it is hoped that many healthcare data breaches can be avoided. As was highlighted by the recent Online Trust Alliance security report, the majority of healthcare data breaches can be easily avoided by implementing basic security principles, such as educating staff members on the latest data security threats. OCR has kicked off the initiative with advice on two growing security threats: Ransomware and tech support scams, both of which are increasing in prevalence over the past 12 months. OCR Offers Advice to Assist HIPAA-Covered Entities Avoid Ransomware   Criminal gangs have been using ransomware with increasing regularity. Ransomware is a form of malware that locks computer files with encryption, preventing the user from gaining access to their...

Read More
Secure Healthcare Messaging Vendors Assessed by KLAS
Jan29

Secure Healthcare Messaging Vendors Assessed by KLAS

Which is the top vendor for HIPAA-compliant secure messaging? It depends. Established players and up and coming companies have recently been assessed by KLAS. The independent research company has rated the current options available to healthcare providers looking to improve communication between care teams without falling afoul of HIPAA Regulations. The cost of healthcare provisioning is rising, placing increasing pressure on healthcare providers to reduce operational costs, improve efficiency, and increase the productivity of healthcare employees. Currently many physicians, nurses and other healthcare professionals are forced to use slow and inefficient communications systems, resulting in many hours of wasted time each week per employee. The use of SMS text messages would solve many of these problems. The communication channel is fast, convenient, and practical, but SMS messages are unsecure. This poses a problem for healthcare providers and other HIPAA-liable entities. HIPAA Rules prohibit the transmission of Protected Health Information (PHI) via SMS as the messages can all too...

Read More
5 EHR Vendors Agree to Carequality Interoperability Framework
Jan29

5 EHR Vendors Agree to Carequality Interoperability Framework

Following the publication of the Carequality Interoperability Framework last month, five major EHR vendors have signed up and agreed to adopt the Sequoia Project’s Carequality initiative. The Sequoia Project has announced that athenahealth Inc., eClinicalWorks, Epic Systems Corporation, NextGen Healthcare, and Surescripts have all agreed to adopt the new framework. Universal interoperability may be some way off, but the addition of the EHR vendors is seen as a major step in the right direction. Thanks to the comprehensive framework, the companies will reap a number of connectivity benefits that were previously difficult to attain until the Framework put an end to the need to enter into separate legal agreements with organizations before data sharing was possible. The announcement confirms that EHR vendors are committed to making total interoperability a reality for both patients and healthcare providers, and shows that universal interoperability could soon become a reality. Sequoia Project’s CEO Mariann Yeager recently said in an interview with EHRIntelligence, “We know there...

Read More
Happy Data Privacy Day
Jan28

Happy Data Privacy Day

October is National Cybersecurity Awareness Month, but today – January 28 – is Data Privacy Day: An international day conceived as a way of improving awareness of privacy issues. It is a day when organizations in Europe and the United States recognize the importance of safeguarding data, protecting privacy, and building the trust of consumers (and patients). Given the volume of healthcare records exposed in 2015 and the number of data breaches still being suffered by HIPAA-covered entities, this year Data Privacy Day is more important than ever before. Happy Data Privacy Day – May the Next 24 Hours be Free of Privacy Breaches!   Data Privacy Day started in 2007 across the pond in Europe, where it is known as European Data Protection Day. 47 European countries honor the day and are involved in campaigns to raise awareness of data privacy issues and share information that can help corporations and individuals better protect stored and shared data. With a unanimous vote of 402-0, the House of Representatives followed suit two years later and also chose to use January 28 as a day to...

Read More
CHIME Launches $1 Million Competition to Solve the National Patient Identifier Problem
Jan22

CHIME Launches $1 Million Competition to Solve the National Patient Identifier Problem

Matching patient records to the correct patient is a complicated business. In theory at least, with patient information recorded digitally, it should be possible to match records with the correct patient no matter where the patient information is accessed or where the data is located. In an ideal world this would happen 100% of the time. Unfortunately, this is not an ideal world and patients and records are frequently mismatched. This can naturally have serious consequences for patients. Records and Patients only Correctly Matched 90% of the Time Studies suggest that the probability of records and patients being paired correctly is around 90% on average. Provided of course, that the records are located within a single health system. Should some records be located in a different health system, the chance of those records being correctly matched is much lower. In fact, when records are shared across different health systems the figure falls to around 80%. If a patient is to receive the best possible level of care, this is a problem that must be resolved. Solving the Problem of...

Read More
Health System’s Network Taken out by Qbot Malware
Jan22

Health System’s Network Taken out by Qbot Malware

Royal Melbourne Hospital’s pathology department’s network was taken down this week by a new variant of Qbot malware, highlighting the damage that can result from tardy software upgrades and patch installations. Microsoft stopped issuing patches for Windows XP in April 2014, leaving the operating system prone to attack. There were fears that as soon as the patches stopped being issued a wave of cyberattacks via zero-day exploits would follow. Those attacks failed to materialize, but any system running the defunct operating system was left vulnerable when support was retired. The decision to keep using Windows XP rather than upgrading has proved extremely costly for Royal Melbourne Hospital’s pathology department. A zero-day vulnerability in XP was exploited resulted in the hospital’s pathology department network being infected with malware, taking the network out of action. The malware also attacks Windows 7 machines and a number of XP and Windows 7 machines were infected. With the network taken down, the hospital’s pathology department was forced to manually process...

Read More
Only 45 Percent of Organizations Confident in Ability to Repel a Cyberattack
Jan21

Only 45 Percent of Organizations Confident in Ability to Repel a Cyberattack

According to the Cisco 2016 Annual Security Report released on Tuesday, fewer than half of worldwide organizations are confident in their ability to repel a cyberattack due to the sophisticated and resilient nature of campaigns now being launched by hackers. The report indicates 45% of organizations are no longer confident of their security posture. 48% of security executives said they were very concerned about security, while 41% indicated they were much more concerned than they were three years ago. There are very real causes for concern. Many organizations are operating an aging infrastructure and the vast majority – 92% – of Internet-connected devices in use contain known security vulnerabilities. Just under a third of devices being used no longer have vendor support. Highly Sophisticated Cyberattacks Proving Hard to Repel Investment in cybersecurity defenses has increased considerably in recent years to address the elevated risk of attack. However, attackers have upped the ante and are conducting ever more sophisticated attacks that are proving difficult to repel....

Read More
Hippocratic Oath for Connected Medical Devices Required, says Cybersecurity Association
Jan20

Hippocratic Oath for Connected Medical Devices Required, says Cybersecurity Association

A cybersecurity volunteer association has written an open letter to healthcare industry stakeholders calling for the adoption of a Hippocratic Oath for connected medical devices. I am the Cavalry says the move would better protect the privacy of patients and ensure their safety. The growing risk of cyberattack coupled with the inherent security vulnerabilities present in many medical devices prompted I am the Cavalry to pen the letter. It is believed that while medical devices allow life-saving therapies to be provided to patients, greater efforts must be made to ensure the data they record are kept secure. Additional safeguards must also be incorporated to ensure the devices cannot be hacked. It is believed that a Hippocratic Oath for connected medical devices would help in this regard. The group also claims that such a measure would serve to preserve trust in the healthcare industry and would help to improve the safety of the devices. The aim is to encourage developers of medical devices to implement a host of safeguards to ensure their devices are resilient to attack and, as far...

Read More
Medical Device Manufacturers Receive New FDA Cybersecurity Recommendations
Jan18

Medical Device Manufacturers Receive New FDA Cybersecurity Recommendations

On January 15, 2015, the Food and Drug Administration (FDA) released draft guidance on the Postmarket Management of Cybersecurity in Medical Devices. The guidance has been released for public comment and will be open for a comment period of 90 days. The aim of the guidance is to help manufacturers of medical devices develop and implement controls to ensure their devices are secure to better protect patients. The guidance contains a number of steps manufacturers should follow to address cybersecurity vulnerabilities after devices have come to market to ensure the continuing safety of patients. These include the monitoring of devices, and conduction of risk assessments to identify security vulnerabilities after devices have come to market. Manufacturers of medical devices must ensure cybersecurity protections are built into devices and are a central part of the design. It is not possible to eliminate all cybersecurity risks at the design phase. Cybersecurity risks may arise at any point in the lifecycle of the products. It is therefore essential that medical devices are constantly...

Read More