NIST Releases Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity
Nov23

NIST Releases Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity

The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE) has released a draft paper covering the privacy and security risks of telehealth and remote monitoring devices along with best practices for securing the telehealth and remote monitoring ecosystem. Patient monitoring systems have traditionally been deployed within healthcare facilities; however, there has been an increase in the use of remote patient monitoring systems in patients’ homes in recent years. While these systems are straightforward to secure in a controlled environment such as a hospital, the use of these systems in patients’ homes introduces new risks. Managing the risks and ensuring the remote monitoring systems and devices have an equivalent level of security as in-house systems can be a major challenge. The purpose of the paper is to create a reference architecture which addresses the security and privacy risks and provides practical steps that can be taken to improve the overall security of the remote patient monitoring environment. The paper addresses...

Read More
AMIA Calls for Greater Alignment of Federal Data Privacy Rules
Nov20

AMIA Calls for Greater Alignment of Federal Data Privacy Rules

The American Medical Informatics Association (AMIA) is calling for the Trump Administration to tighten data privacy rules through greater alignment of HIPAA and the Common Rule and recommends adoption of a more integrated approach to privacy that includes both the healthcare and consumer sectors. The call follows a request for comment by the NTIA to initiate a conversation about consumer privacy. In a letter to the National Telecommunications and Information Administration (NTIA), a division of the Department of Commerce, AMIA explained that its comments are informed by extensive experience of dealing with both the Health Insurance Portability and Accountability Act and the Federal Protections for Human Subjects Research (Common Rule). Currently, there is a patchwork of federal and state regulations that complicates compliance and creates information sharing challenges which results in ‘perverse outcomes’ due to different interpretations of existing privacy policies. AMIA illustrated the problem of the current patchwork of privacy policies using Pennsylvania and New Jersey as an...

Read More
Congress Passes CISA Act: New Cybersecurity Agency to be Formed Within DHS
Nov15

Congress Passes CISA Act: New Cybersecurity Agency to be Formed Within DHS

The U.S. Department of Homeland Security will be forming a new agency solely focused on cybersecurity following the passing of new legislation by Congress. The Cybersecurity and Infrastructure Security Agency Act of 2018 (CISA Act) amends the Homeland Security Act of 2002 can calls for DHS to form a new Cybersecurity and Infrastructure Security Agency. The CISA Act was unanimously passed by the House of Representatives and just awaits the president’s signature. The new agency will be formed through the reorganization of the National Protection and Programs Directorate (NPPD) and will have the same status as other DHS agencies such as the U.S. Secret Service. The NPPD is already responsible for reducing and eliminating threats to U.S. critical physical and cyber infrastructure, with cybersecurity elements covered by the Office of Cybersecurity and Communications and the National Risk Management Center. NPPD currently coordinates IT security initiatives with other entities, local, state, tribal and territorial governments and the private sector and oversees cybersecurity at federal...

Read More
Vulnerabilities Identified in Roche Point of Care Handheld Medical Devices
Nov08

Vulnerabilities Identified in Roche Point of Care Handheld Medical Devices

ICS-CERT has issued an advisory concerning five vulnerabilities that have been identified in Roche Point of Care handheld medical devices. Four vulnerabilities are high risk and one has been rated medium risk. Successful exploitation of the vulnerabilities could allow an unauthorized individual to gain access to the vulnerable devices, modify system settings to alter device functionality, and execute arbitrary code. The vulnerabilities affect the following Roche Point of Care handheld medical devices. Accu-Chek Inform II (except Accu-Chek Inform II Base Unit Light and Accu-Chek Inform II Base Unit NEW with Software 04.00.00 or later) CoaguChek Pro II CoaguChek XS Plus & XS Pro Cobas h 232 POC Including the related base units (BU), base unit hubs and handheld base units (HBU). CVE-2018-18564 is an improper access control vulnerability. An attacker in the adjacent network could execute arbitrary code on the system using a specially crafted message. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.3. The vulnerability is present in:...

Read More
OIG Finds Deficiencies in FDA’s Policies and Procedures to Address Cybersecurity Risk to Postmarket Medical Devices
Nov08

OIG Finds Deficiencies in FDA’s Policies and Procedures to Address Cybersecurity Risk to Postmarket Medical Devices

The HHS’ Office of Inspector General (OIG) has published the findings of an audit of the FDA’s policies and procedures for addressing medical device cybersecurity in the postmarket phase.  Several deficiencies in FDA policies and procedures were identified by OIG auditors. Ensuring the safety, security, and effectiveness of medical devices is a key management challenge for the Department of Health and Human Services. It is the responsibility of the U.S. Food and Drug Administration (FDA) to ensure all medical devices that come to market are secure and incorporate cybersecurity protections to prevent cyberattacks that could alter the functionality of the devices which could cause harm to patients. The FDA has developed policies and procedures to ensure that cybersecurity protections are reviewed before medical devices come to market and the agency has plans and processes for addressing medical device issues, such as cybersecurity incidents, in the postmarket stage. However, OIG determined that those plans and practices are insufficient in several areas. One area of weakness concerns...

Read More
FDA and DHS to Increase Collaboration and Better Coordinate Efforts to Improve Medical Device Cybersecurity
Oct18

FDA and DHS to Increase Collaboration and Better Coordinate Efforts to Improve Medical Device Cybersecurity

The U.S. Food and Drug Administration (FDA) and the Department of Homeland Security (DHS) have announced a memorandum of agreement to implement a new framework to increase collaboration and improve coordination of their efforts to increase medical device security. The security of medical devices has long been a concern. Cybersecurity flaws in medical devices could potentially be exploited to cause patients harm, and with an increasing number of medical devices now connecting to healthcare networks, it is more important than ever to ensure adequate protections are in place to ensure patient safety and threats are rapidly identified, addressed and mitigated. Medical devices are a potential weak point that could be exploited to gain access to healthcare networks and sensitive data, they could be used to gain a foothold to launch further cyberattacks that could prevent healthcare providers from providing care to patients. Vulnerabilities could also be exploited to deliberately cause harm to patients. While the latter is not believed to have occurred to date, it is a very real...

Read More
Webinar: TitanHQ and Datto Networking Discuss Enhanced Web Content Filtering
Oct17

Webinar: TitanHQ and Datto Networking Discuss Enhanced Web Content Filtering

Earlier this year, spam and web filtering solution provider TitanHQ partnered with Datto Networking, the leading provider of MSP-delivered IT solutions to SMBs. The new partnership has allowed Datto to enhance security on the Datto Networking Appliance with enterprise-grade web filtering technology supplied by TitanHQ. The new web filtering functionality allows users of the appliance to carefully control the web content that can be accessed by employees and guests and provides superior protection against the full range of web-based threats. TitanHQ and Datto Networking will be holding a webinar that will include an overview of the solution along with a deep dive into the new web filtering functionality. Webinar Details: Datto Networking & Titan HQ Deliver Enhanced Web Content Filtering Date: Thursday, October 18th Time: 11AM ET | 8AM PT | 4PM GMT/BST Speakers: John Tippett, VP, Datto Networking Andy Katz, Network Solutions Engineer Rocco Donnino, EVP of Strategic Alliances, TitanHQ Click here to register for the...

Read More
FDA Issues Warning About Flaws in Medtronic Implantable Cardiac Device Programmers
Oct16

FDA Issues Warning About Flaws in Medtronic Implantable Cardiac Device Programmers

The U.S. Food and Drug Administration (FDA) has issued a warning about vulnerabilities in certain Medtronic implantable cardiac device programmers which could potentially be exploited by hackers to change the functionality of the programmer during implantation or follow up visits. Approximately 34,000 vulnerable programmers are currently in use. The programmers are used by physicians to obtain performance data, to check the status of the battery, and to reprogram the settings on Medtronic cardiac implantable electrophysiology devices (CIEDs) such as pacemakers, implantable defibrillators, cardiac resynchronization devices, and insertable cardiac monitors. The flaws are present in Medtronic CareLink 2090 and CareLink Encore 29901 programmers, specifically how the devices connect with the Medtronic Software Distribution Network (SDN) over the internet. The connection is required to download software updates for the programmer and firmware updates for Medtronic CIEDs. While a virtual private network (VPN) is used to establish a connection between the programmers and the Medtronic SDN,...

Read More
Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards
Oct04

Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards

The ECRI Institute, a non-profit organization that researches new approaches to improve patient care, has published its annual list of the top ten health technology hazards for 2019. The purpose of the list is to help healthcare organizations identify possible sources of danger or issues with technology that have potential to cause patients harm to allow them to take action to reduce the risk of adverse events occurring. To create the list, ECRI Institute engineers, scientists, clinicians and patient safety analysts used expertise gained through testing of medical devices, investigating safety incidents, assessing hospital practices, reviewing literature and talking to healthcare professionals and medical device suppliers to identify the main threats to medical devices and systems that warrant immediate attention. Weighting factors used to produce the final top 10 list includes the likelihood of hazards causing severe injury or death, the frequency of incidents, the number of individuals likely to be affected, insidiousness, effect on the healthcare organization, and the actions...

Read More
NIST Releases Guidance on Managing IoT Cybersecurity and Privacy
Oct01

NIST Releases Guidance on Managing IoT Cybersecurity and Privacy

The National Institute of Standards and Technology (NIST) has released a draft guidance document that aims to help federal agencies and other organizations understand the challenges associated with securing Internet of Things (IoT) devices and manage the cybersecurity and privacy risks that IoT devices can introduce. The guidance document – Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NIST IR 8228) is the first in a series of new publications address cybersecurity and privacy together and the document is the foundation for a series of further publications that will explore IoT device cybersecurity and privacy in more detail. “IoT is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology devices,” explained NIST. In the guidance document, NIST identifies three high-level...

Read More
Final Participation Request: Emergency Preparedness Survey
Sep17

Final Participation Request: Emergency Preparedness Survey

Do you want to help determine the state of emergency preparedness in healthcare? Over 100 HIPAA Journal readers have already participated in this survey and this is the last chance to contribute by completing this short anonymous survey on emergency preparedness and security communications trends. This is an opportunity for you to find out how your healthcare industry colleagues nationwide communicate in emergency preparedness and security matters and where they expect to take these practices next. After you complete the survey, you will have the chance to enter into a raffle for a $150 gift card from the survey sponsor (RaveMobileSafety). If you provide your email address, you’ll receive the published (anonymous) results before they are released. HIPAA Journal will eventually publish the results. Note: HIPAA Journal is not conducting this survey and HIPAA Journal does not receive any payment for promoting this survey.  If your organization is running a survey that is interesting to healthcare professionals, you can contact us with the...

Read More
Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI
Sep06

Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI

In its August 2018 cybersecurity newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA-covered entities of the importance of implementing physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is processed, transmitted, or stored on electronic media and devices. Electronic devices such as desktop computers, laptops, servers, smartphones, and tablets play a vital role in the healthcare, as do electronic media such as hard drives, zip drives, tapes, memory cards, and CDs/DVDs. However, the portability of many of those devices/media means they can easily be misplaced, lost, or stolen. Physical controls are therefore essential. Anyone with physical access to electronic devices or media, whether healthcare employees or malicious actors, potentially have the ability to view, change, or delete data. Device configurations could be altered or malicious software such as ransomware or malware could be installed. All of these actions...

Read More
NIST Finalizes Guidance on Securing Wireless Infusion Pumps in Healthcare Delivery Organizations
Aug31

NIST Finalizes Guidance on Securing Wireless Infusion Pumps in Healthcare Delivery Organizations

The National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST) have released the final version of the NIST Cybersecurity Practice Guide for Securing Wireless Infusion Pumps in healthcare delivery organizations. Wireless infusion pumps are no longer standalone devices. They can be connected to a range of different healthcare systems, networks, and other devices and can be a major cybersecurity risk. If malicious actors are able to gain access to the wireless infusion pump ecosystem, settings could be altered on the pumps or malware could be installed that causes the devices to malfunction, resulting in operational and safety risks. An attack on the devices could result in patients coming to harm, protected health information could be exposed, and a compromise could result in disruption to healthcare services, reputation damage, and considerable financial costs. Securing wireless infusion pumps is a challenge. Standard cybersecurity solutions such as anti-virus software may affect the ability of the device to function correctly...

Read More
Warnings Issued About Vulnerabilities in Philips PageWriter Cardiographs and IntelliVue Information Center iX
Aug23

Warnings Issued About Vulnerabilities in Philips PageWriter Cardiographs and IntelliVue Information Center iX

Over the past few months, several vulnerabilities have been discovered in Philips medical devices, software and systems. This week, two further advisories have been issued by the Industrial Control Systems Cyber Emergency Team (ICS-CERT) about vulnerabilities the firm’s real-time central monitoring system, Philips IntelliVue Information Center iX, and its PageWriter cardiographs. All three of the vulnerabilities are classed as medium risk with CVSS v3 base scores ranging between 5.7 and 6.1. CVE-1999-0103 is a denial of service vulnerability that affects the Philips IntelliVue Information Center iX version B.02. The flaw was discovered by a user of the system and was reported to Philips, which in turn reported the vulnerability to the National Cybersecurity and Communications Integration Center’s (NCCIC). The vulnerability can be exploited remotely and does not require a high level of skill. If multiple initial UDP requests are made, it could compromise the availability of the device by causing the operating system to become unresponsive. The vulnerability has been assigned a...

Read More
At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018
Aug09

At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018

In total, there were 143 data breaches reported to the media or the Department of Health and Human Services’ Office for Civil Rights (OCR) in Q2, 2018 and the healthcare records of at least 3,143,642 patients were exposed, impermissibly disclosed, or stolen. Almost three times as many healthcare records were exposed or stolen in Q2, 2018 as Q1, 2018. The figures come from the Q2 2018 Breach Barometer Report from Protenus. The data for the report came from OCR data breach reports, data collected and collated by Databreaches.net, and proprietary data collected through the Protenus compliance and analytics platform, which monitors the tens of trillions of EHR access attempts by its healthcare clients. Q2 2018 Healthcare Data Breaches Month Data Breaches Records Exposed April 45 919,395 May 50 1,870,699 June 47 353,548   Q2, 2018 saw five of the top six breaches of 2018 reported. The largest breach reported – and largest breach of 2018 to date – was the 582,174-record breach at the California Department of Developmental Services – a burglary. It is unclear if any healthcare...

Read More
More Than 20 Serious Vulnerabilities in OpenEMR Platform Patched
Aug09

More Than 20 Serious Vulnerabilities in OpenEMR Platform Patched

OpenEMR is an open-source electronic health record management system that is used by many thousands of healthcare providers around the world. It is the leading free-to-use electronic medical record platform and is extremely popular. Around 5,000 physician offices and small healthcare providers in the United States are understood to be using OpenEMR and more than 15,000 healthcare facilities worldwide have installed the platform. Around 100 million patients have their health information stored in the database. Recently, the London-based computer research organization Project Insecurity uncovered a slew of vulnerabilities in the source code which could potentially be exploited to gain access to highly sensitive patient information, and potentially lead to the theft of all patients’ health information. The Project Insecurity team chose to investigate EMR and EHR systems due to the large number of healthcare data breaches that have been reported in recent years. OpenEMR was the natural place to start as it was the most widely used EMR system and with it being open-source, it was easy...

Read More
Vulnerabilities Discovered in Medtronic MyCareLink Patient Monitors and MiniMed Insulin Pumps
Aug08

Vulnerabilities Discovered in Medtronic MyCareLink Patient Monitors and MiniMed Insulin Pumps

An advisory has been issued by ICS-CERT about vulnerabilities in MedTronic MyCareLink Patient Monitors and the MiniMed 508 Insulin Pump. This is the second advisory to be issued about MyCareLink Patient Monitors in the past six weeks. In June, ICS-CERT issued a warning about the use of a hard-coded password (CVE-2018-8870) and an exposed dangerous method or function vulnerability (CVE-2018-8868). The latest vulnerabilities to be discovered are an insufficient verification of data authenticity flaw (CVE-2018-10626) and the storage of passwords in a recoverable format (CVE-2018-10622). The vulnerabilities are present in all versions of the Medtronic MyCareLink 24950 and 24952 Patient Monitors. If an attacker were to obtain per-product credentials from the monitor and the paired implanted cardiac device, it would be possible for invalid data to be uploaded to the Medtronic Carelink network due to insufficient verification of the authenticity of uploaded data. The vulnerability has been assigned a CVSS v3 score of 4.4 (medium severity). The way that passwords are stored could allow...

Read More
Healthcare Organizations Reminded of HIPAA Rules for Disposing of Electronic Devices
Aug07

Healthcare Organizations Reminded of HIPAA Rules for Disposing of Electronic Devices

In its July Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA covered entities about HIPAA Rules for disposing of electronic devices and media. Prior to electronic equipment being scrapped, decommissioned, returned to a leasing company or resold, all electronic protected health information (ePHI) on the devices must be disposed of in a secure manner. HIPAA Rules for disposing of electronic devices cover all electronic devices capable of storing PHI, including desktop computers, laptops, servers, tablets, mobile phones, portable hard drives, zip drives, and other electronic storage devices such as CDs, DVDs, and backup tapes. Healthcare organizations also need to be careful when disposing of other electronic equipment such as fax machines, photocopiers, and printers, many of which store data on internal hard drives. These devices in particular carry a high risk of a data breach at the end of life as they are not generally thought of as devices capable of storing ePHI. If electronic devices are not disposed of securely...

Read More
Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform
Jul30

Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform

Cofense has developed a new product which will soon be added to its portfolio of anti-phishing solutions for healthcare organizations and incorporated into its phishing-specific security orchestration, automation and response (SOAR) platform. The announcement comes at a time when the healthcare industry has been experiencing an uptick in phishing attacks. The past few months have seen a large number of healthcare organizations fall victims to phishing attacks that have resulted in cybercriminals gaining access to employee’s email accounts and the PHI contained therein. Perimeter security defenses can be enhanced to greatly reduce the number of malicious emails that reach employees’ inboxes, but even when multiple security solutions are deployed they will not block all phishing threats. Security awareness training is essential to reduce susceptibility to phishing attacks by conditioning employees to stop and think before clicking links in emails or opening questionable email attachments and to report suspicious emails to their security teams. However, security teams can struggle to...

Read More
Warnings Issued Following Increase in ERP System Attacks
Jul27

Warnings Issued Following Increase in ERP System Attacks

The United States Computer Emergency Readiness Team (US-CERT) has warned businesses about the increasing risk of cyberattacks on enterprise resource planning (ERP) systems such as the cloud-based ERPs developed by SAP and Oracle. These web-based applications are used to manage a variety of business operations, including finances, payroll, billing, logistics, and human resources functions. Consequently, these systems contain a treasure trove of sensitive data – The exact types of data sought by cybercriminals for fraud and cyber espionage. Further, many businesses rely on their ERP systems to function. A cyberattack that takes those systems out of action can have catastrophic consequences, making the systems an attractive target for sabotage by hacktivists and nation state backed hacking groups. The US-CERT warning follows a joint report on the increasing risk of ERP system attacks by cybersecurity firms Digital Shadows and Onapsis. The report focused on two of most widely used ERP systems: SAP HANA and Oracle E-Business. The authors explained that the number of publicly available...

Read More
FDA Issues New Guidance on Use of EHR Data in Clinical Investigations
Jul19

FDA Issues New Guidance on Use of EHR Data in Clinical Investigations

The U.S. Food and Drug Administration has released new guidance on the use of EHR data in clinical investigations and emphasized that appropriate controls should be put in place to ensure the confidentiality, integrity, and availability of data. While the guidance is non-binding, it provides healthcare organizations with valuable information on steps to take when deciding whether to use EHRs as a source of data for clinical investigations, how to use them and ensure the quality and integrity of EHR data, and how to make sure that any data collected and used as an electronic source of data meets the FDA’s inspection, recordkeeping and data retention requirements. The aim of the guidance is to promote the interoperability of EHR and EDC systems and facilitate the use of EHR data in clinical investigations, such as long-term studies on the safety and effectiveness of drugs, medical devices, and combination products. The guidance does not apply to data collected for registries and natural history studies, the use of EHR data to evaluate the feasibility of trial design or as a...

Read More
Coding Error by EHR Vendor Results in Impermissible Sharing of 150,000 Patients’ Health Data
Jul10

Coding Error by EHR Vendor Results in Impermissible Sharing of 150,000 Patients’ Health Data

The UK’s National Health Service (NHS) has announced that approximately 150,000 patients who had opted out of having their health data shared for the purposes of clinical research and planning have had their data shared against their wishes. In the UK, there are two types of opt-outs patients can choose if they do not want their confidential health data shared. A type 1 opt-out allows patients to stop the health data held in their general practitioner (GP) medical record from being used for anything other than their individual care. A Type 2 opt-out is used to prevent health care data being shared by NHS Digital for purposes other than providing individual care. 150,000 patients who had registered a Type 2 opt-out have had their data shared. The impermissible sharing of health data occurred as a result of an error by one of its EHR vendors, TPP. TPP provides the NHS with the SystmOne EHR system, which is use in many GP practices throughout the UK. A coding error in the system meant that these Type 2 requests were not passed on to NHS Digital, and as a result, NHS Digital was...

Read More
HIMSS Warns of Exploitation of API Vulnerabilities and USB-Based Cyberattacks
Jul06

HIMSS Warns of Exploitation of API Vulnerabilities and USB-Based Cyberattacks

HIMSS has released its June Healthcare and Cross-Sector Cybersecurity Report in which healthcare organizations are warned about the risk of exploitation of vulnerabilities in application programming interfaces, man-in the middle attacks, cookie tampering, and distributed denial of service (DDoS) attacks. Healthcare organizations have also been advised to be alert to the possibility of USB devices being used to gain access to isolated networks and the increase in used of Unicode characters to create fraudulent domains for use in phishing attacks. API Attacks Could Be the Next Big Attack Vector Perimeter defenses are improving, making it harder for cybercriminals to gain access to healthcare networks. However, alternative avenues are being explored by hackers looking for an easier route to gain access to sensitive data. Vulnerabilities in API’s could be a weak point and several cybersecurity experts believe APIs could well prove to be the next biggest cyber-attack vector. API usage in application development has become the norm, after all, it is easier to use a third-party solution...

Read More
AHA Voices Concern About CMS’ Hospital Inpatient Prospective Payment System Proposed Rule
Jul05

AHA Voices Concern About CMS’ Hospital Inpatient Prospective Payment System Proposed Rule

The American Hospital Association (AHA) has voiced the concerns of its members about the HHS’ Centers for Medicare and Medicaid Services’ hospital inpatient prospective payment system proposed rule for fiscal year 2019, including the requirement to allow any health app of a patient’s choosing to connect to healthcare providers’ APIs. Consumer Education Program Required to Explain that HIPAA Doesn’t Apply to Health Apps Mobile health apps can con collect and store a considerable amount of personal and health information – in many cases, the same information that would be classed as protected Health Information (PHI) under Health Insurance Portability and Accountability Act (HIPAA) Rules. However, HIPAA does not usually apply to health app developers and therefore the health data collected, stored, and transmitted by those apps may not be protected to the level demanded by HIPAA. When consumers enter information into the apps, they may not be aware that the safeguards in place to protect their privacy may not be as stringent as those implemented by their healthcare providers. There...

Read More
Qcentive Controls AWS Costs & Enables Cloud Computing in Healthcare with ParkMyCloud
Jul02

Qcentive Controls AWS Costs & Enables Cloud Computing in Healthcare with ParkMyCloud

The Massachusetts-based healthcare startup Qcentive, the developer of a cloud-based platform that helps healthcare companies with the creation and management of value-based contracts, was one of the first companies authorized to move healthcare data to the cloud. The first-in-class transaction platform has been certified as HIPAA compliant and incorporates appropriate safeguards to ensure the confidentiality, integrity, and availability of ePHI. The company uploads patient and healthcare contract information to AWS, where the data are accessed by the company’s application. The platform helps its health plan clients and their value-based contracting providers analyze claims data and patient information such as emergency room visits and use the information to quickly calculate potential savings. While developing the platform, Qcentive uploaded large quantities of patient and claim data to AWS and created AWS resources as necessary, although as many companies discover, AWS costs can quickly mount up. Qcentive tried to find a way to keep its AWS costs under control, starting with...

Read More
Vulnerabilities Identified in Medtronic MyCareLink Patient Monitors
Jul02

Vulnerabilities Identified in Medtronic MyCareLink Patient Monitors

ICS-CERT has issued an advisory about two recently discovered vulnerabilities in Medtronic MyCareLink patient monitors. The devices are used by patients with implantable cardiac devices to transmit their heart rhythm data directly to their clinicians. While the devices have safeguards in place and transmit information over a secure Internet connection, the vulnerabilities could potentially be exploited by a malicious actor to gain privileged access to the operating system of the devices. The vulnerabilities – a hard-coded password vulnerability (CWE-259 / CVE-2018-8870) and an exposed dangerous method of function (CWE-749 / CVE-2018-8868) vulnerability – exist in all versions of 24950 and 24952 MyCareLink Monitors. The former has been assigned a CVSS v3 score of 6.4 and the latter a CVSS v3 score of 6.2. The vulnerabilities were discovered by security researcher Peter Morgan of Clever Security, who reported the issues to NCCCIC. Exploitation of the hard-coded password vulnerability would require physical access to the device. After removing the case, an individual could...

Read More
Acumera Partners with TitanHQ to Offer Web Filtering to Customers
Jun26

Acumera Partners with TitanHQ to Offer Web Filtering to Customers

The Galway, Ireland-based cybersecurity firm TitanHQ has announced the formation of a new partnership with the Austin, TX-based managed services provider Acumera. Acumera is a leading provider of managed network security services in the United States. Securing widely distributed networks consisting of hundreds or thousands of locations is one of the main strengths of Acumera, with the managed services provider able to meet the unique connectivity, operational, and data security challenges that these large networks create. The company offers network security, connectivity, and visibility services for a wide range of industry sectors. Acumera has been chosen by many healthcare provider networks who have chosen to outsource cybersecurity and provides network security services for drug stores, automated parking garages, and has secured the POS systems and networks of some of the best-known retailers in the United States, including 7-Eleven, Circle K, Subway, Valero service stations, Benetton, and Pluckers. One area where Acumera’s managed services required a boost was web filtering,...

Read More
Medical Device Security a Major Concern, Yet Funds Not Available to Improve Security
Jun13

Medical Device Security a Major Concern, Yet Funds Not Available to Improve Security

A recent HIMSS survey has confirmed that medical device security is a strategic priority for most healthcare organizations, yet fewer than half of healthcare providers have an approved budget for tackling security flaws in medical devices. For the study, HIMSS surveyed 101 healthcare industry practitioners in the United States and Asia on behalf of global IT company Unisys. 85% of respondents to the survey said medical device security was a strategic priority and 58% said it was a high priority, yet only 37% of respondents had an approved budget to implement their cybersecurity strategy for medical devices. Small to medium sized healthcare providers were even less likely to have appropriate funds available, with 71% of companies lacking the funds for medical device security improvements. Vulnerabilities in medical devices are frequently being identified. ICS-CERT has issued several recent advisories about flaws in a wide range of devices. In many cases, flaws are identified and corrected before they can be exploited by cybercriminals, although the WannaCry attacks last year showed...

Read More
More than 90% of Hospitals and Physicians Say Mobile Technology is Improving Patient Safety and Outcomes
Jun12

More than 90% of Hospitals and Physicians Say Mobile Technology is Improving Patient Safety and Outcomes

90% of hospitals and 94% of physicians have adopted mobile technology and say it is helping to improve patient safety and outcomes, according to a recent survey conducted by Black Book Research. The survey was conduced on 770 hospital-based users and 1,279 physician practices between Q4, 2017 and Q1, 2018. The survey revealed 96% of hospitals are planning on investing in a new clinical communications platform this year or have already adopted a new, comprehensive communications platform. 85% of surveyed hospitals and 83% of physician practices have already adopted a secure communication platform to improve communications between care teams, patients, and their families. Secure text messaging platform are fast becoming the number one choice due to the convenience of text messages, the security offered by the platforms, and the improvements they make to productivity and profitability. 98% of hospitals and 77% of physician practices said they have implemented secure, encrypted email and are using intrusion detection systems to ensure breaches are detected rapidly. Many providers of...

Read More
Apple Launches API for Developers to Allow EHR Data to be Used in Care Management Apps
Jun06

Apple Launches API for Developers to Allow EHR Data to be Used in Care Management Apps

Apple has launched a new application programming interface (API) for developers that will allow them to create health apps that incorporate patients’ EHR data. Patients who load their EHR data into the Apple Health Records app will be able to pass the information directly to third party apps. The move allows app developers to create a wide range of apps that can help patients manage their care.  The first apps that will be allowed to access EHR data, if permitted by the patient, should be available in the fall to coincide with the release of iOS 12. One such app that can be used in connection with EHR data through the Apple Health Records app is Medisafe. The Medisafe app will allow patients of participating health systems to download their prescriptions lists and set reminders when their medications need to be taken. The app will also alert them to any potentially harmful interactions between their medications. Apple suggests apps could be developed to help patients manage their medical conditions. Access to EHR data will allow those apps to provide more accurate and useful...

Read More
Warnings Issued Over Vulnerable Medical Devices
May14

Warnings Issued Over Vulnerable Medical Devices

Warnings have been issued by the Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) about vulnerabilities in several medical devices manufactured by Silex Technology, GE Healthcare, and Phillips. If the vulnerabilities were to be exploited, an unauthorized individual could potentially take control of the devices. Phillips Brilliance CT Scanners In early May, Phillips alerted the National Cybersecurity and Communications Integration Center (NCCIC) about security vulnerabilities affecting its Brilliance CT scanners. Phillips has been working to remediate the vulnerabilities and has been working with DHS to alert users of its devices to help them reduce risk. There have been no reports received to suggest any of the vulnerabilities have been exploited in the wild. Three vulnerabilities have been discovered to affect the following scanners: Brilliance 64 version 2.6.2 and below Brilliance iCT versions 4.1.6 and below Brillance iCT SP versions 3.2.4 and below Brilliance CT Big Bore 2.3.5 and below See ICS-CERT advisory...

Read More
How to Defend Against Insider Threats in Healthcare
Apr26

How to Defend Against Insider Threats in Healthcare

One of the biggest data security challenges is how to defend against insider threats in healthcare. Insiders are responsible for more healthcare data breaches than hackers, making the industry unique. Verizon’s Protected Health Information Data Breach Report highlights the extent of the problem. The report shows 58% of all healthcare data breaches and security incidents are the result of insiders. Healthcare organizations also struggle to detect insider breaches, with many breaches going undetected for months or even years. One healthcare employee at a Massachusetts hospital was discovered to have been accessing healthcare records without authorization for 14 years before the privacy violations were detected, during which time the records of more than 1,000 patients had been viewed. Healthcare organizations must not only take steps to reduce the potential for insider breaches, they should also implement technological solutions, policies, and procedures that allow breaches to be detected rapidly when they do occur. What are Insider Threats? Before explaining how healthcare...

Read More
House Committee Seeks Advice from Industry Stakeholders on Fixing Cybersecurity Flaws
Apr25

House Committee Seeks Advice from Industry Stakeholders on Fixing Cybersecurity Flaws

The continued use of outdated software and the failure to patch vulnerabilities promptly is making cyberattacks on healthcare organizations too easy. This was clearly highlighted by the WannaCry ransomware attacks in May 2017. U.S healthcare providers may have escaped relatively unscathed, but that was not the case across the Atlantic in the UK. The NHS was hit particularly badly by WannaCry. Were it not for the discovery of a kill switch by a security researcher, it could have been a similar story in the U.S. This week, Symantec published a report on a recently discovered threat group that has been attacking healthcare organizations for three years and accessing highly sensitive information. Lateral movement within a network has been made easy due to the continued use of outdated operating systems. These are just two examples of several over the past couple of years and the attacks will continue unless action is taken to address the issue. In the UK, a post-WannaCry assessment by the health industry’s governing body revealed the NHS is still badly prepared for similar attacks....

Read More
What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?
Apr02

What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996, and was updated by the HIPAA Privacy Rule in 2003 and the HIPAA Security Rule in 2005, but how did the Health Information Technology for Economic and Clinical Health (HITECH) Act change HIPAA and what is the relationship between HITECH, HIPAA, and electronic health and medical records? What is the Relationship Between HITECH and HIPAA and Medical Records? Title I of HIPAA is concerned with the portability of health insurance and protecting the rights of workers between jobs to ensure health insurance coverage is maintained, which have nothing to do with the HITECH Act. However, there is a strong relationship between HITECH and HIPAA Title II. Title II of HIPAA includes the administrative provisions, patient privacy protections, and security controls for health and medical records and other forms of protected health information (PHI). One of the main aims of the HITECH Act was to encourage the adoption of electronic health and medical records by creating financial incentives for...

Read More
Healthcare Data Breach Statistics
Mar20

Healthcare Data Breach Statistics

We have compiled healthcare data breach statistics from October 2009 when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website. The healthcare data breach statistics below only include data breaches of 500 or more records as smaller breaches are not published by OCR. The breaches include closed cases and breaches still being investigated by OCR. Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 9 years, with 2017 seeing more data breaches reported than any other year since records first started being published. There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015, although better policies and procedures and the use of encryption has helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches...

Read More
HIPAA Social Media Rules
Mar12

HIPAA Social Media Rules

HIPAA was enacted several years before social media networks such as Facebook were launched, so there are no specific HIPAA social media rules; however, there are HIPAA laws and standards that apply to social media use by healthcare organizations and their employees. Healthcare organizations must therefore implement a HIPAA social media policy to reduce the risk of privacy violations. There are many benefits to be gained from using social media. Social media channels allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media websites. However, there is also considerable potential for HIPAA Rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules? HIPAA and Social Media The first rule of using social media in healthcare is to never disclose...

Read More
What is HIPAA Certification?
Mar06

What is HIPAA Certification?

Many vendors would like HIPAA certification to confirm they are fully compliant with HIPAA Rules and understand all aspects of the Health Insurance Portability and Accountability Act (HIPAA), but is it possible to obtain HIPAA certification to confirm HIPAA compliance? What is HIPAA Certification? In an ideal world, HIPAA certification would confirm that all aspects of HIPAA Rules are understood and being followed. If a third-party vendor such as a transcription company was HIPAA certified, it would make it easier for healthcare organizations looking for such as service to select an appropriate vendor. Many companies claim they have been certified as HIPAA compliant or in some cases, that they are ‘HIPAA Certified’. However, ‘HIPAA Certified’ is a misnomer. There is no official, legally recognized HIPAA compliance certification process or accreditation. There is a good reason why this is the case. HIPAA compliance is an ongoing process. An organization may be determined to be in compliance with HIPAA Rules today, but that does not mean that they will be tomorrow or at some point in...

Read More
PhishMe Rebrands as Cofense and Announces Acquisition by Private Equity Syndicate
Feb26

PhishMe Rebrands as Cofense and Announces Acquisition by Private Equity Syndicate

PhishMe, the leading provider of human phishing defense solutions, has announced that from February 26, 2018, the firm will be known as Cofense. Along with the name change, the firm has announced it has been acquired by a private equity syndicate, which valued the firm at $400 million. PhishMe was formed in 2007 with the aim of developing products and services to tackle the growing threat from phishing. Employees have long been viewed as the weakest link in security, yet the human element of security defenses was often neglected. Over the years, PhishMe developed its products and services to help companies improve their last line of defense and turn security liabilities into security assets. PhishMe has helped thousands of organizations improve their defenses against phishing through training and phishing simulations. The firm has also developed a range of associated products and services including a reporting platform that has now been adopted by more than 2 million users, as well as incident response and threat intelligence services. While phishing defense is still at the heart...

Read More
What Covered Entities Should Know About Cloud Computing and HIPAA Compliance
Feb19

What Covered Entities Should Know About Cloud Computing and HIPAA Compliance

Healthcare organizations can benefit greatly from transitioning to the cloud, but it is essential to understand the requirements for cloud computing to ensure HIPAA compliance. In this post we explain some important considerations for healthcare organizations looking to take advantage of the cloud, HIPAA compliance considerations when using cloud services for storing, processing, and sharing ePHI, and we will dispel some of the myths about cloud computing and HIPAA compliance. Myths About Cloud Computing and HIPAA Compliance There are many common misconceptions about the cloud and HIPAA compliance, which in some cases prevent healthcare organizations from taking full advantage of the cloud, and in others could result in violations of HIPAA Rules. Some of the common myths about cloud computing and HIPAA compliance are detailed below: Use of a ‘HIPAA compliant’ cloud service provider will ensure HIPAA Rules are not violated False: A cloud service provider can incorporate all the necessary safeguards to ensure the service or platform can be used in a HIPAA compliant manner, but it is...

Read More
Is Box HIPAA Compliant?
Feb13

Is Box HIPAA Compliant?

Is Box HIPAA compliant? Can Box be used by healthcare organizations for the storage of documents containing protected health information or would doing so be a violation of HIPAA Rules? An assessment of the security controls of the Box cloud storage and content management service and its suitability for use in healthcare. What is Box? Box is a cloud storage and content management service that supports collaboration and file-sharing. Users can share files, invite others to view, edit or upload content. Box can be used for personal use; however, businesses need to sign up for either a business, enterprise, or elite account. Is Box Covered by the Conduit Exception Rule? The HIPAA conduit exception rule was introduced to allow HIPAA covered entities to use certain communications channels without having to obtain a business associate agreement. The conduit exception rule applies to telecoms companies and Internet service providers that act as conduits through which data flows. Cloud storage services are not covered under the HIPAA conduit exception rule, even if those entities claim...

Read More
Eligible Hospitals Must Now Use QNet for Meaningful Use Attestation
Jan30

Eligible Hospitals Must Now Use QNet for Meaningful Use Attestation

The Centers for Medicare & Medicaid Services (CMS) has recently issued a reminder that eligible hospitals and Critical Access Hospitals (CAHs) participating in Electronic Health Record Incentive Schemes must use the QualityNet Secure Portal (QNet) to submit Meaningful Use attestations in 2018. Back in October, CMS announced it was transitioning Meaningful Use attestations to QNet. Previously two separate systems had been used for attestations and reporting clinical quality measures; but, in order to simplify reporting requirements and streamline data submissions, the QNet portal would be used for both from January 2nd 2018. From October, eligible hospitals and CAHs new to QNet had the opportunity to enroll on the system and get used to how it worked, while existing QNet users were advised to add an MU role to their accounts. From the beginning of this month, the QNet system opened for attestations relating to the 2017 calendar year. The attestation period closes on February 28th. Different Processes for Medicare and Medicaid Hospitals Although attempting to simplify the...

Read More
iPhone Users Can View Their Health Records Through the Apple Health App
Jan26

iPhone Users Can View Their Health Records Through the Apple Health App

Patients are being encouraged to obtain copies of their health records and to take a more active role in their own healthcare. Many hospitals are now providing patients with access to some of their health records through patient portals. Apple has now taken ease of access one step further. The company’s Health app has been updated to include a section that allows users to view their medical records directly on their iPhones. The health app will show allergies, test results, diagnoses, procedures, immunizations, and medications and other health information that is typically available through patient portals. When new information is added to patients’ records, they will receive a notification from the app. The Health app is available with iOS 11.3, and is based on Fast Healthcare Interoperability Resources (FHIR) – a standard for transferring and sharing electronic medical records. Data transmitted to the user’s iPhone is encrypted to prevent unauthorized access, and the app is protected by the user’s iPhone passcode to keep the records confidential. Participating hospitals and...

Read More
Amazon Seeks HIPAA Expert for New Healthcare Venture
Jan17

Amazon Seeks HIPAA Expert for New Healthcare Venture

Amazon has posted a new job vacancy for a HIPAA Compliance Lead, confirming the retail giant is making a move into the healthcare sector. The HIPAA Compliance Lead will be responsible for creating a HIPAA compliance program to ensure its technology and business processes meet the terms of its BAA and the management of all aspects of that compliance program. The new recruit should have at least 5 years of HIPAA experience in an enterprise, experience with the FDA and 510(k) process, 7+ years’ experience in an information technology setting including exposure to software development/auditing, a thorough understanding of HIPAA/HITECH and OIG compliance standards, and experience with business intelligence and analytics tools. Applicants must also have an understanding of HIPAA privacy and security requirements, and how those standards map to ISO 27001, SOC 1/2/3, NIST 800-53. Amazon already offers its cloud platform – Amazon Web Services (AWS) – to healthcare organizations, with AWS supporting HIPAA compliance and Amazon prepared to sign a business associate agreement with...

Read More
Largest Healthcare Data Breaches of 2017
Jan04

Largest Healthcare Data Breaches of 2017

This article details the largest healthcare data breaches of 2017 and compares this year’s breach tally to the past two years, which were both record-breaking years for healthcare data breaches. 2015 was a particularly bad year for the healthcare industry, with some of the largest healthcare data breaches ever discovered. There was the massive data breach at Anthem Inc., the likes of which had never been seen before. 78.8 million healthcare records were compromised in that single cyberattack, and there were also two other healthcare data breaches involving 10 million or more records. 2015 was the worst ever year in terms of the number of healthcare records exposed or stolen. 2016 was a better year for the healthcare industry in terms of the number of healthcare records exposed in data breaches. There was no repeat of the mega data breaches of the previous year. Yet, the number of incidents increased significantly. 2016 was the worst ever year in terms of the number of breaches reported by HIPAA-covered entities and their business associates. So how have healthcare organizations...

Read More
CMS Clarifies Position on Use of Text Messages in Healthcare
Jan03

CMS Clarifies Position on Use of Text Messages in Healthcare

In November, the Centers for Medicare and Medicaid Services (CMS) explained in emails to healthcare providers that the use of text messages in healthcare is prohibited due to concerns about security and patient privacy. SMS messages are not secure. The CMS was concerned that the use of text messages in healthcare will lead to the exposure of sensitive patient data and could threaten the integrity of medical records. While this is understandable as far as SMS messages are concerned, many secure messaging applications satisfy all the requirements of HIPAA – e.g. transmission security, access and authentication controls, audit controls, and safeguards to ensure the integrity of PHI. The use of secure messaging platforms was raised with the CMS by some hospitals; however, the position of the CMS, based on the emails, appeared to be a total ban on the use of text messages in healthcare, even the use of secure messaging platforms. In the emails, the CMS said, “After meeting with vendors regarding these [secure messaging] products, it was determined they cannot always ensure the privacy...

Read More
70% of Healthcare Organizations Have Adopted Off-Premises Computing
Dec15

70% of Healthcare Organizations Have Adopted Off-Premises Computing

A recent survey of 144 U.S-based healthcare organizations has shown the majority have already adopted off-premises computing for applications and IT infrastructure. The popularity of off-premises solutions is growing steadily. The KLAS Research study revealed 70% of healthcare organizations have moved at least some of their applications and IT infrastructure to the cloud. Out of the organizations that have, almost 60% are using a cloud or hosting environment for EHR applications. 69% of healthcare organizations said they would consider utilizing off-premises cloud solutions, or are actively expanding the use of those solutions. Cerner is the leader in off-premises computing for EHR applications, although Epic is attracting considerable interest, with many of its customers considering switching from its on-premises solutions to its data center. One of the fastest growing areas is Infrastructure-as-a-Service (IaaS) as it enables healthcare organizations to leverage off-premise infrastructure rather than having to build a data center. Amazon leads the way in this area and is the...

Read More
Is GoToMeeting HIPAA Compliant?
Dec08

Is GoToMeeting HIPAA Compliant?

Is GoToMeeting HIPAA complaint? Can GoToMeeting be used by HIPAA-covered entities and their business associates for communicating protected health information without violating HIPAA Rules? GoToMeeting is an online meeting and video conferencing solution offered by LogMeIn. The service is one of many conferencing and desktop sharing solutions that can improve communication and collaboration, with many benefits for healthcare organizations. In order for collaboration tools to be used by healthcare organizations that are required to comply with Health Insurance Portability and Accountability Act Rules, tools must a subject to a risk analysis and determined to meet the security standards demanded by HIPAA. Fail to ensure that a particular service is HIPAA compliant and you could violate the privacy of patients, breach HIPAA Rules, and potentially have to cover a sizable financial penalty for non-compliance. It should be pointed out that no software or communications platform can be truly HIPAA-compliant. Even if appropriate safeguards are incorporated to ensure the confidentiality,...

Read More
How to Make Your Email HIPAA Compliant
Dec07

How to Make Your Email HIPAA Compliant

Many healthcare organizations would like to be able to send protected health information via email, but how do you make your email HIPAA compliant? What must be done before electronic PHI (ePHI) can be sent via email to patients and other healthcare organizations? How to Make Your Email HIPAA Compliant Whether you need to make your email HIPAA compliant will depend on how you plan to use email with ePHI. If you will only ever send emails internally, it may not be necessary to make your email HIPAA compliant. If your email network is behind a firewall, it is not necessary to encrypt your emails.  Encryption is only required when your emails are sent beyond your firewall. However, access controls to email accounts are required, as it is important to ensure that only authorized individuals can access email accounts that contain ePHI. If you want to use email to send ePHI externally – beyond your firewall – you will need to make your email HIPAA-compliant. There are many email service providers that offer an encrypted email service, but not all are HIPAA compliant and incorporate all...

Read More
Survey Reveals Poor State of Email Security in Healthcare
Nov29

Survey Reveals Poor State of Email Security in Healthcare

A recent survey showed 98% of top healthcare providers have yet to implement the DMARC (Domain-based Message Authentication, Reporting & Conformance) email authentication standard. The National Health Information Sharing and Analysis Center (NH-ISAC), the Global Cybersecurity Alliance (GCA), and cybersecurity firm Agari investigated the level of DMARC adoption in the healthcare industry and the state of healthcare email security. For the report, Agari analyzed more than 500 domains used by healthcare organizations and pharmaceutical firms, as well as more than 800 million emails and over 1,900 domains from its Email Trust Network. The report – Agari Industry DMARC Adoption Report for Healthcare – shows that while DMARC can all but eliminate phishing attacks that impersonate domains, only 2% of the top healthcare organizations and fewer than 23% of all healthcare organizations have adopted DMARC. Only 21% of healthcare organizations are using DMARC to monitor for unauthenticated emails, yet those organizations are not blocking phishing emails. Only 2% are protecting...

Read More
Electronic Records and HIPAA Compliance
Nov24

Electronic Records and HIPAA Compliance

Make sure you understand the relationship between electronic records and HIPAA compliance. It can be more complicated than many Covered Entities believe. Security Officers in the healthcare industry with a responsibility for electronic records and HIPAA compliance have plenty to keep themselves occupied. In the majority of healthcare-related organizations across the country, thousands of electronic health records (ePHI) are being created every day before being used, transmitted and stored. Maintaining the integrity of ePHI is a key element of compliance with HITECH and the HIPAA Security Rule; yet, when you look at the big picture, the scale of the requirement is staggering. Not only does ePHI created and used within an organization have to be safeguarded, but also ePHI transmitted outside of an organization´s network, and ePHI stored in the cloud. Start by Conducting a Risk Analysis One of the primary issues with electronic records and HIPAA compliance is that the technical, physical and administrative safeguards of the HIPAA Security Rule were published three years before...

Read More
President Trump Nominates Alex Azar for HHS Secretary
Nov13

President Trump Nominates Alex Azar for HHS Secretary

Former Deputy Secretary of the Department of Health and Human Services, Alex Azar, is tipped to take over from former Secretary Tom Price after receiving the presidential nomination for the role. Azar previously served as general counsel to the HHS and Deputy Secretary during the George W. Bush administration. President Trump confirmed on Twitter that he believes Azar is the man for the job, tweeting “Happy to announce, I am nominating Alex Azar to be the next HHS Secretary. He will be a star for better healthcare and lower drug prices!” The position of Secretary of the Department of Health and Human Services was vacated by former Secretary Tom Price in September, following revelations about his controversial use of military aircraft and expensive charter flights to travel around the country. While there were several potential candidates tipped to receive the nomination, including commissioner of the Food and Drug Administration, Scott Gottlieb, and administrator of the Centers for Medicare and Medicaid Services, Seema Verma, President Trump has made a controversial choice. Alex...

Read More
In What Year Was HIPAA Passed into Legislature?
Nov13

In What Year Was HIPAA Passed into Legislature?

The Health Insurance Portability and Accountability Act or HIPAA was passed into legislature on August 21, 1996, when Bill Clinton added his signature to the bill. Initially, the purpose of HIPAA was to improve portability and continuity of health insurance coverage, especially for employees that were between jobs. HIPAA also standardized amounts that could be saved in pre-tax medical savings accounts, prohibited tax-deduction of interest on life insurance loans, enforced group health plan requirements, simplified the administration of healthcare with standard codes and practices, and introduced measures to prevent healthcare fraud. Many of the details of the five titles of HIPAA took some time to be developed, and several years passed before HIPAA Rules became enforceable. The HIPAA Enforcement Rule, which allows the Department of Health and Human Services’ Office for Civil Rights to impose financial penalties for noncompliance with HIPAA Rules, was not passed until February 16, 2006 – A decade after HIPAA was first introduced. There have been several important dates in the past...

Read More
FDA Publishes Final Guidance for Medical Device Manufacturers Sharing Information with Patients
Nov02

FDA Publishes Final Guidance for Medical Device Manufacturers Sharing Information with Patients

The U.S. Food and Drug Administration (FDA) has released final guidance for medical device manufacturers sharing information with patients at their request. Legally marketed medical devices collect, store, process, and transmit medical information. When patients request copies of the information recorded by or stored on the devices, manufacturers may share patient-specific information with the patient that makes the request. The FDA encourages information sharing as it can help patients be more engaged with their healthcare providers. When patients give their healthcare providers data collected by medical devices, it can help them make sound medical decisions. While information sharing is not a requirement of the Federal Food, Drug, and Cosmetic Act (FD&C Act), the FDA felt it necessary to provide medical device manufacturers with recommendations about sharing patient-specific information with patients. The guidelines are intended to help manufacturers share information appropriately and responsibly. The FDA explains that in many cases, patient-specific information recorded by...

Read More
Tips for Reducing Mobile Device Security Risks
Nov01

Tips for Reducing Mobile Device Security Risks

An essential part of HIPAA compliance is reducing mobile device security risks to a reasonable and acceptable level. As healthcare organizations turn to mobiles devices such as laptop computers, mobile phones, and tablets to improve efficiency and productivity, many are introducing risks that could all too easily result in a data breach and the exposure of protected health information (PHI). As the breach reports submitted to the HHS’ Office for Civil Rights show, mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, 71 breaches have been reported to OCR that have involved mobile devices such as laptops, smartphones, tablets, and portable storage devices. Those breaches have resulted in the exposure of 1,303,760 patients and plan member records. 17 of those breaches have resulted in the exposure of more than 10,000 records, with the largest breach exposing 697,800 records. The majority of those breaches could have easily been avoided. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not demand...

Read More
Is AWS HIPAA Compliant?
Oct27

Is AWS HIPAA Compliant?

Is AWS HIPAA compliant? Amazon Web Services has all the protections to satisfy the HIPAA Security Rule and Amazon will sign a business associate agreement with healthcare organizations. So, is AWS HIPAA compliant? Yes. And No. AWS can be HIPAA compliant, but it is also easy to make configuration mistakes that will leave protected health information (PHI) unprotected and accessible by unauthorized individuals, violating HIPAA Rules. Amazon Will Sign a Business Associate Agreement for AWS Amazon is keen for healthcare organizations to use AWS, and as such, a business associate agreement will be signed. Under that agreement, Amazon will support the security, control, and administrative processes required under HIPAA. Previous, under the terms of the AWS BAA, the AWS HIPAA compliance program required covered entities and business associates to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process Protected Health Information (PHI), although that is now no longer the case. As part of its efforts to help healthcare organizations use AWS safely and securely without violating...

Read More
How to Secure Patient Information (PHI)
Oct13

How to Secure Patient Information (PHI)

HIPAA requires healthcare organizations of all sizes to secure protected health information (PHI), but how can covered entities secure patient information? If you are asked how you secure patient information, could you provide an answer? How Can You Secure Patient Information? HIPAA requires healthcare organizations and their business associates to implement safeguards to ensure the confidentiality, integrity, and availability of PHI, although there is little detail provided on how to secure patient information in HIPAA regulations. This is intentional, as the pace that technology is advancing is far greater than the speed at which HIPAA can be updated. If details were included, they would soon be out of date. Technology is constantly changing and new vulnerabilities are being discovered in systems and software previously thought to be secure. Securing patient information is therefore not about implementing security solutions and forgetting about them. To truly secure patient information you must regularly review your security controls, update policies and procedures, maintain...

Read More
Why is HIPAA Important?
Oct12

Why is HIPAA Important?

The Health Insurance Portability and Accountability Act (HIPAA) is a landmark piece of legislation, but why is HIPAA important? What changes did HIPAA introduce and what are the benefits to the healthcare industry and patients? HIPAA was introduced in 1996, primarily to address one particular issue: Insurance coverage for individuals that are between jobs. Without HIPAA, employees faced a loss of insurance coverage when they were between jobs. A second goal of HIPAA was to prevent healthcare fraud and ensure that all ‘protected health information’ was appropriately secured and to restrict access to health data to authorized individuals. Why is HIPAA Important for Healthcare Organizations? HIPAA introduced a number of important benefits for the healthcare industry to help with the transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure protected health information is shared securely. The standards for recording health data and electronic...

Read More
New AEHIS/ MDISS Partnership to Focus on Advancing Medical Device Cybersecurity
Oct10

New AEHIS/ MDISS Partnership to Focus on Advancing Medical Device Cybersecurity

A new partnership has been announced between CHIME’s Association for Executives in Healthcare Information Security (AEHIS) and the Foundation for Innovation, Translation and Safety Science’s Medical Device Innovation, Safety and Security Consortium (MDISS). The aim of the new collaboration is to help advance medical device cybersecurity and improve patient safety. The two organizations will work together to help members identify, mitigate, and prevent cybersecurity threats by issuing cybersecurity best practices, educating about the threats to device security, training members, and promoting information sharing. For the past three years, AEHIS has been helping healthcare organizations improve their information security defences. More than 700 CISOs and other healthcare IT security leaders have benefited from the education and networking opportunities provided by AEHIS. AEHIS helps its members protect patients from cyber threats, including cyberattacks on their medical devices, though its educational efforts, sharing best practices, and many other activities. MDISS now consists of...

Read More
What Does HIPAA Stand For?
Oct10

What Does HIPAA Stand For?

What does HIPAA stand for? HIPAA is an acronym of the Health Insurance Portability and Accountability Act of 1996 – a legislative act that had the primary aim of improving portability and accountability of healthcare coverage for employees between jobs. HIPAA also helped to ensure employees with pre-existing health conditions were provided with health insurance coverage. HIPAA also introduced standards that healthcare organizations were required to follow to reduce the paperwork burden and simplify the administration of health insurance. The HIPAA administrative simplification regulations streamlined billing, sending and receiving payments, and verifying eligibility. They also helped to ensure the smooth transition from paper to electronic health records and transitions. Since 1996, there have been several major updates to HIPAA, notably the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Enforcement Rule, the inclusion of the Health Information Technology for Economic and Clinical Health (HITECH) Act requirements (The HIPAA Omnibus Final Rule), and the Breach Notification...

Read More
Internet of Medical Things Resilience Partnership Act Bill Introduced
Oct09

Internet of Medical Things Resilience Partnership Act Bill Introduced

The Internet of Medical Things Resilience Partnership Act has been introduced in the U.S. House of Representatives. The main aim of the bill is to establish a public-private stakeholder partnership, which will be tasked with developing a cybersecurity framework that can be adopted by medical device manufacturers and other stakeholders to prevent data breaches and make medical devices more resilient to cyberattacks. The range of medical devices now being used in healthcare is considerable and the number is only likely to grow. As more devices are introduced, the risk to patients increases. These devices are currently used in hospitals, worn by patients, fitted surgically, or used at home. The devices include drug infusion pumps, ventilators, radiological technologies, pacemakers, and monitors. If appropriate safeguards are not incorporated into the devices, they will be vulnerable to attack. Those attacks could be performed to gain access to the data stored or recorded by the devices, to use the devices to launch attacks on healthcare networks, or to alter the function of the...

Read More
53% of Businesses Have Misconfigured Secure Cloud Storage Services
Oct09

53% of Businesses Have Misconfigured Secure Cloud Storage Services

The healthcare industry has embraced the cloud. Many healthcare organizations now use secure cloud storage services to host web applications or store files containing electronic protected health information (ePHI). However, just because secure cloud storage services are used, it does not mean data breaches will not occur, and neither does it guarantee compliance with HIPAA. Misconfigured secure cloud storage services are leaking sensitive data and many organizations are unaware sensitive information is exposed. A Business Associate Agreement Does Not Guarantee HIPAA Compliance Prior to using any cloud storage service, HIPAA-covered entities must obtain a signed business associate agreement from their service providers. Obtaining a signed, HIPAA-compliant business associate agreement prior to the uploading any ePHI to the cloud is an important element of HIPAA compliance, but a BAA alone will not guarantee compliance. ePHI can easily be exposed if cloud storage services are not configured correctly. As Microsoft explains, “By offering a BAA, Microsoft helps support your HIPAA...

Read More
Amazon Alexa is Not HIPAA Compliant – But That Could Soon Change
Oct03

Amazon Alexa is Not HIPAA Compliant – But That Could Soon Change

Amazon Alexa is not HIPAA compliant, which limits its use in healthcare, although that could be about to change. Amazon already supports HIPAA compliance for its cloud platform AWS and is keen to see its voice recognition technology used more extensively in healthcare. However, before the true potential of Alexa can be realized, Amazon must first make Alexa HIPAA compliant. Alexa certainly has considerable potential in healthcare. Alexa could be used by physicians to transcribe medical notes or as a virtual assistant in physicians’ offices. Alexa is currently used in around 30 million U.S. homes, and the technology could easily be used to remotely monitor patients. The technology could also help to engage patients more in their own healthcare. Some healthcare organizations have already started experimenting with Alexa. WebMD has developed an Alexa skill to deliver some of its web content to consumers via their Alexa devices at home. Beth Israel Deaconess Medical Center (BIDMC) has run a pilot scheme to test Alexa’s capabilities in an inpatient setting, although not using real...

Read More
National Cyber Security Awareness Month: What to Expect
Oct02

National Cyber Security Awareness Month: What to Expect

October is National Cyber Security Awareness Month – A month when attention is drawn to the importance of cybersecurity and several initiatives are launched to raise awareness about how critical cybersecurity is to the lives of U.S. citizens. National Cyber Security Awareness Month is a collaborative effort between the U.S. Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA) and public/private partners. Throughout the month of October, the DHS, NCSA, and public and private sector organizations will be conducting events and launching initiatives to raise awareness of the importance of cybersecurity. Best practices will be shared to help U.S. citizens keep themselves safe online and protect their companies, with tips and advice published to help businesses improve their cybersecurity defenses and keep systems and data secure. DHS and NCSA will focus on a different aspect of cybersecurity each week of National Cyber Security Awareness Month: National Cyber Security Awareness Month Summary Week 1: Simple Steps to Online Safety (Oct. 2-6) Week 2:...

Read More
The Benefits of Using Blockchain for Medical Records
Sep26

The Benefits of Using Blockchain for Medical Records

Blockchain is perhaps best known for keeping cryptocurrency transactions secure, but what about using blockchain for medical records? Could blockchain help to improve healthcare data security? The use of blockchain for medical records is still in its infancy, but there are clear security benefits that could help to reduce healthcare data breaches while making it far easier for health data to be shared between providers and accessed by patients. Currently, the way health records are stored and shared leaves much to be desired. The system is not efficient, there are many roadblocks that prevent the sharing of data and patients’ health data is not always stored by a single healthcare provider – instead a patients’ full health histories are fragmented and spread across multiple providers’ systems. Not only does this make it difficult for health data to be amalgamated, it also leaves data vulnerable to theft. When data is split between multiple providers and their business associates, there is considerable potential for a breach. The Health Insurance Portability and Accountability Act...

Read More
FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange
Sep12

FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange

The U.S. Food and Drug Administration (FDA) has released final guidance on medical device interoperability, making several recommendations for smart, safe, and secure interactions between medical devices and health IT systems. The FDA says, “Advancing the ability of medical devices to exchange and use information safely and effectively with other medical devices, as well as other technology, offers the potential to increase efficiency in patient care.” Providers and patients are increasingly reliant on rapid and secure interactions between medical devices. All medical devices must therefore be able to reliably communicate information about patients to healthcare providers and work seamlessly together. For that to be the case, safe connectivity must be a central part of the design process. Manufacturers must also consider the users of the devices and clearly explain the functionality, interfaces, and correct usage of the devices. The guidelines spell out what is required and should help manufacturers develop devices that can communicate efficiently, effectively, and securely;...

Read More
Researchers Call for Updates to Guidelines for Emailing Patients
Aug30

Researchers Call for Updates to Guidelines for Emailing Patients

Researchers from Indiana University have conducted a study of current guidelines on emailing patients and have identified major weaknesses, a lack of up-to-date best practices, and outdated security practices that are no longer required due to changes in technology. Additionally, they confirmed there is a lack of information on new methods of communication such as secure texting and a lack of evidence showing the effectiveness of proposed practices for emailing and texting patients. There was little to no evidence on how using email or text messages to communicate with patients could improve patient outcomes and a lack of information on how new communication tools could be used effectively by practitioners. The researchers studied 11 sets of guidelines on electronically communicating with patients and found weaknesses across the board. The pace of change of technology is not reflected in the available guidelines, with many of the recommendations no longer required. The researchers were unsure if any of the valid recommendations in the guidelines are actually being followed. The...

Read More
NIST Updates Digital Identity Guidelines and Tweaks Password Advice
Aug22

NIST Updates Digital Identity Guidelines and Tweaks Password Advice

The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines (NIST Special Publication 800-63B), which includes revisions to its advice on the creation and storage of passwords. Digital authentication helps to ensure only authorized individuals can gain access to resources and sensitive data. NIST says, “authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.” The Digital Identity Guidelines include a number of recommendations that can be adopted to improve the digital authentication of subjects to systems over a network. The guidelines are not specific to the healthcare industry, although the recommendations can be adopted by healthcare organizations to improve password security. To improve the authentication process and make it harder for hackers to defeat the authentication process, NIST recommends the use of multi-factor authentication. For example, the use of a password along with a cryptographic authenticator. NIST suggests...

Read More
Phillips Ships DoseWise Portal with Serious Vulnerabilities
Aug22

Phillips Ships DoseWise Portal with Serious Vulnerabilities

The Phillips web-based radiation monitoring app – DoseWise Portal (DWP) – has been shipped with serious vulnerabilities that could be easily exploited by hackers to gain access to patients’ protected health information. ISC-CERT has warned healthcare providers the vulnerabilities could be remotely exploited by hackers with a low level of skill to gain access to medical data. Two vulnerabilities have been identified. The first (CVE-2017-9656) is the use of hard-coded credentials in a back-end database with high privileges that could jeopardize the confidentiality, integrity and availability of stored data and the database itself. In order for an attacker to exploit the vulnerability, elevated privileges would be required to gain access to the system files of the back-office database. Even so, ICS-CERT says an attacker with a low level of skill could exploit the vulnerability and has given it a CVSS v3 rating of 9.1 out of 10. The second vulnerability (CVE-2017-9654) involves cleartext storage of sensitive information in back-end system files. The vulnerability has been given a CVSS...

Read More
Security Incidents Experienced by More Than a Third of Organizations in the IoT Medical Device Sphere
Aug17

Security Incidents Experienced by More Than a Third of Organizations in the IoT Medical Device Sphere

A recent Deloitte survey conducted on 370 professionals with involvement in the IoT medical device ecosystem revealed more than a third (36%) of organizations have experienced a security incident related to those devices in the past year. Respondents were medical device or component manufacturers, healthcare IT organizations, medical device users or regulators. When asked about the biggest challenges with IoT medical devices, 30% said identifying and mitigating risks of fielded and legacy connected devices was the biggest cybersecurity challenge. Other major challenges were incorporating vulnerability management into the design process (20%), monitoring for and responding to cybersecurity incidents (20%), and the lack of collaboration on threat management throughout the medical device supply chain (18%). 8% of respondents rated meeting regulatory requirements as the biggest challenge. Identifying and mitigating risks is only part of the problem. There will be times when cyberattacks succeed and malicious actors gain access to the devices. Healthcare organizations and device...

Read More
HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs
Aug11

HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs

HIMSS has published the findings of its 2017 Cybersecurity Survey. The survey was conducted on 126 cybersecurity professionals from the healthcare industry between April and May 2017. Most of the respondents were executive and non-executive managers who were primarily responsible or had some responsibility for information security in their organization. The report shows healthcare organizations in the United States are increasingly making cybersecurity a priority and have been enhancing their cybersecurity programs over the past 12 months. More healthcare organizations have increased their cybersecurity staff and adopted holistic cybersecurity practices and perspectives in key areas. The survey revealed 75% of respondents are now conducting regular penetration tests to identify potential vulnerabilities and determine how resilient they are to cyberattacks. In response to the considerable threat from within, 75% of respondents have implemented insider threat management programs and 85% are now conducting risk assessments at least once every 12 months. While these results are...

Read More
HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management
Aug08

HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management

The Health Information Trust Alliance (HITRUST) has announced a new partnership with Trend Micro. The aim of the partnership is to speed the delivery of cyber threat research and education and improve organizational threat management. The partnership has seen the creation of the Cyber Threat Management and Response Center which will help to expand cyber threat information sharing and improve the service to healthcare organizations at all levels of cybersecurity maturity, helping them to deal with the increasing range of cyber threats and frequency of attacks. HITRUST already shares cyber threat intelligence with organizations that have signed up with its Cyber Threat Xchange (CTX) – the most widely adopted threat information sharing organization for the healthcare industry. HITRUST collects, analyses and distributes cyber threat information through CTX, including indicators of threats and compromise and has been working hard over the past 18 months to expand the collection of cyber threat information through its Enhanced IOC Collection Program. HITRUST now leads the industry in the...

Read More
Medical Device Cybersecurity Act Takes Aim at Medical Device Security
Aug08

Medical Device Cybersecurity Act Takes Aim at Medical Device Security

A new bill has been introduced in Congress that aims to ensure the confidential medical information of patients on medical devices is protected and security is improved to make the devices more resilient to hacks. The bill – The Medical Device Cybersecurity Act of 2017 – was introduced on August 1, 2017 by Senator Richard Blumenthal (D-CT) and is supported by the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS). Recent ransomware and malware attacks and hacks have demonstrated how vulnerable some medical devices are. Ransomware incidents have resulted in medical devices being taken out of action, causing major disruptions at hospitals and delaying the treatment of patients. There is no sign of these incidents slowing or stopping. In all likelihood, they will increase. While healthcare organizations are working hard to improve their defenses against cyberattacks, medical device manufacturers are not doing enough to ensure their devices are secure and remain so for the lifespan of the...

Read More
Warning Issued Over Vulnerabilities in Siemens PET/CT Scanners: Exploits Publicly Available
Aug07

Warning Issued Over Vulnerabilities in Siemens PET/CT Scanners: Exploits Publicly Available

Warnings have been issued about four vulnerabilities in Siemens PET/CT scanner systems. Siemens is currently developing patches to address the vulnerabilities.  Exploits for the vulnerabilities are already publicly available. The flaws affect multiple Siemens medical imaging systems including Siemens CT, PET, SPECT systems and medical imaging workflow systems (SPECT Workplaces/Symbia.net) that are based on Windows 7. The vulnerabilities allow remote code execution, potentially giving attackers access to the scanners and networks to which the systems are connected. One of the main risks is malware and ransomware infections, which in the case of the latter can prevent the devices from being used. It is also possible that a malicious actor could interfere with the systems causing patients harm. The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has also issued an alert, warning healthcare organizations to ensure the devices are run on a “dedicated, network segment and protected IT environment” until the patches are applied....

Read More
Only One Third of Patients Use Patient Portals to View Health Data
Jul27

Only One Third of Patients Use Patient Portals to View Health Data

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits patients to access the health information held by their providers, yet relatively few patients are exercising that right, according to a recent U.S. Government Accountability Office (GAO) report, at least through patient portals. The Medicare Electronic Health Record Incentive Program encouraged healthcare providers to transition from paper to electronic medical records and now almost 90% of patients of participating providers have access to patient portals where they can view their health data. Even though patients have been provided with access, fewer than a third of patients are using patient portals to view their health information. GAO looked at patient health information access from the patients’ perspective, conducting interviews with patients to find out why they are not taking advantage of this valuable resource. Out of the healthcare organizations that participated in the Medicare EHR Program, 88% of hospitals and 87% of professionals offered patients access to their health information...

Read More
Survey Shows Only a Quarter of Hospitals Have Implemented Secure Text Messaging Platforms
Jul25

Survey Shows Only a Quarter of Hospitals Have Implemented Secure Text Messaging Platforms

The use of secure text messaging platforms in healthcare has grown over the past few years, although a recent survey published in the Journal of Hospital Medicine suggests adoption of HIPAA-compliant messaging systems remains relatively low, with only a quarter of hospitals using a secure platform for sending messages to clinicians. The survey was conducted on 620 hospital-based clinicians identified from the Society of Hospital Medicine database. Secure text messaging platforms comply with HIPAA Rules and feature end-to-end encryption to prevent messages from being intercepted. Access controls are also incorporated to ensure only the intended recipient can view messages. Since messages cannot be sent outside the system, the platforms prevent accidental disclosures of PHI. Multi-media messages can also be sent, including test results and images. Secure text messaging platforms are a natural replacement for outdated pagers, allowing much more meaningful communication, although the survey suggests only 26.6% of hospitals have introduced the systems. Even when secure messaging systems...

Read More
Is Google Drive HIPAA Compliant?
Jul21

Is Google Drive HIPAA Compliant?

Google Drive is a useful tool for sharing documents, but can those documents contain PHI? Is Google Drive HIPAA compliant? Is Google Drive HIPAA Compliant? The answer to the question, “Is Google Drive HIPAA compliant?” is yes and no. HIPAA compliance is less about technology and more about how technology is used. Even a software solution or cloud service that is billed as being HIPAA-compliant can easily be used in a manner that violates HIPAA Rules. G Suite – formerly Google Apps, of which Google Drive is a part – does support HIPAA compliance. The service does not violate HIPAA Rules provided HIPAA Rules are followed by users. G Suite incorporates all of the necessary controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied. The use of any software or cloud platform in conjunction with protected health information requires the vendor of the service to sign a HIPAA-compliant business...

Read More
ONC Offers Help for Covered Entities on Medical Record Access for Patients
Jul13

ONC Offers Help for Covered Entities on Medical Record Access for Patients

The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule requires covered entities to give medical record access for patients on request. Patients should be able to obtain a copy of their health records in paper or electronic form within 30 days of submitting the request. Last year, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance for covered entities on providing patients with access to their medical records. A series of videos was also released to raise awareness of patients’ rights under HIPAA to access their records. In theory, providing access to medical records should be a straightforward process. In practice, that is often not the case. Patients often have difficulty accessing their electronic health data with many healthcare organizations unable to easily provide health records electronically. Patient portals often provide information for patients, although the information available via patient portals can be incomplete or inaccurate. When patients need to obtain their health information to give to other...

Read More
Mayo Clinic Investing $1.5 Billion in HIPAA Compliant EHR System
Jul13

Mayo Clinic Investing $1.5 Billion in HIPAA Compliant EHR System

The Rochester, MN-based Mayo Clinic – the world’s first and largest integrated not-for-profit medical group practice – has invested $1.5 billion in a new HIPAA compliant EHR system. The Mayo Clinic chose Epic, a leading EHR provider whose systems are used to store and maintain the electronic health records of more than 190 million patients. Up until recently, the Mayo Clinic has been using three EHR systems, provided by General Electric and Cerner Corp. The new EHR system – An integrated electronic medical record and billing system – will see those three systems combined into one. $1.5 billion is a sizable investment, but it was necessary. Operating three separate EHR systems is far from ideal. It means staff need to learn how to use multiple systems, inefficiencies are introduced that are difficult to resolve, and multiple systems inevitably lead to interoperability issues that have potential to hamper collaboration. The new single HIPAA compliant EHR system will help the Mayo Clinic store, use, and share patient health information more efficiently and better serve its...

Read More
AMIA Urges HHS to Provide More Information on Common Rule Updates
Jul07

AMIA Urges HHS to Provide More Information on Common Rule Updates

The Federal Policy for the Protection of Human Subjects, otherwise known as the Common Rule, was first adopted in 1991; however, there have been numerous calls for the policy to be updated. The purpose of the Common Rule is to provide a framework for protecting human research subjects across the entire federal government. The Common Rule was introduced at a time when research was mainly conducted at medical institutions and universities. At the time, digital data was not in use. The past 26 years have seen considerable changes to where research is conducted, how much information is now available, how easy it is for information to be shared and for research participants to be identified. Earlier this year, proposed Common Rule updates were published by the HHS. The Trump administration is reviewing the Common Rule updates, although at this stage it is unclear whether any changes will be made, and if so, when those changes will be implemented. The updates were subjected to a 40-day regulatory freeze; but more than 150 days have now passed and there has been no further communication...

Read More
U.S. Healthcare Providers Affected by Global Ransomware Attack
Jun29

U.S. Healthcare Providers Affected by Global Ransomware Attack

NotPetya ransomware attacks have spread to the U.S. Decryption may not be possible even if the ransom is paid. Details of how to prevent attacks are detailed below. NotPetya Ransomware Attacks Spread to the United States Tuesday’s global ransomware attack continues to cause problems for many organizations in Europe, with the attacks now having spread to North America. The spread of the ransomware has been slower in the United States than in Europe, although many organizations have been affected including at least three healthcare systems. Pennsylvania’s Heritage Valley Health System has confirmed that its computer systems have been infected with the ransomware. The ransomware has affected the entire health system including both of its hospitals and its satellite and community facilities. While medical services continue to be provided, computer systems were shut down and some non-urgent medical procedures were postponed. 14 of the health system’s community facilities were closed on Wednesday as a result of the attack and lab and diagnostic services were also affected The health...

Read More
FDA Chief Announces New Plan for Post-Market Regulation of Digital Health Products
Jun22

FDA Chief Announces New Plan for Post-Market Regulation of Digital Health Products

Food and Drug Administration (FDA) Commissioner Scott Gottlieb, M.D., has announced the FDA will be launching a new, risk-based regulatory framework in the fall for overseeing connected medical technology, including health apps and medical devices. The FDA wants to encourage and promote innovation that will lead to the development of new and beneficial medical technologies; however, it is essential that these technologies can benefit patients without placing their health or privacy at risk. Gottlieb said the FDA has now developed a new Digital Health Innovation Plan that will foster “innovation at the intersection of medicine and digital health technology.” The plan includes a novel post-market approach that will allow the regulation of digital medical devices and health-related apps. In a recent blog post, Gottlieb pointed out that close to 165,000 health-related apps have now been released for Smartphones and Apple devices, with forecasts estimating the apps will be downloaded 1.7 billion times by the end of this year. These apps have the potential to improve the health of...

Read More
Study: 1 in 5 Enterprise Users Have Set Weak Passwords
Jun15

Study: 1 in 5 Enterprise Users Have Set Weak Passwords

The sharing of passwords across multiple platforms is a bad idea. If one platform suffers a data breach, all other systems that have the same password set could also easily be compromised. Even though the reuse of passwords is unwise, and many organizations have policies in place prohibiting employees from recycling passwords, it remains a common practice. Many organizations have implemented policies, procedures and technology to prevent weak passwords from being used and they force end users to change their passwords frequently, but it is difficult for organizations to prevent password recycling. The practice has recently been investigated by Preempt. Preempt has developed a tool that can be used by enterprises to assess the strength of the passwords used by their employees. The tool reports on the accounts that have weak passwords set, allowing the enterprise to take action. The tool also compares passwords to a database of 10 million passwords compromised in previous data breaches that are now in the hands of cybercriminals. An analysis of data from enterprises that downloaded...

Read More
ONC Announces Winners of Move Data Forward and Privacy Policy Snapshot Challenges
Jun08

ONC Announces Winners of Move Data Forward and Privacy Policy Snapshot Challenges

The HHS’ Office of the National Coordinator for Health Information Technology (ONC) has announced the winners of its Privacy Policy Snapshot Challenge. Participants in the challenge were required to develop a Model Privacy Notice (MPN) generator capable of generating customizable MPNs for healthIT developers. While resources are available to help HIPAA covered entities, many technology companies are not subject to HIPAA requirements. It was therefore important for a resource to be developed for those businesses to help them adhere to other federal regulations. While a MPN had already been released by ONC in 2011, since then the range of digital health technologies has increased considerably. One MPN would not be suitable for all organizations that collect consumer information. On March 1, 2016, ONC issued a request for information to find out more from the public about the practices that should be disclosed to consumers and how that information should be presented. The challenge to develop a MPN generator was issued in December 2016, with participants leveraging an updated MPN that...

Read More
VA Chooses Cerner to Provide Replacement for VistA EHR
Jun07

VA Chooses Cerner to Provide Replacement for VistA EHR

The U.S. Department of Veteran Affairs (VA) has selected Cerner Corp., to provide a replacement for the outdated self-developed VistA EHR system.  Earlier this year, United States Secretary of Veterans Affairs David Shulkin said a decision needed to be made about the VA EHR system, suggesting an off-the-shelf EHR system was the best choice and that a final decision would be made by July 1. Shulkin said, “Seamless care is fundamentally constrained by ever-changing information sharing standards, separate chains of command, complex governance, separate implementation schedules that must be coordinated to accommodate those changes from separate program offices that have separate funding appropriations, and a host of related complexities requiring constant lifecycle maintenance.” The cost of continued development of VistA was considered to be too great, especially with the prospect of ongoing interoperability problems.  The VA has already invested hundreds of millions of dollars into VistA, yet the EHR is still only semi-interoperable with the system used by the Department of Defense...

Read More
Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts
Jun02

Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts

Ransomware, malware and unaddressed software vulnerabilities threaten the confidentiality, integrity and availability of PHI, although healthcare organizations should take steps to deal with the threat from within. This year has seen numerous cases of employees snooping and accessing medical records without authorization. The HIPAA Security Rule 45 CFR §164.312(b) requires covered entities to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information,” while 45 CFR §164.308(a)(1)(ii)(D) requires covered entities to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” Logs create an audit trail that can be followed in the event of a data breach or privacy incident. Those logs can be checked to discover which records have been accessed without authorization. If those logs are monitored continuously, privacy breaches can be identified quickly and action taken to...

Read More
Medical Device Security Testing Only Performed by One in Twenty Hospitals
May26

Medical Device Security Testing Only Performed by One in Twenty Hospitals

The security of medical devices has attracted a lot of attention in recent months due to fears of device vulnerabilities being exploited by cybercriminals to cause harm to patients, gain access to healthcare networks and steal patient data. Cybercriminals have extensively targeted the healthcare industry due to the high value of patient data on the black market, combined with relatively poor cybersecurity defenses. While there have been no reported cyberattacks on medical devices with the specific aim of causing harm to patients, there are fears it is only a matter of time before such an attack occurs. Even if harming patients is not the goal of cybercriminals, ransomware attacks – which take essential computer systems out of action – can place patient safety at risk. Those attacks are already occurring. Some healthcare providers experienced medical device downtime as a result of the recent WannaCry ransomware attacks. Much attention has focused on device manufacturers for failing to incorporate appropriate security protections to prevent cyberattacks and not considering security...

Read More
Purple Move on WiFi Security Sets Example for All Public WiFi Deployments
May25

Purple Move on WiFi Security Sets Example for All Public WiFi Deployments

Wireless networks offer many benefits to healthcare organizations. Healthcare professionals can access networks and data from any location using portable devices, without the need to plug in to the network. Many medical devices connect wirelessly to WiFi networks improving clinical workflows. However wireless networks can also introduce risks. If any PHI is transmitted over wireless networks, HIPAA requires appropriate controls to be applied to safeguard the confidentiality, integrity and availability of PHI. If WiFi networks lack appropriate security, unauthorized individuals could intercept WiFi packets and view sensitive data, including protected health information. Securing internal WiFi networks is therefore essential. The failure to secure WiFi networks would place an organization at risk of a HIPAA penalty. The risk of a HIPAA violation or data breach is a real concern for healthcare organizations. Security concerns have prevented many hospitals from offering WiFi access to patients, even though offering WiFi can improve the patient experience. Many healthcare organizations...

Read More
Medical Device Cybersecurity Gaps Discussed at FDA Workshop
May19

Medical Device Cybersecurity Gaps Discussed at FDA Workshop

This week, the U.S. Food and Drug Administration (FDA) is hosting a two-day workshop to identify current cybersecurity gaps that could be exploited by cybercriminals to gain access to medical devices. Best practices and cybersecurity tools that can be adopted to improve defenses against cyberattacks are under discussion. This is the third time the FDA has held such a workshop on medical device security and it comes at an appropriate time. The recent WannaCry ransomware attacks resulted in Siemens, Bayer and other manufacturers’ devices having data encrypted. Cyberattacks on medical devices have potential to cause considerable harm to patients. Cybercriminals could also target medical devices to obtain sensitive information on patients or use the devices to launch attacks on healthcare networks. This week, the attacks only resulted in data being encrypted. Bayer reported that both of the healthcare organizations that were affected were able to recover data and restore the functionality of their medical devices within 24 hours. The medical devices were not specifically targeted and...

Read More
Guidance on Securing Wireless Infusion Pumps Issued by NIST
May11

Guidance on Securing Wireless Infusion Pumps Issued by NIST

The National Institute of Standards and Technology (NIST), in collaboration with the National Cybersecurity Center of Excellence (NCCoE), has released new guidance for healthcare delivery organizations on securing wireless infusion pumps to prevent unauthorized access. Infusion pumps, and many other medical devices, used to interact only with the patient and healthcare provider; however, advances in technology have improved functionality and now the devices can interact with a much wider range of healthcare systems and networks.  The additional functionality of the devices has allowed vulnerabilities to be introduced that could be easily exploited to cause patients to come to harm. Wireless infusion pumps are of particular concern. Vulnerabilities could be exploited by malicious actors allowing drug doses to be altered, the functioning of the infusion pumps to be changed or patients’ protected health information to be accessed.  Typically, the devices have poor cybersecurity protections in place to prevent unauthorized access. The risks introduced by the devices have been widely...

Read More
Majority of Organizations Failing to Protect Against Mobile Device Security Breaches
May05

Majority of Organizations Failing to Protect Against Mobile Device Security Breaches

A recent report published by Dimensional Research has highlighted the growing threat of mobile device security breaches and how little organizations are doing to mitigate risk. Cybercriminals may view employees as one of the weakest links in the security chain, but mobile devices are similarly viewed as an easy way of gaining access to data and corporate networks. According to the report, the threat of mobile cyberattacks in growing. Two out of ten companies have already experienced a mobile device cyberattack, although in many cases, organizations are not even aware that a cyberattack on a mobile device has occurred. The survey, which was conducted on 410 security professionals, found that two thirds of respondents were doubtful they would be able to prevent a cyberattack on mobile devices and 51% believed the risk of data theft/loss via mobile devices was equal to or greater than the risk of data theft/loss from PCs and laptops. Yet, a third of respondents said they did not adequately protect mobile devices. 94% of respondents said cyberattacks on mobile devices will become more...

Read More
Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure
May04

Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure

A recent survey by Accenture has explored consumers’ attitudes about healthcare data security and revealed the impact healthcare data breaches have had on consumers. The survey showed the extent to which individuals had suffered losses as a result of a data breach, how consumers felt their organization handled data breaches and the effect those breaches had on trust. Trust in Healthcare Providers and Insurers is High In the United States, trust in healthcare providers’ and health insurers’ ability to keep sensitive data secure is high. 88% of respondents said they trusted their physician or other healthcare providers ‘somewhat’ (53%) or ‘a great deal’ (36%). Trust in hospitals was slightly lower at 84% (54% somewhat / 30% a great deal). Health insurers and laboratories that process medical tests fared slightly worse, both somewhat trusted by 54% of respondents and trusted a great deal by 28% of respondents. Distrust –not at all trusted or not trusted very much – was highest in urgent care clinics (25%), non-medical staff at physicians’ and healthcare providers’ offices (36%)...

Read More
HIMSS Privacy and Security Forum Offers Insight into Healthcare Cyber Threat Landscape
May03

HIMSS Privacy and Security Forum Offers Insight into Healthcare Cyber Threat Landscape

Next week, the HIMSS Privacy and Security Forum will be taking place in San Francisco. The two-day conference provides an opportunity for CISOs, CIOs and other healthcare leaders to obtain valuable information from security experts on the latest cybersecurity threats, along with practical advice on how to mitigate risk. More than 30 speakers will be attending the event and providing information on a broad range of healthcare cybersecurity topics, including securing IoT devices, preventing phishing and ransomware attacks, creating compliant security relationships and effective strategic communication and risk management. The conference will include keynote speeches from George Decesare, Senior VP and Chief Technology Risk Officer at Kaiser Permanente, Jane Harper, Director of Privacy & Security Risk Management at the Henry Ford Health System, CERT’s Matt Trevors, and M.K. Palmore, FBI San Francisco’s Assistant Special Agent in Charge of the SF Cyber Branch. George Decesare leads Kaiser Permanente’s cybersecurity, technology risk and compliance programs and identity and access...

Read More
Webroot AV Update Failure Causes Havoc: Windows System Files and EXE Files Quarantined
Apr24

Webroot AV Update Failure Causes Havoc: Windows System Files and EXE Files Quarantined

A Webroot AV update failure has caused havoc for thousands of customers. An April 24 update saw swathes of critical files miscategorized as malicious. While occasional false positives can be expected on occasion, in this case the error was severe. The Webroot AV update failure resulted in hundreds of Windows system files being miscategorized, resulting in serious stability issues. Many users’ servers and PCs were crippled after the automatic update occurred. The problem did not only affect Windows files. Scores of signed executables and third-party apps were blocked and prevented from running. The error affected all Windows versions and saw critical system files categorized as W32.Trojan.Gen. Those files were moved to Webroot’s quarantine folder after the April 24 update. Once the files were moved, users’ computers started to experience severe problems with many displaying errors. In some cases, the moving of system files to the quarantine folder caused computers to crash. In other cases, apps were prevented from running causing major disruption to businesses. Webroot AV also...

Read More
Abbot Labs Warned of Medical Device Cybersecurity Issues by FDA
Apr18

Abbot Labs Warned of Medical Device Cybersecurity Issues by FDA

Abbot Labs, which acquired St. Jude Medical in January 2017, has been warned by the Food and Drug Administration (FDA) that previously identified cybersecurity vulnerabilities in some of its products may not have been corrected. Those vulnerabilities have potential to jeopardize the safety of patients. The investigation of Abbot Labs was conducted February 7-14 at St. Jude Medical facilities in Sylmar, CA, following the public disclosure of potential vulnerabilities in certain St. Jude Medical devices. Those vulnerabilities could potentially be exploited by malicious actors to cause the devices to malfunction and patients to come to harm.  Flaws in the devices were uncovered by MedSec Holdings and were passed to Muddy Waters Capital, which announced the findings in a research report published in August last year. Multiple vulnerabilities were discovered in certain implantable pacemakers and defibrillators manufactured by St. Jude Medical, including the susceptibility to man-in-the-middle attacks that could cause the batteries in the products to be prematurely drained and the...

Read More
Healthcare Providers Are Wasting Millions on Cloud Hosting
Apr12

Healthcare Providers Are Wasting Millions on Cloud Hosting

A study by Communications for Research showed that healthcare organizations are now spending $40 billion a year on IT programs, while MarketsandMarkets research indicates $3.73 billion of that budget is spent on cloud services. By 2020, cloud spending is expected to triple and reach $9.5 billion. MedGadget healthcare market research suggests there will be a 21.95 percent CAGR for spending on cloud computing by the healthcare industry by 2019. More and more healthcare organizations are seeing the benefits that can be gained from switching to cloud computing, especially as a way of reducing IT spending. The public cloud is elastic and capacity can be increased or decreased on demand, but the reality is most organizations use of the cloud involves considerable wastage. Organizations are paying for the public cloud and are ensuring their instances have sufficient capacity, yet for a lot of the time much of the capacity that is paid for is redundant. The 2017 Rightscale State of the Cloud Report suggests 46% of enterprises are carefully monitoring cloud use and are rightsizing their...

Read More
AMIA Suggests it’s Time for a HIPAA Update
Apr11

AMIA Suggests it’s Time for a HIPAA Update

The American Medical Informatics Association has suggested now is the time to update the Health Insurance Portability and Accountability Act (HIPAA) to make sure the legislation fits today’s connected world. The legislation was first introduced more than 20 years ago at a time when the Internet was just in its infancy. Over the past two decades, technology has advanced in ways that could not have been predicted when the legislation was written. Updates are now required to ensure HIPAA maintains pace with technology. HIPAA is perhaps best known for its privacy provisions, although these are commonly misunderstood by patients and healthcare providers alike. The HIPAA Privacy Rule allows patients to access their health data; although many patients are confused about what data they are able to access and what their rights actually are. The Department of Health and Human Services produced video guides last year to help patients understand their right to access their healthcare data under HIPAA; however, AMIA suggests more should be done to clarify the HIPAA right to access. Healthcare...

Read More
Small Business Cybersecurity Bill Heads to Senate
Apr06

Small Business Cybersecurity Bill Heads to Senate

New legislation to help small businesses protect their data and digital assets has been approved by the Senate Commerce, Science and Transportation Committee this week. The new bill, which was introduced by Sen. Brian Schatz (D-Hawaii) last week, will now head to the U.S Senate. The legislation – the MAIN STREET (Making Information Available Now to Strengthen Trust and Resilience and Enhance Enterprise Technology) Cybersecurity Act will require the National Institute of Standards and Technology (NIST) to develop new guidance specifically for small businesses to help them protect themselves against cyberattacks. New NIST guidance should include basic cybersecurity measures that can be adopted to improve resilience against cyberattacks and mitigate basic security risks. Guidance and security frameworks have been developed by NIST to help larger organizations protect their assets and data, although for smaller businesses with limited knowledge of cybersecurity and a lack of trained staff and resources they can be difficult to adopt. What is needed is specific guidance for small...

Read More
Congress Advised to Offer Incentives to Improve Healthcare Threat Intelligence Sharing
Apr06

Congress Advised to Offer Incentives to Improve Healthcare Threat Intelligence Sharing

With the healthcare industry under a sustained attack and the cyber threat landscape constantly evolving, law enforcement, the government, and private industry need to collaborate to counter the threat of cyberattacks. Cybercrime cannot be effectively tackled by organizations acting in isolation. The sharing of threat information is essential in the fight against cybercrime. Dissemination of this information makes it easier for law enforcement and government agencies to combat cybercrime. Accessing that information also allows healthcare entities to to take timely action to address vulnerabilities before they are exploited. Government and law enforcement agencies are educating healthcare organizations on the importance of sharing threat intelligence, although currently too few entities are sharing threat information. At a Congressional Energy and Commerce Committee hearing this week, cybersecurity experts made suggestions on how congress can improve threat information sharing and improve healthcare cybersecurity. At the hearing, Denise Anderson, president of the National Health...

Read More
Dr. Donald Rucker Named New National Coordinator for Health IT
Apr03

Dr. Donald Rucker Named New National Coordinator for Health IT

Dr. Donald Rucker has been named as the new National Coordinator of the Department of Health and Human Services’ Office of the National Coordinator for Healthcare Information Technology. Nether the Department of Health and Human Services nor the Office of the National Coordinator for Healthcare Information Technology has officially announced the new appointment, although Dr. Donald Rucker’s name now appears in the HHS directory as National Coordinator. Donald Rucker will replace acting National Coordinator, Jon White, M.D., who took over the position following the resignation of Dr. Vindell Washington in January 2016. White is expected to return to his former position as deputy national coordinator. Prior to joining the ONC, Donald Rucker was an adjunct professor at the Department of Biomedical Informatics at Ohio State University’s College of Medicine. Prior to that appointment, Rucker was Chief Medical Officer at Premise Health for a year and CMO at Siemens Healthcare USA for 13 years. While at Siemens Healthcare USA, Rucker led the team that designed the computerized physician...

Read More
WEDI Offers Healthcare Cybersecurity Tips to Improve Resilience Against Cyberattacks
Mar22

WEDI Offers Healthcare Cybersecurity Tips to Improve Resilience Against Cyberattacks

WEDI, the Workgroup for Electronic Data Interchange, has issued a new white paper exploring some of the common cybersecurity vulnerabilities that are exploited by threat adversaries to gain access to healthcare networks and patient and health plan members’ protected health information. The white paper – The Rampant Growth of Cybercrime in Healthcare – is a follow up to a primer released in 2015 that explored the anatomy of a cyberattack. WEDI points out the seriousness of the threat faced by the healthcare industry. Cyberattacks are costing the healthcare industry around $6.2 billion each year, with the average cost of a healthcare data breach around $2.2 million. Cyberattacks and other security incidents having risen sharply in recent years. More records are now being exposed than at any other time in history and the number of healthcare data incidents being reported reached record levels last year. The Department of Health and Human Services’ Office for Civil Rights received 315 reports of major healthcare data breaches last year and recent research by Fortinet showed that in the...

Read More
NY State HIE Improves Care Quality and Operational Efficiency of Emergency Departments
Mar17

NY State HIE Improves Care Quality and Operational Efficiency of Emergency Departments

A recent study of the Health Information Exchange adopted in New York State has shown the value of investing in an HIE and the positive impact it has on patient outcomes and operational efficiency. Following considerable investment in the New York State HIE, patient stays have been reduced, the likelihood of readmission has fallen, as have the number of physicians needed to examine patients in emergency departments. The study has shown that quality of care has been improved along with operational efficiency, resulting in considerable cost savings and improved patient outcomes. The study examined almost 86,000 emergency department encounters over a period of 19 months between July 1, 2012 and January 31, 2014 at four emergency departments linked to the HealthLinkNY Health Information Exchange. During that time, there were 46,270 patient visits which were attended by 326 physicians. Emergency departments were selected for the study as they are high pressure environments where physicians are required to treat patients with a wide range of medical conditions and must gather information...

Read More
VA to Abandon EHR In Favor of Commercial EHR System
Mar15

VA to Abandon EHR In Favor of Commercial EHR System

The challenges of developing and maintaining a custom EHR system have proved too great for the Department of Veteran Affairs. The VA developed its EHR system – VistA – in house; however, it was labor intensive, costly and time consuming to maintain and use. According to VA secretary, David Shulkin, the system is “too complex and too difficult to maneuver”. A decision needed to be taken on whether to continue to plough money and resources into getting VistA to work as it should, or to call it quits and opt for a new, commercially available system. The VA has more important priorities than software development and has opted for the latter. Shulkin wants veterans to have more choice about where they receive care. Having an EHR that allows data to be easily shared is essential to ensure veterans get the best medical treatment possible. Yet the VistA system often resulted in care being delayed which had a negative effect on patient outcomes. The decision to ditch VistA has been a long time coming. The system has been extensively discussed at hearings and last year feedback was sought on...

Read More
87% of Healthcare Organizations Will Adopt Internet of Things Technology by 2019
Mar01

87% of Healthcare Organizations Will Adopt Internet of Things Technology by 2019

The healthcare industry is embracing Internet of Things technology. 60% of healthcare organizations have already introduced IoT into their infrastructure – The third highest adoption rate of any industry. According to a recent study by Hewlett Packard subsidiary Aruba, in just two years, 87% of healthcare organizations will have adopted Internet of Things technology. The study revealed that the most common area where IoT is being utilized is for patient monitoring and maintenance. 73% of surveyed healthcare executives said they used IoT in this area, while 42% said this was the main use for IoT. The healthcare industry leads the way in this area with the highest adoption rate of any industry sector. 64% of respondents said they use IoT for patient monitors, 56% use IoT for energy meters, and 33% use IoT for imaging devices. Remote operation and control was the second most common use of IoT, used by 50% of providers, while the third most common use is for location-based services, with adoption at 47%. The benefits of IoT are clear. 80% of healthcare executives said IoT has improved...

Read More
Healthcare Industry Threat Landscape Explored by Trend Micro
Feb22

Healthcare Industry Threat Landscape Explored by Trend Micro

Trend Micro has issued a new report that explores the healthcare industry threat landscape, the new risks that have been introduced by the inclusion of a swathe of IoT devices, and how cybercriminals are stealing and monetizing health data. Cybercriminals are attacking healthcare organizations with increased vigor. More attacks occurred last year than any other year, while 2015 saw a massive increase in stolen healthcare records. While the health data of patients is an attractive target, health records are not always being sold for big bucks on underground marketplaces. Health insurance cards can cost as little as $1, while EHR records start at around $5 per record set. However, cybercriminals are now increasing their profits by processing and packaging the stolen data.  Data are used to obtain government-issued iDs such as driver’s licenses, passwords and birth certificates. Farmed identities of individuals who have died are being sold, which can see prices of more than $1,000 charged per identity, or even more if IDs are also supplied. A large haul of health data from an EHR...

Read More
Majority of Healthcare Organizations Struggling with EHR Interoperability
Feb13

Majority of Healthcare Organizations Struggling with EHR Interoperability

A recent survey from Black Book Market Research has highlighted what hospital administrators and physicians know all too well. Great strides may have been made toward a fully interoperable healthcare system, but important medical data is still not accessible. There are still many problems getting hold of electronic health record data and making it accessible to the people who need it most. Many EHR systems do not have the required connectivity. Even when data from healthcare providers’ EHR systems does get sent to other providers, the data are often in an unusable or difficult to use format. 3,391 users of EHRs were surveyed for the Black Book survey. 25% of respondents said they are unable to use any data sent by other healthcare providers, while 22% of surveyed hospital administrators said they receive medical record data from other healthcare organizations in a format that does not allow data to be easily incorporated into their own EHR systems. 70% of hospitals were not using external EHR information because the data were missing from their systems’ workflow. Receiving data in...

Read More
IoT and Mobile Application Vulnerabilities Not Being Adequately Addressed
Jan31

IoT and Mobile Application Vulnerabilities Not Being Adequately Addressed

Organizations around the world are taking advantage of IoT and mobile applications to improve efficiency, yet too little is being done to ensure the applications are secure.  A key lesson from a recent Ponemon Institute survey is application usability and not just data security should always be factored into application development and cloud cost management or users will resist security measures and find workarounds. Organizations can benefit greatly from IoT and mobile technology, yet it is all too easy for major security risks to be introduced. Hackers are well aware of vulnerabilities in mobile and IoT applications and leverage those vulnerabilities to gain access to networks and sensitive data. IoT infrastructure is vulnerable to attack, although the greatest risks are introduced by embedded software in gateways and the cloud. Many IT security practitioners are well aware of the security risks that can potentially be introduced, yet according to a recent survey conducted by the Ponemon Institute, little is being done to mitigate risk. 593 IT and IT security professionals were...

Read More
L.A. Care Health Plan Information Exchange Platform Links 21 Hospitals
Jan06

L.A. Care Health Plan Information Exchange Platform Links 21 Hospitals

Members covered by the L.A. Care Health Plan in Los Angeles are now benefiting from improved health information sharing with healthcare providers following the launch of a new health information exchange platform. L.A. Care Health Plan (formerly known as Local Initiative Health Authority of Los Angeles County) is a public entity providing an accountable care program and other health plans (such as L.A. Care Covered, L.A. Care’s Healthy Kids and PASC-SEIU Homecare Workers Health Care Plan) for Los Angeles residents. Through its 6 health care plans, L.A. Care Health Plan provides coverage for more than 2 million individuals including some of the most vulnerable populations in the County, and is now the largest publicly operated health plan in the United States. Last year, the health plan conducted a pilot with the eConnect information exchange platform supplied by Safety Net Connect. The eConnect platform enables users to provide real-time alerts on admissions, discharges, and transfers using the HL7 Admit Discharge Transfer Protocol. The pilot was a success and in August 2015, L.A....

Read More
Patients Holding Back Health Information Over Data Privacy Fears
Jan05

Patients Holding Back Health Information Over Data Privacy Fears

A fully interoperable health system is becoming closer to reality. Barriers to health data sharing are being removed and the ONC and HHS’ Office for Civil Rights are stepping up their efforts to prevent information blocking by healthcare providers. However, in order for information to be able to flow, it is essential that information is collected. If healthcare providers and other healthcare organizations only have access to partial medical histories, the usefulness of health data will be limited. Unfortunately, many patients are reluctant to provide their full medical histories to their healthcare providers, and even when information is provided, many patients do not want that information shared with anyone other than their primary healthcare provider. Privacy and security issues are a major concern, and the problem is growing. As healthcare data breaches continue to increase year on year, consumer confidence is decreasing. This has a direct impact on the willingness of patients to share their health data. Important Medical Information is Being Withheld by Patients The extent to...

Read More
New Report Published on Privacy Risks of Personal Health Wearable Devices
Dec29

New Report Published on Privacy Risks of Personal Health Wearable Devices

Wearable technology is now ubiquitous. Consumers have embraced the wide range of trackers and health apps that have come to market in recent years and manufacturers have responded to demand and have created an even broader range of wearable devices that track and monitor health metrics. Wearable devices have expanded from trackers that monitor heart rates, exercise levels, and sleep quality, to devices that collect a far greater range of health data. The data collected from those devices now includes information classed as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). While the data collected by HIPAA-covered entities must be protected from unauthorized access under the HIPAA Privacy and Security Rules, those Rules only apply to healthcare providers, health plans, healthcare clearinghouses and business associates of covered entities. Non-covered entities are not required to implement the safeguards demanded by HIPAA Rules to keep ‘PHI’ secure. If a wearable device is provided to a patient by a HIPAA-covered entity, the...

Read More
FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers
Dec28

FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers

The U.S. Food and Drug Administration (FDA) has published final cybersecurity guidance for medical device manufacturers to help them better protect their devices from cyberattacks. The guidance will help device manufacturers implement a system for identifying and reporting potential security vulnerabilities to ensure flaws can be addressed before they are exploited by hackers. The threat of hackers using vulnerabilities in medical devices to gain access to sensitive data or cause patients to come to harm has been widely publicized in recent years. This year, many cybersecurity professionals have called for device manufacturers to do more to ensure their products – including defibrillators, pacemakers, and drug pumps – are made more secure. The FDA has previously issued warnings to device manufacturers and healthcare providers about medical device security risks. In 2015, the FDA warned of a vulnerability affecting Hospira insulin pumps, which could potentially be exploited by hackers to alter insulin doses to cause patients to come to harm. Earlier this year, short-selling...

Read More
ONC Publishes Final 2017 Interoperability Standards Advisory
Dec21

ONC Publishes Final 2017 Interoperability Standards Advisory

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has published its Final 2017 Interoperability Standards Advisory (ISA). The ISA is a catalog of standards and implementation specifications that can be used by healthcare organizations to address specific interoperability needs. The purpose of the ISA is to serve as a single resource for the healthcare industry to obtain standards and implementation specifications to meet their specific interoperability needs. The ISA covers healthcare data stored in electronic health records, although the resource is intended to be used for a range of health IT that support interoperability needs. ONC points out that the scope of the resource is limited to ‘what’ could be used to address an organization’s interoperability needs, and not necessarily ‘how’ those needs should be met, such as the specific interfaces or tools that should be used. The resource also has a broader scope than the version released in 2016. This year, ONC transitioned from a static document to an online...

Read More
TigerText Announces Record-Breaking Year for Growth
Dec16

TigerText Announces Record-Breaking Year for Growth

TigerText, the nation’s leading secure healthcare messaging platform provider, has announced it has recorded another record-breaking year for growth, signing up over 300 healthcare organizations in 2016. The company now boasts more than 3,000 healthcare customers in the United States, including five of the top ten largest health systems in the country. More than 10 million secure messages are now being sent via the TigerText platform every day and the platform is used in over 5,000 healthcare facilities in the United States. TigerText was originally developed as a standalone messaging platform, yet over the course of the past 6 years it has evolved into a comprehensive clinical communications platform. The platform has been tailored to meet the exacting needs of healthcare organizations, including the strict privacy and security controls required by the Health Insurance Portability and Accountability Act (HIPAA). This year has seen two major new developments. Earlier this year, the TigerText platform achieved the prestigious HITRUST certification and in October the company launched...

Read More
Security Cameras Could Be Your Biggest Security Weakness
Dec09

Security Cameras Could Be Your Biggest Security Weakness

Could a networked device that’s designed to enhance security be exploited by hackers to gain access to your network? In the case of security cameras, it is a distinct possibility. Security and surveillance camera security weaknesses could be exploited by hackers to gain access to the networks to which they connect. The cameras could also be used to check for physical security weaknesses or to spy on workers and patients. The past few weeks have clearly shown the need for better security controls to be incorporated into these IoT devices. Hackers have taken advantage of scant security controls to gain access to cameras (and other IoT devices) and have used them for massive Distributed Denial of Service (DDoS) attacks. Many device manufacturers are guilty of failing to incorporate adequate security controls, although not all of the blame can be placed at the door of the manufacturers. IT departments have installed the devices, yet have failed to change default passwords. Weak passwords can easily be guessed by hackers, and in many cases, the default passwords are readily available...

Read More
OCR Warns Covered Entities of Risk of DDoS Attacks
Dec08

OCR Warns Covered Entities of Risk of DDoS Attacks

There has been a surge in Distributed Denial of Service (DDoS) and Denial of Service (DOS) attacks over the past few weeks. The attacks involve flooding systems with information and requests to cause those systems to crash. The attacks have resulted in large sections of the Internet being taken offline, email systems have crashed, and other computer equipment taken out of action. DDoS attacks on healthcare organizations could prevent patients from accessing web services such as patient portals during an attack, but they can also prevent healthcare employees from accessing systems that are critical for healthcare operations. EHRs, payroll systems, or even software-based medical equipment such as drug infusion pumps and MRIs can potentially be taken out of action. Not only do DDoS attacks prevent these systems from being accessed, they can also result in substantial hardware damage and the cost of repair can be considerable. The scale of the recent attacks has been astonishing. Whereas last year, DDoS attacks of the order of 300 Gbps something of a rarity, this year we have seen...

Read More
Lawmakers Seek Clarification from FDA on Efforts to Protect Medical Devices
Nov09

Lawmakers Seek Clarification from FDA on Efforts to Protect Medical Devices

Concern about the security of medical devices has been growing in recent weeks following the potential discovery of security vulnerabilities in St. Jude Medical devices. While vulnerabilities in medical devices do not appear to have been exploited by cybercriminals, the potential for networked medical devices to be used to attack healthcare organizations and patients cannot be ignored. Currently, around 10-15 million medical devices are in use in the United States, with that number expected to grow considerably over the next few years. With so many connected devices, many of which are approaching end of life and use technology that could potentially be exploited buy cybercriminals, there is naturally concern about device security and how it can be improved. The threat to patients may currently be low, but if action is not taken to improve device security patients could be harmed and vulnerabilities may be exploited to gain access to healthcare data. Last week, Congresswomen Diana DeGette (D-CO) and Susan Brooks (R-IN) sought clarification from the Food and Drug Administration (FDA)...

Read More
Physicians Not Getting Full Benefits from EHR Systems
Nov08

Physicians Not Getting Full Benefits from EHR Systems

Incentive payments for transitioning from paper records to electronic health records has prompted many physicians to purchase electronic health record systems. By 2015, 77.9% of office-based physicians had installed and were using EHRs. However, while EHRs are now in use in most physicians’ offices, the vast majority of physicians are not getting the full benefits of their EHR systems, according to a recent report from the U.S. Department of Health and Human Services’ Centers for Disease Control and Prevention (CDC). CDC took data from the 2015 National Electronic Health Records Survey (NEHRS) for the report: State Variation in Electronic Sharing of Information in Physician Offices: United States. 2015. Survey data were used to describe the extent to which EHR systems were being used by physicians and the report provides a snapshot of the interoperability of medical records. While the systems are now in place to allow the sharing of health information with other healthcare providers, there are still many barriers which are preventing data sharing and consequently, physicians and...

Read More
A NICE New Framework for Developing A Skilled Cybersecurity Workforce
Nov04

A NICE New Framework for Developing A Skilled Cybersecurity Workforce

On Tuesday this week at the NICE conference and Expo in Kansas City, Missouri, the Department of Commerce’s National Institute of Standards and Technology (NIST) announced the release of a new draft version of its NICE Cybersecurity Workforce Framework (NCWF). According to NIST, the new Framework “will allow our nation to more effectively identify, recruit, develop and maintain its cybersecurity talent,” and help U.S. organizations develop a well-trained cybersecurity workforce. The Framework has been developed by the National Initiative for Cybersecurity Education (NICE) and is the product of extensive collaboration between academic institutions, private sector organizations, and government agencies including the U.S. Department of Defense and Department of Homeland Security. The new framework provides common language to categorize different cybersecurity roles and describes job titles and responsibilities in detail. The Framework serves as a workforce dictionary that can be used by organizations to define and share information about the cybersecurity workforce in a detailed,...

Read More
ONC Draws Attention to New Resources to Help Providers Maintain Access to ePHI
Nov02

ONC Draws Attention to New Resources to Help Providers Maintain Access to ePHI

The majority of healthcare providers have now transitioned to electronic health records, yet ensuring ePHI is always accessible when it is needed is sometimes a challenge. Should providers not be able to access ePHI, the health and safety of patients may be put at risk. To prevent harm to patients and HIPAA violations, the Department of Health and Human Services’ Office of the National Coordinator for Health IT (ONC) has drawn attention to a number of new resources that have been made available to providers to help ensure ePHI access is maintained. The ONC has drawn attention to a new FAQ that was recently published by Department of Health and Human Services’ Office for Civil Rights (OCR) which explains how Health Insurance Portability and Accountability Act (HIPAA) Rules apply to health IT vendors, such as EHR vendors. Health IT vendors are classed as business associates of HIPAA-covered entities, and as such they are required to abide by the HIPAA Privacy, Security, and Breach Notification Rules. The FAQ explains that under the HIPAA Privacy Rule, EHR vendors must ensure that the...

Read More
$1.5 Million in Grants Awarded by HHS to Improve the Flow of Health Data
Sep30

$1.5 Million in Grants Awarded by HHS to Improve the Flow of Health Data

Grants totaling $1.5 million have recently been awarded to seven organizations by the Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) to develop standards-based solutions to improve the exchange of health information. New approaches to health information exchange will be developed and tested, and the results of the Cooperative Agreement programs will help to improve medication management, data exchange, and the coordination of care. According to the ONC, more than 35 applications were received for the High Impact Pilot and Standards Exploration Award grants, which were announced at the Health Datapalooza Conference in May. The $1.5 million will be shared between the seven winning applicants. As Vindell Washington, MD, national coordinator for health information technology explained, “These programs will serve as key building blocks for improving the patient and provider experience with the flow of health information.” Announcing the winners of the awards, Washington said the aim is to “advance the use of common...

Read More
ONC Issues Guidance for Negotiating EHR Contracts
Sep27

ONC Issues Guidance for Negotiating EHR Contracts

The Department of Health and Human Services’ Office of the National Coordinator for Health IT (ONC) has issued guidance for HIPAA covered entities to assist them when negotiating EHR contracts. The guidance offers advice on how to select and negotiate terms with EHR vendors, and helps covered entities understanding the fine print of contracts. The benefits of EHR systems are clear; however, in practice those systems do not always live up to expectations. If mistakes are made in the selection of EHR systems, or errors made negotiating contracts, the systems can result in unexpected costs being incurred, business efficiency can be disrupted, and covered entities may even be prevented from accessing patient records. Many healthcare organizations fail to appreciate that while an EHR system includes the data repository and software for creating, maintaining, and accessing data, the EHR will need to be interoperable with other healthcare IT systems. Compatibility issues with those systems can prove extremely costly. Many of the implementation, maintenance, and access problems that...

Read More
Sharing of Health Data with Patients: 95% of Hospitals Now Offer ePHI Access
Sep16

Sharing of Health Data with Patients: 95% of Hospitals Now Offer ePHI Access

The Department of Health and Human Services has been encouraging patients to take a more active role in their own healthcare and to engage more with their healthcare providers. Not only will this help to improve patient outcomes, it will also help to reduce healthcare costs. Healthcare organizations have also been encouraged to improve patient engagement, in part by ensuring that patients can easily access their ePHI. Under the Shared Nationwide Interoperability Roadmap, healthcare providers should allow patients not only to view their health data, but also to download copies and transmit those data to any healthcare provider of their choosing. This week, the Office of the National Coordinator for Health IT has released statistics showing the progress that has been made and the extent to which electronic capabilities for patient engagement have been implemented by U.S. hospitals. According to the data brief, significant progress has been made. The vast majority of U.S. Non-Federal Acute Care Hospitals are now allowing patients online access to their ePHI. There has also been a...

Read More
Have You Remediated the EXTRABACON Vulnerability in your Cisco ASA?
Sep08

Have You Remediated the EXTRABACON Vulnerability in your Cisco ASA?

If you use a Cisco Adaptive Security Appliance (ASA) in your organization and have not patched the device to remediate the EXTRABACON vulnerability, the flaw could be exploited by hackers and used to steal ePHI. On August 13, 2016, a group operating under the name Shadow Brokers released an exploit for EXTRABACON. The vulnerability affects a number of Cisco ASA network security devices and could potentially be used by hackers to gain full control of the devices. Should that happen, it would be possible for a hacker to decrypt VPN traffic, or access internal systems, including those used to store ePHI. The EXTRABACON vulnerability affects versions 1, 2c, and 3 of the Simple Network Management Protocol (SNMP) in a number of Cisco devices including its ASA, ASAv, Firepower, and PIX Firewall products. The vulnerability could allow attackers to create a buffer overflow and run arbitrary code by sending specially crafted SNMP packets to an SNMP-enabled interface. In order to exploit the EXTRABACON vulnerability, the attacker would need to have knowledge of a configured SNMP community...

Read More
Muddy Waters Device Hacking Claims Questioned by Researchers
Sep01

Muddy Waters Device Hacking Claims Questioned by Researchers

Last week, Carson Block – founder of short-selling firm Muddy Waters – released a report saying St. Jude Medical’s Merlin@home device for monitoring pacemakers contained critical security flaws that could be remotely exploited. Those exploits could be used to disrupt the function of the devices and cause them to fail. The research for the report was conducted by security firm MedSec. MedSec had been testing a range of devices from multiple manufacturers as part of an 18-month study of device security. MedSec chose not to present the findings to St. Jude, instead the research was offered to Muddy Waters. The two companies entered into a partnership with MedSec being paid a consultancy fee. MedSec will also benefit financially from any shorting of St. Jude Stock. Block was able to short St. Jude’s stock, with the value of shares falling by 5% last Thursday following the publication of the report. However, leading medical device security researchers from the University of Michigan have conducted their own experiments to test St. Jude devices for security vulnerabilities. Their...

Read More
ONC Announces Winners of the Healthcare Blockchain Challenge
Aug31

ONC Announces Winners of the Healthcare Blockchain Challenge

Last month, the US Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) launched a challenge to explore the potential uses of Blockchain technology in healthcare and health-related research. While Blockchain is best known for its use in the digital currency Bitcoin, Blockchain technology has tremendous potential to benefit the healthcare industry, in particular to improve data privacy, security, and interoperability. Blockchain certainly shows great potential and is attracting considerable investment. In 2014, $299 million was invested in Blockchain by VC-backed companies and that figure rose to $474 million in 2015. Critics of Blockchain have expressed concern about the level of computing power needed and the cost of implementing Blockchain technology, claiming the use of the technology would therefore be extremely limited in healthcare. However, even though there are potential stumbling blocks, there was no shortage of potential applications submitted to the ONC. The ONC received more than 70 whitepapers from research...

Read More
St. Jude’s Medical Accused of Failing to Address ‘Stunning’ Cybersecurity Flaws
Aug26

St. Jude’s Medical Accused of Failing to Address ‘Stunning’ Cybersecurity Flaws

When security researchers at MedSec discovered flaws in a suite of medical products, instead of contacting the manufacturer of the devices – St. Jude Medical – the company divulged the information to Carson Block, a short seller who runs investment capital firm Muddy Waters Capital LLC. MedSec will receive payment from Muddy Waters for the disclosure. Block has taken a short position against the manufacturer and the bigger the fall in stock prices, the more MedSec stands to make. St. Jude Medical was the second most popular stock with large hedge funds in Q2, 2016. Block recently issued a report through Muddy Waters explaining the flaws which sent stock prices tumbling. After the report was published, St. Jude Medical stock lost 8% of its value and closed the day 5% down. In the report, Block predicted that St. Jude Medical could end up losing half of its annual revenue for at least the next two years while the flaws are remediated. The revelation also threatens to derail the recent $25 billion acquisition of the company by Abbot Technologies. The security...

Read More
Locky Ransomware Attacks on Hospitals Increase
Aug22

Locky Ransomware Attacks on Hospitals Increase

According to a new report from security firm FireEye, Locky ransomware attacks on hospitals have surged this month. Criminal gangs that have previously used the Dridex banking Trojan for attacks appear to have switched to Locky and the healthcare sector is being targeted. Hospitals now face an increased risk of experiencing Locky crypto-ransomware attacks. FireEye discovered a number of “massive” email campaigns were launched this month. Each of those campaigns has been unique. The attackers have used different text for the phishing emails, one-off code for each campaign, different malicious URLs, and unique encoding functions and keys for each campaign. The Rise of Locky Locky ransomware was first discovered in early 2016 and has been used in a number of attacks on healthcare organizations. Most notably, the attack on Hollywood Presbyterian Medical Center in February. That attack resulted in a ransom of $17,000 being paid in order to obtain keys to decrypt locked data. Early Locky campaigns have used JavaScript downloaders to install the crypto-ransomware, with the malicious files...

Read More
Healthcare Leaders Need to Move Faster to Meet Cybersecurity Challenges
Aug19

Healthcare Leaders Need to Move Faster to Meet Cybersecurity Challenges

The response from the healthcare industry to current cybersecurity threats has not been fast enough and basic IT security measures are still not being adopted, according to a Nashville-based FBI Supervisory Special Agent. Speaking at last week’s CHIME/AEHIS LEAD Forum Event at Sheraton Downtown Nashville, Scott Augenbaum – an FBI Supervisory Special Agent in the Memphis Division – explained the attendees that too little is being done to keep healthcare data secure. He also pointed out that in the majority of cases, healthcare data breaches could easily have been prevented. When Augenbaum is called upon to visit healthcare organizations following breaches of protected health information, he usually discovers that simple data security measures could have prevented the exposure or theft of PHI. “90 percent of what I see could easily have been prevented. I do not go into a data breach situation where I don’t say, now, wow, that was sophisticated.” He also said that while investment in cybersecurity has increased in the healthcare industry, the situation is not getting better....

Read More
HITRUST CyberAid Cybersecurity Initiative Trialed in North Texas on Small Healthcare Organizations
Aug17

HITRUST CyberAid Cybersecurity Initiative Trialed in North Texas on Small Healthcare Organizations

Large healthcare organizations have the budgets and resources for complex cybersecurity solutions to prevent intrusions and keep the protected health information of patients secure. However, smaller healthcare organizations, in particular physician groups with fewer than 75 employees, face considerable challenges. Many cybersecurity solutions are not ideal for the small business environment and the cost of implementing appropriate defenses against cyberattacks can be prohibitively expensive. However, effective cybersecurity solutions must be deployed. Healthcare organizations are now being targeted by cybercriminals and smaller organizations face a high risk of attack. Hackers are well aware that the defenses of small healthcare organizations can lack sophistication. This can make small practices a target for hackers. If a successful cyberattack occurs it can be catastrophic for small practices. The cost of mitigating risk after a cyberattack is considerable. Many healthcare organizations lack the funds to deal with cyberattacks. This was clearly demonstrated by the cyberattack on...

Read More
13.6% Growth Expected in Hospital Cybersecurity Market to Combat New Threats
Aug12

13.6% Growth Expected in Hospital Cybersecurity Market to Combat New Threats

Over the next five to six years, growth in the healthcare cybersecurity solution market is expected to increase by 13.6%, according to a new Frost & Sullivan report. Healthcare organizations now have to protect a much broader attack surface now that the vast majority of organizations have transitioned from paper to digital PHI formats. Keeping data protected from attacks by malicious actors is now a major concern for healthcare organizations. The threat landscape has changed considerably and traditional cybersecurity solutions are failing to prevent increasingly sophisticated attacks. The increase in cybersecurity threats will fuel considerable growth in the hospital cybersecurity market. As we have seen in the past few weeks, the Department of Health and Human Services’ Office for Civil Rights has stepped up enforcement of HIPAA regulations and has issued a number of multi-million dollar files to companies that have failed to protect adequately protect the ePHI of patients. The FTC and state attorneys general have also taken action against healthcare organizations that have...

Read More
Karen DeSalvo Leaves ONC: Vindell Washington Takes Over
Aug12

Karen DeSalvo Leaves ONC: Vindell Washington Takes Over

For the past two years, Karen DeSalvo has served as the National Coordinator for Health Information Technology of the Office of the National Coordinator for Health Information Technology (ONC). That role has now come to an end, as today, DeSalvo will be stepping down. The new ONC head will be the former deputy national coordinator, Dr. Vindell Washington. DeSalvo will not be leaving the Department of Health and Human Services (HHS) as she will continue in her role as acting assistant secretary for health, a position she has held since October 2014. DeSalvo took on that post to oversee the nation’s response to the Ebola crisis. Leaving the position of national coordinator will allow DeSalvo to concentrate on that position. Before DeSalvo joined the ONC, one of the ONC’s main roles was to oversee the adoption of electronic health records by the healthcare industry. When DeSalvo took over as head the ONC was becoming increasingly involved with promoting interoperability. DeSalvo played an important part in driving the meaningful use EHR incentive program forward and advancing...

Read More
TigerText Receives HITRUST CSF Certification
Jul28

TigerText Receives HITRUST CSF Certification

Secure healthcare messaging platform provider TigerText has achieved CSF Certification from the Health Information Trust Alliance (HITRUST). TigerText is the first vendor in its class to earn HITRUST CSF certification. HITRUST CSF was developed to help organizations in the healthcare sector certify that they have implemented the necessary privacy and security controls in compliance HIPAA and HITECH legislation, in addition to globally recognized standards and frameworks developed by NIST, ISO, PCI, FTC, and COBIT. Since the HITRUST CSF was developed it has fast become the most widely-adopted security framework in the U.S. healthcare industry. In order for organizations to earn HITRUST CSF certification they must be able to demonstrate that they meet key healthcare regulations covering the protection of sensitive healthcare information and that they are effectively managing risk. As Ken Vander Wal, Chief Compliance Officer at HITRUST, explains “The HITRUST CSF has become the information protection framework for the healthcare industry, and the CSF Assurance program is bringing a new...

Read More
Could New Database Methodology End Massive Healthcare Data Breaches?
Jul22

Could New Database Methodology End Massive Healthcare Data Breaches?

If a hacker succeeds in breaking through network security defenses and gains access to patient data, hundreds of thousands of healthcare records can be stolen in an instant. In the case of Anthem, tens of millions of records were obtained by data thieves. However, a new methodology for protecting relational databases has been devised by Washington D.C-based MD and computer scientist, William Yasnoff M.D. Yasnoff, a managing partner of the National Health Information Infrastructure (NHII) Advisors, believes that the new architecture could help healthcare organizations avoid large-scale data breaches. In a paper published in the Journal of Biomedical Informatics, Yasnoff explains that he has developed a new health record storage architecture that allows healthcare organizations to store and encrypt individual patient’s data separately. By using Yasnoff’s “personal grid” methodology, healthcare organizations can greatly reduce the risk to patients in the event of a data breach. The technique is not being sold by Yasnoff, but can be used free of charge by healthcare organizations and...

Read More
Large Privacy and Security Gaps at Non-HIPAA Covered Entities Highlighted by ONC Report
Jul20

Large Privacy and Security Gaps at Non-HIPAA Covered Entities Highlighted by ONC Report

Consumers’ health data is potentially being placed at risk by entities that are not covered by HIPAA Rules, according to a recent report issued by the ONC. The report – Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA – was produced following a study of the application of privacy and security requirements to non-HIPAA covered entities and business associates.  The report also draws on work conducted by the FTC, National Committee on Vital and Health Statistics (NCVHS), and OCR. The ONC explains in the report that a large number of organizations are now collecting, storing, and transmitting health data, yet many of those organizations are not subject to the same rules concerning the protection of ePHI as traditional healthcare organizations. Data and privacy protections at non-HIPAA-covered entities are not always robust and numerous gaps exist that place the health data of individuals at risk. The Scope of HIPAA is Limited HIPAA covers traditional healthcare organizations that perform electronic transactions –...

Read More
Lifting of Joint Commission Ban on Secure Text Orders Delayed until Fall
Jul18

Lifting of Joint Commission Ban on Secure Text Orders Delayed until Fall

The lifting of the Joint Commission ban on secure text orders was welcomed by healthcare organizations and secure messaging providers; however, the ban is now back in place. Text orders cannot currently be sent, even if a secure messaging platform is used. Joint Commission Ban on Secure Text Orders Lifted Only for a Month The lifting of the Joint Commission ban on secure text orders was announced in the May Perspectives newsletter, although the June Newsletter explained that organizations wishing to use a secure messaging platform must first be provided with further guidance to help them incorporate the texting of orders into their policies and procedures. The May Perspectives newsletter explained that “effective immediately” the Joint Commission ban on secure text orders was lifted. The newsletter explained that in order for healthcare organizations to start using text messages to transmit orders a number of conditions needed to be satisfied. Standard text messaging platforms could not be used due to the risk of data being intercepted. The texting of orders would only be permitted...

Read More
Three Hospitals’ Medical Devices Hacked Using Ancient XP Exploits
Jun28

Three Hospitals’ Medical Devices Hacked Using Ancient XP Exploits

Cybercriminals are using increasingly sophisticated methods to gain access to healthcare networks, although according to a recent report – MEDJACK.2 Hospitals Under Siege – from Trap X Research Labs, old school malware and ancient exploits can still be effective. Three hospitals have been discovered to have been infected with malware via medical devices running on legacy systems. The researchers discovered “a multitude of backdoors and botnet connections,” that had been installed using ancient exploits of the unsupported Windows XP platform. Hackers had succeeded in compromising the machines even though the hospitals had modern, sophisticated cybersecurity defenses in place. The initial attacks used old malware which was not detected by advanced security software. The malware was not deemed to pose a threat as the vulnerabilities that the malware exploited had been addressed in Windows 7 and did not exist in later Windows versions. Sophisticated Cybersecurity Defenses Failed to Identify Windows XP Malware Infections One of the hospitals tested by TrapX researchers had a...

Read More
Healthcare Organizations Need to Be Proactive and Hunt for Security Threats
Jun22

Healthcare Organizations Need to Be Proactive and Hunt for Security Threats

Many organizations are now opting to outsource cybersecurity to managed security services providers (MSSPs) due to a lack of internal resources and expertise. However, many MSSPs are unable to offer the advanced threat detection services necessary to significantly improve cybersecurity posture. Raytheon Foreground Security recently commissioned a Ponemon Institute study to investigate how MSSPs were being used by organizations.  Raytheon surveyed 1,784 information security leaders from a range of organizations – including healthcare providers – in North America, the Middle East, Europe, and the Asia-Pacific region. Respondents were asked about the role of MSSPs, how important their services are, and how MSSPs fit in to business strategies. 80% of organizations that have enlisted the services of MSSPs say that they are an important element of their IT overall security strategy and provide a range of services that cannot be managed in house. Many organizations do not have sufficient IT personnel to make their cybersecurity strategies more effective, and when staff are available they...

Read More
VA Implements New Measures to Improve Medical Device Cybersecurity
Jun21

VA Implements New Measures to Improve Medical Device Cybersecurity

In May, a top official at the Veteran’s administration said that the risk of medical devices being hacked to give patients’ overdoses or otherwise cause them to come to harm is relatively unlikely; however, VA deputy director of health information security Lynette Sherrill did point out that medical devices could be a weak link that cyberattackers attempt to exploit. One of the problems is medical devices are not always patched promptly. The devices connect to networks via traditional operating systems such as Windows. When patches are released by Microsoft, medical devices are often the last devices to have the updates applied. The Information Security Monthly Activity Report sent by the VA to congress often shows that medical devices have been infected with malware. In January, the VA discovered three medical devices had been infected, with a further case in February and two more in April. Since malware infections started to be tracked by the VA in 2009, 181 medical device infections have been discovered. These infections have all been contained and are not believed to have...

Read More
NIST Cybersecurity Framework to be Updated
Jun15

NIST Cybersecurity Framework to be Updated

In 2014, the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework. The Framework details a set of standards, procedures, and processes that can be adopted by organizations to help them align their policy, business, and technological approaches to deal with cybersecurity risks. In December 2015, NIST issued a request for information (RFI) seeking feedback on use of the Cybersecurity Framework. NIST also asked for comments regarding long-term governance of the Framework and suggestions on how best practices for use should be shared. 105 responses were received. Further feedback was sought from stakeholders at an April 6-7 workshop in Gaithersburg, MD, specifically on best practice sharing, case studies, further development of the Framework, and comment on the NIST Roadmap for Improving Critical Infrastructure Cybersecurity. The feedback received from the RFI and the workshop indicated the Framework had proved to be a useful organization and system level tool, and that it has proved to be valuable for coordinating cybersecurity. Organizations...

Read More
FDA Issues Guidance for Medical Device Makers to Facilitate Data Sharing with Patients
Jun14

FDA Issues Guidance for Medical Device Makers to Facilitate Data Sharing with Patients

The Food and Drug Administration (FDA) has issued new draft guidance for medical device manufacturers offering recommendations to facilitate the sharing of medical device data with patients. The FDA believes that sharing medical data such as oximetry data, heart electrical activity, and cardiac rhythms with patients will help to empower them to become more engaged in their own healthcare, and will help them to make sound medical decisions. In the guidance, the FDA explains that while the data recorded by these devices is primarily for physicians and hospitals, device manufacturers should make the data recorded by their devices available to patients. The data included in the FDA’s definition of patient-specific information include, but is not limited to, healthcare provider inputs, device usage/output statistics, incidences of alarms, records of device malfunctions or failures, or any data recorded by the devices. Device manufacturers have previously suggested that FDA approval would be necessary before they provided medical device data to patients. The FDA has issued the guidance...

Read More
ONC Releases Videos Explaining Patients’ HIPAA Rights
Jun03

ONC Releases Videos Explaining Patients’ HIPAA Rights

Earlier this year, the HHS’ Office for Civil Right (OCR) released guidance for healthcare organizations on patients’ HIPAA rights in an attempt to clear up confusion over access and ensure that covered entities were aware of their obligations under the HIPAA Privacy Rule. The guidance covered many of the questions commonly asked by healthcare organizations, including the models that can be adopted by healthcare organizations for charging for PHI copies. Now that covered entities are prepared, efforts have shifted to advising patients of their access rights under HIPAA. This week, the Office of the National Coordinator for Health Information Technology (ONC) -in conjunction with the OCR – released a series of educational videos to improve understanding of patients’ HIPAA rights. The ONC wants to improve patient engagement and get patients to take greater interest in their health. Encouraging patients to obtain copies of their ePHI can help in this regard. Having access to medical records allows patients to check for errors, provide their data to other healthcare providers or...

Read More
Verity Health System Victim of Phishing Attack
Jun03

Verity Health System Victim of Phishing Attack

Verity Health System has fallen victim to a phishing attack resulting in sensitive employee data being emailed outside the company. Employee names, addresses, Social Security numbers, amount earned in the financial year, and details of tax withheld have been disclosed to the attacker. The breach only affected past and present employees who would have received a W-2 for the past financial year. No patient data was compromised in the breach. An email was received on April 27, 2016., which appeared to have been sent from an individual inside the organization. The email asked for information on Verity employees, which was sent as requested. The scam was discovered just over three weeks later. The Oregon-based healthcare provider is one of a large number of companies that have fallen victim to this kind of scam this year. These phishing attacks are often referred to as business email compromise scams, although internal email accounts are not always compromised. Oftentimes, attackers purchase a similar domain to that used by the targeted organization. The letter ‘I’ could be replaced...

Read More
TigerText Announces Collaboration with Honeywell
Jun02

TigerText Announces Collaboration with Honeywell

TigerText, the leading provider of secure text messaging solutions for the healthcare industry, has announced that users of the Honeywell’s new Dolphin™ CT50h smartphone can now use the TigerText secure messaging app. TigerText has been working closely with Honeywell to develop a customized version of its app which can be downloaded onto the Dolphin smartphone. The new version of the TigerText app works with the next-generation scanner on Honeywell’s Dolphin™ CT50h smartphone, which can be used to verify patients’ identities. TigerText has incorporated its bot technology which allows healthcare data to be pulled directly from healthcare providers’ electronic medical record systems. Physicians can use the app to retrieve critical up-to-date health information about patients’ medications by scanning barcodes with the Dolphin smartphone. The TigerText app allows physicians to obtain EMR data in real time, ensuring they can access all patient data including recent procedures and notes entered by all members of the care team. Having access to the most up-to-date patient information will...

Read More
CHIME Launches New Cybersecurity Center and Program Office
May31

CHIME Launches New Cybersecurity Center and Program Office

The College of Healthcare Information Executives (CHIME) has announced the opening of a new Cybersecurity Center and Program Office which will help healthcare organizations deal with cyber threats and better protect patient data and information systems. Announcing the opening of the new office, CHIME President and CEO Russell Branzell explained the need for better collaboration within the healthcare industry. “Cyber threats are becoming more sophisticated and more dangerous every day.” He went on to say, “Today the focus is ransomware, tomorrow it will be something else. As an industry, we need to pull together and share what’s working so that we can effectively safeguard our systems and protect patients.” The new office will be manned by CHIME staff, although assistance will be sought from Association for Executives in Healthcare Information Security (AEHIS) members, who will serve as security advisors to the center as well as to the healthcare industry. The Cybersecurity Center and Program Office will develop a range of resources to help healthcare organizations develop better...

Read More
HHS Announces Release of the Final Data Security Policy Principles Framework
May27

HHS Announces Release of the Final Data Security Policy Principles Framework

HHS Secretary Sylvia Matthews Burwell has announced the release of the final Data Security Policy Principles Framework for the Precision Medicine Initiative (PMI) which was launched by President Obama in early 2015. The Security Principles Framework was developed to help healthcare organizations that participate in the PMI understand the security measures that must be adopted to protect sensitive health, genetic, and environmental information. According to the HHS, the PMI will help to “enable a new era of medicine – one where doctors and clinicians are empowered to tailor their treatments to their patients’ needs, and patients can get individualized care,” The PMI is intended to help “deliver the right treatment to the right patient at the right time, taking into account an individual’s health history, genetics, environment, and lifestyle.” In February, the Obama Administration announced that great progress has been made so far, and that more than 40 commitments have been made by the private sector to advance precision medicine. Those commitments include a promise by leading EHR...

Read More
Cybersecurity Training Failing to Tackle Insider Threat
May27

Cybersecurity Training Failing to Tackle Insider Threat

A recent Ponemon Institute/Experian study – Managing Insider Risk Through Training & Culture – has shown that companies are failing to provide adequate cybersecurity training to prevent negligent behavior by employees and to reduce the risk of an insider data breach. For the latest study, over 600 individuals from a wide range of organizations were questioned about their cybersecurity training programs. Respondents included C-suite executives, managers, and IT professionals from companies that had a data protection and privacy training (DPPT) program in place. The study revealed that 55% of companies have experienced a data breach in the past that was caused by employee negligence or human error. When asked about the risk of a data breach as a result of negligence or employee error the majority of companies were aware of the risk. 66% of respondents said they believed employees are the weakest link in the security chain, yet more than half of respondents said their cybersecurity training programs were not effective. When asked about training programs and employees...

Read More
Apple to Recruit HIPAA Expert as Privacy Counsel
May25

Apple to Recruit HIPAA Expert as Privacy Counsel

Apple is seeking a Privacy Counsel with extensive experience in healthcare privacy and a thorough understanding of HIPAA regulations. The new position confirms that Apple is planning on developing its products to be more valuable to healthcare professionals and patients, and that the company is intent on making more of a mark in the healthcare sector. The new recruit will be required to work on cutting edge projects, providing essential input on privacy and security, working on privacy by design reviews, supporting compliance and auditing frameworks, drafting policies and procedures to ensure compliance with privacy laws, and assisting with privacy complaints and breaches. The individual will also play a major part in designing privacy solutions for Apple products. The new position could indicate Apple is intent on developing HIPAA-compliant apps or may be working on a HIPAA-compliant backend for its frameworks to enable patient data to be stored and transmitted securely, in accordance with HIPAA Rules. Apple has already developed products and frameworks for monitoring patient...

Read More
Kansas Heart Hospital Ransomware Attack: Ransom Paid, Second Demand Issued
May23

Kansas Heart Hospital Ransomware Attack: Ransom Paid, Second Demand Issued

As last week’s Kansas Heart Hospital ransomware attack clearly demonstrates, paying a ransom may not necessarily result in decryption keys being supplied by attackers to allow files to be unlocked. Ransomware Claims Another Healthcare Victim This year a number of healthcare organizations have had vital data locked by malicious file-encrypting software. In February, Hollywood Presbyterian Medical Center felt there was little alternative but to pay a ransom to attackers to obtain decryption keys to unlock files that had been locked with ransomware. The attackers issued a Bitcoin ransom demand of approximately $17,000. Upon paying the ransom, the medical center was provided with a security key for each of the devices that had been infected. Other healthcare providers have also been attacked this year. MedStar Health was reportedly issued a 45 Bitcoin ($19,000) ransom demand, although the ransom was not paid, instead files were recovered from backups. Other attacked healthcare providers were also able to avoid paying a ransom and recovered their locked files by restoring their systems...

Read More
Engineer Indicted on Charges of Trade Secret Theft from Medical Device Companies
May20

Engineer Indicted on Charges of Trade Secret Theft from Medical Device Companies

The United States Department of Justice has charged an engineer with the theft and possession of trade secrets belonging to two medical device manufacturers. 43-year old Wenfeng Lu of Irvine, California, was indicted on 12 charges by a grand jury on Wednesday this week. Lu is alleged to have stolen proprietary trade secures from EV3 Covidien while employed at the company between January 2009 and October 2011, and from Edwards Lifesciences Corp., where he was employed between November, 2011 and November, 2012. Lu is alleged to have stolen information and emailed the confidential data to his personal email account. It has also been alleged that Lu took photographs of equipment and copied company reports, presentations, emails, and test results. Lu visited the People’s Republic of China (PRC) on multiple occasions after obtaining data. It is alleged that Lu was attempting to set up his own company with associates in PRC and planned to use the trade secrets to manufacture medical devices in PRC. Lu was arrested by the FBI in 2012 while preparing to board a plane bound for PRC. Lu was...

Read More
Department of Veteran Affairs Seeks Vendors to Search for Stolen Data
May17

Department of Veteran Affairs Seeks Vendors to Search for Stolen Data

Even when appropriate controls are implemented to secure electronic protected health information (ePHI), data breaches can still occur. Mistakes are made with the configuration of firewalls, ePHI is accidentally disclosed to unauthorized individuals, and phishing attacks and malware allow criminals to gain access to ePHI. Healthcare data breaches have now become as inevitable as death and taxes despite the best efforts of healthcare organizations to keep ePHI secured. The Department of Veteran Affairs is the largest integrated health system in the United States, with more than 1,700 locations providing healthcare services to more than 8.76 million veterans. The VA stores a considerable volume of ePHI which makes it a large target for cyberattackers. In April alone, the VA blocked 77.69 million intrusion attempts, blocked and/or contained almost 460 million malware samples, as well as more than 105 million malicious emails. With so many attempted attacks, occasional data breaches are to be expected. When breaches occur, lessons are learned, systems are improved, and security...

Read More
TigerText Launches HealthBot Capable of Automating the Provision of Healthcare Information to Patients
May13

TigerText Launches HealthBot Capable of Automating the Provision of Healthcare Information to Patients

TigerText has launched a new secure, HIPAA-compliant, messenger service for web portals and mobile applications which automates a wide range of tasks that previously required the time of support staff. All too often patients face extended wait times when calling hospitals and other healthcare facilities and hold times in excess of 30 minutes are far from uncommon. Obtaining answers to questions and making routine appointments is rarely a quick process, causing considerable frustration for patients. Patient web portals are a convenient way of communicating with patients more efficiently, yet healthcare staff are still required to man the web portals. Many of the questions asked by patients via web portals can be easily handled by a messenger bot. Automating these services can reduce patient waiting times and provide patients with instant answers to their questions. With the cost of healthcare expected to increase by 5.8% each year, healthcare organizations need to find new ways to improve efficiency and lower operational costs. Messenger bots can allow patients to receive...

Read More