Health System’s Network Taken out by Qbot Malware
Jan22

Royal Melbourne Hospital’s pathology department’s network was taken down this week by a new variant of Qbot malware, highlighting the damage that can result from tardy software upgrades and patch installations. Microsoft stopped issuing patches for Windows XP in April 2014, leaving the operating system prone to attack. There were fears that as soon as the patches stopped being issued a wave of cyberattacks via zero-day exploits would follow. Those attacks failed to materialize, but any system running the defunct operating system was left vulnerable when support was retired. The decision to keep using Windows XP rather than upgrading has proved extremely costly for Royal Melbourne Hospital’s pathology department. A zero-day vulnerability in XP was exploited, resulting in the hospital’s pathology department network being infected with malware and taken out of action. The malware also attacks Windows 7 machines, and a number of XP and Windows 7 machines were infected. With the network taken down, the hospital’s pathology department was forced to manually process...

Only 45 Percent of Organizations Confident in Ability to Repel a Cyberattack
Jan21

According to the Cisco 2016 Annual Security Report released on Tuesday, fewer than half of worldwide organizations are confident in their ability to repel a cyberattack due to the sophisticated and resilient nature of campaigns now being launched by hackers. The report indicates 45% of organizations are no longer confident in their security posture. 48% of security executives said they were very concerned about security, while 41% indicated they were much more concerned than they were three years ago. There are very real causes for concern. Many organizations are operating an aging infrastructure and the vast majority – 92% – of Internet-connected devices in use contain known security vulnerabilities. Just under a third of devices being used no longer have vendor support.

Highly Sophisticated Cyberattacks Proving Hard to Repel

Investment in cybersecurity defenses has increased considerably in recent years to address the elevated risk of attack. However, attackers have upped the ante and are conducting ever more sophisticated attacks that are proving difficult to repel....

Hippocratic Oath for Connected Medical Devices Required, says Cybersecurity Association
Jan20

A cybersecurity volunteer association has written an open letter to healthcare industry stakeholders calling for the adoption of a Hippocratic Oath for connected medical devices. I am the Cavalry says the move would better protect the privacy of patients and ensure their safety. The growing risk of cyberattack coupled with the inherent security vulnerabilities present in many medical devices prompted I am the Cavalry to pen the letter. It is believed that while medical devices allow life-saving therapies to be provided to patients, greater efforts must be made to ensure the data they record are kept secure. Additional safeguards must also be incorporated to ensure the devices cannot be hacked. It is believed that a Hippocratic Oath for connected medical devices would help in this regard. The group also claims that such a measure would serve to preserve trust in the healthcare industry and would help to improve the safety of the devices. The aim is to encourage developers of medical devices to implement a host of safeguards to ensure their devices are resilient to attack and, as far...

Medical Device Manufacturers Receive New FDA Cybersecurity Recommendations
Jan18

On January 15, 2015, the Food and Drug Administration (FDA) released draft guidance on the Postmarket Management of Cybersecurity in Medical Devices. The guidance has been released for public comment and will be open for a comment period of 90 days. The aim of the guidance is to help manufacturers of medical devices develop and implement controls to ensure their devices are secure, to better protect patients. The guidance contains a number of steps manufacturers should follow to address cybersecurity vulnerabilities after devices have come to market to ensure the continuing safety of patients. These include the monitoring of devices and the conducting of risk assessments to identify security vulnerabilities after devices have come to market. Manufacturers of medical devices must ensure cybersecurity protections are built into devices and are a central part of the design. It is not possible to eliminate all cybersecurity risks at the design phase. Cybersecurity risks may arise at any point in the lifecycle of the products. It is therefore essential that medical devices are constantly...

Calculating the Cost of Spear Phishing
Jan17

Spear phishing attacks are on the increase and healthcare providers have had to increase spending considerably to deal with the threat and mitigate risk. A recent survey conducted by Cloudmark/Vanson Bourne has helped to quantify the current level of spending on anti-phishing precautions and has produced an estimate of the cost of spear phishing.

Spear Phishing: A growing problem for healthcare providers

The sending of mass spam emails has long been a tactic used by cybercriminals to get individuals to reveal their login credentials, often indirectly after being fooled into installing malware on their computers. The vast majority of these email campaigns have been poorly written and ill-conceived. That said, they have still proved to be an effective way of delivering malware, although spam filtering technology has improved considerably in recent years and many of these emails are now being blocked. Cybercriminals have realized that more targeted phishing emails not only have a much better chance of getting past spam filters, but are also more likely to elicit the desired response....

How Secure are Mobile Health Apps?
Jan16

How secure are mobile health apps? It may not come as a surprise to find out that many mobile health apps have security vulnerabilities, but what about the health apps that have been tested and approved by the Food and Drug Administration (FDA)?

How Secure are Mobile Health Apps?

Apparently, even mobile health apps that have gained FDA approval are insecure. A recent study conducted by Arxan Technologies indicates that 84% of FDA-approved health apps have at least two security vulnerabilities that pose a significant risk of exposing data or that could lead to the devices being compromised. For the study, Arxan assessed 71 of the top health apps used in the United States, United Kingdom, Japan, and Germany, and tested each using tools developed by Mi3, a leading application security company. Mi3 has developed tools that assess the potential for data leaks, susceptibility to malware, and privacy risks. Each app was tested for susceptibility to the Open Web Application Security Project’s (OWASP) top ten critical security risks. Overall, 86% of the apps were discovered to be vulnerable to at...

TigerText Launches Healthcare Pager and Fax Replacement
Jan15

TigerText has announced the release of two new communication solutions for healthcare providers. The two new products have clear potential, and could convince many healthcare providers to start phasing out pagers and faxes. The new products, named TigerPage & TigerFax, are aimed at healthcare providers that would like to transition to a more secure, HIPAA-compliant method of communication but who are reluctant to give up the communication tools they have relied on for decades. Rather than totally replacing pagers and faxes, the new solutions allow them to continue to be used. In fact, the speed and efficiency with which pages and faxes can be received and responded to are greatly improved. Rather than carrying a pager and a Smartphone, healthcare workers can have pages and faxes sent directly to their Smartphone.

Healthcare Providers Reluctant to Relinquish the Pager

Pagers and faxes have been an essential communication tool for the healthcare industry for decades, yet despite reliable, HIPAA-compliant communication systems being available for some time, healthcare providers are...

The Slow Pace of Technology Adoption in Healthcare Explained
Jan14

When it comes to implementing new technology, the healthcare industry lags behind every other industry sector. It is a well-known fact that the industry appears to resist change, even when those changes stand to significantly benefit patients. In an age of Smartphones, tablets, and the Internet of Things, many people would be amazed to find out that archaic communication methods such as pagers and faxes not only still exist, but are extensively used throughout the healthcare industry. In some cases, the new technology now being introduced by healthcare providers was first introduced in other industry sectors many years ago. There are very good reasons why the pace of change is so much slower in the healthcare industry than in, say, the financial sector or the manufacturing industry. Itamar Kandel, Chief Strategy Officer of TigerConnect, is well aware of the slow pace of change. During his time working with healthcare organizations at VERITAS Software and more recently at TigerConnect, he discovered the reasons why adoption of new technology is slow, even when technology can clearly...

Beware of Medical Device Ransomware in 2016 Warns Forrester Research
Jan13

The spate of data breaches suffered by HIPAA-covered entities is set to continue in 2016 according to predictions by security experts. Malware and phishing attacks on healthcare providers are likely to continue to be used to obtain PHI from healthcare providers this year. While phishing and social engineering were used to gain access to data last year (Anthem, Premera), ransomware attacks have not plagued the healthcare industry, even though the use of the malicious software has grown. Hackers have preferred attacking healthcare providers for the data they hold rather than locking computers and demanding a ransom. Far greater rewards can be gained from obtaining millions of healthcare records than from locking a handful of computers. However, that does not mean that ransomware is not a problem. In fact, research and advisory company Forrester Research has predicted that ransomware attacks are going to be more of a problem in 2016, and the company believes that medical devices and wearables will be targeted. If the prediction turns out to be true, medical devices could be attacked...

Upgrade Internet Explorer to Remain HIPAA Compliant
Jan11

On Wednesday January 12, 2016, Microsoft will be stopping support and security updates for Internet Explorer 8, 9 and 10. All users of Internet Explorer must therefore upgrade to Internet Explorer 11, or make the switch over to Microsoft Edge, in order to continue receiving support, security updates, and patches. 18 months ago, Microsoft announced that its internet browser updates for IE8, IE9, and IE10 would be stopping. Any user who has not yet upgraded now has just two days left before their browser officially becomes obsolete. Whenever software is discontinued and support and security patches are stopped, that software becomes a security risk. Vulnerabilities are discovered that are not patched, and hackers are likely to be able to take advantage. Microsoft recently issued a warning saying continued use of IE 10, 9 and 8 would leave individuals “at risk of viruses and other malicious software that exploit security flaws and bugs in the browsers.” Figures from Netmarketshare.com and Duo Security put the number of Internet Explorer users with IE10 and below installed at between...

NSF Grant Funds Development of Mobile Cloud Dietary Assessment Tool
Jan08

Many mHealth apps lack sufficient controls to keep patient data secure. In late 2014, a Trustworthy Health and Wellness (THaW) project funded by the National Science Foundation (NSF) determined that 63% of popular mHealth apps were not encrypting data (out of a test sample of 22), potentially placing data at risk of theft. Furthermore, 81% of mHealth apps were using third party storage or hosting services. The benefits of mHealth apps for patients and healthcare providers are considerable. Unfortunately, healthcare providers wishing to use mHealth apps are prevented from doing so by HIPAA. Unless developers of mHealth apps encrypt stored and transmitted data to a nationally accepted standard, or implement other controls to keep data secure, use of the apps by the healthcare industry will be limited.

Secure Mobile Cloud Dietary Assessment Tool Under Development

University of Massachusetts Medical School and UMass Lowell have recently embarked on a new National Science Foundation grant funded project to test a new mHealth infrastructure that will allow patient data to be collected...

Henry Schein Gets 20-Year Consent Order and $250K FTC Fine for False Advertising of Data Encryption
Jan08

The HIPAA Security Rule defines encryption as the “use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” 45 CFR 164.304. Covered entities must ensure that the strength of the encryption software is appropriate. Not all encryption software protects data to the same degree. In fact, some methods of encryption are better referred to as data camouflage rather than data encryption. The Department of Health and Human Services’ Office for Civil Rights recommends using robust encryption that conforms to a nationally recognized standard such as the Advanced Encryption Standard (AES), recommended by the National Institute of Standards and Technology (NIST). Henry Schein Practice Solutions, Inc., a vendor of software solutions for dental practices, chose a different encryption standard for its Dentrix G5 software solution. The software allows dentists to enter and store patient data, process claims and payments, and send appointment reminders. Dentists are covered under HIPAA and must...

Benefits of Healthcare Text Messaging Highlighted by New Study
Jan06

Further evidence has emerged showing the benefits of healthcare text messaging. A study recently published in the Journal of the American Heart Association clearly showed that an automated mHealth intervention using text messages and Smartphone tracking apps can prove to be an effective strategy for increasing patients’ physical activity levels. The benefits of increasing activity levels, in particular for sufferers of cardiovascular disease, cannot be overstated. However, under 50% of adults are failing to reach the recommended daily exercise targets, in spite of many initiatives to get the nation more active. In fact, activity levels have not increased substantially since they were assessed as part of the National Health and Nutrition Examination Surveys conducted between 1988 and 1994. According to the American Heart Association, there is a critical need for research into new, effective strategies that can be used to promote increasing daily activity levels. With this in mind, Seth S. Martin, MD, MHS et al, conducted a study at an ambulatory cardiology center in Baltimore to...

Online Medical Record Access Not Possible for the Majority of Patients
Dec31

A recent survey commissioned by personal clinical engagement platform vendor HealthMine indicates patients are still finding it difficult to gain online access to their healthcare data, even though the majority of healthcare providers store healthcare data in digital form. 2013 data suggest that 78% of healthcare providers use EHRs and could therefore conceivably provide online access to patient medical data. The recent survey was conducted on 502 consumers who intended to enroll in a 2016 health plan. The survey took place between October and November, 2015. The results of that survey show that over half of consumers (53%) do not yet have online access to their medical records, and almost a third (32%) of Americans have difficulty accessing their medical records. 31% of respondents indicated they have trouble accessing biometric information, and 29% said they struggled to gain access to lab records and insurance information. A quarter of respondents had trouble accessing their prescription history. 74% of Americans believe that having access to all of their clinical notes and medical...

Repeat HIPAA Violators Revealed: Database of Offenders Created
Dec30

ProPublica has created a database of healthcare organizations that have violated patient privacy to make it easier for consumers to find repeat HIPAA violators. The biggest offenders have now been exposed. Since late 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing self-reported data breaches suffered by HIPAA-covered entities. The list of data breaches, often referred to as OCR’s “Wall of Shame”, currently lists 1425 data breaches dating from October 21, 2009. Some healthcare organizations have suffered a single data breach, while others have suffered more. However, it is difficult to quickly ascertain how many breaches have been suffered by a particular entity. Not all data breaches are listed under the same company name. A search for a particular healthcare provider may reveal that just one breach has been suffered, when in actual fact a great deal more have occurred. CVS Health is a good example: a search for that name would produce one result, a 12,914-record breach suffered this year. A search for CVS Caremark would...

Study Shows Value of Phishing Simulation Exercises
Dec23

A recent report indicates the probability of members of staff responding to a phishing campaign can be effectively reduced to zero if phishing simulation exercises are completed regularly.

The Growing Threat of Healthcare Phishing Attacks

The Office for Civil Rights recently issued its first financial penalty to an organization that suffered a data breach after its employees responded to a phishing campaign. The case resulted in University of Washington Medicine agreeing to a $750,000 fine to settle potential HIPAA violations. UWM had already had to cover significant data breach resolution costs after suffering a 90,000-record breach. The fine and data breach costs could potentially have been avoided if staff members had been trained how to identify phishing emails. The healthcare industry is now being targeted by cybercriminals, and phishing is the most commonly used method of gaining access to patient data. Even when multi-million-dollar security defenses are employed to keep networks secure, a single response to a phishing email can be all it takes to compromise the records of...

IT Pros’ Security Concerns for 2016 Probed by Spiceworks Survey
Dec21

A new IT security report issued by Austin-based IT firm Spiceworks indicates 80% of organizations have suffered an IT security incident this year. The company conducted a survey of 200 U.S. IT professionals to find out more about the security incidents suffered in 2015 and to gather opinions on the biggest data security threats for 2016. This year was challenging for IT professionals, with numerous IT security incidents suffered. In spite of this, optimism appears to be high. 71% of respondents said they are planning to increase security in 2016 to deal with cybersecurity threats, and next year should see them much better prepared to deal with security threats.

The Biggest Data Security Threats in 2015

In 2015, the biggest security threats came from malware, with 51% of organizations reporting they had suffered a malware attack during the past 12 months. Phishing is still a major problem, with 38% of organizations reporting a phishing incident, while spyware infections were reported by 34% of respondents. Interestingly, when it came to the biggest threats for 2016, 80% of IT...

TigerText Launches HIPAA Compliant Secure Texting App for Desktops
Dec18

TigerText, the leading provider of secure text messaging solutions for the enterprise, has announced the launch of its latest initiative, TigerText Anywhere: A HIPAA compliant secure texting app for desktop computers. TigerText’s HIPAA compliant text message platform is already hugely successful. To date, more than 250,000 healthcare professionals have adopted the secure messaging platform. The company now counts 4 out of 5 of the largest for-profit healthcare systems in the United States among its clients. According to TigerText co-founder and CEO, Brad Brooks, “TigerText has reached the scale necessary to truly improve the quality of care our healthcare customers deliver, while at the same time reducing the costs to do so.” In fact, the potential cost savings from using the HIPAA compliant secure texting app are considerable, as Brooks explains. “By connecting electronic health records, critical alerts, real time shift data, and other essential components of patient care and productivity, we think that secure, real-time messaging could save the healthcare industry $30-$50 billion...

Adoption of Cloud Applications by the Healthcare Industry Increases Dramatically
Dec17

The healthcare industry may have been slow to start using cloud applications, but over the course of the past 12 months, healthcare cloud app adoption has increased significantly. Last year, only 8% of healthcare organizations had started using cloud apps. This year that figure has jumped to 36%.

Bitglass Report Shows Major Increase in Healthcare Cloud App Usage

While there has been a massive jump in the adoption of cloud apps by healthcare organizations, the industry is still well behind almost all other sectors. Heavy regulation and fears about the security of the cloud have held organizations back. It is a similar story for the financial sector. Uptake has been rapid over the course of the past 12 months, but with an adoption rate of just 37.5%, it is only barely above the healthcare industry. Bitglass figures show an increase of more than 71% in adoption rates across all industries, but there are big differences between regulated and unregulated industries. Last year, 15% of organizations in regulated industries were using cloud applications. This year the figure has risen to 39%....

Study Shows Only 49% of Hospitals Use 2-Factor Authentication to Improve ePHI Security
Dec13

Under HIPAA Rules, access to Protected Health Information must be strictly controlled. HIPAA-covered entities must therefore implement technical safeguards to ensure that only authorized individuals are able to gain access to data. EHRs and other software systems that are used to store or send ePHI must be protected by a minimum of a username and password, and any attempt to gain access to ePHI must be logged and periodically audited.

Improving ePHI Security with Two-Factor Authentication

Data security can be greatly enhanced by the use of two-factor authentication. Two-factor authentication requires an additional identification factor (other than a username/password combo) to be entered prior to access to ePHI being granted. Under the HIPAA Security Rule – 45 CFR § 164 – this control is strongly advisable but not mandatory; however, under the DEA’s Electronic Prescription for Controlled Substances rules, it is mandatory for 2-factor authentication to be used by all entities that e-prescribe controlled substances. Typically, the additional factor is a security question,...

Two Thirds of Healthcare Organizations Lack Confidence in Data Sharing
Dec12

A recent survey conducted by Privacy Analytics, a Canadian technology firm specializing in data masking and data de-identification technology, indicates two out of three healthcare organizations do not have complete confidence in their ability to share patient health information without placing patient privacy at risk.

HIPAA and Data Sharing

Under the HIPAA Privacy Rule, covered entities are not permitted to share Protected Health Information without prior authorization from the patient unless those data have first been de-identified – 45 CFR §164.502(d). When de-identifying data, covered entities must ensure the risk of re-identification of patients is kept to an acceptable level: the use of Expert Determination and the Safe Harbor model are suggested – 45 CFR §164.514(a)-(b). When sharing data, many HIPAA-covered entities opt for the Safe Harbor model, which requires the removal of 18 identifiers from the data prior to those data being disclosed to a third party for research studies, policy assessment, etc. Unfortunately, removing this...

HIPAA Right to Privacy Being Waived for Pharmacy Discounts
Nov30

The HIPAA right to privacy can be waived if patients agree to let healthcare providers, insurers, and other covered entities access and share their data. A number of insurers have trialed issuing subscribers with wearable devices that monitor health metrics. In exchange for agreeing to wear the devices that track heart rate, exercise levels, and other vital signs, subscribers are provided with discounts on their premiums. In such cases there is a benefit to both patient and provider. Insurance companies are able to gain a better understanding of the health of subscribers and they can adjust policies and charges accordingly. Subscribers get to monitor their health and wellness more closely and they get a financial reward. Some pharmacies have also started operating similar schemes. Instead of giving discounts on insurance premiums they give discounts on their products and prescriptions, if customers download a Smartphone app and agree to share their data. By offering discounts the pharmacies are able to secure more business. Just like reward cards, the scheme improves brand loyalty....

Major Mobile Health Application Growth Predicted
Nov29

Mobile technology has the potential to revolutionize the provision of healthcare, and it is already having a major impact on the industry. According to PwC, one of the few limiting factors is how the technology can be implemented to allow healthcare providers to obtain its full benefits. This does not appear to have hindered growth in the sector. PwC has predicted growth to increase six-fold over the course of the next two years. Growth in the sector will mostly come from the development of new mHealth applications and from monitoring services. A new report published by healthcare market research firm Kalorama Information suggests that the growth of mobile health applications will outstrip all other mobile application areas over the next four years. The Kalorama report highlights the substantial growth already seen in the mHealth market so far in 2015. Manufacturers of devices, software developers, and providers of wireless services are capitalizing on growing demand. By the end of the year, the industry is expected to have generated close to $34 billion....

Major Data Exfiltration Discovered at Muhlenberg Community Hospital
Nov17

Patient, employee, and contractor data have potentially been obtained by unknown third parties as a result of a multi-computer malware infection at Owensboro Health Muhlenberg Community Hospital, KY. According to the breach notice submitted to the Office for Civil Rights, 84,681 individuals have been affected by the cyberattack. The security breach was discovered by the FBI after unusual third party network activity was noticed on the hospital’s servers. An alert was issued on September 16, 2015, and the hospital immediately brought in external computer forensics experts to determine the cause of the activity. That investigation revealed a number of computers had been infected with a type of malware that logs all keystrokes on the affected computers. This type of malware then communicates those keystrokes to the hacker’s command and control server. All data entered on the infected computers have therefore potentially been transmitted to the hacker(s) responsible for the attack. The suspicious network activity was only recently discovered, but the investigation revealed that the...

WebTitan Gains Accreditation as Friendly Wi-Fi Approved Vendor
Nov11

WebTitan’s Wi-Fi filtering solution has been considered to be of a sufficiently suitable standard to gain accreditation in the UK’s Friendly Wi-Fi scheme. In 2013, the UK’s Prime Minister – David Cameron – announced that a commitment had been received from the UK’s main Wi-Fi vendors that their standard public Wi-Fi service will automatically filter the Internet to comply with the Internet Watch Foundation “watch list” and block access to pornography. The Friendly Wi-Fi Scheme was subsequently created in collaboration with the UK Council for Child Internet Safety (UKCCIS). The motive behind the Scheme is to prevent children and young adults from accessing inappropriate pornographic material themselves and limit accidental exposure to inappropriate material that nearby adults might be viewing in public. “Friendly Wi-Fi” accreditation is given by the Registered Digital Institute to vendors and businesses who commit to protecting minors from exposure to inappropriate web content. TitanHQ has just announced that the company’s WebTitan for Wi-Fi has been accredited by...

Over Half of IT Security Pros Do Not Believe They Will be Targeted by Hackers
Oct30

Major cyberattacks have been suffered by a number of HIPAA-covered entities this year. The frequency of cyberattacks on healthcare providers and insurers has increased. However, over half of IT security professionals do not believe their organization will become a victim of a cyberattack, according to a new report issued by the Ponemon Institute. If this belief turns out to be true, that is great news, as 61% of IT pros do not believe their organization is well prepared to deal with a cyberattack if one does occur. If they are wrong, it is very bad news indeed.

Cybersecurity Survey Produces Worrying Results

The results of the Ponemon survey are worrying. Evidence suggests cyberattacks on healthcare providers have increased, and the volume of records exposed in those attacks has spiraled this year. Unfortunately, despite the increase in attack frequency and severity, HIPAA-covered entities do not appear to be doing much to counter the threat, according to the report. IT security professionals were asked what measures they were planning to deploy over the coming 12 months, and...

Read More
Healthcare Software Security Assessed by BSIMM Study
Oct20

Healthcare Software Security Assessed by BSIMM Study

Aetna, ANDA, McKesson, The Advisory Board Company, Siemens and Zephyr Health have all been assessed as part of the latest Building Security in Maturity Model (BSIMM) study, published yesterday, with healthcare software security found to be well behind other industry sectors. This is the first time that healthcare firms have been assessed by the study, which looks at 12 different software security practices. The study assesses how enterprises build security into their software development; the healthcare industry lagged behind other industries in all 12 of the practices tested. This is the first time in the history of the study that one industry has performed so consistently poorly and has come bottom of the list in every practice tested. The main industries assessed as part of the study were healthcare, financial services, consumer electronics organizations and independent software companies, as well as a smaller number of organizations from the insurance, retail and telecoms industries. The results of the BSIMM study give organizations...

Read More
Kaspersky Labs Report Probes Security Attitudes Among BYOD Participants
Oct19

Kaspersky Labs Report Probes Security Attitudes Among BYOD Participants

The rise in popularity of mobile devices has seen many companies adopt a Bring Your Own Device (BYOD) scheme. According to a recent survey by Kaspersky Labs, over half of consumers now use their own mobiles, laptops and tablets at work under such a scheme. Because of the benefits of BYOD schemes, they have now been adopted by many HIPAA-covered entities, although the strict regulations covering data privacy and security have, to a certain extent, restricted use of the devices for work purposes more than in other, less well regulated industries. A Lack of Concern for Work Data The latest Kaspersky BYOD survey may have shown BYOD schemes have been widely adopted in the United States, but organizations operating such a scheme must effectively deal with the cybersecurity risks the schemes can introduce. While operators of the schemes may address security issues, not all organizations have fully assessed the risks posed by the devices. Furthermore, it would appear that many participants in BYOD schemes are not particularly concerned about data security. Only 10% of...

Read More
Is the Risk of Cyberattacks Really Increasing? Study Says No
Oct19

Is the Risk of Cyberattacks Really Increasing? Study Says No

The Department of Health and Human Services’ Office for Civil Rights breach portal lists all of the healthcare data breaches self-reported by HIPAA-covered entities, covering every data-exposing security incident, including hacks. A look at the headlines would suggest hackers are gaining access to patient data with increasing regularity, as malicious attacks on healthcare networks are widely reported in the media. When hacking incidents do occur, they tend to be headline news as they often involve the exposure of vast quantities of data. So far in 2015, multi-million-record data breaches have been suffered by a number of healthcare providers, health plans and Business Associates of covered entities, but is the risk of cyberattacks actually increasing? A recent study conducted by the University of New Mexico’s Department of Computer Science suggests that despite a number of major healthcare cybersecurity breaches being reported in 2014 and 2015, the risk of cyberattacks occurring has actually changed very little over the past decade, and that we are perhaps not actually in as...

Read More
Android Smartphone Security Continues to Cause Concern
Oct17

Android Smartphone Security Continues to Cause Concern

How Secure is an Android Smartphone? Android Smartphone security continues to cause concern, even after Google’s decision to start issuing monthly security updates for the Android platform. Fears about Android device security were not alleviated by a new University of Cambridge (UK) study (partially funded by Google) which suggests that despite the new monthly security updates, 87.7% of Android Smartphones contain at least one critical security vulnerability. Study Confirms Serious Android Smartphone Security Issues The study involved researchers collecting version numbers and build numbers of over 20,400 devices, via the Device Analyzer App available through Google Play Store. Each phone was also tested against 13 known “critical” security vulnerabilities. The study looked at different Android mobile phone manufacturers and assessed the security of the devices, revealing there are considerable differences in the degree of protection offered to users. Each manufacturer was assigned a security score by the research team, the calculation of which involved an analysis of a number of...

Read More
How to Spot a Phishing Email
Oct14

How to Spot a Phishing Email

October is National Cyber Security Awareness Month, a time of the year when events are organized and new initiatives are launched to increase cybersecurity awareness and highlight the risk of cyberattacks, computer fraud, phishing campaigns and other data security and privacy issues. When President Obama declared October National Cyber Security Awareness Month, his aim was to increase the resiliency of the nation in the event of a cyber incident, and great strides have already been made toward that goal. The Cybersecurity Threat is Greater Than Ever Before Unfortunately for healthcare providers, cybercriminals are now upping their game. They are developing ever more sophisticated methods of attack in an effort to gain access to healthcare data. The risk of cyberattack is greater than ever, and all healthcare providers must now invest heavily in defenses to protect their computer equipment and systems from the onslaught of attacks. One of the commonest methods used by cybercriminals to gain access to healthcare networks is phishing. The perpetrators of...

Read More
2016 Global State of Cybersecurity Study Released
Oct13

2016 Global State of Cybersecurity Study Released

The threat landscape is ever changing and the risk of cyberattacks has grown enormously in recent years; however, organizations have responded to the increased threat level by implementing a range of new cybersecurity defenses to keep networks and data secure, according to a recent report on the global state of cybersecurity. Cloud-enabled cybersecurity defenses have been deployed, advanced authentication software installed, and big data analytics are increasingly common. As a result, cybersecurity risks are, in many cases, being effectively managed. One of the main advances has been the use of cybersecurity intelligence, which allows insights to be gained into the biggest security threats. This has allowed IT security professionals to manage risks more effectively and allocate resources to deal with the biggest threats. We are now also seeing organizations adopt a more collaborative approach to data security, with greater sharing of intel between corporations to deal with a common threat. Global State of Cybersecurity Assessed by PwC The new PricewaterhouseCoopers (PwC)...

Read More
Physicians Choose Secure Texts to Engage Patients
Oct10

Physicians Choose Secure Texts to Engage Patients

In today’s healthcare environment it is essential to involve patients more in their own healthcare and greater efforts must be made to engage patients. Physicians are now expected to achieve more during patient consultations, yet the cost of healthcare provision must also be decreased. There are numerous ways this can be achieved. Pre-visit check-ins can be performed, patients can be enrolled in remote health monitoring programs, and offered telehealth services. More online visits should also be conducted. However, the Health Insurance Portability and Accountability Act, specifically the Security Rule, poses problems for physicians looking to improve care and engage patients in their own healthcare. The Security Rule places a number of requirements on HIPAA covered entities to ensure that patients’ Protected Health Information (PHI) is protected at all times. Any healthcare provider wishing to take advantage of the wealth of new technology now available must ensure that efforts are made to keep private data secure. If insecure communication channels are used to communicate with...

Read More
CMS Finalizes Meaningful Use Rules
Oct08

CMS Finalizes Meaningful Use Rules

The Centers for Medicare & Medicaid Services (CMS) has released the final rule modifying Meaningful Use Program requirements (2015-2017) and postponing mandatory adoption of Meaningful Use Stage 3 requirements. The changes simplify the Meaningful Use requirements for eligible hospitals and healthcare professionals. The changes have taken some time to be finalized. Following on from the interim rule, comments were requested from the general public. Over 2,500 comments were received and reviewed, many of which highlighted the considerable reporting burden placed on healthcare professionals and hospitals participating in the Meaningful Use program. After considering the comments, modifications were made to simplify Stage 3 requirements and add more flexibility to the program, which should ease the reporting burden. Changes were also made to support interoperability and improve outcomes. Dr. Patrick Conway, M.D., M.Sc., CMS deputy administrator for innovation and quality and chief medical officer, said “We have a shared goal of electronic health records helping...

Read More
ONC Releases Final 10-Year Interoperability Roadmap
Oct08

ONC Releases Final 10-Year Interoperability Roadmap

On Tuesday this week, the Office of the National Coordinator for Health IT released the long-awaited final 10-Year Interoperability Roadmap. Following the release of the draft version of the roadmap in January 2015, the ONC sought comments from stakeholders. Over 250 comments were received, which were used to fine-tune the roadmap ahead of the release of the final version. The final Nationwide Interoperability Roadmap explains the ONC’s 10-year vision for an interoperable health IT infrastructure, stipulating the steps which must be followed if the ONC’s goal of an interoperable health IT system is to be achieved over the next 10 years. The ONC’s vision is to create a health IT environment that “makes the right data available to the right people at the right time across products and organizations in a way that can be relied upon and meaningfully used by recipients.” National Coordinator for Health IT, Karen DeSalvo, says one of the main aims of the roadmap was to focus on methods that can be used “to align incentives, develop an appropriate governance structure and implement...

Read More
OCR Web Portal for Mobile Health App Developers Launched
Oct06

OCR Web Portal for Mobile Health App Developers Launched

The Department of Health and Human Services’ Office for Civil Rights has launched a new web portal for mobile health app developers. The portal will allow application developers to get answers to the burning questions they have about HIPAA Rules and compliance requirements. The new portal is intended to encourage application developers, in particular mobile app developers, to submit comments and questions regarding HIPAA. In a recent email bulletin following the launch, the OCR explained the sort of questions it hopes will be asked. “We are asking stakeholders to provide input on the following issues: What topics should we address in guidance? What current provisions leave you scratching your heads? How should this guidance look in order to make it more understandable, more accessible?” The information gathered via the portal will also help the OCR develop future guidance covering mobile health apps. New mHealth Guidance has been a Long Time Coming The Health Insurance Portability and Accountability Act was first introduced in 1996, many years before the first Smartphones...

Read More
7th Annual mHealth Summit to Focus on Mobile Solutions for Health and Wellness
Oct05

7th Annual mHealth Summit to Focus on Mobile Solutions for Health and Wellness

The 7th Annual mHealth Summit is fast approaching. This year, the 4-day conference will be bigger and better than ever before, exploring the impact mobile health, telehealth and connected health are having on healthcare delivery, clinical care management and patient/consumer engagement. The event will also focus on how mobile solutions for health and wellness can improve the delivery of healthcare and patient outcomes. This year the event will take a slightly different format, including the new HIMSS Connected Health Conference, which has been billed as an “all-inclusive event highlighting how technology is enabling the transformation of healthcare delivery.” It promises to be the most comprehensive event in its seven-year history, incorporating industry-leading keynote presentations covering mHealth, mobile apps, wearable technology, interoperability, the Internet of Things, as well as the usual presentations to assist HIPAA-covered entities achieve and maintain compliance. The event offers attendees the opportunity to network, discuss new ideas, and learn about the latest...

Read More
How to Respond to a Healthcare Data Breach
Oct02

How to Respond to a Healthcare Data Breach

HIPAA-covered entities that have spent time developing and testing a health data breach response plan will be able to respond more quickly to a suspected data breach and execute an efficient HIPAA breach response. Those that have not invested time and effort into planning are likely to struggle to react quickly, and delays can prove costly. As the Ponemon Institute’s 2017 Cost of a Data Breach study showed, having a health data breach response plan helps organizations to execute an efficient HIPAA breach response. The faster the response, the easier it will be to contain the breach quickly and limit the harm caused. Organizations that are able to respond to a data breach quickly end up paying less in breach resolution costs. The cost of a data breach increases the longer it takes to respond and deal with the breach. Cyberattacks and Data Breaches Are Inevitable With hackers targeting healthcare providers for the protected health information (PHI) they hold, data breaches are no longer a probability but an inevitability. In fact, it is now highly likely that healthcare providers,...

Read More
How Secure are Your Medical Devices?
Oct02

How Secure are Your Medical Devices?

How secure are medical devices? According to a data security study presented at the recent DerbyCon Security Conference, not very, it would appear. Not only can hackers gain access to MRIs, drug infusion pumps, X-ray machines and other radiology and medical equipment, but a couple of patients have discovered they can access their own drug pumps and increase their morphine dosage. In some cases it doesn’t take much technical skill at all to gain access to medical devices. A quick search on the internet can reveal the default login credentials for machines from many manufacturers. Of course, anyone looking to gain access to a medical device, and potentially the network it is connected to, would need to know where to look. That is not a difficult task, according to the researchers. The search engine Shodan lists thousands of networked medical devices, and even gives the names of the devices, what they do, where they are located (which hospital and where exactly in that hospital) and, in some cases, even the doctors who are assigned to use the equipment. The latter is worrying, as...

Read More
HealthCare.gov Security Vulnerability Critical, Says OIG
Sep30

HealthCare.gov Security Vulnerability Critical, Says OIG

A “critical” HealthCare.gov security vulnerability has been discovered which could potentially be exploited by hackers looking to gain access to highly confidential data, according to the Department of Health and Human Services’ Office of the Inspector General. The government’s team of ethical hackers were let loose on the HealthCare.gov website, and discovered a critical weakness in its otherwise robust security features. The team used standard techniques known as vulnerability scanning, which simulate an attack by malicious outsiders. The scans therefore assessed security vulnerabilities that could realistically be exploited by external hackers. The team of “white hat” hackers discovered the vulnerability, although they were not able to exploit it to gain access to data due to a range of other security defenses installed to safeguard stored data. The HealthCare.gov website is the gateway to taxpayer-subsidized health plans and is used by 36 states, with those health plans subscribed to by millions of Americans. The data potentially accessible through the site is extensive. The...

Read More
McAfee Study Investigates How Hackers Exfiltrate Data
Sep24

McAfee Study Investigates How Hackers Exfiltrate Data

A new data exfiltration study has been released by McAfee, which examines the actors and tactics used by criminals to obtain Protected Health Information and other sensitive data, in addition to the detection and preventative measures companies use to thwart cyberattacks and data theft. The report details the commonest methods used by hackers to get data out of systems once access has been gained. Most cybersecurity reports focus instead on how hackers manage to gain access to computer systems; McAfee has concentrated on the little-studied area of data exfiltration. Participants in the study were interviewed by the company’s researchers and asked about their main security concerns, the threats they face on a day-to-day basis and the tools used to identify data exfiltration, as well as being asked to provide details of how data were actually exfiltrated. The results of the study provide IT professionals around the world with valuable intel, which can be used to determine the most important measures to address security risks and prevent data theft and...

Read More
Glidewell Laboratories Reports Breach of Employee Data
Sep23

Glidewell Laboratories Reports Breach of Employee Data

An unauthorized individual has been discovered to have stolen the personal information of a number of employees of James R. Glidewell, Dental Ceramics, Inc., according to a breach notice submitted to the California Department of Justice. The breach notice does not specifically mention whether the security breach was the work of a malicious insider or outsider, although the breach notice hints that the breach was caused by a former Glidewell employee. Glidewell has told employees “we are continuing to explore all available means of legal recourse and plan to pursue civil and/or injunctive relief, as may be appropriate.” Upon discovery of the data breach, law enforcement agencies were notified and Glidewell enlisted the help of external data security experts to conduct an internal forensic investigation. The investigations into the data theft are continuing. Patient data were not exposed in the incident, although confidential data of employees have been stolen. The information that has been compromised includes employee names, addresses, financial account information related to...

Read More
Microsoft Issues Warning over Effectiveness of EHR Data Encryption
Sep08

Microsoft Issues Warning over Effectiveness of EHR Data Encryption

Researchers at Microsoft have recently published a paper questioning the effectiveness of EHR data encryption. A warning has been issued to healthcare providers about security weaknesses in some electronic medical record systems, which have been shown to leak information even when the data are encrypted. The results of the study are due to be presented at the ACM Conference on Computer and Communications Security next month, although the research paper can be viewed now, ahead of the ACM presentation. During the study, Microsoft researchers successfully recovered patient data including names, race, age, hospital admission information and other fields from the encrypted records. The paper describes four methods that can be used by attackers to recover the Protected Health Information of patients. The researchers were so concerned about the high risk of data exposure that they deemed it necessary to warn healthcare providers and other HIPAA-covered entities using CryptDB-based protections. They were told in no uncertain terms to...
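The leakage behind that warning comes from property-preserving encryption. CryptDB-style deterministic (DET) columns keep equal plaintexts as equal ciphertexts so the database can still evaluate equality predicates, and order-preserving (OPE) columns keep the sort order so it can still run range queries; an attacker who obtains the encrypted table never needs the key, only the property. The Python below is an added example, not code from the Microsoft paper or from CryptDB, showing two of the attack classes used in this line of research: frequency analysis against a DET column using public statistics, and a sorting attack against an OPE column that is dense over a known domain. The toy DET and OPE constructions, the admission_type and age columns and all patient rows are constructed for illustration.

```python
"""Inference attacks on property-preserving encrypted columns (added example).

Not the Microsoft paper's code or CryptDB's: toy DET and OPE constructions
stand in for the real schemes, since the attacks rely only on the property
(equality or order) each scheme preserves, never on its internals.
All patient data below is constructed for illustration.
"""
import hashlib
import hmac
import os
import random
from collections import Counter

COLUMN_KEY = os.urandom(32)  # per-column key held by the client-side proxy


def det_encrypt(value: str, key: bytes = COLUMN_KEY) -> str:
    """Toy deterministic encryption: a keyed PRF of the plaintext.

    Equal plaintexts give equal ciphertexts, which is what lets the server
    answer WHERE admission_type = ? and exactly what the attack exploits.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def frequency_attack(ciphertexts, auxiliary):
    """Match ciphertexts to plaintexts by frequency rank.

    auxiliary: attacker's public estimate of each plaintext's share
    (census tables, published discharge statistics, an older leaked dump).
    """
    ct_by_rank = [ct for ct, _ in Counter(ciphertexts).most_common()]
    pt_by_rank = sorted(auxiliary, key=auxiliary.get, reverse=True)
    return dict(zip(ct_by_rank, pt_by_rank))


def make_ope_table(domain):
    """Toy order-preserving encryption: a secret monotone map to random ints."""
    points = sorted(random.sample(range(1, 2**31), len(domain)))
    return dict(zip(sorted(domain), points))


def sorting_attack(ciphertexts, domain):
    """Recover an OPE column that is dense over a known domain.

    If every domain value occurs at least once, the i-th smallest distinct
    ciphertext must encrypt the i-th smallest domain value.
    """
    distinct = sorted(set(ciphertexts))
    if len(distinct) != len(domain):
        raise ValueError("column is not dense over the domain; sorting attack is not exact")
    return dict(zip(distinct, sorted(domain)))


def recovery_rate(guess, ciphertexts, plaintexts):
    """Fraction of rows the attacker decrypts correctly without the key."""
    hits = sum(1 for ct, pt in zip(ciphertexts, plaintexts) if guess.get(ct) == pt)
    return hits / len(plaintexts)


# Constructed 1,000-row admission_type column (true shares known only to the DB owner).
TRUE_SHARES = {"Emergency": 0.55, "Elective": 0.30, "Urgent": 0.10, "Newborn": 0.05}
ADMISSION_PT = [c for c, s in TRUE_SHARES.items() for _ in range(int(s * 1000))]
ADMISSION_CT = [det_encrypt(v) for v in ADMISSION_PT]
# Attacker's public statistics: imprecise, but the same ranking is all that is needed.
PUBLIC_SHARES = {"Emergency": 0.50, "Elective": 0.33, "Urgent": 0.12, "Newborn": 0.05}

# Constructed age column: every age 0..89 appears at least once, i.e. dense over the domain.
AGE_DOMAIN = list(range(90))
AGE_PT = AGE_DOMAIN * 3 + [random.randint(0, 89) for _ in range(500)]
_OPE = make_ope_table(AGE_DOMAIN)
AGE_CT = [_OPE[a] for a in AGE_PT]


def run_frequency_demo() -> float:
    return recovery_rate(frequency_attack(ADMISSION_CT, PUBLIC_SHARES), ADMISSION_CT, ADMISSION_PT)


def run_sorting_demo() -> float:
    return recovery_rate(sorting_attack(AGE_CT, AGE_DOMAIN), AGE_CT, AGE_PT)


if __name__ == "__main__":
    print(f"DET admission_type rows recovered: {run_frequency_demo():.0%}")
    print(f"OPE age rows recovered:            {run_sorting_demo():.0%}")
```

Both demos recover every row, because the attacker's side information only has to get the ranking right, not the exact shares. The mitigation is not a stronger DET or OPE scheme but not exposing the property at all: randomized encryption (or an encrypted column that is only ever filtered client-side) removes the equality and order leakage at the cost of server-side querying.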

Read More
Healthcare Workers Risk Data Exposure from Smartphone Gambling Apps
Sep07

Healthcare Workers Risk Data Exposure from Smartphone Gambling Apps

Healthcare providers and other HIPAA-covered entities operating Bring Your Own Device (BYOD) schemes will be aware that the use of mobile devices carries risks; however, a recent study has highlighted just how risky unauthorized apps can be, with employees’ use of Smartphone gambling apps deemed to be especially risky. If healthcare workers are allowed to use their own personal devices for work purposes, policies must be put in place covering the permitted use of apps on the device. Apps must be assessed, and employees informed of the applications which can be used securely on the devices. While an app may never be used for work purposes, if it is installed on a device, security vulnerabilities in that app could potentially be exploited by hackers. An app could therefore be used to gain access to the data stored on the device, or to the computer network that the device connects to. New Study Highlights Data Security Risk from Gambling Apps A recent study conducted by the security company Veracode suggests that the average-sized company has at least one gambling app being used...

Read More
Data Security Report Shows Main Points of Cyberattack by Industry Sector
Sep03

Data Security Report Shows Main Points of Cyberattack by Industry Sector

SurfWatch, a leading provider of cyber risk intelligence analytics and applications, recently released a mid-year cyber risk intelligence report detailing the most common methods used by hackers to gain access to confidential patient and business data, including the main points of cyberattack by industry sector. The company discovered that despite a number of highly sophisticated attacks on healthcare providers in recent months, the majority of hackers are still using the same tried and tested methods to break through security defenses as they have for years. The most common points of attack are poorly secured websites and applications, patient and customer accounts, and endpoints, which account for 77% of all cyberattacks evaluated by SurfWatch analysts. The main aim of the SurfWatch Labs 2015 Mid-Year Report was to identify the most effective ways organizations can reduce the risk of suffering cyberattacks. Big money is being diverted to improve cybersecurity defenses and to protect against hackers; however it is important that organizations look closely at all potential attack...

Read More
Have You Mitigated Your Mobile Device Security Risks?
Sep03

Have You Mitigated Your Mobile Device Security Risks?

Mobile devices have the potential to improve efficiency in the healthcare industry, which in turn leads to increased productivity of the workforce and a reduction in operational costs. However, tablets, Smartphones, laptops and other portable networked devices also introduce new security risks, and can potentially give hackers an easy entry point into a healthcare network. Unfortunately, banning the use of mobile devices in the workplace is no longer a feasible option. The only choice for healthcare providers and other HIPAA covered entities is to leverage the benefits of the devices while mitigating the risks they pose, as far as is practical and possible. Mobile Devices Carry a High Risk of PHI Exposure Mobile devices carry a high risk of accidental PHI exposure. The devices can be used to connect to healthcare networks and view PHI in many cases, and data can also be stored on the devices; however, since they are portable, they are also easily lost or stolen. They can also be used to connect to healthcare networks via insecure public Wi-Fi, and apps are often downloaded to...

Read More
4 out of 5 Healthcare Providers Have Been Hacked, Say KPMG
Aug30

4 out of 5 Healthcare Providers Have Been Hacked, Say KPMG

The healthcare industry is under attack. Hackers are targeting healthcare providers, insurers and other HIPAA-covered entities for the precious data they hold, yet health firms are still unprepared to deal with the threat. The seriousness of the situation has been illustrated in a recent cybersecurity report from KPMG. The company commissioned a survey (conducted by Forbes Insights) which shows that 81% of health firms have suffered a cyberattack in the past two years, but only 53% of providers and 66% of payers consider themselves ready to defend against a cyberattack. The survey was conducted among CIOs, CTOs and Chief Compliance Officers in healthcare organizations with revenues in excess of $500 million per annum, and assessed the cybersecurity measures of healthcare providers and insurers via a questionnaire. The report shows that in spite of the increased threat to data security, healthcare organizations are ill prepared for an attack. A quarter of respondents said their organizations were not able to detect cyberattacks in real time, as they lack the necessary software systems to do so....

Read More
Secure Texting Can Help Patients with Insulin Management Says New Study
Aug30

Secure Texting Can Help Patients with Insulin Management Says New Study

Secure text messaging has been shown to help patients manage their dosage of insulin, according to a recent study published in the Journal of Medical Internet Research. The study was conducted by researchers at Bellevue Hospital in New York City with the aim of assisting patients with insulin dosing, with a primary focus on assisting low-income individuals. 61 participants consented to take part in the Mobile Insulin Titration Intervention Diabetes Program. 33 patients were sent daily reminders to check their blood glucose levels and sent their readings to the hospital via text message. Because the readings went to the hospital, nurses were able to monitor blood glucose levels remotely: if the readings were too low or too high, patients had their insulin dosage altered accordingly. The control group, consisting of the other 27 participants, received standard care and titrated their insulin at home during visits from remote healthcare workers. The results of the study clearly show the benefits of Bellevue’s diabetes program: 88% of participants were able to get...

Read More
Mobile Devices Biggest Enterprise Cybersecurity Vulnerability
Aug24

Mobile Devices Biggest Enterprise Cybersecurity Vulnerability

A news release issued by Check Point Software suggests mobile devices now represent the weakest link in the security chain; a potential problem for healthcare organizations operating a BYOD scheme. Mobile devices are now viewed as one of the easiest entry points into an otherwise protected computer network and are the biggest enterprise cybersecurity vulnerability, according to the report. Large healthcare providers should take note, as they are likely to be particularly vulnerable to attack purely because of the number of mobile devices they have in operation. According to Check Point researchers, organizations allowing 2,000 or more mobile devices to connect to the network have a 50% chance of at least six devices being infected or having been targeted by cybercriminals. 72% of IT professionals agreed that for the coming year the top security challenge is securing corporate information; however, in close second place (67%) was dealing with personal device security. Securing, storing and segregating personal and corporate data on mobile devices is a major challenge. Key...

Read More
New Android Smartphone Data Security Warnings Issued
Aug12

New Android Smartphone Data Security Warnings Issued

New Android Smartphone data security warnings have been issued, alerting users to new security flaws in the software which could potentially allow hackers to gain control of the devices. The Android security flaw discovered by IBM’s X-Force Application Security Research Team could affect 55% of Android phone owners, while Check Point’s discovery could similarly affect millions. These announcements come after Samsung, Google and LG stated they will now be providing monthly security updates for Android devices, including a fix for the Stagefright vulnerability. Unfortunately, Android devices often include additional software installed by the device manufacturer, a problem Apple and Blackberry do not share: both companies develop their own hardware and software, so they can roll out security updates much more quickly. On the Android platform, a fix published by Google still has to be integrated and shipped by each manufacturer (and often each carrier), so security updates typically reach devices more slowly, if at all. ‘Certifi-gate’ Vulnerability Reported Android Smartphone data security warnings are now being issued with increasing frequency. The...

Read More
SpamTitan Technologies Undergoes Rebranding Exercise – Emerges as TitanHQ
Aug11

SpamTitan Technologies Undergoes Rebranding Exercise – Emerges as TitanHQ

From today, SpamTitan Technologies – one of the world’s leading providers of email and web security solutions – will be known as TitanHQ. To support its continued evolution as a provider of email and web security solutions, SpamTitan Technologies has rebranded as TitanHQ. The company has seen substantial growth over the past five years due to the release of new products, the introduction of cloud security services and relationships with partners throughout the world. As the company continues to grow, its leadership has decided on the rebranding as part of its future plans. TitanHQ’s CEO – Ronan Kavanagh – said “As our customers’ needs have evolved so too has our product suite. We have added great new products and product brands such as SpamTitan, WebTitan and ArcTitan. The company continues to respond to consumer demand and this rebrand is part of this response. We now feel it is right to incorporate all of our great products under one umbrella brand which will allow us to communicate one core message through one central platform to our customers”....

Read More
Hospital Drug Pump Hacking Risk Discovered
Aug06

Hospital Drug Pump Hacking Risk Discovered

In addition to having to deal with the threat to electronic health records from hackers, hospitals must also be wary of attacks on their medical devices, as evidenced by a new Food and Drug Administration (FDA) warning over a drug pump hacking risk that exists with Hospira’s Symbiq drug pump. Symbiq Drug Pump Hacking Risk Warning Issued by FDA Only a few days ago, two hackers demonstrated it was possible to break into the onboard computers of Fiat Chrysler automobiles and take control of the vehicle; now patients plugged into the Symbiq drug pump could potentially be at the mercy of malicious hackers. Such is the severity of the Symbiq drug pump hacking risk that on Friday last week the FDA issued a warning to all hospitals using the device, instructing them to retire the devices and make the transition to other, more secure drug infusion pumps. In the meantime the FDA recommended that healthcare providers should “disconnect the pumps from their networks and update their drug libraries manually.” Since the vulnerability can be exploited via unused ports on the devices, the FDA...

Read More
Hackers Stole Anthem Data for Espionage; Not Fraud
Aug03

The colossal data breach suffered by Anthem Inc. appears to have occurred for reasons related to espionage, not financial gain, according to Symantec. Hackers often break into healthcare databases to steal patient health data and Social Security numbers, which have a high value on the black market. The data can be used to commit identity fraud, file false tax returns, and obtain credit in the names of victims; but that is not the only way the data can be used. Human intelligence (HUMINT) has the potential to be much more valuable. The Anthem cybersecurity attack has been linked to a group of hackers operating under the name of Black Vine. Black Vine hackers are well funded, operate out of China, and are understood to have ties to the Chinese government, although this is understandably denied by Beijing. The group has previously been linked to major security incidents throughout the U.S., conducted against aviation companies, gas turbine manufacturers, military installations, the financial sector, and some healthcare organizations. Black Vine is not known to engage in cybercrime for financial...

HIPAA Survey Shows Compliance Assessments Can Increase Business
Jul27

A recent series of customer polls conducted by RapidFire Tools Inc., a leading provider of HIPAA-compliance assessment tools, showed that Managed Service Providers (MSPs) are using compliance assessments to engage prospects and increase business. Furthermore, those assessments are now proving more effective at increasing business and winning new contracts than in previous years. The polls were conducted on MSP customers using RapidFire’s Network Detective HIPAA Compliance Module. The results clearly show that compliance assessments are allowing MSPs to capture new clients and create new projects, as well as being instrumental in obtaining extended service agreements. MSPs were asked about instances where they have been able to use the compliance assessment tools to justify the services being provided to clients. Respondents explained that the compliance assessments enabled them to show that the protections currently in place to safeguard Protected Health Information were far inferior to those being offered. The recent spate of successful hacks on healthcare providers’ servers and...

NCCoE Cybersecurity Practice Guide for Mobile Devices Released: Comments Requested
Jul26

The use of smartphones and other portable devices in healthcare is growing and the federal government is concerned. The devices carry a high risk of causing a data breach, and the feds are concerned that physicians and other healthcare workers may accidentally expose patient data, or worse still, give hackers an entry point into hospital EHRs. Medical identity theft costs billions of dollars every year, and patients’ privacy is being violated on an almost daily basis. Hackers are targeting healthcare organizations, thieves are looking for portable devices to steal, and malicious insiders are copying data from EHRs; however, smartphones have the potential to cause even more data breaches. The reason? The data security and privacy protections used to safeguard data stored on the devices are often inadequate.

NCCoE Takes Steps to Protect Mobile Healthcare Devices

The National Cybersecurity Center of Excellence (NCCoE) was formed by the National Institute of Standards and Technology (NIST), the state of Maryland, and Montgomery County, Md. in 2012, and during the past three years...

Four Unpatched Internet Explorer Vulnerabilities Announced
Jul24

Four “new” Internet Explorer vulnerabilities have been announced this week. The announcement did not come from Microsoft; security researchers revealed the flaws because Microsoft has been too slow to address the issue. A patch has still not been released to address the security flaws even though Microsoft was made aware of the problems more than seven months ago. The announcement came via Hewlett-Packard’s Zero Day Initiative (ZDI) program, which pays security professionals to identify software flaws that could potentially be used by hackers to gain access to computers, or infect them with malware. The ZDI team announces security flaws that have not been addressed by software developers within a reasonable time-frame: 120 days from the date of discovery of a vulnerability. Since this time-frame has been exceeded, ZDI researchers have now released limited details of the issues to the public. The ZDI team only issues partial information on the location and nature of the security flaws, and does not disclose information that would tip off hackers and allow them to take...

American Hospital Association Opposes HIPAA HPID Use
Jul24

Earlier this week, the Vice President and Deputy Director of the American Hospital Association (AHA) sent a letter to the Centers for Medicare & Medicaid Services (CMMS) expressing concern over the implementation of Health Plan Identification numbers (HPIDs) and Other Entity Identifiers (OEIDs).

HPID Use and HIPAA

When HIPAA was introduced, it required national identification numbers to be used by healthcare providers, health plans and individuals. A national ID number was introduced in 2004, although the IDs were only for providers, not individuals. In September 2012, the HPID proposed rule was published, although it took until November 2014 before the rule was finalized. HPIDs and OEIDs will be required for HIPAA transactions from Nov 7, 2016. It is not a requirement for health plans to be identified in HIPAA transactions, but if they are, from Nov 7 next year an HPID must be used.

AHA States Opposition to HPID Use in HIPAA Transactions

The letter, sent from Ashley Thompson to Andy Slavitt, the acting administrator for CMMS, stated the AHA’s opposition to...

New HIPAA Compliance Tool Released for Small Dental Practices
Jul24

Achieving compliance with the HIPAA Privacy and Security Rules can be a challenge for all organizations, regardless of size; however, smaller healthcare providers tend to have more problems. Budgets tend to be more restrictive, and a lack of suitable staff means progress is slow. This was clear from the results of the pilot round of HHS compliance audits. Regulatory bodies such as the Department of Health and Human Services’ Office for Civil Rights (OCR), state comptrollers, and attorneys general investigate data breaches for HIPAA violations, and periodic audits are conducted to assess compliance. The next round of OCR HIPAA compliance audits will assess how well organizations have implemented the requirements laid down in the Privacy Rule, Security Rule and Breach Notification Rule. Healthcare organizations, health plans, healthcare clearinghouses – and business associates of the above – will have their compliance efforts put to the test. The audits will be conducted on large healthcare providers, multiple hospital systems, the nation’s largest health insurers;...

The Healthcare Cybersecurity Challenge: How to Keep ePHI Secure
Jul20

The healthcare industry faces many challenges, but perhaps one of the biggest at present is how to keep the electronic protected health information of patients secure. Hackers are targeting healthcare providers for the data they hold, HIPAA-covered entities large and small are under attack, and the volume of cyberattacks is increasing at an incredible rate. New malware is evolving fast, employees are stealing data more frequently and, worse still, the threat landscape is ever changing.

The Workgroup for Electronic Data Interchange (WEDI) Offers Assistance

The Workgroup for Electronic Data Interchange (WEDI) is a not-for-profit organization and a leading authority on healthcare IT security. One of the main aims of the organization is to help healthcare providers improve the quality of care provided to patients, while introducing efficiencies to drive down costs. One of the ways it achieves this objective is by offering guidance on improvements that can be made to healthcare information exchanges. The organization was formed nearly 25 years ago by the Secretary of Health and Human...

Survey Shows U.S Companies Are Saying Bye Bye to BYOD
Jul17

Bring Your Own Device (BYOD) schemes have proved popular in the healthcare industry. Physicians, nurses and other healthcare workers have petitioned healthcare providers to allow the use of personal smartphones, tablets and laptops at work, and many have given in and introduced BYOD schemes.

The Benefits of BYOD

Financial constraints often hinder the uptake of new technology, and BYOD offers a cheap and convenient solution. The benefits of smartphones and tablets can be gained without the cost of having to purchase, maintain – and replace every 2-3 years – mobile devices for all physicians, nurses, and care providers. Uptake was rapid in many industries, although slower in healthcare due to the heavy regulations covering data privacy and security. Over the past five years, more and more healthcare providers have started to embrace BYOD and are now enjoying the benefits, as are the physicians, nurses and other healthcare workers opting into the scheme.

BYOD Security Risks

Personal devices can be used in a healthcare setting, although not...

Healthcare Big Data: Privacy and Security Workgroup Gives Preliminary Report
Jul16

Big data has considerable potential to improve the quality of care provided to patients, and even to improve patient outcomes; however, there are risks. Privacy advocates worry that the disclosure of health data together with personally identifiable information could result in the data being used for discriminatory purposes, or could otherwise cause patients to be harmed. Analysts predict that big data can, and will, be used to reduce the cost of healthcare delivery; however, first the issue of patient privacy needs to be resolved. Big data, no matter how useful for the advancement of medical science, can only be used if patients’ right to privacy is assured. The potential benefits for healthcare are too valuable to ignore; however, deciding on the allowable uses of data while preserving patients’ right to privacy is a difficult task. It is a problem the White House is trying to address, and it has turned to stakeholders for help.

How to Leverage Big Data While Protecting Patients’ Privacy Rights

President Obama requested assistance from the Department of Health and...

2015 Biannual Healthcare Data Breach Report Released
Jul15

The healthcare industry had a particularly torrid time last month, with 18 data breaches reported to the OCR exposing 1,455,863 records, the bulk of which came from the CareFirst data breach. This month the number of data breaches reported has increased to 21, although the number of new victims created was much lower, with 159,231 individuals affected. An analysis of the data breach reports for the past three years shows that little has changed since 2014, “the year of the data breach,” at least not for the better. Fewer data breaches have been reported in 2015 than in 2014, 122 compared to 131, up until the end of June. However, measure the year in the number of victims created and 2015 is on an entirely different scale. 89,439,761 new data breach victims have been created so far this year, compared to 12,503,190 last year and 851,433 in 2013. Many of this year’s victims are now data breach veterans, having had their data exposed by their insurer and their healthcare provider.

Biannual Data Breach Report

2014 saw a big rise in the number of reported data breaches, and this year...

Two More Flash Vulnerabilities Discovered: Calls for Software to be Retired
Jul14

A useful and valuable software platform, or a collection of security holes held together with code? Opinion is divided on the usefulness of Adobe Flash when hackers can apparently exploit its vulnerabilities with ease. Some are calling for Adobe Flash to be consigned to the annals of history after five security flaws were recently discovered: flaws that are already being used by hackers to gain access to computers and data. Three zero-day vulnerabilities had already been discovered this year, including one just a few days ago. Now a further two zero-day vulnerabilities have been identified. The latest two are arguably the most serious; one of them allows hackers to use the Adobe Flash security flaw to take full control of a computer.

Patches Not Yet Developed to Address Latest Adobe Flash Security Vulnerabilities

The flaws were uncovered as a result of the recent data breach at Hacking Team, and have been identified as CVE-2015-5122 and CVE-2015-5123. They affect Adobe Flash running on Windows, OS X and Linux systems. The new bugs are similar to the security...

Study Highlights Importance of Conducting Regular Malware Scans
Jul13

Concentrating resources on improving protections for computer networks will make it harder for hackers to gain access to protected data; however, according to a report from Vectra Networks, there is a high probability that hackers are already inside. In a recent security test, all computer networks analyzed showed some evidence of a targeted intrusion having already taken place. Vectra analyzed the computer networks and endpoint devices of 40 enterprises, and each network was found to include some indicators of a targeted attack, regardless of the size of the network. Over a quarter of a million devices were analyzed by the network security company as part of the study.

Stages of a Malware Attack

Infection

The first stage involves infection of a PC or other device, using a targeted attack such as a spear phishing campaign, or a more random means of spreading the malware: infecting websites, for example. Once code has been downloaded onto a target machine, hackers can start to make changes to the system.

Command and Control

The first phase of the attack proper occurs when a foothold in a...

2015 Most Wired Benchmarking Survey Reveals Data Security is Main Focus for Hospitals
Jul12

Each year the American Hospital Association (AHA) assesses the state of health IT by conducting a survey of U.S. hospitals. This week the results of the 17th annual Healthcare’s ‘Most Wired’ Survey were published. The survey data show hospitals are serious about data security, with theft prevention and breach detection at the top of many hospitals’ priority lists for the year. After analysis of the responses, the “Most Wired” hospitals, those that had reached the required standard of health IT planning and implementation, were crowned winners. 338 hospitals qualified for consideration, with the results announced and published in the July issue of Hospitals & Health Networks magazine.

Healthcare’s ‘Most Wired’ Survey

The benchmarking survey measures the pace of information technology adoption in the healthcare industry, and examines how IT is being leveraged to improve quality and safety, business and administrative management processes, as well as clinical integration and interoperability. The VMware-sponsored survey was conducted in partnership...

Malware as a Service Being Offered to Criminals on Darknet
Jul09

You can choose a cloud platform-as-a-service or software-as-a-service; however, for the criminally minded, it is also possible to purchase malware-as-a-service. Cybercriminals are now adopting the same business model to sell their malicious software as legitimate software vendors. A platform- or software-as-a-service is a business model that allows a product to be used, developed and managed by an individual or company, gaining the benefits of the software without having to develop everything from scratch. Malware-as-a-service is available on the darknet and offers criminals the same benefits. In-depth computer knowledge is not required; a criminal can select off-the-shelf malware to suit his or her needs. The creations of skilled hackers can be used by any number of relatively unskilled individuals to gain access to computers and networks and steal the valuable data they store. Industry leaders are now referring to this mass-market malware sale as “the industrialization of cybercrime,” and it is a highly profitable business. It is so successful and profitable that sales...

HIMSS Releases 2015 Healthcare Cybersecurity Report
Jul09

297 healthcare leaders and information security professionals have recently given their opinions to HIMSS on the state of healthcare cybersecurity, with the results of the survey recently published in HIMSS’s 2015 Cybersecurity Report. The release of the report coincided with the Chicago Privacy and Security Forum event between June 30 and July 1 of this year. The report highlights a number of concerns about cybersecurity, perhaps the most pressing being the sheer scale of the current attack surface. Hackers are breaking through security defenses left, right and center; more worrying is the fact that they have been doing so for a number of months, and are already inside many computer systems.

Healthcare Professionals Are Concerned Their Protections May Not Be Enough

Numerous major breaches have affected tens of millions of employees, consumers and patients over the course of the past few months. New data breaches are being discovered on an almost daily basis and no industry appears to be safe from attack. Hacking groups are (allegedly) being financed by foreign...

New Mobile Malware Appearing at Rate of 4,900 per Day
Jul07

The threat from malware, phishing and spear phishing campaigns has been widely reported in recent months. Numerous new strains of dangerous malware have been identified this year, and the past few weeks have seen the FBI issue warnings on two malware strains, Sakula and Stegoloader: two particularly worrying pieces of malware that are currently being used by cybercriminals to gain access to healthcare data and financial information. The scale of the threat is difficult to estimate; however, a new study on mobile malware offers an indication of just how serious the problem is. The report from security firm G Data indicates new malware strains are appearing at a rate of nearly 5,000 per day. According to the report, the firm collected over 200 new Android malware samples on average every hour in the first quarter of the year. 440,000 new strains of Android malware were discovered in Q1 2015, representing a 6.4% increase compared to Q4 of 2014 and a jump of 21% from the corresponding period last year. In Q1 more than double the volume of malware was discovered than in the whole of 2011 and...

FBI Alert Suggests OPM/Anthem Malware Link
Jul05

The recently discovered data breach at the Office of Personnel Management (OPM) appears to have sparked an FBI alert (FBI memo A-000061, issued June 5, 2015, according to CSO) over a particularly nasty strain of malware called Sakula.

Healthcare Organizations under Threat from Sakula Malware

The Sakula malware strain is a RAT, or Remote Access Trojan, which, once installed on a host computer, allows hackers to make changes to the system, download other files or do whatever they want. The malware is often unwittingly downloaded via infected websites and popups, or installed via infected email attachments. The FBI memo warns that: “Groups responsible for these activities have been observed across a variety of intrusions leveraging a diverse selection of tools and techniques to attempt to gain initial access to a victim including using credentials acquired during previous intrusions.”

Sakula Linked to Anthem and OPM Data Breaches

The timing of the FBI high-confidence alert may be a coincidence, although given recent events this appears unlikely. The...

Healthcare Software Security Assessed by Veracode
Jul04

The cloud offers healthcare providers the opportunity to streamline the provision and management of medical services. However, healthcare providers attempting to harness the power of the cloud could potentially be placing Protected Health Information (PHI) at risk. HIPAA requires covered entities to safeguard PHI at all times, whether it takes the form of physical records or digital files. Any PHI stored in or accessible via apps or other cloud applications must have security controls in place to protect the data. All cloud applications must therefore be subjected to a thorough risk assessment to identify potential security vulnerabilities, and any issues found must be addressed. Many healthcare providers, and other HIPAA-covered entities, enlist the help of professionals when it comes to assessing mobile application security, with Veracode a market leader.

Over 200,000 Cloud Application Security Assessments Performed

Veracode assesses applications for security vulnerabilities that could potentially be exploited to gain access to patient data, or login credentials to gain...

2015 Application Data Security Study Released
Jul03

The SANS Institute has recently released the findings from this year’s mobile app security survey. The report, “2015 State of Application Security – Closing the Gap”, explores the differences in attitude between mobile application developers and security operations teams: those responsible for protecting the data recorded, stored and transmitted by applications. The survey was conducted on 435 individuals, of which 35% were application developers, with the remaining 65% comprising respondents from the data security industry.

The Gap between Developers and Security Professionals is Closing

One of the main issues limiting the adoption of mobile applications – especially in the healthcare industry – is a lack of robust data security protections for mobile devices. Developers are excellent at creating useful and fully functional apps, but they lack the knowledge to make the apps secure; a necessity before health apps can be used by medical professionals. Security professionals excel at securing mobile applications, but many do not understand the app development process. To...

MedData Report Offers New Healthcare Cybersecurity Insight
Jul03

A new healthcare cybersecurity report has been released by the MedData Group, detailing the results of a new survey conducted on 272 U.S. healthcare professionals.

New Insights into the State of Healthcare Cybersecurity

The report – Physician and Hospital Professionals’ Perspectives on Cybersecurity in the Workplace – analyzes the results of a survey conducted in June of this year, and provides an insight into current trends in healthcare cybersecurity. The report also highlights some of the major concerns medical professionals have about data security. The survey was conducted on physicians, hospital administrators and health IT professionals and asked their opinions on a wide range of cybersecurity issues. With the increased risk of suffering data breaches, HIPAA-covered entities (CEs) have been given little choice but to implement a number of new security controls to repel hackers, monitor networks and prevent malware from being installed. However, physicians are not too confident in their organizations’ ability to prevent breaches.

Physicians Lack Faith in Cybersecurity...

Serious Adobe Flash Security Vulnerability Discovered
Jul01

In addition to dealing with the increased threat of CryptoWall ransomware and Stegoloader malware attacks, healthcare IT professionals must be aware of the latest software security vulnerabilities, as they can all too easily cause a data breach. Adobe Flash in particular is a major security risk, with yet another serious security vulnerability discovered in the past few days. The latest Adobe Flash security flaw has an easy fix: the company issued a patch last week to tackle the vulnerability; however, any computer that does not have the latest version of the software installed is a potential attack point for hackers. This could pose a problem for multiple hospital systems with thousands of networked computers to update.

Another Adobe Flash Hacking Risk Discovered

The security vulnerability was discovered not by Adobe, but by FireEye Intelligence, a cybersecurity company specializing in zero-day malware and advanced security threats. The company identified a security flaw which can be exploited by criminals to gain access to computers running Adobe Flash software. Hackers use a...

Healthcare Data under Threat from Stegoloader Malware
Jun30

Back in 2013 a new form of malware was discovered which was capable of stealing information from the system on which it was installed – as with other malware – however, this variant differs in that it hides in PNG image files, making it look innocuous. The malware has recently been discovered to be having something of a resurgence, and healthcare providers are being targeted.

Risk of Malware Transmission via PNG Images

The Trojan works using a process called digital steganography. Steganography has Greek origins, and roughly translates as “covered writing”. The technique allows hackers to hide bits of code within the image pixels or in other parts of the image, such as the header section.

The Danger of the Stegoloader Trojan

The Stegoloader Trojan family is otherwise known as Win32/Gatak.DR and TSPY_GATAK.GTK, according to Dell SecureWorks. The latest variants of the malicious software identified by Trend Micro are TROJ_GATAK.SMJV, TROJ_GATAK.SMN, and TROJ_GATAK.SMP. The latest three variants are most commonly acquired from file sharing websites; in particular illegal software and...

Extent of Unauthorized Cloud Service Usage by Employees Uncovered
Jun29

How many cloud services is your organization using? According to a new report, if the figure is under 928 – the average number of cloud services used by healthcare providers – you may be underestimating the extent to which employees are using the cloud. The data suggest employees are breaching security policies by using cloud services that lack the necessary security controls. If the data collected is representative of the healthcare industry as a whole, HIPAA violations are being committed on a daily, if not hourly, basis by healthcare professionals.

Benefits of HIPAA-Compliant Cloud Services

There are a number of advantages to be gained from using cloud services. Healthcare providers and other HIPAA-covered entities can cut IT equipment and maintenance costs by hosting data in the cloud. Leveraging cloud services can also improve productivity, and speed up the accessing and logging of patient data. A number of healthcare providers have been able to improve patient health outcomes by making use of cloud services.

Security Risks Being Taken by Employees

Skyhigh Networks...

CFO Sentenced to Jail for False Meaningful Use Claims
Jun27

A former Chief Financial Officer (CFO) has been sentenced to serve 23 months in federal prison after making false claims to receive payments under the Medicare Electronic Health Record (EHR) Incentive Program. Joe White, 68, was the former CFO of Shelby Regional Medical Center; he was responsible for overseeing the implementation of new Electronic Health Records (EHRs) at the hospital, and attested that the hospital had met the minimum standards required by the EHR Incentive Program. The HITECH meaningful use incentive program has resulted in billions of dollars in payments being made to hospitals and other healthcare organizations that have made the change from paper to Electronic Health Records. To qualify for the incentive payments, healthcare providers must “adopt, implement, upgrade or demonstrate meaningful use of certified EHR technology.” Each year, hospitals are required to attest to reaching meaningful use standards. In order to receive the incentive payments, on Nov. 20, 2012, White knowingly claimed that the hospital was a meaningful user of EHRs when this was not...

FBI Malware Warning Issued over CryptoWall Ransomware
Jun26

The FBI has issued a warning to all U.S. companies – and individuals – over the growing threat of ransomware, with a version called CryptoWall singled out as representing the biggest threat. The malware is not just a problem in the United States: the infection has spread globally. Once infected, victims are often left with little choice but to pay up or lose everything. The warning has come via the Internet Crime Complaint Center (IC3). IC3 is a joint initiative operated by the FBI and the National White Collar Crime Center, and since April of last year it has received 992 complaints about CryptoWall infections. The total cost of the malware infections is estimated to have exceeded $18 million. The malware may be complex, but its mode of operation is simple. When a PC becomes infected with the malware the device is locked and the data encrypted. No data can be obtained from the device, it cannot be used, and everything on it will be permanently erased – or remain permanently locked – unless a ransom is paid. Since the data is encrypted, there is no way to retrieve any...

Samsung Galaxy Hacking Vulnerability Worrying for BYOD Schemes
Jun24

Despite a security vulnerability existing on Samsung Galaxy devices, the electronics giant has yet to issue a fix seven months after the company was first alerted to a hacking vulnerability affecting S3 to S6 models of Samsung Galaxy phones. The Samsung security vulnerability could potentially allow the phones to be hijacked by hackers, allowing information entered or sent via the phones to be viewed. The security vulnerability concerns the software used for the phones’ keyboard, according to researchers at NowSecure. What is especially worrying is that the owner or user of the phone does not need to take any action to allow hackers to gain access to the mobile phone; the security vulnerability can be exploited remotely.

How Are Hackers Gaining Access to Samsung Phones?

Fortunately, the hack is not straightforward to pull off. It requires considerable technical skill and can only be executed at specific times: when the keyboard software is being updated. The researchers point out that a hacker with access to Wi-Fi networks, or with the ability to otherwise manipulate a user’s network...

Privacy Concerns Mount Over Government MIDAS Healthcare Database
Jun22

In order to protect the privacy of Americans, Protected Health Information and other highly sensitive data must have a finite lifespan. When data is no longer required it must be securely destroyed. Holding data indefinitely is an unnecessary security risk, yet the government is recording healthcare information in its MIDAS – Multidimensional Insurance Data Analytics System – database indefinitely. MIDAS is owned by the Centers for Medicare and Medicaid Services and maintained by CACI under government contract. It is a critical component of President Obama's healthcare reform and is instrumental to the smooth running of the system. The database has been in operation for four years and serves as a perpetual central repository for all data collected. That data includes Personally Identifiable Information (PII) and Protected Health Information (PHI) on well over a million Americans, and that number is growing. Individuals' full names, home addresses and contact telephone numbers are stored alongside passport numbers, Social Security numbers,...

HIPAA Compliance Deadline for Windows Server 2003 Upgrade Fast Approaches
Jun17

Microsoft will stop issuing patches and software updates for Windows Server 2003 on July 14, 2015. Any HIPAA-covered entity still running the operating system on any of its servers after that date will be running software with no vendor security fixes, a risk that is hard to justify under the HIPAA Security Rule and one that could draw a financial penalty from the Department of Health and Human Services' Office for Civil Rights (OCR). Microsoft advises users to upgrade to Windows Server 2012 R2 in order to maintain security standards and receive continued support, upgrades and patches.

Upgrades Must be Planned and Time is Fast Running Out

When Microsoft stopped issuing patches for Windows XP, all users had to be moved onto new operating systems; a task that required a considerable amount of planning, a considerable number of man hours and a not insignificant financial outlay. While a HIPAA-covered entity will have fewer servers than desktops and laptops, upgrading servers has the potential to cause even more disruption, especially in large organizations operating a number of servers and an even higher number of virtual...

Medical Devices Being Targeted to Gain Access to Networks
Jun12

According to a white paper issued by TrapX Labs, medical devices are being targeted by hackers who are using the equipment as backdoors to gain access to healthcare computer networks. The report cited three examples of medical device hacking where hackers had gained access to medical equipment and bypassed the complex data security systems installed by healthcare providers. Healthcare data security systems may be highly effective at detecting network intrusions and repelling brute force attacks, but the protection does not extend to all medical devices. Major security vulnerabilities exist that are not being addressed. Many healthcare providers believe their electronic equipment to be secure, as protections are in place to prevent access. However, according to the report, security systems are not effective at protecting medical devices. Criminals are gaining access, yet hospital IT staff are unable to scan the equipment without assistance from the manufacturer. If an intrusion is detected, the manufacturer or contractor must be contacted to access the devices and perform tests....

Unrecognizable Malware Explosion Reported by Check Point
Jun11

A new report from Check Point Software Technologies has revealed the extent to which malware is plaguing healthcare providers and other industry sectors. Over the past 12 months there has been an explosion in malware. In 2013, businesses received an average of 2.2 pieces of malware every hour. By 2014, that figure had risen to 106 pieces of malware every hour of every day, on average. The finding comes from the company's analysis of data from over 60,000 enterprise gateways in 2014. Even company Vice President Juliette Rizkallah was surprised by the results and described the current situation as "frightening." Even more frightening is the fact that the malware is not being repelled; it is downloaded, installed and sends confidential data to hackers. The report indicates that malware is succeeding alarmingly frequently. The researchers suggest that the average large company is hit by malware every 34 seconds, that new files are downloaded to the network, and that every minute those files communicate with external hosts. In spite of the...

Cybersecurity Services Being Outsourced Due to Lack of Skilled Staff
Jun10

A lack of personnel with the skills needed to improve cybersecurity defenses is leading many CISOs and CIOs to look outside their organizations for assistance. Businesses and healthcare providers are now increasingly hiring third-party experts to provide cybersecurity services, according to a new report by Cybersecurity Ventures.

Wave of Attacks Increases Demand for Trained Cybersecurity Staff

Cybersecurity incidents have risen by 48% over the previous 12 months, and industry experts predict that the volume of security incidents will rise further still throughout 2015 and 2016. This is not a problem that will just go away. Improving defenses to resist highly sophisticated attacks requires skilled staff, and with the complexity of attacks increasing there is no time to lose. The quarterly Cybersecurity Market Report indicates that the increased risk of attack has led many businesses to create new cybersecurity positions; however, the dearth of talent has left 209,000 of those jobs unfilled. Over the next...

ONC Turns Attention to Big Data Security
Jun10

Big data has huge potential for improving patient care and treatment outcomes, but the use of patient information raises some serious questions about privacy and security. The ONC Health Information Technology (HIT) Privacy & Security Workgroup (PSWG) has been discussing the issues faced by the healthcare industry. At a meeting of the group on Monday a number of healthcare big data issues were raised. The group aims "To address distrust in big data algorithms: Improve trust through algorithmic transparency and to consider applying Fair Credit Reporting Act (FCRA) approaches to promote algorithmic transparency," in addition to taking action to improve data privacy and security standards.

Issues with HIPAA and Healthcare Big Data

One of the main concerns raised by the group is the fact that HIPAA only covers certain areas of health big data. There are notable gaps which could cause problems down the line according to the group. "Failing to pay attention to these issues undermines trust in health big data, which could create obstacles to leveraging health big data to achieve gains...

Stolen Data Found on Dark Web by New Security Startup
Jun07

You have been attacked by hackers and they have stolen your data, but how can you tell? According to a new security start-up, discovering a breach of healthcare data can be a very quick process: Terbium Labs has developed a method of identifying stolen data within minutes of it being posted online. Terbium CEO Danny Rogers and CTO Michael Moore believe they have developed a system that takes "a large scale, computational approach to finding pilfered data," and allows stolen data to be identified faster and more securely than was previously possible.

Reducing the Risk of a HIPAA Data Breach

In order for a company to identify stolen data, it must first be provided with the confidential records it needs to search for, and that naturally involves some risk. As the past few weeks have shown, passing data to business associates increases the risk of a data breach, Medical Management LLC being a case in point. Terbium's new product, called Matchlight, uses an innovative method of identifying data while ensuring the data the company stores on a HIPAA-covered entity is...
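The underlying idea, matching leaked records against a watch list without handing the monitoring service the plaintext, can be shown with keyed fingerprints. The block below is an added example written for this page; it is not Terbium's code, and the page does not describe how Matchlight actually works. The shared key, the record layout, the two patient records and the dump lines are all constructed for the illustration.

```python
import hashlib
import hmac
import re

# Assumed per-client secret shared with the monitoring service (constructed).
KEY = b"example-client-key-not-a-real-secret"

# Constructed, fictional records held by the covered entity. The two SSNs are
# well-known never-issued sample numbers, not real people.
RECORDS = [
    {"name": "Jane Q. Sample", "ssn": "078-05-1120"},
    {"name": "John Doe", "ssn": "219-09-9999"},
]

# Constructed paste-site dump in name|ssn|source form, with the kind of
# formatting drift (case, punctuation, spacing) that real dumps show.
DUMP = """\
sample, jane q|078-05-1120 |acme health export
smith, bob|123-45-6789|unrelated breach
DOE JOHN|219099999|acme health export
"""

FINGERPRINTED_FIELDS = ("name", "ssn")


def normalize(field: str, value: str) -> str:
    """Canonicalize a field so reformatted copies of the same value still match."""
    if field == "ssn":
        return re.sub(r"\D", "", value)                 # digits only
    if field == "name":
        tokens = re.findall(r"[a-z]+", value.lower())   # drop case and punctuation
        return " ".join(sorted(tokens))                 # order-independent
    return value.strip().lower()


def fingerprint(key: bytes, field: str, value: str) -> str:
    """Keyed one-way fingerprint of one field. The field name is bound into
    the message so an SSN fingerprint can never collide with a name one."""
    msg = f"{field}:{normalize(field, value)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def register(key: bytes, records: list) -> set:
    """Covered-entity side: the fingerprint set is all the monitor receives."""
    return {
        fingerprint(key, field, rec[field])
        for rec in records
        for field in FINGERPRINTED_FIELDS
        if rec.get(field)
    }


def scan_dump(key: bytes, registered: set, dump_text: str,
              columns=("name", "ssn", "source")) -> list:
    """Monitoring side: fingerprint each field of each dump line and report
    (line number, field) pairs that hit the registered set."""
    hits = []
    for lineno, line in enumerate(dump_text.splitlines(), start=1):
        for field, cell in zip(columns, line.split("|")):
            if field in FINGERPRINTED_FIELDS and fingerprint(key, field, cell) in registered:
                hits.append((lineno, field))
    return hits


if __name__ == "__main__":
    registered = register(KEY, RECORDS)
    for hit in scan_dump(KEY, registered, DUMP):
        print("match on line %d, field %s" % hit)
```

The monitor stores 64-character digests rather than names and Social Security numbers, which is the point the article is making about limiting what a third party holds. The caveat a practitioner should keep in mind is that whoever holds the key can still enumerate the roughly one billion possible SSNs and recover them from their fingerprints, so a keyed fingerprint lowers the trust placed in the service for low-entropy fields but does not remove it; the protection is strongest for fields with enough entropy to resist guessing.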

Patients Want to Share Their PHI, Says ONC Study
Jun05

A new study released by the Office of the National Coordinator for Health IT (ONC) this week – Individuals' Perceptions of the Privacy and Security of Medical Records – suggests that patients are happy with their healthcare data being shared; they just don't want that information shared with unauthorized individuals.

Healthcare Data Privacy Protections under HIPAA

The sharing of healthcare data is highly restricted under the Health Insurance Portability and Accountability Act (HIPAA). The information can only be viewed by authorized individuals for the purpose of providing medical care or other essential healthcare purposes such as billing. Protected Health Information (PHI) cannot even be shared for the purposes of medical research, unless the data is first de-identified or patient permission is obtained. This may be about to change, certainly for the purposes of research, but how do patients actually feel about the use of their data by healthcare providers? Do they have concerns about the growth in use of Electronic Health Records (EHRs)? Vaishali Patel, PhD MPH and...

Who do Boards Blame for HIPAA Breaches and Cybersecurity Incidents?
Jun03

When a HIPAA data breach occurs, questions are asked about the technical, physical and administrative controls that were put in place to secure the data. Companies are put in the spotlight and everyone feels the heat, but new data indicates that the finger of blame is now pointing in a different direction, certainly as far as directors are concerned. According to a new report by NYSE Governance Services, entitled Cybersecurity in the Boardroom, there has been a shift in who is blamed for data breaches in recent years. It is no longer just the Chief Information Security Officer (CISO) that boards hold responsible. The report shows that the entire C-suite is in for a torrid time: some directors still put one individual in the cross-hairs, while others appear to fire indiscriminately.

Blame for Data Breaches Spread more Widely

According to the report, the Chief Executive Officer (CEO) is most often blamed, with the Chief Information Officer (CIO) also taking a considerable amount of heat. Both are clearly in the firing line. However, everyone in the executive team came in...

Phishing, Spear Phishing and Malware: How Hackers Gain Access to PHI
May31

Criminals looking to break through the cybersecurity defenses put in place by health insurers and healthcare providers to safeguard Protected Health Information (PHI) can choose an easy or a hard way to get at the data. Unsurprisingly, many choose the easy route and exploit one of the largest security vulnerabilities, and one that many healthcare providers have failed to address: the end users sitting at a terminal, PC or laptop with access to the network, email and EHRs. IT staff can build multi-layered defenses and lock servers in impenetrable vaults, yet the army of healthcare workers with full access to EHRs gives hackers an easy way to slip past sophisticated defenses undetected. If end users can be convinced to divulge their login credentials, or, easier still, to click on a malicious link or download and open a malware-laced attachment, the thieves can be in and out of a system in about the time it takes to copy a database of patient health records. Fortunately, many tech-savvy healthcare workers will be able to spot a phishing...

Secure Text Message Service Improves Response Times at Chicago Cardiology Institute
May29

The Chicago Cardiology Institute, a leading healthcare provider offering treatment for cardiovascular and peripheral vascular diseases, has implemented a new secure text message service that allows its nurses, physicians and other healthcare staff to communicate in a timely and efficient manner without running the risk of violating data privacy and security legislation.

HIPAA Prohibits the Transmission of PHI over Insecure Networks

The Health Insurance Portability and Accountability Act (HIPAA) places a number of obligations on healthcare providers to ensure patient privacy is protected and Protected Health Information (PHI) is secured. The Security Rule's transmission security standard requires PHI in transit to be guarded against unauthorized access, which in practice means pagers, SMS, smartphones and other mobile devices cannot be used to communicate PHI unless the data is encrypted. Healthcare providers wanting to improve communication between care teams, and speed up the exchange of healthcare information, must implement a system to secure communications. One of the most efficient and easiest ways to do this is to use a secure...

HHS Launches Redesigned Responsive Website
May18

The Department of Health and Human Services has completed the revamp of its website, and visitors are now presented with a clearer, crisper and more user-friendly interface thanks to a design built to work on all devices and screen sizes. The change was long overdue, as any regular visitor to the HHS website could attest; the information was always there, but finding it was a slow process, and searching was especially difficult on a handheld device.

Designed with Current and Future Visitors in Mind

Before the site was developed, HHS conducted a market research survey, web analytics, workshops and usability testing with the public, and took its cue from companies such as WIRED and NPR, both of which have recently redesigned, reorganized and repurposed their own web content. "Out with the old and in with the new" has been taken to heart, with HHS clearing out 154,000 obsolete files to speed up site searches. With fewer files to search with every query, search speed has been greatly...

Cost of Data Breaches to Hit $2.1 Trillion by 2019
May13

Juniper Research has released a new report suggesting the cost of data breaches will hit $2.1 trillion by 2019 as a result of the increase in cybercrime and the sheer scale of data that will be recorded on consumers' lives.

The Future of Cyber Crime & Security

The new report – The Future of Cybercrime & Security: Financial & Corporate Threats & Mitigation – offers an in-depth analysis of the current digital security landscape and the threats now being faced, and creates a roadmap for the evolution of connected devices to predict the effect that data breaches will have over the course of the next four years. While security of the Internet of Things is getting a lot of attention at present, Juniper Research calculates the actual risk of data exposure there to be minimal, certainly over the next four years. The real threat, and where the majority of data breaches will occur, is the current IT infrastructure, according to Juniper. Network servers, laptop computers and other endpoints will continue to be the major locations of breaches. The report suggests that the...

Crime Leading HIPAA Breach Cause Says Ponemon Data Security Study
May08

The threat to the healthcare industry from hackers is growing. Hacking and network server incidents are now the main cause of HIPAA data breaches, according to OCR's "wall of shame". Yesterday, the Ponemon Institute released a new privacy and security study which confirms that criminals are now the major cause of HIPAA breaches. The study – the Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data – shows that criminal activity is behind 45% of all healthcare data breaches, whether the theft of equipment or records with intent to use or sell the data, hacking incidents, malware, phishing or theft by malicious insiders. The loss of laptop computers and other unencrypted devices, accidental disclosures and administrative errors had traditionally been the major cause of data breaches in previous years. This is the first time that carelessness and negligence has not been the leading breach cause, and the shift is unlikely to reverse in the near future, especially considering criminal activity has increased by 125% over the course of the last 5...

Almost Three Quarters of Companies Unprepared for Data Breaches
May06

A day after the Department of Justice released new guidelines for responding to data breaches, the results of a survey conducted by EiQ Networks, a provider of security, risk and compliance solutions, confirm the need for assistance. Nearly three quarters (72%) of respondents said they were not prepared for a data breach. The survey was conducted among 168 IT decision makers, with the sample including respondents from a range of industries. The data suggest IT staff do not have much confidence either in the defenses they have deployed or in how their organizations will deal with a data breach when it occurs. The survey highlighted numerous problems, with a general lack of resources cited as one of the main issues. IT departments simply do not have the staffing levels required to safeguard systems and prevent data breaches, but 62% of respondents said their main concern was a lack of process – or only a partial process – to protect their company. There were inadequate checks being conducted to determine whether a security incident had actually...

Department of Justice Releases Breach Response Best Practice Guide
May05

The Cybersecurity Unit of the U.S. Department of Justice (DOJ) has produced a new set of guidelines to help organizations prepare for data breaches so that they can take prompt action to mitigate damage and address security vulnerabilities. The DOJ felt that smaller organizations were unsure about the correct breach response, and aimed its guidance at those companies rather than at large corporations and healthcare providers, which are likely to have already implemented appropriate policies and procedures. A step-by-step guide is included to help organizations prepare for the inevitable, and the guidelines detail the steps that must be taken directly after a breach to minimize continuing damage, along with a useful section covering actions that must not be taken, such as continuing to use an infected system to communicate. Not every listed step will be appropriate for every organization, so it is essential that companies develop their own breach policies and procedures to match their own infrastructures. The guide points out certain critical...

Cybercrime Report: Children’s Healthcare Data Prized by Thieves
May04

Cybercriminals are targeting healthcare providers and insurers in an attempt to obtain the Protected Health Information (PHI) and Social Security numbers they hold, but above all else it is the Social Security numbers of children they are after. According to a study conducted by the University of Texas Center for Identity, children are 35 times more likely to suffer identity fraud after a data breach than adults. A 2011 study by Carnegie Mellon University's CyLab suggests the risk is higher still, with children 51 times more likely to suffer fraud. The UT researchers estimate that one in ten U.S. children have had their identities stolen to some degree.

How do Criminals Use Healthcare Information and Social Security Numbers?

Social Security numbers – along with personal identifiers – can be used by criminals to commit fraud in a variety of ways, and the value of these numbers has led criminals to come up with highly sophisticated and diverse ways of breaking through organizations' defenses. Thieves use healthcare data and Social Security numbers to...

Study Suggests HIPAA Data De-identification Improvements Required
Apr28

Under HIPAA Rules, healthcare providers and other covered entities (CEs) are permitted to use the Protected Health Information (PHI) of patients – and share it with others – provided that the data has been de-identified, so that it can no longer be tied to any individual. The Privacy Rule offers two routes to de-identification. Under Expert Determination, a qualified expert applies statistical methods – a model such as k-anonymity is one option – and documents that the risk of the data being associated with a particular patient is very small. Under Safe Harbor, a fixed rule-based policy removes 18 categories of identifier and coarsens what remains; for example, all elements of dates other than the year are stripped from dates of birth, and ages over 89 are collapsed into a single "90 or older" category. The latter method is often used because it is simple, but it is far from perfect. According to a recent study published in the Journal of the American Medical Informatics Association (JAMIA), this procedure does not tailor protections to the...
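To make the difference between the two routes concrete, here is an added example (not code from the page or from the JAMIA study) that applies the Safe Harbor date, age and ZIP rules to a handful of constructed records and then measures k-anonymity over the quasi-identifiers that survive. The records, the reference date `AS_OF` and the `SPARSE_ZIP3` set are assumptions made for the example; the real ZIP rule depends on current census counts that are not embedded here.

```python
from collections import Counter
from datetime import date

# Reference date for computing ages (assumption for the example).
AS_OF = date(2015, 4, 28)

# Illustrative ZIP3 prefixes assumed to cover fewer than 20,000 people, which
# Safe Harbor requires to be reported as 000. Real runs use census data.
SPARSE_ZIP3 = {"036", "059"}

# Constructed, fictional patient records standing in for a covered entity's extract.
RECORDS = [
    {"name": "Patient A", "ssn": "000-00-0001", "dob": date(1980, 3, 14), "zip": "02139", "sex": "F", "dx": "J45"},
    {"name": "Patient B", "ssn": "000-00-0002", "dob": date(1981, 11, 2), "zip": "02142", "sex": "F", "dx": "E11"},
    {"name": "Patient C", "ssn": "000-00-0003", "dob": date(1983, 7, 30), "zip": "02139", "sex": "M", "dx": "I10"},
    {"name": "Patient D", "ssn": "000-00-0004", "dob": date(1986, 2, 1), "zip": "02140", "sex": "M", "dx": "J45"},
    {"name": "Patient E", "ssn": "000-00-0005", "dob": date(1982, 5, 20), "zip": "02139", "sex": "F", "dx": "I10"},
    {"name": "Patient F", "ssn": "000-00-0006", "dob": date(1923, 1, 5), "zip": "03601", "sex": "F", "dx": "E11"},
    {"name": "Patient G", "ssn": "000-00-0007", "dob": date(1925, 9, 9), "zip": "10002", "sex": "M", "dx": "I10"},
]

# Columns an attacker could link against an outside dataset (voter rolls etc.).
QUASI_IDENTIFIERS = ("birth_year", "zip3", "sex")


def age_on(dob: date, as_of: date) -> int:
    """Completed years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor(record: dict, as_of: date = AS_OF) -> dict:
    """Apply the Safe Harbor rules relevant to this schema: drop direct
    identifiers, keep only the year of the birth date, collapse ages over 89
    into '90+' (dropping the year as well), and truncate ZIP to three digits,
    zeroing it where the ZIP3 area is sparsely populated."""
    age = age_on(record["dob"], as_of)
    zip3 = record["zip"][:3]
    if zip3 in SPARSE_ZIP3:
        zip3 = "000"
    if age > 89:
        birth_year, age_out = None, "90+"
    else:
        birth_year, age_out = record["dob"].year, age
    # name, ssn and the full dob are deliberately not copied across
    return {"birth_year": birth_year, "age": age_out, "zip3": zip3,
            "sex": record["sex"], "dx": record["dx"]}


def k_anonymity(records: list, quasi_identifiers=QUASI_IDENTIFIERS) -> int:
    """The k of a dataset: size of the smallest group of records sharing the
    same quasi-identifier values. k == 1 means at least one patient is unique."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values()) if groups else 0


def generalize_birth_decade(record: dict) -> dict:
    """One generalization step of the kind used under Expert Determination:
    replace the birth year with its decade."""
    out = dict(record)
    year = out["birth_year"]
    out["birth_year"] = None if year is None else f"{year - year % 10}s"
    return out


def suppress_small_groups(records: list, k: int, quasi_identifiers=QUASI_IDENTIFIERS) -> list:
    """Drop records whose quasi-identifier group is smaller than k, so the
    released set actually satisfies k-anonymity for that k."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return [r for r in records if groups[tuple(r[q] for q in quasi_identifiers)] >= k]


if __name__ == "__main__":
    released = [safe_harbor(r) for r in RECORDS]
    print("Safe Harbor only: k =", k_anonymity(released))
    generalized = [generalize_birth_decade(r) for r in released]
    print("after decade generalization: k =", k_anonymity(generalized))
    final = suppress_small_groups(generalized, k=2)
    print("after suppression to k=2:", len(final), "records, k =", k_anonymity(final))
```

Run on these records, Safe Harbor output still leaves every patient unique on (birth year, ZIP3, sex), which is the sense in which the rule-based policy "does not tailor protections": it applies the same cuts whatever the data looks like, and never measures the result. The model-based approach measures k, generalizes further, and suppresses the two elderly outliers that no generalization of the other fields would hide.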

Healthcare Apps Helping to Improve Patient Care and Reduce Costs
Apr25

The Healthcare Information and Management Systems Society conference this year provided healthcare professionals with even more than in years gone by. HIMSS 2015 was bigger and better than ever, and attendees got more opportunities to learn, discuss and debate the current issues facing the healthcare industry. HIMSS also published the data from the 2015 HIMSS Mobile Technology Survey, which asked 238 respondents about their use of mobile technology as a means of engaging patients in their own healthcare. The results indicate that healthcare professionals are taking great strides to embrace new technology and communicate with patients in a format they are comfortable using. According to mobile usage data from the Pew Research Center for January 2014, 90% of Americans owned a cell phone and 64% owned a smartphone; 81% used their devices to send or receive text messages, 60% for internet access and 52% for sending email. The explosion in mobile usage has been rapid, and the healthcare industry appears to be keeping up. Not only are telehealth services now being offered...

House Passes Cybersecurity Bill Amid Privacy Protests
Apr23

The cybersecurity bill – officially the Protecting Cyber Networks Act (PCNA) – has been pushed through following a spate of targeted attacks on the retail, financial and healthcare sectors over the course of the past 12 months. Those attacks resulted in hackers obtaining tens of millions of private and confidential records, including Social Security numbers, credit card and financial details, medical information and insurance details. On Wednesday, the Protecting Cyber Networks Act went to the vote in the House of Representatives, and the bill was passed 307-116. The main purpose of the bill is to allow a real-time threat detection system to be established in the fight against hackers, with the bill paving the way for this by allowing greater sharing of information relating to cybersecurity threats with the government departments tasked with combating those cybersecurity threats.

A Backdoor to Allow Increased Government Surveillance

The bill is certainly not without its critics. While the sharing of information between corporations and government departments should certainly help...

How Are Hackers Accessing HIPAA-Covered Data?
Apr22

Healthcare hacking incidents are on the rise. Recent security reports from Verizon, HITRUST and Symantec all suggest that the cybersecurity risk is now at an all-time high. The threat from hackers is very real: they are targeting healthcare organizations, and when they gain access to healthcare computer networks they can steal many tens of millions of records. Only this year, the Premera and Anthem hacking incidents exposed close to 90 million records, of which 11 million included healthcare data and Social Security numbers. But how are hackers gaining access to healthcare databases? What are the main cybersecurity risks in the healthcare industry? When data breaches are announced they are usually described as "highly sophisticated" in nature, and they would need to be to bypass multi-layered security systems in which considerable time, money and resources have been invested. However, these highly sophisticated attacks often involve some rather unsophisticated tactics. Tactics that include asking a person with access to Protected Health Information to tell them their login...

Apple Watch to Include HIPAA Compliant Text Message Apps
Apr21

The Apple Watch has finally been released, of sorts, with the device now available to order online, although it will not be available in Apple stores until the summer. The long-awaited product was given a release date of April 24, but Apple appears to be selling the device on a built-to-order basis rather than filling its stores with a device that potentially has only limited appeal; stores will not release the watches until late May. The Apple Watch includes a number of features that could make it an invaluable wearable device in the healthcare industry, although the success of such devices depends not so much on the device itself as on getting third-party developers on board to offer applications and additional functionality. It is these applications that really build support for a new wearable device, as those offered by the manufacturer can be limited. The watch appears to be attracting a number of developers, which is a good sign so far. There are a number of apps that could well benefit physicians and other healthcare professionals. These include a...

Verizon 2015 Data Breach Investigations Report Released
Apr15

The 2015 Verizon Data Breach Investigations Report puts the healthcare industry under the spotlight and reveals some of the major issues faced by the industry, and the large gap that exists between where HIPAA-covered entities (CEs) are now with their data security protections and where they need to be to meet the minimum standards required by HIPAA. This is the eighth year that Verizon has released its security report, and this year the data sample is bigger than ever, allowing greater faith to be placed in the report's findings than in previous years. A total of 70 organizations contributed data for the report, an increase of 50% year on year. The company's analysts looked at some 80,000 reported security incidents – up 26% from the previous year – and 2,100 confirmed data breaches, an increase of 55% from the previous year. The report goes into intricate detail about the data breaches that have been reported over the course of the past 12 months and offers advice on some measures that can be employed to improve security and protect confidential data.

Verizon Adds a...

Faster Delivery of Lab Test Results Achieved by Pathology, Inc.
Apr15

Privately owned pharmacies and laboratories are covered by HIPAA Rules, and must therefore ensure that all Protected Health Information (PHI) they store and transmit is appropriately secured, with the security measures dictated by the standards laid down in the HIPAA Security Rule. The privacy of patients must be assured at all times. Highly sensitive health information, such as medical test results, could cause patients to come to harm if accidentally disclosed to the wrong individuals, so any transmission of data must be protected from interception and reading. To reduce the risk of HIPAA breaches, many laboratories stick to tried and tested delivery methods and accept that there will be a delay in results reaching physicians. Some companies have risen to the challenge and now deliver lab test results faster by using new technology: they have leveraged smartphones to coordinate patient care more efficiently and ensure patients are treated more rapidly. This smart use of technology has allowed HIPAA-covered entities to improve...

Symantec Study Shows Data Breaches Increased 23% in 2014
Apr15

It is April, which means the release of Symantec's annual Internet Security Threat Report. Each year the security software company releases a report compiled from the data it collected during the past year, and the report is an insight into the general state of cybersecurity. The figures show the number of security breaches rose 23% in 2014. The report covers all industries, including healthcare, with the bulk of data breach victims affected by retail industry security breaches. Hacking incidents caused data to be exposed on a monumental scale, and while there were fewer "mega-breaches" in 2014 – 4 breaches of more than 10 million records compared to 8 the previous year – the report states that data breach incidents are still a major issue. Hackers were responsible for a large share of the additional breaches. The report suggests that there were fewer cases of identity exposure in spite of the overall 23% rise, and that "this could indicate that many breaches—perhaps the majority—go unreported or...

TigerText Announces First Secure Messaging App for Apple Watch
Apr14

TigerText – the leading provider of secure messaging solutions for the healthcare industry – has today announced details of the first secure messaging app to be made available for the Apple Watch. From early next month, Apple Watch users will be able to take advantage of TigerText's secure messaging capabilities to send and receive secure, encrypted messages from their wrist. TigerText for the Apple Watch will enable users to communicate securely with anyone hands-free, helping them save valuable time – especially in critical care settings. TigerText's Apple Watch app brings all the benefits of the healthcare industry's leading secure messaging app to the wrist. As with the TigerText apps for mobile devices and desktop computers, users will be able to see when a message has been sent, delivered and read. The TigerText Apple Watch app will also have these key features:

• Speech-to-Text: As an alternative to typing out a text message, users will be able to dictate to the app, which will then translate the words into text.
• Receive Notifications and...

ONC Report: Healthcare Providers Hiding Behind HIPAA
Apr13

Healthcare providers are hiding behind HIPAA regulations and hindering interoperability, with many actively involved in information blocking, according to a recent ONC report to Congress. On Friday, ahead of HIMSS 2015, the Office of the National Coordinator for Health IT issued a report to Congress as required under the 2015 Omnibus Appropriations bill. The report sheds light on the practice of “Information Blocking” in the healthcare industry and suggests that the problem is beyond the scope of current agencies to “detect, investigate and address the problem”. Only last summer Epic Systems was criticized for poor interoperability with EHRs, with Rep. Phil Gingrey (R-Ga) particularly vocal on the matter. The problem is understood to be widespread, and vendors are not solely responsible, although many are hampering interoperability efforts by restricting information flow and creating closed systems. The healthcare industry is also at fault, according to the report. It states that “A common charge is that some hospitals or health systems engage in information...

Criticism of ONC’s EHR Interoperability Plan Builds
Apr11

The Office of the National Coordinator for Health IT proposed an Interoperability Roadmap in January this year, to help the healthcare industry achieve the benefits that should come from moving over to electronic health record (EHR) systems. The ultimate aim of the plan is to create an environment where medical professionals can share data on patients and access medical information quickly and easily, which in turn should have an important impact on patient outcomes. After the issuing of the first draft, the ONC invited healthcare providers and other holders of healthcare data to read the roadmap and send in comments. That comment period ended on April 3, and many healthcare organizations took the opportunity to help the ONC achieve its goal. Criticism has been constructive and a number of concerns have been raised.

Timescale for Critical Actions

The Interoperability Roadmap calls for a number of actions to be taken by both healthcare organization stakeholders and industry regulators. These measures are critical to the overall success of the Interoperability Plan and are...

American Hospital Association Advises ONC HIPAA is Sufficient
Apr09

Critics of the level of data security required under HIPAA legislation are calling for even greater demands to be placed on holders of Protected Health Information (PHI). Improved security and privacy controls would make it harder for cybercriminals – and other data thieves – to obtain healthcare data. The Interoperability Roadmap of the Office of the National Coordinator is intended to help achieve nationwide secure health data exchange involving the EHR systems that have now been implemented by many healthcare organizations. The roadmap calls for changes to be made to the existing framework of rules and regulations to improve cybersecurity controls and help achieve interoperability. The American Hospital Association (AHA) disagrees.

AHA Voices Opinion on the ONC Interoperability Roadmap

The ONC published a draft of the Roadmap back in January and invited healthcare organizations to submit comments. It will assess the feedback it receives before releasing the final version of the Interoperability Roadmap. The ONC has received criticism from many quarters over the first draft, with...

Hacking: How Severe is the Threat to the Healthcare Industry?
Apr08

Retail, financial, entertainment, healthcare. It would appear that no industry is safe from hackers. The volume of incidents reported over the past 12 months, and the sheer scale and complexity of some of the attacks, indicate that the threat level is currently critical. The healthcare industry in particular appears to be under attack. Two hacking incidents at health insurers resulted in the perpetrators obtaining 78.8 million records from Anthem and approximately 11 million records from Premera Blue Cross, the latter including healthcare data. Numerous smaller incidents in which hackers gained access to PHI were also reported, according to data from the Office for Civil Rights. The OCR requires all HIPAA-covered entities to report data breaches affecting more than 500 individuals within 60 days of discovery. Between March 1st 2014 and February 28th 2015, the OCR received 31 breach reports that were attributed to hacking/IT incidents. However, the data only includes hacking incidents involving data covered under HIPAA, and in many cases data breaches are not noticed until...

Major Focus on Cybersecurity at HIMSS15
Apr03

The HIMSS Annual Conference & Exhibition is a firm fixture in many healthcare IT professionals’ yearly work calendars. The conference showcases the latest healthcare technologies and highlights current trends in the industry, while keynote speakers share solutions in health IT. The move to EHRs has elevated the risk of cybercrime, and the massive data breaches that have hit all industries over the past 12 months clearly demonstrate that the threat from hackers is very real. Furthermore, cybercriminals are targeting healthcare providers and health plans in search of the Protected Health Information (PHI) they hold. In February and March of this year, two massive hacking incidents were reported by health insurers which resulted in 89,800,000 confidential records being obtained by cybercriminals. 11 million of those records were reported to have contained sensitive PHI. This year, HIMSS has a strong cybersecurity focus to help the industry take proactive steps to improve defenses against hackers. There will be a new Cybersecurity Command Center at this year’s conference, which will allow...

HIPAA Audits May Give False Sense of Security
Apr01

The news that Premera Blue Cross was audited just three weeks before hackers were able to infiltrate its computer systems has raised a number of questions regarding the effectiveness of compliance audits. The U.S. Office of Personnel Management (OPM) performed an audit of the health insurer and identified a number of security vulnerabilities that it advised Premera to address, in particular the failure to install patches and software updates in a timely manner and the need to develop a baseline configuration that would allow full audits of the insurer’s servers and databases to be conducted. It took the OPM six months to release its final report on the audit, during which time hackers were accessing and copying the PHI of Premera’s members. After the report was released, it took a further 2 months before the insurer was able to identify the HIPAA breach and shut down access, although that was too late to prevent the PHI of 11 million members from being obtained by the thieves. These issues, along with a handful of other observations, were not considered to be serious enough at...

Cloud Security Adoption: Healthcare and Pharmaceutical Lead the Way
Mar31

When it comes to cloud security adoption, the healthcare and pharmaceutical industries lead the way, according to a recent survey by CipherCloud, an industry-leading provider of secure cloud services. Both industries are required to implement safeguards – under the Health Insurance Portability and Accountability Act (HIPAA) – to ensure that Protected Health Information is kept private and confidential, which according to the report is why cloud security adoption is so important and uptake has been so high in these industries. Healthcare and pharmaceuticals have been grouped together in the report, and account for 38% of companies which have chosen to store data securely in the cloud. The banking and finance industry is second, accounting for 25% of companies, with telecommunications third (16%) and government in fourth spot (9%). HIPAA does not demand that PHI is encrypted while at rest, although data encryption is an addressable area. If covered organizations decide not to encrypt data, they must document the reasons why, along with the alternative safeguards...

Does your Organization Need a Secure Text Messaging Service?
Mar26

Text messaging has revolutionized worldwide communications. Since the first service was provided in the United States in 1995 it has grown to become one of the most popular – and most frequently used – forms of communication, with 74% of mobile users – some 2.4 billion individuals worldwide – now using SMS to communicate with colleagues, friends and relatives. SMS messages are also used extensively in healthcare. 87% of healthcare professionals now use their mobile devices in the workplace, whether those are their own phones – via hospital Bring Your Own Device schemes – or devices issued by a healthcare provider. According to a Manhattan Research/Physician Channel Adoption Study, physicians spend 64% of their online time looking for information that allows clinical decisions to be made. However, while extremely prevalent in healthcare, text messaging is inherently insecure. Any PHI transmitted over the mobile network can potentially be viewed by numerous unauthorized individuals. Text messages can be relayed and routed via multiple carriers, and the messages can remain on servers – in...

No Fees for Health Exchange Say Patients
Mar23

The Society of Participatory Medicine – in conjunction with ORC International – has released survey data indicating that three-quarters of patients believe that Protected Health Information (PHI) should be easily and freely shared between hospital workers, physicians and other healthcare providers. The lack of sharing and poor interoperability is believed to have a serious impact on the medical care that patients receive. According to the poll, a fifth of patients had previously experienced difficulty receiving medical care because their healthcare data was not shared between providers. A PWC survey indicated that it is not only the sharing of data that is a problem: when data is shared, in 60% of cases providers face significant delays accessing the required information. In addition to full sharing of information between authorized individuals, 87% of patients said that they believed that access to their PHI should be free of charge. One of the issues that doctors have to face is that providing access to PHI incurs a significant cost: healthcare providers are required...

91 Million HIPAA Data Breach Victims Reported in Last 3 Months
Mar22

The healthcare industry now has to fend off a concerted wave of attacks by cybercriminals looking to obtain the ultimate prize: tens of millions of healthcare records, each worth up to £1000 on the black market. This year hackers have stolen the data of over 91 million patients and health plan members. To put this into perspective, more records have been stolen by thieves – or otherwise exposed – in the first three months of 2015 than were compromised in the whole of 2013. In fact, more than 16 times as many breach victims have been reported this year than in the whole of 2013. The total number of individuals affected by breaches in the past 8 years is 120 million. To put that figure in context, 120M is a third of the population of the United States, and 76% of these individuals became victims only this year. While lost laptops, data sticks and unencrypted smartphones have caused a number of breaches in recent months, there is now a new front that healthcare providers and insurers must defend. Their servers and email accounts, which are increasingly...

Mobile Devices Under HIPAA Rules: Will Geofencing Boost Data Security?
Mar21

Making healthcare mobile devices secure is a challenge faced by all healthcare providers. It is essential, under HIPAA Rules, to ensure that all medical devices – and the data they contain – are safeguarded and protected against misuse. However, the view from IT professionals is that device users are not being as careful as they should be. According to a recent Cisco Systems report, IT professionals believe that employees are engaging in highly risky behaviors that are potentially putting personal and healthcare data at risk. The report indicates that 70% of IT professionals believe that data breaches have been caused by the use of unauthorized programs in more than 50% of cases. The survey also indicates that 44% of employees are sharing work devices against company policies, while almost four out of 10 respondents have said that they have had to deal with employees who have accessed parts of a network that they were not authorized to enter. Perhaps even more worrying is the fact that 46% of employees admitted to transferring data from a work device to a personal computer to allow...

HIPAA Warning: Health Insurers Must Conduct A Full IT Security Audit
Mar20

A HIPAA data breach affecting 150,000 individuals is shocking. A breach involving 11 million individuals is astonishing. Both incidents have occurred this month, with the latest mega data breach affecting almost three times the number of individuals as the Community Health Systems data breach of last year, making it the largest healthcare data breach of all time and eclipsing the Tricare breach of 2011 that exposed 4.9 million records. It is clear that the healthcare industry has now entered a new era, in which companies are being targeted by criminals looking to steal data on a monumental scale. Health insurers make attractive targets as they hold the personal information, health data and Social Security numbers of tens of millions of consumers, and in many cases their network security measures are not particularly robust.

Huge Rewards for Hackers

According to a recent report issued by PricewaterhouseCoopers – Managing cyber risk in an interconnected world: key findings from the Global State of Information Security – the value of data is considerable. The report states that “A...

Data Breach Security Bill Criticized for Lack of Privacy Safeguards
Mar19

The Data Security and Breach Notification Act – commonly referred to as the Data Breach Security Bill – was announced by President Obama earlier this year in the State of the Union address. Last week the new bill was introduced, and the Subcommittee on Commerce, Manufacturing, and Trade held a meeting yesterday to discuss it. The aim of the bill is to improve cybersecurity measures throughout the United States and introduce new standards to protect the privacy of consumers. The new legislation was deemed necessary because, while there are numerous pieces of legislation covering data privacy and security, according to Vice Chairman of the House Energy and Commerce Committee Marsha Blackburn and Rep. Peter Welch, the new bill will “replace the current patchwork of laws” and introduce a single, national standard to protect the sensitive data of all consumers. According to a statement released by Blackburn, “This bill will help enhance the security of sensitive information and provide much needed clarity by creating a national standard and ensure that consumers are...

How To Strengthen Defenses Against HIPAA Data Hacking
Mar19

The large-scale data breaches that affected Anthem and Premera Blue Cross this year – and Community Health Systems in 2014 – are a sign of things to come. Healthcare providers, insurers, healthcare clearinghouses and healthcare business associates must face up to the fact that the game has now changed, and cyberattacks are now an inevitability, not just a possibility. Criminals have previously concentrated on obtaining credit card numbers to commit fraud, although following the major breaches of last year at Target and Home Depot, action is being taken by the retail industry to implement new safeguards and protect consumer data. As the $7 billion retail industry improves its defenses, hackers are turning to other, less protected industries, and the healthcare sector is the prime target. Thieves are now concentrating on obtaining Social Security numbers to sell on the black market. These numbers, especially when accompanied by healthcare data and other personal identifiers, can be used to commit identity and medical fraud, allowing criminals to commit millions of dollars of identity...

Amedisys Discovers Data Encryption Alone May Not Prevent A HIPAA PHI Breach
Mar17

The Baton Rouge-based home health and hospice provider Amedisys Inc. has issued approximately 6,900 breach notification letters to patients alerting them to a potential disclosure of their Protected Health Information. While most data breaches involving electronic Protected Health Information arise as a result of a failure to implement data encryption, this latest HIPAA breach occurred in spite of 256-bit data encryption being employed. The data breach was discovered when an audit of IT equipment revealed that 142 desktop computers and laptops were missing. The company ascertained that the missing computers had been issued to members of staff, but had not been recalled when those individuals’ employment came to an end. While the data was encrypted, the security keys for the devices remained active, so the protection put in place to protect PHI was rendered useless. The PHI stored on the computer hardware included Social Security numbers together with patient names, addresses, dates of birth, insurance ID numbers, medical records and other unspecified personally identifiable...

HIPAA Compliance and the Cloud
Mar13

The cloud offers many advantages to healthcare providers and other covered entities. It is possible to use cloud services and remain HIPAA compliant; however, it can be a long and arduous process to obtain all the necessary documentation to confirm that this is the case, and if you can’t, you could end up violating HIPAA Regulations. The cloud is convenient and flexible. Covered entities (CEs) can use private and secure cloud services which allow a great deal of customization, and there is now a wide range of companies offering cloud-based services to the healthcare industry; an industry that has traditionally lagged behind others when it comes to adopting new IT technology. However, any CE using the cloud must exercise extreme caution, especially when it comes to moving data to and from it. This is an area well covered by HIPAA regulations. Many healthcare providers have ventured into the cloud already and have implemented their own measures to ensure that PHI is secured. Today, a number of providers of cloud services are taking care of this aspect of the business and are offering “HIPAA...

Delegates Prepare for the 23rd National HIPAA Summit
Mar09

Next week, government department heads and industry leaders will meet at the 23rd National HIPAA Summit to give updates on the progress that has been made over the past 12 months and to provide information on new laws and regulations. The summit also offers an opportunity for compliance officers and other healthcare professionals to receive training on a wide range of healthcare IT and HIPAA-compliance issues. The threat of cyberattacks on healthcare providers has risen to an all-time high and healthcare costs are spiraling out of control. The industry may be in critical condition, yet healthcare providers, health plans and other covered entities must find the funding to improve data security and protect the privacy of patients and health plan members. Since the introduction of HIPAA this has been a major challenge, but with the introduction of HITECH, the Affordable Care Act (Obamacare), the move to ICD-10 coding and the passing of the HIPAA Omnibus Rule the challenge has grown. HIPAA-covered entities now face a huge financial and administrative burden to comply with these...

Study Says Website Security Gap in HIPAA Rules is Being Exploited
Mar02

A recent study into privacy violations on the web has been released, indicating that the majority of searches for health information could potentially result in third-party companies obtaining Protected Health Information. The study – Privacy Implications of Health Information Seeking on the Web – was devised and conducted by Timothy Libert, a Pennsylvania doctoral student. He claims that the third parties using this method to obtain data included data brokerages and online advertising companies. The problem is widespread, with 91% of health-related websites initiating HTTP requests to third parties; in 70% of cases these requests contained information that included symptoms and treatments of diseases. The data recorded on consumers is extensive, and the study cites Facebook, Google and ComScore, which were found to have collected data on approximately a third of users, with Google topping the table having collected data on 78% of its users. The problem with this invasion of privacy is that the information could potentially be used to discriminate against...

How to Prepare for a HIPAA Compliance Audit
Feb23

In 2011 the Department of Health and Human Services’ Office for Civil Rights developed an audit program to assess the state of healthcare compliance. The pilot audits, which started in 2011 and were completed in 2012, uncovered numerous violations of the HIPAA Privacy, Security and Breach Notification Rules. Only 11% of audited entities passed the audits with no observations or violations, while more than 60% of the audits uncovered security standard violations. The OCR was lenient on offenders and did not issue major fines for non-compliance issues; instead, action plans were developed to help the audited organizations implement the necessary safeguards to protect healthcare data. The OCR is not expected to be as lenient during the second phase of the audit program, which is due to commence later this year. The second phase is likely to see organizations fined for HIPAA violations in line with the new penalty structure introduced with the Omnibus Rule of 2013.

Phase 2 of the OCR Compliance Audit Program

One of the aims of the pilot round of audits was to discover which...

Brookings Report: HIPAA Hacks Up 1,800 Percent
Feb19

A new report by the Brookings Institution predicts a wave of HIPAA data breaches in 2015, claims that the healthcare industry is particularly vulnerable to attack, and says that there is a lack of consequences for healthcare providers that violate HIPAA Rules. The report suggests that if breaches are to be avoided, healthcare providers, health plans, clearing houses and business associates must invest more heavily in IT security and must be further incentivized to make changes to improve privacy and security standards. The Brookings Institution was founded in 1916 following the formation of the Institute for Government Research (IGR), and was the first organization devoted to analyzing public policy issues at the national level. The organization has produced numerous influential proposals for Congress, homeland security and a number of intelligence operations, has helped shape debates and has influenced national policies. The latest report focuses on data security in the healthcare industry, and the timing of its release couldn’t be more appropriate, in the week that followed the...

Wearable Devices Carry High Risk of Causing HIPAA Violations
Feb18

Advances in technology have allowed wearable devices to be developed to monitor health and fitness, and while these gadgets, monitors and sensors have the potential to greatly improve healthcare, they also carry a high risk of causing a HIPAA violation. Over the past 12 months the number of devices in use has grown at a tremendous rate. In 2013 the market for wearable devices was estimated to be worth $1.4 billion, and by 2024 sales of wearable devices are expected to generate $70 billion per year.

High Risk of Data Exposure

Wearable devices include fitness bands, such as those developed by Fitbit, which record detailed data during exercise and everyday living. In 2011, users of the devices discovered just how much personal information was saved, stored and, unfortunately for many, also shared with the online community. Some discovered their exercise data had been indexed by Google and was publicly available. Not only was data from jogging, cycling and running sessions recorded, but also much more personal information, including other forms of “exercise”. This included kissing,...

2015 Healthcare Cybersecurity Threats
Feb17

The healthcare industry is facing an elevated threat of attacks by hackers, and healthcare providers and insurers are being targeted for the data they hold on patients and plan members. The threat does not only come from cyberspace, as thieves are on the hunt for the laptops and mobile devices of healthcare professionals for the information they contain. Personal information and healthcare data carry a high value on the black market, and Social Security numbers, personal identifiers, ePHI and Medicare details are impossible for criminals to resist, especially when the databases storing that information contain tens of millions of individuals’ records and have substandard protections.

Healthcare Data Privacy and Security Threats

Healthcare organizations must fight a battle against cybercriminals on many fronts. HIPAA-covered entities must shore up defenses and thoroughly assess their organization for weaknesses, before implementing a plan to manage any potential security risks that are identified. Multi-level security systems must then be installed to ensure data is properly...

AIS Network Announces Launch of HIPAA Compliant Secure Cloud Services
Feb16

AIS Network has announced the launch of a range of managed High Security Private Cloud services which are fully HIPAA-compliant and have been developed to offer the highest levels of security as required by the healthcare sector. The company’s new range of services is fully compliant with HIPAA, HITECH, PCI and FISMA, and has been developed specifically for highly regulated industries. Many healthcare providers are reluctant to outsource their IT services, in particular if they involve contact with highly sensitive data. Outsourcing payment and patient portals and data storage can increase the risk of committing HIPAA violations. In order for healthcare providers to make the switch to managed cloud services they must be confident that the service provider they choose understands healthcare regulations and can guarantee 100% HIPAA compliance. Few providers are prepared to give such a guarantee. AIS Network provides a solution with a suite of compliant High Security Cloud Services built on the Microsoft Cloud Platform. This ensures easy integration with existing healthcare...

Analysts Suggest Link Between CHS and Anthem HIPAA Breaches
Feb13

Anthem has started an investigation into the data breach which exposed the personal data of up to 80 million Americans and is attempting to determine how hackers gained access to its systems. The insurer has announced that the first attempt possibly dates back to 10th December, 2014; however, some analysts believe the attackers may have first gained a foothold in the computer systems some nine months previously, with the system potentially having been compromised in April 2014. The report, published in Forbes, suggests that the “Cybercriminal infrastructure likely used to siphon 80 million Social Security numbers and other sensitive data” bears similarities to the techniques used by a known state-sponsored Chinese hacking group. The group, which operates under names such as Deep Panda, Group 72 and Axiom, was responsible for a number of hacks on US companies. The breach has also been linked by some experts to the Heartbleed Bug, which first emerged in 2011. The fix for the bug was issued in April last year, yet in spite of the danger, many millions of websites have yet to have had the fix...

Should HIPAA be Expanded to Improve Defenses Against Hackers?
Feb12

The recent massive data breach at Anthem Inc. has caused the HIPAA Privacy and Security Rules to come under the spotlight, with many asking if the legislation – in its current form – goes far enough to protect the privacy of patients and health plan members. The Anthem breach could potentially have been avoided had the insurer used full data encryption along with the appropriate security controls to keep the encryption keys private. HIPAA Rules could certainly be tightened to improve data security, but that is no guarantee that healthcare organizations would comply promptly and implement those additional controls. HIPAA does not currently specify that an organization must use data encryption, only that the issue must be addressed. Data encryption is therefore voluntary, and according to a Forrester Research report released in September 2014, only 59% of healthcare organizations had implemented full-disk encryption or partial encryption of healthcare data. Before covering the question of whether legislation needs to be tightened, here is a refresher of what legislation has been...

Anthem Data Breach Expected to Cost Over $100 Million
Feb12

A HIPAA breach carries a huge financial penalty, and one on the scale of that which recently affected Anthem Inc. is expected to result in costs of many tens of millions of dollars. Anthem holds an insurance policy from the American International Group to protect against cybercrime and data exposures, and is covered for losses up to $100 million. Even this sizeable amount may be exhausted by the latest data breach. The total cost, which is unlikely to be known for many months, may exceed the $100M barrier once the cost of issuing breach notifications, paying OCR penalties, implementing new security measures and fighting lawsuits is factored in. Further costs must also be covered to mitigate any damage caused, such as providing credit monitoring services to victims free of charge. Anthem originally offered a year of credit monitoring services but has since extended this to two years. If 80 million individuals have been affected, damage mitigation costs alone will take up a sizeable chunk of the insurance payment. The OCR has already announced that it is looking into the breach as a...

Details Emerge of Anthem HIPAA Breach
Feb11

The colossal security breach at Anthem Inc., which exposed the Social Security numbers and personal details of 78.8 million plan members, is understood to have involved data from as early as 2004. The investigations are ongoing and it is currently not known exactly how many of its members have been affected. A recent U.S. News and World Report article indicates that hackers previously attempted to access the system as early as December 10, 2014. Anthem’s announcement of the breach indicated that January 27, 2015 was the first occasion on which access had been gained. Anthem spokeswoman Kristin Binns did not confirm the exact date of the breach, but later announced that “The hackers succeeded in penetrating the system and stealing customer data sometime after Dec. 10 and before Jan. 27”. Forensic investigators have discovered a number of network access attempts that all carry the same hallmarks, and it would appear that numerous unauthorized data access queries were made during this period using the login credentials of five Anthem technical workers. The company’s security system appears to...

Federal Officials to Explore HIPAA Rules on Data Encryption
Feb10

On Friday last week, a day after Anthem Inc. announced the largest ever reported HIPAA breach, the Senate Health, Education, Labor and Pensions committee announced that healthcare IT security is to be addressed and that it will “take up the matter as part of a bipartisan review of health information security”. The AP reports Jim Jeffries, spokesman for chairman Lamar Alexander, R-Tenn., as saying “We will consider whether there are ways to strengthen current protections.” Last year saw major data breaches at Sony Pictures and Target which exposed highly sensitive information about employees and customers, while the healthcare industry was hit with a number of breaches, including the successful hacking of Community Health Systems in April and June, in which 4.5 million patient records were exposed. The latest incident is on an unprecedented scale in healthcare, having affected up to 80 million individuals. The latest breach confirms the FBI’s warning of increased attacks on healthcare organizations. Hackers are targeting organizations for the data they hold and the...

HHS Updates HIPAA Data Breach Reporting Portal
Feb05

A new OCR HIPAA Web Portal has been installed on the HHS website, streamlining data collection on potential HIPAA violations and the reporting of HIPAA Privacy and Security Breaches. The second round of HIPAA compliance audits – originally penciled in for October 2014 – was delayed due to the implementation of the new web portal. The update signals that the Office for Civil Rights is making good progress, and that it will soon be in a position to start sending pre-audit surveys and commence Phase 2 of its HIPAA compliance audit program.

HIPAA Breach Report Portal Changes

The previous web portal consisted of a single page for filing reports, while the new Java-based wizard takes the user through a multi-step complaint/breach reporting process. Each step must be completed before progressing to the next section. The new wizard makes it more straightforward to file reports, although initially it may prove more time consuming for users. When filing breach reports or making HIPAA Privacy complaints, the user is routed through a series of specific questions with the...

National Data Exchange Roadmap Released by ONC
Jan30

The Meaningful Use program has helped encourage healthcare providers to make the move from paper files to electronic health records. Now that the majority of organizations have moved to EHRs, the next step is for further policies and procedures to be developed to allow the healthcare industry to obtain the full benefits of digital record-keeping. Covered entities must continue to invest in technology to improve communication of data while also employing the appropriate safeguards to protect it from prying eyes. To help the industry achieve the main benefits of EHRs, while ensuring the data is properly protected, the Department of Health and Human Services’ Office of the National Coordinator for Health IT has been working on a roadmap.

The ONC Interoperability Roadmap – A 10-Year Plan for EHRs

The first draft of the roadmap has now been issued. The main aim of this new Interoperability Plan is to make it possible for physicians and other medical professionals to obtain quick access to EHRs and to be able to view and share patient data in a timely manner. Access to this information...

OCR to Clarify HIPAA Rules for Mobile Health Companies
Jan30

The HHS has responded to a letter sent by Representative Peter DeFazio (D-OR) requesting clearer guidance on HIPAA Rules relating to the mobile health industry, and has confirmed that the OCR does intend to work more closely with the industry to ensure HIPAA Rules are being followed. In September last year, Representatives DeFazio and Tom Marino (R-PA) wrote to HHS Secretary Sylvia Burwell requesting much-needed updates to HHS guidance on HIPAA. The letter pointed out that the technical compliance guidelines had not been updated in the past 8 years, yet the pace of technological change over the same period has been considerable, with the past 6 years having seen the market for mobile apps – including mobile health apps – grow into a $68 million industry. Burwell replied to the letter a month later in November, although her response has only just been made public. She confirmed that the HHS is aware of the rapid growth in the use of technology, that it understands there are a number of issues with HIPAA Privacy and Security Rule compliance, and that the guidance it has...

FTC Calls for Greater Protection than HIPAA for Internet of Things
Jan28

This week, the FTC published a new report calling for greater privacy and security controls to be implemented covering the Internet of Things (IoT). The growth of digital technology over the past few years has seen numerous new mobile devices come to market which can record and share detailed information about the owner’s health and lifestyle. Digital cameras can now take photos at the press of a button, and those images can just as easily be shared with others. Home automation systems similarly store data, while wearable devices such as fitness trackers and Smartwatches record health metrics and use GPS systems to track individuals. All of this highly detailed data is stored in the cloud, on the devices themselves, and potentially on the devices of friends, family and acquaintances. There is potential for this data to be shared with unauthorized individuals, and controls must be put in place to reduce the risk of unauthorized disclosure. In an increasingly interconnected digital world, data privacy and security are of paramount importance. The FTC pointed out that six years ago...

Healthcare Technology Trends for 2015
Jan23

A wealth of new technology is knocking on the door of the healthcare industry and, with the current pace of development, 2015 promises to be a very exciting year. Last year we saw health technology develop at a tremendous pace. In 2014 alone, investment in health technology topped $5 million, more than double the investment of the previous year. However, rapidly escalating costs, fast-reducing budgets and more stringent regulations are putting the industry under more pressure than ever before, and the strain is starting to show. Cutting costs while improving treatment outcomes and complying with HIPAA, HITECH and Meaningful Use creates the biggest challenge for the healthcare industry in 2015. The use of big data, powerful analytics, predictive technologies, the Internet of Things and 3D printing are all expected to have a major impact in 2015; however, predicting the trends that will have the most significant impact on the healthcare industry – in light of the daily technological advances – is a tall order. Some of the major issues, innovative technologies and HIT...

Government to Help Mobile Health Developers Comply with HIPAA
Jan22

Mobile health apps have great potential to improve efficiency in healthcare as well as patient outcomes; however, developers of mobile health apps are struggling to attract interest from healthcare providers due to fears that their products would cause violations of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA Privacy and Security Rules serve to protect patient privacy and keep health and personal data secure. Substantial financial penalties are being issued by both the Office for Civil Rights and Attorney General’s Offices for non-compliance, and understandably healthcare providers are being extremely cautious with any new technology or software that could potentially touch the Protected Health Information of their patients. The App Association (ACT) – an advocacy and educational organization representing mobile app developers – wrote to the Office for Civil Rights requesting clarification on HIPAA privacy rules and how they apply to mobile developers. Developers are keen to incorporate the required privacy controls to ensure HIPAA compliance;...

Obama’s Cybersecurity Plan Could Preempt HIPAA
Jan16

This week President Obama announced a number of new initiatives aimed at improving cybersecurity to better protect consumers. 2014 was a year that saw hackers successfully gain access to the computer systems of retailers, corporations, healthcare providers and educational institutions; even the Pentagon’s Twitter account was successfully hacked. Cybercriminals were able to steal and expose personal and corporate data, commit identity fraud, obtain Medicare and Medicaid services and make fraudulent insurance claims, and the threats remain for those individuals affected. The volume of electronic personal data now being stored means security breaches can easily affect many millions of individuals. Last year U.S. companies – and many healthcare organizations – were targeted by criminals, and highly complex attacks exposed financial and personal consumer data on a grand scale. Home Depot hackers stole the credit card information and personal data of 56 million Americans. Hackers were able to obtain 40 million credit card numbers from Target as well as the personal information of...

Federal Advisers to Propose Legislative Changes Covering Big Data
Jan15

The Health IT Policy Committee’s Privacy and Security Workgroup has been assessing a number of Big Data issues affecting the privacy and security of patients, following on from two public hearings hosted by the group in December last year. The ultimate aim is for the workgroup to make a number of policy recommendations to the Office of the National Coordinator for Health IT, and ultimately to have these recommendations incorporated into new federal DHHS policies. The public hearings allowed stakeholders to voice their concerns about the use of big data in healthcare, as well as to highlight the benefits it can bring, such as improving patient care and treatment outcomes while reducing operational costs. There is naturally a balance to be struck to ensure the benefits can be gained while privacy risks to individuals are minimized. Having gained valuable information at the hearings, the workgroup now has the task of assessing current policies and determining whether the right framework is in place to gain the all-important benefits while protecting patient privacy. A number...

Lack of Mobile Device IT Support in Hospitals Frustrates Physicians
Jan15

According to a recent report by Spyglass Consulting, the use of Smartphones and tablets by doctors has now risen to an estimated 96%; yet only ten percent of those physicians are willing to use their own devices to communicate or to access the electronic health records of their patients. Furthermore, a lack of support from hospital IT departments negates much of the usefulness of these devices in a healthcare environment. One of the major problems comes from a lack of suitable EMR tools provided by the hospital. Many hospitals and clinics are opting for desktop virtualization tools such as those provided by Citrix, and while in theory these tools should work, in practice the system is despised by physicians because of frequent crashes and user-unfriendly navigation. There is a lack of investment in IT infrastructure, according to Spyglass MD Gregg Malkary. He believes many hospitals that are not part of Meaningful Use are unwilling to make the necessary investments in mobile technology. Spyglass spoke with 100 doctors who are up to date with current technology as part of its research for...

CHIME Leader Says Healthcare Cybersecurity is Top Priority in 2015
Jan14

Charles Christian, FCHIME, LCHIME, CHCIO, holds the 2015 Trustees Chair at the College of Healthcare Information Management Executives (CHIME) and believes 2015 will be a year in which positive changes are made to improve cybersecurity in healthcare, although many challenges are faced. Just as new technology is being used – and exploited – by cybercriminals looking to gain access to the Protected Health Information of patients, healthcare providers can just as easily use technology to keep the data of their patients protected. The technology exists to prevent external unauthorized third parties from gaining access to protected information, and it must be used to ensure that data remains confidential and private. Evolving technologies are allowing greater protections to be placed on data, which can be effectively secured both in motion and at rest. CHIME is committed to educating its members on new technology, how it can be used, and implementing best practices to keep electronic Protected Health Information secure. Christian believes positive patient identification and cybersecurity to be...

New Jersey Extends HIPAA: PHI Data Encryption Mandatory
Jan13

New Jersey Governor Chris Christie signed a new law last week that extends the reach of HIPAA, calling for New Jersey healthcare providers to make greater efforts to keep the electronic health records of patients secure. The new law will go into effect in July this year and requires all covered entities to use data encryption software on all electronic devices that contain Protected Health Information. HIPAA does not currently require all health data to be encrypted; the legislation only states that the “encryption of healthcare data must be addressed”. The new law takes this further and mandates encryption. When the law comes into effect in the summer, all end user computer systems, including laptop computers, desktop PCs, portable storage devices, tablets and Smartphones, will require PHI to be encrypted. The new law states: “Health insurance carriers shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable,...

Top 10 Technology Trends for Healthcare in 2015
Jan12

The latest technology offers healthcare providers an incredible opportunity to improve the standard of care they are able to provide to their patients, and C-suiters appear keen to implement the new tech; however, it is essential that any technological advance is assessed for its cost effectiveness as well as the benefit it brings to patients. This week the ECRI Institute published a list of the top ten technologies which could revolutionize the healthcare industry, which have the potential to improve the level of care provided to patients as well as reduce operational costs. The Top 10 Hospital C-Suite Watch List highlights the most exciting new technologies that could benefit the healthcare industry and suggests that top level management keeps a close eye on developments over the coming 18 months. ECRI is a not-for-profit organization dedicated to researching new technologies, medications, processes and different approaches with the aim of improving the level of care provided to patients. ECRI has over 45 years’ experience providing technical assistance to the healthcare industry and...

HIPAA-Compliant Custom App Development Services Now Provided by Caspio
Jan06

Caspio has recently announced that it is now offering HIPAA Compliant Professional Services for App Development, following on from the success of its popular HIPAA Enterprise Platform as a service. Caspio is a leading cloud platform provider and offers its platform-as-a-service to businesses and organizations in the public and private sector, allowing them to develop powerful web and mobile applications to improve efficiency, usability and integration between colleagues and customers. Its cloud platform has been adopted by hundreds of businesses, including some of the biggest names in retail, insurance, manufacturing, logistics and online media, as well as by numerous non-profit organizations, educational establishments and government agencies. The company’s platform allows web and mobile applications to be created quickly that can streamline administrative processes and provide a greater level of automation and secure data management. Applications can be developed to track inventory, schedule resources, log registrations and training, create online customer portals, automate billing...

Major HIPAA Data Breaches Make 2014 a Landmark Year
Dec30

2014 has been a landmark year, although unfortunately for the healthcare industry, for the wrong reasons. This year has seen some of the largest recorded HIPAA data breaches ever to affect the healthcare industry, exposing the protected health data of millions of patients and costing the healthcare industry as a whole many tens of millions in fines and levies. The healthcare industry accounted for 42.3% of all data breaches recorded this year according to the Identity Theft Resource Center Report for 2014, and healthcare providers have been responsible for exposing the Protected Health Information of over 8 million Americans in 322 recorded breaches.

Healthcare Industry Warned of Major Breach Risk

The year had only just begun when the FBI released a stern warning to the healthcare industry that cybercriminals were likely to target the healthcare sector in the coming months, and that medical devices and hospital networks were at an elevated risk of a targeted attack. The FBI attributed the increased threat to the “mandatory transition from paper to electronic health records, lax...

Health Insurance Firms Focused on Big Data and Wearables
Dec24

There has been a lot of hype surrounding wearable technology in recent months, and over the past two years the industry has seen an incredible amount of investment in new technology as big brands and startups develop new ways to monitor, track and record body metrics and health information. Many new Smartwatches have been released this year, with 2015 expected to see the market flooded with new wearable devices. Smartwatches may not yet have become mainstream products, but surveys show the public is ready to embrace new fitness and health tracking devices. There has also been considerable interest in the devices from insurance companies, with some experts believing wearables could cause a massive shake-up in the industry and change how insurance premiums are calculated and sold to customers. If insurance companies want to sell more policies, reducing premiums can certainly win more business. If customers are unlikely to ever make a claim, there is no reason why they should not be rewarded with lower premiums. High risk clients naturally should pay more to cover their higher risk level. The...

Watch out for Wearables if you Want to Avoid a HIPAA Violation
Dec17

Wearable devices are rising in popularity, and now that Google Glass has been made available to all in the USA and UK, Apple is launching a Smartwatch and other big influential brands are heavily investing in wearables, the next few years could see the devices become the norm and used throughout the healthcare industry. Currently more than 25% of adults in the United States own a fitness tracker or use a Smartphone fitness tracking application, and a considerable amount of personal health data is now being recorded. A recent survey conducted by Juniper Research has predicted that the wearables market will grow ten-fold over the next 4-5 years and that over 180 million devices will have been sold by 2018. Google Glass is stealing the headlines; however, apps and fitness bands are the most popular method of tracking health and wellness at the present time. The data recorded could revolutionize healthcare, allowing preventative steps to be taken to help patients avoid illness and injury. Smart glasses such as Google Glass may not prove so popular with consumers, but the benefits to business are...

Sony Pictures Confirms Breach Potentially Exposed HIPAA Data
Dec16

Sony Pictures has made an announcement confirming that the protected health information of some employees could have been exposed in this month’s security breach. Employees were sent a breach notification letter earlier this week containing details of the data the company believes was exposed. While the written notification letters have only just been mailed, an email was sent to all affected employees earlier this month alerting them to the security breach and stating that computer records had been compromised. In that email Sony Pictures suggested that all affected persons sign up for credit monitoring services with AllClearID, the company being used by Sony Pictures to help mitigate any damage caused. The notification letter reiterated the need to sign up for credit monitoring services and provided additional details about the breach, including more information on the scale of the data exposure. Earlier this month some computers at Sony Pictures were hacked in what appears to be a targeted attempt to steal company and employee data. Some of the data has already been posted on...

5 Actions to Take to Secure Healthcare IT Systems and Prevent HIPAA Breaches
Dec11

The publication of data from the 2013 Survey on Medical Identity Theft by the Ponemon Institute has highlighted the prevalence of medical identity fraud and has shown the crime is becoming much more commonplace. Over the past 12 months the number of reported cases of medical identity fraud has risen by 20%. There are now believed to be over 1.84 million Americans affected by medical identity fraud. The cost is colossal and is a huge drain on the economy, while the victims have had to cover over $12.3 billion in out-of-pocket expenses. Many of the victims have had their medical records exposed in data breaches at healthcare organizations. If data breaches result from violations of HIPAA regulations, healthcare organizations can be held accountable. The HHS Office for Civil Rights is issuing substantial fines for non-compliance, and class action lawyers are keen to sign up victims of data breaches to claim damages. Even in cases where PHI has been accidentally exposed or deliberately hacked, healthcare organizations can still face hefty fines. In extreme cases it is...
