Dedicated to providing the latest
HIPAA compliance news

Our HIPAA news for small and mid-sized practices section covers common aspects of HIPAA Rules that are often neglected by small to medium-sized covered entities. This news section also includes the latest information for healthcare professionals and small to mid-sized clinics that are concerned about HIPAA-compliance and avoiding HIPAA Privacy, Security and Breach Notification Rule violations.

News items have been selected as they are of particular relevance for small to mid-sized healthcare practices.

The news items and articles in this section cover HIPAA violations and data breaches at small to mid-sized healthcare providers, settlements and regulatory fines issued by state attorneys general and the Department of Health and Human Services’ Office for Civil Rights (OCR), new state and federal compliance requirements and the latest news and guidance on HIPAA compliance from OCR and the ONC.

For up to date information delivered direct to your inbox, be sure to sign up for our weekly HIPAA newsletter.

Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft
Apr17

Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft

In federal court on Monday, Chief U.S. District Judge Gina M. Groh sentenced a former Berkeley Medical Center worker to 5 years’ probation for her role in an identity theft scam. In addition to probation, Angela Dawn Roberts, 42, of Stephenson, VA, must pay $22,000 in restitution. Angela Dawn Roberts, also known as Angela Dawn Lee, had been working for WVU University Healthcare since 2014. Roberts was employed to schedule appointments for patients at two medical centers – Berkeley Medical Center and Jefferson Medical Center – which provided her with access to patients’ protected health information. Roberts copied sensitive information onto paper, including names, birth dates, and Social Security numbers, and in some cases printed copies of identity documents. On January 19, 2017, Roberts was suspended following an internal investigation into data theft which was alleged to have occurred on June 27, 2016. She was fired on January 27, 2017 and was prosecuted for stealing patient health information. Approximately 7,000 patients whose information was accessed by Roberts were...

Read More
Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches
Apr03

Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches

Verizon has released its annual Protected Health Information Breach Report which delves deep into the main causes of breaches, why they occur, the motivations of internal and external threat actors, and the main threats to the confidentiality, integrity, and availability of PHI. For the report, Verizon analyzed 1,368 healthcare data breaches and incidents where protected health information (PHI) was exposed but not necessarily compromised. The data came from 27 countries, although three quarters of the breached entities were based in the United States where there are stricter requirements for reporting PHI incidents. In contrast to all other industry sectors, the healthcare industry is unique as the biggest security threat comes from within. Insiders were responsible for almost 58% of all breaches with external actors confirmed as responsible for just 42% of incidents. The main reason for insider breaches is financial gain. PHI is stolen to commit identity theft, credit card fraud, insurance fraud, and tax fraud. Verizon determined that 48% of all internal incidents were conducted...

Read More
What is Considered Protected Health Information Under HIPAA?
Apr02

What is Considered Protected Health Information Under HIPAA?

Protected health information – or PHI – is often mentioned in relation to HIPAA and healthcare, but what is considered protected health information under HIPAA? What is Considered Protected Health Information Under HIPAA Law? If you work in healthcare or are considering doing business with healthcare clients that requires access to health data, you will need to know what is considered protected health information under HIPAA law. The HIPAA Security Rule demands that safeguards be implemented to ensure the confidentiality, integrity, and availability of PHI, while the HIPAA Privacy Rule places limits the uses and disclosures of PHI. Violate any of the provisions in the HIPAA Privacy and Security Rules and you could be financially penalized. There are even criminal penalties for HIPAA violations. Claiming ignorance of HIPAA law is not a valid defense. Under HIPAA, protected health information is considered to be individually identifiable information relating to the health status of an individual, the provision of healthcare, or individually identifiable information that is created,...

Read More
South Dakota Enacts Data Breach Notification Law as Congress Considers Federal Breach Notice Bill
Mar28

South Dakota Enacts Data Breach Notification Law as Congress Considers Federal Breach Notice Bill

South Dakota has been slow to introduce legislation to improve protections for consumers affected by breaches of their personal information. Laws have already been introduced in 48 states that require individuals and companies that store personal information to issue notifications to breach victims when that information is compromised. Last week, South Dakota residents were given similar protections to those in place in neighboring states. On March 21, 2018, South Dakota attorney general Marty Jackley issued a statement confirming SB 62 had been signed by Governor Daugaard and will take effect on July 1, 2018. The bipartisan bill requires entities that experience a breach of personal information to issue notifications to affected state residents within 60 days of discovery of the breach – The same time frame as HIPAA. Personal information is classed as the full name or first initial and last name of a state resident in combination with either a government ID number, Social Security number, driver’s license number, credit/debit card number (with an associated code that allows the...

Read More
Research Suggests Healthcare Data Breaches Cause 2,100 Deaths a Year
Mar27

Research Suggests Healthcare Data Breaches Cause 2,100 Deaths a Year

A researcher at Vanderbilt University has conducted a study that suggests mortality rates at hospitals increase following a data breach as a result of a drop in the standard of care. The researcher estimates healthcare data breaches may cause as many as 2,100 deaths a year in the United States. The study was conducted by Owen Graduate School of Management researcher, Dr. Sung Choi. The findings of the study were presented at a recent cyberrisk quantification conference at Philadelphia’s Drexel University LeBow College of Business. Cyberattacks can have a direct impact on patient care, which has been clearly highlighted on numerous occasions over the past 12 months. Ransomware and wiper malware attacks have crippled information systems and have forced healthcare providers to cancel appointments, while the lack of access to patient health records can cause treatment delays. Notable attacks that caused major disruption were the NotPetya wiper and WannaCry ransomware attacks last year, with the latter causing major problems for the National Health Service in the UK. Choi explained that...

Read More
HIPAA Rules on Contingency Planning
Mar27

HIPAA Rules on Contingency Planning

In its March 2018 cybersecurity newsletter, OCR explained HIPAA Rules on contingency planning and urged healthcare organizations to plan for emergencies to ensure a return to normal operations can be achieved in the shortest possible time frame. A contingency plan is required to ensure that when disaster strikes, organizations know exactly what steps must be taken and in what order. Contingency plans should cover all types of emergencies, such as natural disasters, fires, vandalism, system failures, cyberattacks, and ransomware incidents. The steps that must be taken for each scenario could well be different, especially in the case of cyberattacks vs. natural disasters. The plan should incorporate procedures to follow for specific types of disasters. Contingency planning is not simply a best practice. It is a requirement of the HIPAA Security Rule. Contingency planning should not be considered a onetime checkbox item necessary for HIPAA compliance. It should be an ongoing process with plans regularly checked, updated, and tested to ensure any deficiencies are identified and...

Read More
What is the Civil Penalty for Knowingly Violating HIPAA?
Mar26

What is the Civil Penalty for Knowingly Violating HIPAA?

What is the civil penalty for knowingly violating HIPAA Rules? What is the maximum financial penalty for a HIPAA violation and when are fines issued? In this post we answer these questions and explain about the penalties for violating HIPAA Rules What is HIPAA? The Health Insurance Portability and Accountability Act – HIPAA – is a federal law that applies to healthcare organizations and healthcare employees. HIPAA requires healthcare organizations to develop policies and procedures to protect the privacy of patients and implement safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). HIPAA places restrictions on the uses of health data, who can be provides with copies of health information, and gives patients the right to obtain copies of their health data. HIPAA covered entities are typically healthcare providers, health plans, and healthcare clearinghouses. HIPAA also applies to vendors and suppliers (business associates) that require access to PHI to perform their contracted duties. As with other federal laws, there are...

Read More
How to Become HIPAA Compliant
Mar21

How to Become HIPAA Compliant

If you would like to start doing business with healthcare organizations you will need to know how to become HIPAA compliant, what HIPAA compliance entails, and how you can prove to healthcare organizations that you have implemented all the required safeguards and privacy controls to ensure the confidentiality, integrity, and availability of any protected health information you will be provided with or given access to. How to Become HIPAA Compliant There are no shortcuts if you want to become HIPAA compliant. HIPAA compliance means implementing controls and safeguards to ensure the confidentiality, integrity, and availability of protected health information and developing policies and procedures in line with the Healthcare Insurance Portability and Accountability Act (1996), the HIPAA Privacy Rule (2000), the HIPAA Security Rule (2003), the Health Information Technology for Economic and Clinical Health Act (2009), and the Omnibus Final Rule (2013). To become HIPAA compliant, you will need to study the full text of HIPAA (45 CFR Parts 160, 162, and 164) – which the Department...

Read More
Healthcare Data Breach Statistics
Mar20

Healthcare Data Breach Statistics

We have compiled healthcare data breach statistics from October 2009 when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website. The healthcare data breach statistics below only include data breaches of 500 or more records as smaller breaches are not published by OCR. The breaches include closed cases and breaches still being investigated by OCR. Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 9 years, with 2017 seeing more data breaches reported than any other year since records first started being published. There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015, although better policies and procedures and the use of encryption has helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches...

Read More
Analysis of February 2018 Healthcare Data Breaches
Mar19

Analysis of February 2018 Healthcare Data Breaches

Our February 2018 healthcare data breach report details the major data breaches reported by healthcare providers, health plans, and business associates in February 2018. Summary of February 2018 Healthcare Data Breaches February may have been a shorter month, but there was an increase in the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. In February, HIPAA covered entities and business associates reported 25 breaches – a 19% month on month increase in breaches. While there was a higher breach tally this month, the number of healthcare records exposed as a result of healthcare data breaches fell by more than 100,000. In January 428,643 healthcare records were exposed. February 2018 healthcare data breaches saw 308,780 healthcare records exposed. Largest Healthcare Data Breaches of February 2018 The largest healthcare data breaches reported to the Office for Civil Rights in February are listed below. Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of PHI St. Peter’s Surgery...

Read More
Survey Reveals 62% of Healthcare Organizations Have Experienced a Data Breach in the Past Year
Mar14

Survey Reveals 62% of Healthcare Organizations Have Experienced a Data Breach in the Past Year

A recent Ponemon Institute survey has revealed 62% of healthcare organizations have experienced a data breach in the past 12 months. More than half of those organizations experienced data loss as a result. The Merlin International sponsored survey was conducted on 627 healthcare industry leaders from hospitals and payer organizations. 67% of respondents worked in hospitals with 100-500 beds and had an estimated 10,000 to 100,000 networked devices. Last year more than 5 million healthcare records were exposed or stolen, and the healthcare was the second most targeted industry behind the business sector. 2017 was the fourth consecutive year that the healthcare industry has been second for data breaches and there are no signs that cyberattacks are likely to reduce over the coming year. Even though there is a high probability of experiencing a cyberattack, 51% of surveyed organizations have yet to implement an incident response program. This lack of preparedness can hamper recovery if a cyberattack is experienced. As the Cost of a Data Breach Study by the Ponemon Institute showed, a...

Read More
What is a HIPAA Violation?
Mar14

What is a HIPAA Violation?

Barely a day goes by without a news report of a hospital, health plan, or healthcare professional violating HIPAA, but what is a HIPAA violation and what happens when a violation occurs? What is a HIPAA Violation? The Health Insurance Portability and Accountability Act of 1996 is a landmark piece of legislation that was introduced to simplify the administration of healthcare, eliminate wastage, prevent healthcare fraud, and ensure that employees could maintain healthcare coverage when between jobs. There have been notable updates to HIPAA to improve privacy protections for patients and health plan members over the years which help to ensure healthcare data is safeguarded and the privacy of patients is protected. Those updates include the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule. A HIPAA violation is a failure to comply with any aspect of HIPAA standards and provisions detailed in detailed in 45 CFR Parts 160, 162, and 164. The combined text of all HIPAA regulations published by the Department of Health and Human Services...

Read More
Is it a HIPAA Violation to Email Patient Names?
Mar14

Is it a HIPAA Violation to Email Patient Names?

We have been asked is it a HIPAA violation to email patient names and other protected health information? In answer to this and similar questions, we will clarify how HIPAA relates to email and explain some of the precautions HIPAA covered entities and healthcare employees should take to ensure compliance when using email to send electronic protected health information. Is it a HIPAA Violation to Email Patient Names? Patient names (first and last name or last name and initial) are one of the 18 identifiers classed as protected health information (PHI) in the HIPAA Privacy Rule. HIPAA does not prohibit the electronic transmission of PHI. Electronic communications, including email, are permitted, although HIPAA-covered entities must apply reasonable safeguards when transmitting ePHI to ensure the confidentiality and integrity of data. It is not a HIPAA violation to email patient names per se, although patient names and other PHI should not be included in the subject lines of emails as the information could easily be viewed by unauthorized individuals. Even when messages are protected...

Read More
2018 HIPAA Changes and Enforcement Outlook
Mar13

2018 HIPAA Changes and Enforcement Outlook

Are there likely to be major 2018 HIPAA changes? What does this year have in store in terms of new HIPAA regulations? OCR Director Roger Severino has hinted there could be some 2018 HIPAA changes and that HIPAA enforcement in 2018 is unlikely to slowdown. Are Major 2018 HIPAA Changes Likely? The Trump administration has made it clear that there should be a decrease rather than an increase in regulation in the United States. In January 2017, Trump signed an executive order calling for a reduction in regulation, which was seen to be hampering America’s economic growth. At the time Trump said, “If there’s a new regulation, they have to knock out two. But it goes far beyond that, we’re cutting regulations massively for small business and for large business.” While Trump was not specifically referring to healthcare, it is clear we are currently in a period of deregulation. Trump’s words were recently echoed by Severino at the HIMSS conference who confirmed the HSS understands deregulation in some areas is required before further regulations can be introduced. Therefore, there are...

Read More
Is Office 365 HIPAA Compliant?
Mar12

Is Office 365 HIPAA Compliant?

Is Microsoft Office 365 HIPAA compliant? Can healthcare organizations use Office 365 and remain in compliance with HIPAA and HITECH Act Rules? What is Office 365? Office 365 is a suite of subscription products developed by Microsoft that includes Word, Excel, PowerPoint, OneNote, Outlook, Publisher, and Access. Office 365 for Healthcare Microsoft is willing to enter into a business associate agreement (BAA) with HIPAA covered entities for Office 365 and Microsoft Dynamics CRM Online, provided the latter is purchased through Volume Licensing Programs or the Dynamics CRM Online Portal. The Microsoft BAA also covers the use of the Microsoft Azure cloud platform. Microsoft does not demand that a BAA be obtained prior to use of Office 365, as the BAA is automatically made available to customers with an online service contract. However, HIPAA covered entities should obtain a BAA prior to use of Office 365 in conjunction with any electronic protected health information (ePHI). They should also specify an administrative contact. In the event of a security breach, the administrative contact...

Read More
HIPAA Social Media Rules
Mar12

HIPAA Social Media Rules

HIPAA was enacted several years before social media networks such as Facebook were launched, so there are no specific HIPAA social media rules; however, there are HIPAA laws and standards that apply to social media use by healthcare organizations and their employees. Healthcare organizations must therefore implement a HIPAA social media policy to reduce the risk of privacy violations. There are many benefits to be gained from using social media. Social media channels allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media websites. However, there is also considerable potential for HIPAA Rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules? HIPAA and Social Media The first rule of using social media in healthcare is to never disclose...

Read More
Alabama Data Breach Notification Act Passed by State Senate
Mar08

Alabama Data Breach Notification Act Passed by State Senate

The Alabama Data Breach Notification Act (Senate Bill 318) has advanced for consideration by the House of Representatives after being unanimously passed by the Alabama Senate last week. Alabama is one of two states that has yet to introduce legislation that requires companies to issue notifications to individuals whose personal information is exposed in data breaches. The other state – South Dakota – is also considering introducing similar legislation to protect state residents. The Alabama Data Breach Notification Act, proposed by Sen. Arthur Orr (R-Decatur), requires companies doing business in the state of Alabama to issue notifications to state residents when their sensitive personal information has been exposed and it is reasonably likely to result in breach victims coming to substantial harm. Entities that would be required to comply with the Alabama Data Breach Notification Act are persons, sole proprietorships, partnerships, government entities, corporations, non-profits, trusts, estates, cooperative associations, and other business entities that acquire or use sensitive...

Read More
Is a HIPAA Violation Grounds for Termination?
Mar07

Is a HIPAA Violation Grounds for Termination?

Is a HIPAA violation grounds for termination? What actions are healthcare organizations likely to take if they discover an employee has violated HIPAA Rules? Since the introduction of the HIPAA Enforcement Rule, the HHS’ Office for Civil Rights has been able to pursue financial penalties for HIPAA violations. Organizations discovered to have violated HIPAA Rules or failed to have implemented policies and procedures in line with HIPAA Rules can face severe financial penalties. But what about individual employees who accidentally or deliberately violate HIPAA and patient privacy? Do Most Healthcare Organizations Consider a HIPAA Violation Grounds for Termination? Not all HIPAA violations are equal, although any violation of HIPAA Rules is a serious matter that warrants investigation and action by healthcare organizations. When a HIPAA violation is reported – by an employee, colleague or patient – healthcare organizations will investigate the incident and will attempt to determine whether HIPAA laws were violated, and if so, how the violation occurred, the implications for...

Read More
What Happens if You Violate HIPAA?
Mar07

What Happens if You Violate HIPAA?

If you work in healthcare you should have a good working knowledge of HIPAA rules, exercise diligence, and ensure that HIPAA Rules are always followed, but what happens if you violate HIPAA? What are the likely repercussions for accidentally or knowingly violating HIPAA Rules? What happens if you violate HIPAA will depend on the type of violation, its severity, the harm caused to others, and the extent to which you knew that HIPAA Rules were being violated. Disciplinary Action and Termination If at the time of the violation you were unaware that you make a mistake, the violation was minor, and no harm has been caused, the violation may be dealt with internally. Verbal or written warnings may be issued and further training on HIPAA compliance would be appropriate. For more serious violations, especially in cases where HIPAA Rules have been knowingly violated, termination is likely. The violation may be reported to licensing boards who can place restrictions on licenses. Suspension and loss of license is a possibility. Civil Penalties The Department of Health and Human Services’...

Read More
EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach
Mar07

EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach

A 2016 mailing error by EmblemHealth that saw the Health Insurance Claim Numbers of 81,122 plan members printed on the outside of envelopes has resulted in a $575,000 settlement with the New York Attorney General. While all mailings include a unique patient identifier on the envelope, in this case the potential for harm was considerable as Health Insurance Claim numbers are formed using the Social Security numbers of plan members. Announcing the settlement, New York Attorney General Eric T. Schneiderman explained that Health Insurance Portability and Accountability Act (HIPAA) Rules require HIPAA covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality of patients’ and plan members’ protected health information. The error that saw Social Security numbers exposed violated HIPAA Rules. EmblemHealth failed to comply with “many standards and procedural specifications” required by HIPAA. Attorney General Schneiderman also said that printing Social Security numbers on the outside of envelopes violated New York General Business Law §...

Read More
What is HIPAA Certification?
Mar06

What is HIPAA Certification?

Many vendors would like HIPAA certification to confirm they are fully compliant with HIPAA Rules and understand all aspects of the Health Insurance Portability and Accountability Act (HIPAA), but is it possible to obtain HIPAA certification to confirm HIPAA compliance? What is HIPAA Certification? In an ideal world, HIPAA certification would confirm that all aspects of HIPAA Rules are understood and being followed. If a third-party vendor such as a transcription company was HIPAA certified, it would make it easier for healthcare organizations looking for such as service to select an appropriate vendor. Many companies claim they have been certified as HIPAA compliant or in some cases, that they are ‘HIPAA Certified’. However, ‘HIPAA Certified’ is a misnomer. There is no official, legally recognized HIPAA compliance certification process or accreditation. There is a good reason why this is the case. HIPAA compliance is an ongoing process. An organization may be determined to be in compliance with HIPAA Rules today, but that does not mean that they will be tomorrow or at some point in...

Read More
Is Google Slides HIPAA Compliant?
Mar05

Is Google Slides HIPAA Compliant?

Is Google Slides HIPAA compliant? Can Google Slides be used by healthcare organizations without violating HIPAA Rules? This post explores whether Google Slides is HIPAA compliant and whether it is possible to use the presentation editor in connection with electronic protected health information. Google Slides is a presentation editor that allows users to create slide shows, training material, and project presentations. It is an ideal option for users who do not regularly create slide shows or presentations and do not have a software package that offers the same functionality. Google Slides is available free of charge for consumers to use and is equivalent to Microsoft’s PowerPoint. Healthcare organizations that are looking to create training courses and slideshows that involve the use of data protected by HIPAA need to exercise caution. Use of Google Slides with electronic protected health information could potentially violate HIPAA Rules and patient privacy. That could all too easily result in a financial penalty. Google Slides is a web-based presentation program that is not...

Read More
What Covered Entities Should Know About Cloud Computing and HIPAA Compliance
Feb19

What Covered Entities Should Know About Cloud Computing and HIPAA Compliance

Healthcare organizations can benefit greatly from transitioning to the cloud, but it is essential to understand the requirements for cloud computing to ensure HIPAA compliance. In this post we explain some important considerations for healthcare organizations looking to take advantage of the cloud, HIPAA compliance considerations when using cloud services for storing, processing, and sharing ePHI, and we will dispel some of the myths about cloud computing and HIPAA compliance. Myths About Cloud Computing and HIPAA Compliance There are many common misconceptions about the cloud and HIPAA compliance, which in some cases prevent healthcare organizations from taking full advantage of the cloud, and in others could result in violations of HIPAA Rules. Some of the common myths about cloud computing and HIPAA compliance are detailed below: Use of a ‘HIPAA compliant’ cloud service provider will ensure HIPAA Rules are not violated False: A cloud service provider can incorporate all the necessary safeguards to ensure the service or platform can be used in a HIPAA compliant manner, but it is...

Read More
$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes
Feb14

$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes

HIPAA covered entities and their business associates must abide by HIPAA Rules, yet when businesses close the HIPAA obligations do not end. The HHS’ Office for Civil Rights (OCR) has made this clear with a $100,000 penalty for FileFax Inc., for violations that occurred after the business had ceased trading. FileFax is a Northbrook, IL-based firm that offers medical record storage, maintenance, and delivery services for HIPAA covered entities. The firm ceased trading during the course of OCRs investigation into potential HIPAA violations. An investigation was launched following an anonymous tip – received on February 10, 2015 – about an individual that had taken documents containing protected health information to a recycling facility and sold the paperwork. That individual was a “dumpster diver”, not an employee of FileFax. OCR determined that the woman had taken files to the recycling facility on February 6 and 9 and sold the paperwork to the recycling firm for cash. The paperwork, which included patients’ medical records, was left unsecured at the recycling facility. In...

Read More
Healthcare Industry Scores Poorly on Employee Security Awareness
Feb13

Healthcare Industry Scores Poorly on Employee Security Awareness

A recent report published by security awareness training company MediaPro has revealed there is still a lack of preparedness to deal with common cyberattack scenarios and privacy and security threats are still not fully understood by healthcare professionals. For MediaPro’s 2017 State of Privacy and Security Awareness Report, the firm surveyed 1,009 US healthcare industry employees to assess their level of security awareness. Respondents were asked questions about common privacy and security threats and were asked to provide answers on several different threat scenarios to determine how they would respond to real world threats. Based on the responses, MediaPro assigned respondents to one of three categories. Heroes were individuals who scored highly and displayed a thorough understanding of privacy and security threats by answering 93.5%-100% of questions correctly. Novices showed a reasonable understanding of threats, answering between 77.4% and 90.3% of answers correctly. The lowest category of ‘Risks’ was assigned to individuals with poor security awareness, who scored 74.2% or...

Read More
Is iCloud HIPAA Compliant?
Feb06

Is iCloud HIPAA Compliant?

Is iCloud HIPAA compliant? Can healthcare organizations use iCloud for storing files containing electronic protected health information (ePHI) or sharing ePHI with third-parties? This article assesses whether iCloud is a HIPAA compliant cloud service. Cloud storage services are a convenient way of sharing and storing data. Since files uploaded to the cloud can be accessed from multiple devices in any location with an Internet connection, information is always at hand when it is needed. There are many cloud storage services to choose from, many of which are suitable for use by healthcare providers for storing and sharing ePHI. They include robust access and authentication controls and data uploaded to and stored in the cloud is encrypted. Logs are also maintained so it is possible to tell who accessed data, when access occurred, and what users did with the data once access was granted. iCloud is a cloud storage service that owners of Apple devices can easily access through their iPhones, iPads, and Macs. iCloud has robust authentication and access controls, and data is encrypted in...

Read More
How Can Healthcare Organizations Protect Against Cyber Extortion
Feb06

How Can Healthcare Organizations Protect Against Cyber Extortion

In its January 2018 Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights drew attention to the rise in extortion attempts on healthcare organizations and offered advice on how healthcare organizations can protect against cyber extortion Ransomware Attacks Have Risen Significantly Ransomware attacks on healthcare organizations have increased significantly over the past two years. Healthcare providers are heavily reliant on access to electronic data and any attack that prevents access is likely to have a major impact on patients. The inevitable disruption to services – and the cost of that disruption – makes it more likely that a ransom will be paid. The relatively high probability of a ransom being paid, coupled with the ease of attacking healthcare organizations, has made the industry an attractive target for cybercriminals. It may be more cost effective and better for patients if a ransom to be paid instead of recovering data from backups. That was certainly the view of Hancock Health. A ransom payment of 4 Bitcoin was paid to...

Read More
Analysis of Healthcare Data Breaches in 2017
Jan24

Analysis of Healthcare Data Breaches in 2017

A summary and analysis of healthcare data breaches in 2017 has been published by Protenus. Data for the report is obtained from Databreaches.net, which tracks healthcare data breaches reported to OCR, the media, and other sources. The 2017 breach report gives an indication of the state of healthcare cybersecurity.  So how has 2017 been? There Were at Least 477 Healthcare Data Breaches in 2017 In some respects, 2017 was a good year. The super-massive data breaches of 2015 were not repeated, and even the large-scale breaches of 2016 were avoided. However, healthcare data breaches in 2017 occurred at rate of more than one per day. There were at least 477 healthcare data breaches in 2017 according to the report. While all those breaches have been reported via one source or another, details of the nature of all the breaches is not known. It is also unclear at this stage exactly how many healthcare records were exposed. Numbers have only been obtained for 407 of the breaches. There was a slight increase (6%) in reported breaches in 2017, up from 450 incidents in 2016. However, there was...

Read More
Analysis of Q4 2017 Healthcare Security Breaches
Jan22

Analysis of Q4 2017 Healthcare Security Breaches

Q4, 2017 saw a 13% reduction in healthcare security breaches reported to the Department of Health and Human Services’ Office for Civil Rights. There were 99 data breaches reported in Q3, 2017. In Q4, there were 86 security breaches reported. There were 27 healthcare security breaches reported in September, following by a major decline in breaches in November, when 21 incidents were reported. However, December saw a significant uptick in incidents with 38 reported breaches. Accompanied by the quarterly decline in security incidents was a marked decrease in the severity of breaches. In Q3, there were 8 data breaches reported that impacted more than 50,000 individuals. In Q4, no breaches on that scale were reported. The largest incident in Q4 impacted 47,000 individuals.  Largest Q4, 2017 Healthcare Security Breaches   Covered Entity Entity Type Number of Records Breached Cause of Breach Oklahoma Department of Human Services Health Plan 47000 Hacking/IT Incident Henry Ford Health System Healthcare Provider 43563 Theft Coplin Health Systems Healthcare Provider 43000 Theft Pulmonary...

Read More
Is FaceTime HIPAA Compliant?
Jan19

Is FaceTime HIPAA Compliant?

Is FaceTime HIPAA compliant? Can FaceTime be used by HIPAA covered entities to communicate protected health information (PHI) without violating HIPAA Rules? In this article we will examine the protections in place to keep transmitted information secure, whether Apple will sign a business associate agreement for FaceTime, and if a BAA is necessary. Will Apple Sign A BAA for FaceTime? An extensive search of the Apple website has revealed no sign that Apple will sign a business associate agreement with healthcare organizations for any of its services. The only mention of its services in relation to HIPAA-covered entities is in relation to iCloud, which Apple clearly states should not be used by healthcare providers or their business associates to create, receive, maintain or transmit PHI. Since Apple is not prepared to sign a business associate agreement for FaceTime, that would indicate FaceTime is not a HIPAA compliant service. However, business associate agreements only need to be signed by business associates. So, is Apple a business associate? The HIPAA Conduit Exception Rule The...

Read More
HIPAA Covered Entities Urged to Address Spectre and Meltdown Chip Vulnerabilities
Jan19

HIPAA Covered Entities Urged to Address Spectre and Meltdown Chip Vulnerabilities

The Office for Civil Rights has sent an email update on the Spectre and Meltdown chip vulnerabilities, urging HIPAA-covered entities to mitigate the vulnerabilities as part of their risk management processes. The failure to address the computer chip flaws could place the confidentiality, integrity, and availability of protected health information at risk. HIPAA-covered entities have been advised to read the latest updates on the Spectre and Meltdown chip vulnerabilities issued by the Healthcare Cybersecurity and Communications Integration Center (HCCIC). What are Spectre and Meltdown? Spectre and Meltdown are computer chip vulnerabilities present in virtually all computer processors manufactured in the past 10 years. The vulnerabilities could potentially be exploited by malicious actors to bypass data access protections and obtain sensitive data, including passwords and protected health information. Meltdown is an attack that exploits a hardware vulnerability (CVE-2017-5754) by tricking the CPU into speculatively loading data marked as unreadable or “privileged,” allowing...

Read More
The HIPAA Conduit Exception Rule and Transmission of PHI
Jan19

The HIPAA Conduit Exception Rule and Transmission of PHI

The HIPAA Conduit Exception Rule is a source of confusion for many HIPAA covered entities, but it is essential that this aspect of HIPAA is understood. Failure to correctly classify a service provider as a conduit or a business associate could see HIPAA Rules violated and a significant financial penalty issued for noncompliance. The HIPAA Omnibus Final Rule and Business Associates On January 25, 2013, the HIPAA Omnibus Final Rule was issued. The HIPAA Omnibus Final Rule introduced a swathe of updates to HIPAA Rules, including the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act. HIPAA Omnibus Final Rule included an update to the definition of a business associate. Prior to January 25, 2013, a business associate was a person or entity that creates, receives, or transmits protected health information (PHI) on behalf of a covered entity. The Omnibus rule added ‘maintains’ to that definition. That meant companies that store electronic information – or physical records – are considered business associates. The Omnibus Rule also...

Read More
Summary of Healthcare Data Breaches in December 2017
Jan18

Summary of Healthcare Data Breaches in December 2017

There was a sharp rise in healthcare data breaches in December, reversing a two-month downward trend. There were 38 healthcare data breaches in December 2017 that impacted more than 500 individuals: An increase of 81% from last month.     Unsurprisingly given the sharp increase in reported breaches, the number of records exposed in December also increased month over month. The records of 341,621 individuals were exposed or stolen in December: An increase of 219% from last month.     December saw a similar pattern of breaches to past months, with healthcare providers experiencing the most data breaches; however, there was a notable increase in breaches reported by health plans in December – rising from 2 in November to six in December.   Causes of Healthcare Data Breaches in December 2017 As was the case last month, hacking/IT incidents and unauthorized access/disclosures were the most common causes of healthcare data breaches in December, although there was a notable increase in theft/loss incidents involving portable electronic devices and paper records.     While hacking...

Read More
Deadline for Reporting 2017 HIPAA Data Breaches Approaches
Jan17

Deadline for Reporting 2017 HIPAA Data Breaches Approaches

The deadline for reporting 2017 HIPAA data breaches to the Department of Health and Human Services’ Office for Civil Rights is fast approaching. HIPAA-covered entities have a maximum of 60 days from the discovery of a data breach to report security incidents to OCR and notify affected patients. Smaller breaches of PHI do not need to be reported to OCR within this time frame, instead covered entities can delay reporting those breaches to OCR until the end of the calendar year. The maximum allowable time for reporting breaches impacting fewer than 500 individuals is 60 days from the end of the year in which the breach was experienced. The final day for reporting 2017 HIPAA data breaches to OCR is therefore March 1, 2018. A HIPAA data breach is defined as an “acquisition, access, use, or disclosure” of unsecured protected health information (PHI) that is not permitted by the HIPAA Privacy Rule. Unsecured PHI is defined as PHI that is “not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology,”...

Read More
HHS Sued by CIOX Health Over Unlawful HIPAA Regulations
Jan16

HHS Sued by CIOX Health Over Unlawful HIPAA Regulations

The Department of Health and Human Services is being sued by CIOX Health, a medical record retrieval company, over updates to HIPAA laws that place restrictions on the amount that can be charged to patients for providing them with copies of their medical records. CIOX Health claims the HIPAA Omnibus Rule updates in 2013, “unlawfully, unreasonably, arbitrarily and capriciously,” restrict the fees that can be charged by providers and their business associates for providing copies of the health information stored on patients. Changes to HIPAA Rules not only placed a limit on the fees, but also expanded the types of information that must be provided to patients, on request. Accessing some of that information, in particular health information that is not stored in electronic medical records, is costly. Yet, even though the costs of processing some requests are high, HIPAA limits charges to $6.50 according to the lawsuit. CIOX Health argues that this flat rate fee is an arbitrary figure that bears no relation to the actual cost of honoring patient requests for copies of their...

Read More
What is Individually Identifiable Health Information?
Jan11

What is Individually Identifiable Health Information?

What is individually identifiable health information and what must HIPAA-covered entities do to the information before it can be shared for reasons not detailed in the permitted uses and disclosures of the HIPAA Privacy Rule? What is Individually Identifiable Health Information? Before answering the question, what is individually identifiable health information, it is necessary to define health information. HIPAA defines health information as any information created or received by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or business associate of a HIPAA-covered entity. Health information includes past, present, and future information about mental and physical health and the condition of an individual, the provision of healthcare to an individual, and information related to payment for healthcare, again in the past, present, or future. Health information also includes demographic information about an individual. Individually identifiable health information is a subset of health information, and as the name suggests, is health information...

Read More
Largest Healthcare Data Breaches of 2017
Jan04

Largest Healthcare Data Breaches of 2017

This article details the largest healthcare data breaches of 2017 and compares this year’s breach tally to the past two years, which were both record-breaking years for healthcare data breaches. 2015 was a particularly bad year for the healthcare industry, with some of the largest healthcare data breaches ever discovered. There was the massive data breach at Anthem Inc., the likes of which had never been seen before. 78.8 million healthcare records were compromised in that single cyberattack, and there were also two other healthcare data breaches involving 10 million or more records. 2015 was the worst ever year in terms of the number of healthcare records exposed or stolen. 2016 was a better year for the healthcare industry in terms of the number of healthcare records exposed in data breaches. There was no repeat of the mega data breaches of the previous year. Yet, the number of incidents increased significantly. 2016 was the worst ever year in terms of the number of breaches reported by HIPAA-covered entities and their business associates. So how have healthcare organizations...

Read More
CMS Clarifies Position on Use of Text Messages in Healthcare
Jan03

CMS Clarifies Position on Use of Text Messages in Healthcare

In November, the Centers for Medicare and Medicaid Services (CMS) explained in emails to healthcare providers that the use of text messages in healthcare is prohibited due to concerns about security and patient privacy. SMS messages are not secure. The CMS was concerned that the use of text messages in healthcare will lead to the exposure of sensitive patient data and could threaten the integrity of medical records. While this is understandable as far as SMS messages are concerned, many secure messaging applications satisfy all the requirements of HIPAA – e.g. transmission security, access and authentication controls, audit controls, and safeguards to ensure the integrity of PHI. The use of secure messaging platforms was raised with the CMS by some hospitals; however, the position of the CMS, based on the emails, appeared to be a total ban on the use of text messages in healthcare, even the use of secure messaging platforms. In the emails, the CMS said, “After meeting with vendors regarding these [secure messaging] products, it was determined they cannot always ensure the privacy...

Read More
2017 HIPAA Enforcement Summary
Dec28

2017 HIPAA Enforcement Summary

Our 2017 HIPAA enforcement summary details the financial penalties paid by healthcare organizations to resolve HIPAA violation cases investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. 2017 saw OCR continue its aggressive pursuit of financial settlements for serious violations of HIPAA Rules. There have been 9 HIPAA settlements and one civil monetary penalty in 2017. In total, OCR received $19,393,000 in financial settlements and civil monetary penalties from covered entities and business associates to resolve HIPAA violations discovered during the investigations of data breaches and complaints. Last year, there were 12 settlements reached with HIPAA-covered entities and business associates, and one civil monetary penalty issued. In 2016, OCR received $25,505,300 from covered entities to resolve HIPAA violation cases. Summary of 2017 HIPAA Enforcement by OCR Listed below are the 2017 HIPAA enforcement activities of OCR that resulted in financial penalties for HIPAA-covered entities and their business associates....

Read More
Is Google Voice HIPAA Compliant?
Dec28

Is Google Voice HIPAA Compliant?

Google Voice is a popular telephony service, but is Google Voice HIPAA compliant or can it be used in a HIPAA compliant way? Is it possible for healthcare organizations – or healthcare employees – to use the service without violating HIPAA Rules? Is Google Voice HIPAA Compliant? Google Voice is a popular and convenient telephony service that includes voicemail, voicemail transcription to text, the ability to send text messages free of charge, and many other useful features. It is therefore unsurprising that many healthcare professionals would like to use the service at work, as well as for personal use. In order for a service to be used in healthcare in conjunction with any protected health information (PHI) it must be possible to use it in a HIPAA compliant way. That means the service must be covered by the conduit exemption rule – which was introduced when the HIPAA Omnibus Final Rule came into effect – or it must incorporate a range of controls and safeguards to meet the requirements of the HIPAA Security Rule. As with SMS, faxing and email, Google Voice is not...

Read More
Scrub Nurse Fired for Photographing Employee-Patient’s Genitals
Dec28

Scrub Nurse Fired for Photographing Employee-Patient’s Genitals

A scrub nurse who took photographs of a patient’s genitals and shared the images with colleagues has been fired, while the patient, who is also an employee at the same hospital, has filed a lawsuit seeking damages for the harm caused by the incident. The employee-patient was undergoing incisional hernia surgery at Washington Hospital. She alleges in a complaint filed in Washington County Court, that while she was unconscious, a scrub nurse took photographs of her genitals on a mobile phone and shared the photographs with co-workers. Photographing patients without their consent is a violation of HIPAA Rules, and one that can attract a significant financial penalty. Last Year, New York Hospital settled a HIPAA violation case with the Department of Health and Human Services’ Office for Rights and paid a financial penalty of $2.2 million. In that case, a television crew had been authorized to film in the hospital, but consent from the patients in the footage had not been obtained. In the Washington Hospital HIPAA breach, the patient, identified in the lawsuit only as Jane Doe, claims...

Read More
Is Facebook Messenger HIPAA Compliant?
Dec22

Is Facebook Messenger HIPAA Compliant?

Is Facebook Messenger HIPAA compliant? Is it OK to use the messaging service to send protected health information without violating HIPAA Rules? Many doctors and nurses communicate using chat platforms, but is it acceptable to use the platforms for sending PHI? One of the most popular chat platforms is Facebook Messenger. To help clear up confusion we will assess whether Facebook Messenger is HIPAA compliant and if the platform can be used to send PHI. In order to use any service to send PHI, it must incorporate security controls to ensure information cannot be intercepted in transit. In sort, messages need to be encrypted. Many chat platforms, including Facebook Messenger, do encrypt data in transit, so this aspect of HIPAA is satisfied. However, with Facebook Messenger, encryption is optional and users have to opt in. Provided that setting has been activated, only the sender and the receiver will be able to view the messages. However, there is more to HIPAA compliance than simply encrypting data in transit. There must be access and authentication controls to ensure only...

Read More
HIPAA Compliant Email Providers
Dec22

HIPAA Compliant Email Providers

HIPAA-covered entities must ensure protected health information (PHI) transmitted by email is secured to prevent unauthorized individuals from intercepting messages, and many choose to use HIPAA compliant email providers to ensure appropriate controls are applied to ensure the confidentiality, integrity, and availability of PHI. There are many HIPAA compliant email providers to choose from that provide end-to-end encryption for messages. Some of the solutions require software to be hosted on your own infrastructure; others take care of everything. Changing email provider does not necessarily mean you have to change your email addresses. Many services allow you to keep your existing email addresses and send messages as you normally would from your desktop. All HIPAA compliant email providers must ensure their solution incorporates all of the safeguards required by the HIPAA Security Rule. The solutions need to have access controls 164.312(a)(1), audit controls 164.312(b), integrity controls 164.312(c)(1), authentication 164.312(d), and PHI must be secured in transit 164.312(e)(1)....

Read More
OCR Launches New Tools to Help Address the Opioid Crisis
Dec19

OCR Launches New Tools to Help Address the Opioid Crisis

OCR has launched new tools and initiatives as part of its efforts to help address the opioid crisis in the U.S., and fulfil its obligations under the 21st Century Cures Act. Two new webpages have been released – one for consumers and one for healthcare professionals – that make information relating to mental/behavioral health and HIPAA more easily accessible. OCR resources have been reorganized to make the HHS website more user-friendly, and the new webpages serve as a one-stop resource explaining when, and under what circumstances, health information can be shared with friends, families, and loved ones to help them deal with, and prevent, emergency situations such as an opioid overdose or a mental health crisis. OCR has also released new guidance on sharing information related to substance abuse disorder and mental health with individuals involved in the provision of care to patients. The new resources include fact sheets, decision charts, an infographic, and various scenarios that address the sharing of information when an individual has an opioid overdose.  Some of the materials...

Read More
Is Hotmail HIPAA Compliant?
Dec15

Is Hotmail HIPAA Compliant?

Many healthcare organizations are unsure whether Hotmail is HIPAA compliant and whether sending protected health information via a Hotmail account can be considered a HIPAA compliant method of communication. In this post we answer the question is Hotmail HIPAA compliant, and whether the webmail service can be used to send PHI. Hotmail is a free webmail service from Microsoft that has been around since 1996. Hotmail has now been replaced with Outlook.com. In this post we will determine if Hotmail is HIPAA-complaint, but the same will apply to Outlook.com. For the purposes of this article, Hotmail and Outlook.com will be considered one and the same. HIPAA, Email and Encryption There is a common misconception that all email is HIPAA compliant. In order for any email service to be HIPAA compliant, it must incorporate security controls to prevent unauthorized individuals from gaining access to accounts and for any information sent via the email service to be secured to prevent messages from being intercepted. There must be access controls, integrity controls, and transmission security...

Read More
Noncompliance with HIPAA Costs Healthcare Organizations Dearly
Dec13

Noncompliance with HIPAA Costs Healthcare Organizations Dearly

Noncompliance with HIPAA can carry a significant cost for healthcare organizations, yet even though the penalties for HIPAA violations can be considerable, many healthcare organizations have substandard compliance programs and are violating multiple aspects of HIPAA Rules. The Department of Health and Human Services’ Office for Civil Rights (OCR) commenced the much delayed second phase of HIPAA compliance audits last year with a round of desk audits, first on healthcare organizations and secondly on business associates of covered entities. Those desk audits revealed many healthcare organizations are either struggling with HIPAA compliance, or are simply not doing enough to ensure HIPAA Rules are followed. The preliminary results of the desk audits, released by OCR in September, showed healthcare organizations’ compliance efforts were largely inadequate. 94% of organizations had inadequate risk management plans, 89% were rated as inadequate on patients’ right to access their PHI, and 83% had performed inadequate risk analyses. It would appear that for many healthcare organizations,...

Read More
AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack
Dec13

AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack

Following the HIMSS Analytics/Mimecast survey that revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, comes a new report on healthcare cybersecurity from the American Medical Association (AMA) and Accenture. The Accenture/AMA survey was conducted on 1,300 physicians across the United States and aimed to take the ‘physician’s pulse on cybersecurity.’ The survey confirmed that it is no longer a case of whether a cyberattack will be experienced, it is just a matter of when cyberattacks will occur and how frequently. 83% of physicians who took part in the survey said they had previously experienced a cyberattack. When asked about the nature of the cyberattacks, the most common type was phishing. 55% of physicians who had experienced a cyberattack said the incident involved phishing – A similar finding to the HIMSS Analytics survey which revealed email was the top attack vector in healthcare. 48% of physicians who experienced a cyberattack said computer viruses such as malware and ransomware were involved. Physicians at medium...

Read More
Email Top Attack Vector in Healthcare Cyberattacks
Dec12

Email Top Attack Vector in Healthcare Cyberattacks

A recent study conducted by HIMSS Analytics for email security firm Mimecast has revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months. Far from ransomware or malware attacks being occasional events, many of the healthcare organizations that participated in the survey have experienced more than a dozen malware or ransomware attacks in the past year. While there are several possible ways that ransomware and malware can be installed, healthcare providers rated email as the number one attack vector. When asked to rank attack vectors, Email was rated as the most likely source of a data breach by 37% of respondents, with the second most likely source of a data breach being ‘other portable devices’, ranked as the main threat by 10% of organizations. 59% of organizations ranked email first, second, or third as the most likely attack vector. In second place was laptops, which were ranked 1, 2, or 3 by 44% of organizations. Given the frequency of email based attacks this year, it is no surprise that healthcare organizations believe...

Read More
Is GoToMeeting HIPAA Compliant?
Dec08

Is GoToMeeting HIPAA Compliant?

Is GoToMeeting HIPAA complaint? Can GoToMeeting be used by HIPAA-covered entities and their business associates for communicating protected health information without violating HIPAA Rules? GoToMeeting is an online meeting and video conferencing solution offered by LogMeIn. The service is one of many conferencing and desktop sharing solutions that can improve communication and collaboration, with many benefits for healthcare organizations. In order for collaboration tools to be used by healthcare organizations that are required to comply with Health Insurance Portability and Accountability Act Rules, tools must a subject to a risk analysis and determined to meet the security standards demanded by HIPAA. Fail to ensure that a particular service is HIPAA compliant and you could violate the privacy of patients, breach HIPAA Rules, and potentially have to cover a sizable financial penalty for non-compliance. It should be pointed out that no software or communications platform can be truly HIPAA-compliant. Even if appropriate safeguards are incorporated to ensure the confidentiality,...

Read More
How to Make Your Email HIPAA Compliant
Dec07

How to Make Your Email HIPAA Compliant

Many healthcare organizations would like to be able to send protected health information via email, but how do you make your email HIPAA compliant? What must be done before electronic PHI (ePHI) can be sent via email to patients and other healthcare organizations? How to Make Your Email HIPAA Compliant Whether you need to make your email HIPAA compliant will depend on how you plan to use email with ePHI. If you will only ever send emails internally, it may not be necessary to make your email HIPAA compliant. If your email network is behind a firewall, it is not necessary to encrypt your emails.  Encryption is only required when your emails are sent beyond your firewall. However, access controls to email accounts are required, as it is important to ensure that only authorized individuals can access email accounts that contain ePHI. If you want to use email to send ePHI externally – beyond your firewall – you will need to make your email HIPAA-compliant. There are many email service providers that offer an encrypted email service, but not all are HIPAA compliant and incorporate all...

Read More
Second Draft of the Revised NIST Cybersecurity Framework Published
Dec07

Second Draft of the Revised NIST Cybersecurity Framework Published

The second draft of the revised NIST Cybersecurity Framework has been published. Version 1.1 of the Framework includes important changes to some of the existing guidelines and several new additions. Version 1.0 of the NIST Cybersecurity Framework was first published in 2014 with the aim of helping operators and owners of critical infrastructure assess their risk profiles and improve their ability to prevent, detect, and respond to cyberattacks. The Framework establishes a common language for security models, practices, and security controls across all industries. The Framework is based on globally accepted cybersecurity best practices and standards, and adoption of the Framework helps organizations take a more proactive approach to risk management. Since is publication in 2014, the Framework has been adopted by many private and public sector organizations to help them develop and implement effective risk management practices. Following the release of the CSF, NIST has received numerous comments from public and private sector organizations on potential enhancements to improve...

Read More
Medical Records from Pennsylvania Obs/Gyn Clinic Found at Public Recycling Center
Dec04

Medical Records from Pennsylvania Obs/Gyn Clinic Found at Public Recycling Center

Paper files containing names, Social Security numbers, and medical histories, including details of cancer diagnoses and sexually transmitted diseases, have been dumped at a recycling center in Allentown, Pennsylvania. The files appear to have come from Women’s Health Consultants, an obstetrics and gynecology practice that had centers in South Whitehall Township and Hanover Township, PA. Women’s Health Consultants is no longer in business. How the records came to be dumped at the recycling center is unknown as the container where the records were disposed of was not covered by surveillance cameras. The center does have a locked recycling container where sensitive documents containing confidential information can be disposed of securely, but that container was not used. The records were dumped in a container where they could be accessed by unauthorized individuals. The person who discovered the files left an anonymous tip on the non-emergency line of the Allentown communication center. According to The Morning Call, a city employee visited the recycling center and pushed...

Read More
Effective Identity and Access Management Policies Help Prevent Insider Data Breaches
Dec01

Effective Identity and Access Management Policies Help Prevent Insider Data Breaches

The HIPAA Security Rule administrative safeguards require information access to be effectively managed. Only employees that require access to protected health information to conduct their work duties should be granted access to PHI. When employees voluntarily or involuntarily leave the organization, PHI access privileges must be terminated. The failure to implement procedures to terminate access to PHI immediately could all too easily result in a data breach. Each year there are many examples of organizations that fail to terminate access promptly, only to discover former employees have continued to login to systems remotely after their employment has come to an end. If HIPAA-covered entities and business associates do not have effective identity and access management policies and controls, there is a significant risk of PHI being accessed by former employees after employment has terminated. Data could be copied and taken to a new employer, or used for malicious purposes. The Department of Health and Human Services’ Office for Civil Rights’ breach portal includes many examples of...

Read More
Survey Reveals Poor State of Email Security in Healthcare
Nov29

Survey Reveals Poor State of Email Security in Healthcare

A recent survey showed 98% of top healthcare providers have yet to implement the DMARC (Domain-based Message Authentication, Reporting & Conformance) email authentication standard. The National Health Information Sharing and Analysis Center (NH-ISAC), the Global Cybersecurity Alliance (GCA), and cybersecurity firm Agari investigated the level of DMARC adoption in the healthcare industry and the state of healthcare email security. For the report, Agari analyzed more than 500 domains used by healthcare organizations and pharmaceutical firms, as well as more than 800 million emails and over 1,900 domains from its Email Trust Network. The report – Agari Industry DMARC Adoption Report for Healthcare – shows that while DMARC can all but eliminate phishing attacks that impersonate domains, only 2% of the top healthcare organizations and fewer than 23% of all healthcare organizations have adopted DMARC. Only 21% of healthcare organizations are using DMARC to monitor for unauthenticated emails, yet those organizations are not blocking phishing emails. Only 2% are protecting...

Read More
October 2017 Healthcare Data Breaches
Nov16

October 2017 Healthcare Data Breaches

In October 2017, there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. Those data breaches resulted in the theft/exposure of 71,377 patient and plan member records. October saw a significant fall in the number of reported breaches compared to September, and a major fall in the number of records exposed. October saw a major reduction in the number of breached records, with the monthly total almost 85% lower than September and almost 88% lower than the average number of records breached over the preceding three months. Healthcare providers were the worst hit in October with 19 reported data breaches. There were six data breaches reported by health plans and at least two incidents involved business associates of HIPAA-covered entities. October 2017 Healthcare Data Breaches by Covered Entity Type Main Causes of October 2017 Healthcare Data Breaches Unauthorized access/disclosures were the biggest causes of healthcare data breaches in October. There were 14 breaches reported involving unauthorized access/disclosures, 8...

Read More
How to Handle A HIPAA Privacy Complaint
Nov14

How to Handle A HIPAA Privacy Complaint

Healthcare providers need to be prepared to deal with a HIPAA privacy complaint from a patient. In order for an efficient response to be conducted, policies should be developed covering the complaints procedure and staff must be trained to handle HIPAA privacy complaints correctly. Patients must also be clearly informed how they can make a HIPAA privacy complaint if they feel that their privacy has been violated or HIPAA Rules have been breached. This should be clearly stated in your Notice of Privacy Practices. A HIPAA Privacy Complaint Should be Taken Seriously When a HIPAA privacy complaint is filed, it is important that it is dealt with quickly and efficiently. Fast action will help to reassure patients that that you treat all potential privacy and security violations seriously. While patients may be annoyed or upset that an error has been made, in many cases, patients are not looking to cause trouble. They want the issue to be investigated, any risks to be mitigated, the problem to be addressed to ensure it does not happen again, and in many cases, they seek an apology. If the...

Read More
Ursnif Trojan Steals Contacts and Sends Spear Phishing Emails
Nov13

Ursnif Trojan Steals Contacts and Sends Spear Phishing Emails

The banking Trojan Ursnif, one of the most commonly used banking Trojans, has previously been used to attack financial institutions. However, it would appear the actors behind the malware have broadened their horizons, with attacks now being conducted on a wide range of organizations across many different industries, including healthcare. The new version of the Ursnif Trojan was detected by researchers at security firm Barkly. The malware arrived in a phishing email that appeared to have been sent in response to a message sent to another organization. The spear phishing email included the message thread from past conversations, suggesting the email account of the contact had been compromised. The email contained a Word document as an attachment with the message “Morning, Please see attached and confirm.”  While such a message would arouse suspicion if that was the only content in the email body, the inclusion of the message thread added legitimacy to the email. The document contained a malicious macro that ran Powershell commands which tried to download the malicious payload;...

Read More
What is a Limited Data Set Under HIPAA?
Nov07

What is a Limited Data Set Under HIPAA?

A limited data set under HIPAA is a set of identifiable healthcare information that the HIPAA Privacy Rule permits covered entities to share with certain entities for research purposes, public health activities, and healthcare operations without obtaining prior authorization from patients, if certain conditions are met. In contrast to de-identified protected health information, which is no longer classed as PHI under HIPAA Rules, a limited data set under HIPAA is still identifiable protected information. Therefore it is still subject to HIPAA Privacy Rule regulations. A HIPAA limited data set can only be shared with entities that have signed a data use agreement with the covered entity. The data use agreement allows the covered entity to obtain satisfactory assurances that the PHI will only be used for specific purposes, that the PHI will not be disclosed by the entity with which it is shared, and that the requirements of the HIPAA Privacy Rule will be followed. The data use agreement, which must be accepted prior to the limited data set being shared, should outline the following:...

Read More
How Can Healthcare Organizations Prevent Phishing Attacks?
Nov07

How Can Healthcare Organizations Prevent Phishing Attacks?

The threat from phishing is greater than ever before. Healthcare organizations must now invest heavily in phishing defenses to counter the threat and prevent phishing attacks and the theft of credentials and protected health information. Phishing on an Industrial Scale More phishing websites are being developed than ever before. The scale of the problem was highlighted in the Q3 Quarterly Threat Trends Report from Webroot. In December 2016, Webroot reported there were more than 13,000 new phishing websites created every day – Around 390,000 new phishing webpages every month. By Q3, 2017, that figure had risen to more than 46,000 new phishing webpages a day – around 1,385,000 per month. The report indicated 63% of companies surveyed had experienced a phishing related security incident in the past two years. Phishing webpages need to be created on that scale as they are now detected much more rapidly and added to blacklists. Phishing websites now typically remain active for between 4-6 hours, although that short time frame is sufficient for each site to capture many users’...

Read More
Is G Suite HIPAA Compliant?
Nov03

Is G Suite HIPAA Compliant?

Is G Suite HIPAA compliant? Can G Suite be used by HIPAA-covered entities without violating HIPAA Rules? Google has developed G Suite to include privacy and security protections to keep data secure, and those protections are of a sufficiently high standard to meet the requirements of the HIPAA Security Rule. Google will also sign a business associate agreement (BAA) with HIPAA covered entities. So, is G Suite HIPAA compliant? G Suite can be used without violating HIPAA Rules, but HIPAA compliance is more about the user than the cloud service provider. Making G Suite HIPAA Compliant (by default it isn’t) As with any secure cloud service or platform, it is possible to use it in a manner that violates HIPAA Rules. In the case of G Suite, all the safeguards are in place to allow HIPAA covered entities to use G Suite in a HIPAA compliant manner, but it is up to the covered entity to ensure that G Suite is configured correctly. It is possible to use G Suite and violate HIPAA Rules. Obtain a BAA from Google One important requirement of HIPAA is to obtain a signed, HIPAA-compliant...

Read More
What Happens if a Nurse Violates HIPAA?
Nov03

What Happens if a Nurse Violates HIPAA?

What happens if a nurse violates HIPAA Rules? How are HIPAA violations dealt with and what are the penalties for individuals that accidentally or deliberately violate HIPAA and access, disclose, or share protected health information (PHI) without authorization?   The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules must be followed by all covered entities and their business associates. The failure to comply with HIPAA Rules can result in significant penalties for HIPAA covered entities. Business associates of covered entities can also be fined directly for HIPAA violations, but what about individual healthcare workers such as nurses? What happens if a nurse violates HIPAA Rules? What are the Penalties if a Nurse Violates HIPAA? Accidental HIPAA violations by nurses happen, even when care is taken to follow HIPAA Rules. While all HIPAA violations can potentially result in disciplinary action, most employers would accept that accidental violations are bound to occur from time to time. In many cases, minor violations of HIPAA...

Read More
Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) Introduced by NY AG
Nov03

Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) Introduced by NY AG

The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) has been introduced into the legislature in New York by Attorney General Eric T. Schneiderman. The aim of the act is to protect New Yorkers from needless breaches of their personal information and to ensure they are notified when such breaches occur. The program bill, which was sponsored by Senator David Carlucci (D-Clarkstown) and Assembly member Brian Kavanagh (D-Manhattan), is intended to improve protections for New York residents without placing an unnecessary burden on businesses. The introduction of the SHIELD Act comes weeks after the announcement of the Equifax data breach which impacted more than 8 million New Yorkers. In 2016, more than 1,300 data breaches were reported to the New York attorney general’s office – a 60% increase in breaches from the previous year. Attorney General Schneiderman explained that New York’s data security laws are “weak and outdated” and require an urgent update. While federal laws require some organizations to implement data security controls, in New York, there are no...

Read More
HIMSS Draws Attention to Five Current Cybersecurity Threats
Nov02

HIMSS Draws Attention to Five Current Cybersecurity Threats

In its October Cybersecurity report, HIMSS draws attention to five current cybersecurity threats that could potentially be used against healthcare organizations to gain access to networks and protected health information. Wi-Fi Attacks Security researchers have identified a new attack method called a key reinstallation (CRACK) attack that can be conducted on WiFi networks using the WPA2 protocol. These attacks take advantage of a flaw in the way the protocol performs a 4-way handshake when a user attempts to connect to the network. By manipulating and replaying the cryptographic handshake messages, it would be possible to reinstall a key that was already in use and to intercept all communications. The use of a VPN when using Wi-Fi networks is strongly recommended to limit the potential for this attack scenario and man-in-the-middle attacks. BadRabbit Ransomware Limited BadRabbit ransomware attacks have occurred in the United States, although the NotPetya style ransomware attacks have been extensive in Ukraine. As with NotPetya, it is believed the intention is to cause disruption...

Read More
Survey Reveals Sharing EHR Passwords is Commonplace
Nov02

Survey Reveals Sharing EHR Passwords is Commonplace

While data on the practice of password sharing in healthcare is limited, one survey suggests the practice of sharing EHR passwords is commonplace, especially with interns, medical students, and nurses. The research was conducted by Ayal Hassidim, MD of the Hadassah-Hebrew University Medical Center, Jerusalem, and also involved researchers from Duke University, Harvard Medical School, Ben Gurion University of the Negev, and Hadassah-Hebrew University Medical Center. The study was conducted on 299 medical students, nurses, medical residents, and interns and the results of the survey were recently published in Healthcare Informatics Research. The information stored in EHRs is sensitive and must be protected. Regulations such as HIPAA control access to that information. All individuals that require access to the information in EHR systems must be issued with a unique user ID and password. Any attempts to access protected health information must be logged to allow healthcare organizations to monitor for unauthorized access. If login credentials are shared with other individuals, it is...

Read More
Tips for Reducing Mobile Device Security Risks
Nov01

Tips for Reducing Mobile Device Security Risks

An essential part of HIPAA compliance is reducing mobile device security risks to a reasonable and acceptable level. As healthcare organizations turn to mobiles devices such as laptop computers, mobile phones, and tablets to improve efficiency and productivity, many are introducing risks that could all too easily result in a data breach and the exposure of protected health information (PHI). As the breach reports submitted to the HHS’ Office for Civil Rights show, mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, 71 breaches have been reported to OCR that have involved mobile devices such as laptops, smartphones, tablets, and portable storage devices. Those breaches have resulted in the exposure of 1,303,760 patients and plan member records. 17 of those breaches have resulted in the exposure of more than 10,000 records, with the largest breach exposing 697,800 records. The majority of those breaches could have easily been avoided. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not demand...

Read More
Who Do You Report HIPAA Violations To?
Nov01

Who Do You Report HIPAA Violations To?

The Health Insurance Portability and Accountability Act (HIPAA) requires HIPAA-covered entities and their business associates to implement safeguards to ensure the privacy of patients is protected and protected health information (PHI) is secured, but what happens when those rules are violated? Who do you report HIPAA violations to? Who do You Report HIPAA Violations To? If you suspect that HIPAA Rules have been violated by a HIPAA covered entity – Healthcare providers, health plans, healthcare clearinghouses, business associates of covered entities and their subcontractors – it is important for the violation to be reported to allow an investigation to take place. HIPAA violations frequently occur as a result of human error, a misunderstanding of HIPAA regulations, or in some cases, deliberate or willful violations of HIPAA Rules occur. A covered entity or business associate may not be aware that a HIPAA violation has occurred, and should be given the opportunity to correct errors and prevent similar violations from occurring in the future. How Can Healthcare Employees Report...

Read More
Who Does HIPAA Apply To?
Oct31

Who Does HIPAA Apply To?

Health Insurance Portability and Accountability Act (HIPAA) Rules cover the allowable uses and disclosures of protected health information secure and data security, but who does HIPAA apply to? Which types of organizations must implement HIPAA compliance programs? Who Does HIPAA Apply to? HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses if those organizations transmit health data electronically in connection with transactions for which the Department of Health and Human Services has adopted standards. Healthcare providers that are typically required to comply with HIPAA Rules includes hospitals, health clinics, nursing homes, doctors, dentists, pharmacies, chiropractors, and psychologists. Health plans include HMO’s, health insurance providers, company health plans, government programs that pay for health care such as Medicaid and Medicare, and veterans’ health programs. Self-insured companies that provide health coverage to their employees are also required to comply with HIPAA Rules. Healthcare clearinghouses include entities that process...

Read More
OCR Clarifies HIPAA Rules on Sharing Patient Information on Opioid Overdoses
Oct28

OCR Clarifies HIPAA Rules on Sharing Patient Information on Opioid Overdoses

The U.S. Department of Health and Human Services’ Office for Civil Rights has cleared confusion about HIPAA Rules on sharing patient information on opioid overdoses. The HIPAA Privacy Rule permits healthcare providers to share limited PHI in certain emergency and dangerous situations. Those situations include natural disasters and during drug overdoses, if sharing information can prevent or lessen a serious and imminent threat to a patient’s health or safety. Some healthcare providers have misunderstood the HIPAA Privacy Rule provisions, and believe permission to disclose information to the patient’s loved ones or caregivers must be obtained from the patient before any PHI can be disclosed. In an emergency or crisis situation, such as during a drug overdose, healthcare providers are permitted to share limited PHI with a patient’s loved ones and caregivers without permission first having been obtained from the patient. During an opioid overdose, healthcare providers can share health information with the patient’s family members, close friends, and caregivers if: The healthcare...

Read More
Phishing Attacks Using Malicious URLs Rose 600 Percent in Q3, 2017
Oct27

Phishing Attacks Using Malicious URLs Rose 600 Percent in Q3, 2017

As recent healthcare breach notices have shown, phishing poses a major threat to the confidentiality of protected health information (PHI). The past few weeks have seen several healthcare organizations announce email accounts containing the PHI of thousands of patients have been accessed by unauthorized individuals as a result of healthcare employees responding to phishing emails. Report Shows Massive Rise in Phishing Attacks Using Malicious URLs This week has seen the publication of a new report that confirms there has been a major increase in malicious email volume over the past few months. Proofpoint’s Quarterly Threat Report, published on October 26, shows malicious email volume soared in quarter 3, 2017. Compared to the volume of malicious emails recorded in quarter 2, there was an 85% rise in malicious emails in Q3. While attachments have long been used to deliver malware downloaders and other malicious code, Q3 saw a massive rise in phishing attacks using malicious URLs. Clicking those links directs end users to websites where malware is downloaded or login credentials are...

Read More
Is AWS HIPAA Compliant?
Oct27

Is AWS HIPAA Compliant?

Is AWS HIPAA compliant? Amazon Web Services has all the protections to satisfy the HIPAA Security Rule and Amazon will sign a business associate agreement with healthcare organizations. So, is AWS HIPAA compliant? Yes. And No. AWS can be HIPAA compliant, but it is also easy to make configuration mistakes that will leave protected health information (PHI) unprotected and accessible by unauthorized individuals, violating HIPAA Rules. Amazon Will Sign a Business Associate Agreement for AWS Amazon is keen for healthcare organizations to use AWS, and as such, a business associate agreement will be signed. Under that agreement, Amazon will support the security, control, and administrative processes required under HIPAA. Previous, under the terms of the AWS BAA, the AWS HIPAA compliance program required covered entities and business associates to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process Protected Health Information (PHI), although that is now no longer the case. As part of its efforts to help healthcare organizations use AWS safely and securely without violating...

Read More
The Most Common HIPAA Violations You Should Be Aware Of
Oct26

The Most Common HIPAA Violations You Should Be Aware Of

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI. The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules. This article covers five of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years. Are Data Breaches HIPAA Violations? Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare...

Read More
New Tool Helps Healthcare Organizations Find HIPAA Compliant Business Associates
Oct25

New Tool Helps Healthcare Organizations Find HIPAA Compliant Business Associates

Healthcare organizations are only permitted to use business associates that agree to comply with HIPAA Rules and sign a business associate agreement, but finding HIPAA compliant business associates can be a challenge. Searching for HIPAA compliant business associates is time consuming, although identifying vendors willing to follow HIPAA Rules is only part of the process. Business associate agreements must then be assessed, often incurring legal fees, and healthcare organizations must obtain assurances from new business associate that appropriate safeguards have been implemented to ensure the confidentiality, integrity, and availability of any PHI they provide. It is also challenging for vendors that wish to take advantage of the opportunities in the healthcare industry. They must be able to demonstrate they have implemented appropriate safeguards and need to provide reassurances that their products and services support HIPAA-compliance. A solution has now been developed that resolves the issues for both parties and streamlines the process of finding HIPAA compliant business...

Read More
Bad Rabbit Ransomware Spread Via Fake Flash Player Updates
Oct25

Bad Rabbit Ransomware Spread Via Fake Flash Player Updates

A new ransomware threat has been detected – named Bad Rabbit ransomware – that has crippled businesses in Russia, Ukraine, and Europe. Some Bad Rabbit ransomware attacks have occurred in the United States. Healthcare organizations should take steps to block the threat. There are similarities between Bad Rabbit ransomware and NotPetya, which was used in global attacks in June. Some security researchers believe the new threat is a NotPetya variant, others have suggested it is more closely related to a ransomware variant called HDDCryptor. HDDCryptor was used in the ransomware attack on the San Francisco Muni in November 2016. Regardless of the source of the code, it spells bad news for any organization that has an endpoint infected. Bad Rabbit ransomware encrypts files using a combination of AES and RSA-2048, rendering files inaccessible. As with NotPetya, changes are made to the Master Boot Record (MBR) further hampering recovery. This new ransomware threat is also capable of spreading rapidly inside a network. The recent wave of attacks started in Russia and Ukraine on...

Read More
FirstHealth Attacked with New WannaCry Ransomware Variant
Oct24

FirstHealth Attacked with New WannaCry Ransomware Variant

FirstHealth of the Carolinas, a Pinehurst, SC-based not for profit health network, has been attacked with a new WannaCry ransomware variant. WannaCry ransomware was used in global attacks in May this year. More than 230,000 computers were infected within 24 hours of the global attacks commencing. The ransomware variant had wormlike properties and was capable of spreading rapidly and affecting all vulnerable networked devices. The campaign was blocked when a kill switch was identified and activated, preventing file encryption.  However, FirstHealth has identified the malware used in its attack and believes it is a new WarnnaCry ransomware variant. The FirstHealth ransomware attack occurred on October 17, 2017. The ransomware is believed to have been introduced via a non-clinical device, although investigations into the initial entry point are ongoing to determine exactly how the virus was introduced. FirstHealth reports that its information system team detected the attack immediately and implemented security protocols to prevent the spread of the malware to other networked devices....

Read More
Employees Sue Lincare Over W2 Phishing Attack
Oct23

Employees Sue Lincare Over W2 Phishing Attack

In February 2017, Lincare Holdings Inc., a supplier of home respiratory therapy products, experienced a breach of sensitive employee data. The W2 forms of thousands of employees were emailed to a fraudster by an employee of the human resources department. The HR department employee was fooled by a business email compromise (BEC) scam. While health data was not exposed, names, addresses, Social Security numbers, and details of employees’ earnings were obtained by the attacker. This year has seen an uptick in W2 phishing scams, with healthcare organizations and schools extensively targeted by scammers. The scam involves the attacker using a compromised company email account – or a spoofed company email address – to request copies of W2 forms from HR department employees. Cyberattacks that result in the sensitive data of patients and consumers being exposed often results in class action lawsuits, although it is relatively rare for employees to take legal action against their employers. Lincare is one of few companies to face a lawsuit for failing to protect employee data. Three former...

Read More
Who Should HIPAA Complaints be Directed to Within the Covered Entity?
Oct23

Who Should HIPAA Complaints be Directed to Within the Covered Entity?

Who should HIPAA complaints be directed to within the covered entity? Any healthcare employee who believes they have witnessed a HIPAA violation should report the incident internally. Typically, the person to report the violation to is your Privacy Officer, if your organization has appointed one. Reporting Potential HIPAA Violations Internally During your HIPAA training, you should have been told who should HIPAA complaints be directed to within the covered entity, and the procedures to follow for making complaints about potential HIPAA violations. Generally speaking, the HIPAA violation should be reported to the person in your organization who is responsible for HIPAA compliance, which is typically your Privacy Officer or CISO. You may feel more comfortable reporting the incident to your supervisor. All HIPAA violations, even HIPAA violations that seem relatively minor, should be reported. They could be indicative of a wider problem, so it is important they are investigated internally. Accidental HIPAA violations should also be reported. It is better to own up to a minor HIPAA...

Read More
Termination for Nurse HIPAA Violation Upheld by Court
Oct19

Termination for Nurse HIPAA Violation Upheld by Court

A nurse HIPAA violation alleged by a patient of Norton Audubon Hospital culminated in the termination of the registered nurse’s employment contract. The nurse, Dianna Hereford, filed an action in the Jefferson Circuit Court alleging her employer wrongfully terminated her contract on the grounds that a HIPAA violation had occurred, when she claims she had always ‘strictly complied with HIPAA regulations.’ The incident that resulted in her dismissal was an alleged impermissible disclosure of PHI. Hereford had been assigned to the Post Anesthesia Care Unit at Norton Audubon Hospital and was assisting with a transesophageal echocardiogram. At the time of the alleged HIPAA violation, the patient was in an examination area that was closed off with a curtain. Hereford was present along with a physician and an echocardiogram technician. Alleged Improper Disclosure of Sensitive Health Information Before the procedure took place, Hereford performed a ‘Time-Out’ to ensure the patient understood what the procedure would entail, checked to make sure the site of the procedure was clearly marked...

Read More
De-identification of Protected Health Information: How to Anonymize PHI
Oct18

De-identification of Protected Health Information: How to Anonymize PHI

Healthcare organizations and their business associates that want to share protected health information must do so in accordance with the HIPAA Privacy Rule, which limits the possible uses and disclosures of PHI, but de-identification of protected health information means HIPAA Privacy Rule restrictions no longer apply. HIPAA Privacy Rule restrictions only covers individually identifiable protected health information. If you de-identify PHI so that the identity of individuals cannot be determined, and re-identification of individuals is not possible, PHI can be freely shared. The de-identification of protected health information enables HIPAA covered entities to share health data for large-scale medical research studies, policy assessments, comparative effectiveness studies, and other studies and assessments without violating the privacy of patients or requiring authorizations to be obtained from each patient prior to data being disclosed. HIPAA-Compliant De-identification of Protected Health Information HIPAA-compliant de-identification of protected health information is possible...

Read More
HHS Issues Limited Waiver of HIPAA Sanctions and Penalties in California
Oct17

HHS Issues Limited Waiver of HIPAA Sanctions and Penalties in California

The Secretary of the U.S. Department of Health and Human Services has issued a limited waiver of HIPAA sanctions and penalties in California. The waiver was announced following the presidential declaration of a public health emergency in northern California due to the wildfires. As was the case with the waivers issued after Hurricanes Irma and Maria, the limited waiver of HIPAA sanctions and penalties only applies when healthcare providers have implemented their disaster protocol, and then only for a period of up to 72 hours following the implementation of that protocol. In the event of the public health emergency declaration ending, healthcare organizations must then comply with all provisions of the HIPAA Privacy Rule for all patients still under their care, even if the 72-hour period has not yet ended. Whenever the HHS issued a limited waiver of HIPAA sanctions and penalties, healthcare organizations must still comply with the requirements of the HIPAA Security Rule and the Privacy Rule is not suspended.  The HHS simply exercises its authority under the Project Bioshield Act of...

Read More
Q3, 2017 Healthcare Data Breach Report
Oct16

Q3, 2017 Healthcare Data Breach Report

In Q3, 2017, there were 99 breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), bringing the total number of data breaches reported in 2017 up to 272 incidents. The 99 data breaches in Q3, 2017 saw 1,767,717 individuals’ PHI exposed or stolen. So far in 2017, the records of 4,601,097 Americans have been exposed or stolen as a result of healthcare data breaches. Q3 Data Breaches by Covered Entity Healthcare providers were the worst hit in Q3, reporting a total of 76 PHI breaches. Health plans reported 17 breaches and there were 6 data breaches experienced by business associates of covered entities. There were 31 data breaches reported in July, 29 in August, and 39 in September. While September was the worst month for data breaches, August saw the most records exposed – 695,228. The Ten Largest Healthcare Data Breaches in Q3, 2017 The ten largest healthcare data breaches reported to OCR in Q3, 2017 were all the result of hacking/IT incidents. In fact, 36 out of the 50 largest healthcare data breaches in...

Read More
Is Skype HIPAA Compliant?
Oct13

Is Skype HIPAA Compliant?

Text messaging platforms such as Skype are a convenient way of quickly communicating information, but is Skype HIPAA compliant? Can Skype be used to send text messages containing electronic protected health information (ePHI) without risking violating HIPAA Rules? There is currently some debate surrounding Skype and HIPAA compliance. Skype includes security features to prevent unauthorized access of information transmitted via the platform and messages are encrypted. But does Skype satisfy all requirements of HIPAA Rules? This article will attempt to answer the question, Is Skype HIPAA compliant? Is Skype a Business Associate? Is Skype a HIPAA business associate? That is a matter that has been much debated. Skype could be considered an exception under the Conduit Rule – being merely a conduit through which information flows. If that is the case, a business associate agreement would not be necessary. However, a business associate agreement is necessary if a vendor creates, receives, maintains, or transmits PHI on behalf of a HIPAA-covered entity or one of its business associates....

Read More
How Should You Respond to an Accidental HIPAA Violation?
Oct12

How Should You Respond to an Accidental HIPAA Violation?

The majority of HIPAA covered entities, business associates, and healthcare employees take great care to ensure HIPAA Rules are followed, but what happens when there is accidental HIPAA violation? How should healthcare employees, covered entities, and business associates respond? How Should Employees Report an Accidental HIPAA Violation? Accidents happen. If a healthcare employee accidentally views the records of a patient, if a fax is sent to an incorrect recipient, an email containing PHI is sent to the wrong person, or any other accidental disclosure of PHI has occurred, it is essential that the incident is reported to your Privacy Officer. Your Privacy Officer will need to determine what actions need to be taken to mitigate risk and reduce the potential for harm. The incident will need to be investigated, a risk assessment may need to be performed, and a report of the breach may need to be sent to the Department of Health and Human Services’ Office for Civil Rights (OCR). You should explain that a mistake was made and what has happened. You will need to explain which patient’s...

Read More
Do Medical Practices Need to Monitor Business Associates for HIPAA Compliance?
Oct11

Do Medical Practices Need to Monitor Business Associates for HIPAA Compliance?

Should covered entities monitor business associates for HIPAA compliance or is it sufficient just obtain a signed, HIPAA-compliant business associate agreement? If a business associate provides reasonable assurances to a covered entity that HIPAA Rules are being followed, and errors are made by the BA that result in the exposure, theft, or accidental disclosure of PHI, the covered entity will not be liable for the BA’s HIPAA violations – provided the covered entity has entered into a business associate agreement with its business associate. It is the responsibility of the business associate to ensure compliance with HIPAA Rules. The failure of a business associate to comply with HIPAA Rules can result in financial penalties for HIPAA violations for the business associate, not the covered entity. A covered entity should ‘obtain satisfactory assurances’ that HIPAA Rules will be followed prior to disclosing PHI. While covered entities are not required by HIPAA to monitor business associates for HIPAA compliance, they should obtain proof that their business associate has performed an...

Read More
53% of Businesses Have Misconfigured Secure Cloud Storage Services
Oct09

53% of Businesses Have Misconfigured Secure Cloud Storage Services

The healthcare industry has embraced the cloud. Many healthcare organizations now use secure cloud storage services to host web applications or store files containing electronic protected health information (ePHI). However, just because secure cloud storage services are used, it does not mean data breaches will not occur, and neither does it guarantee compliance with HIPAA. Misconfigured secure cloud storage services are leaking sensitive data and many organizations are unaware sensitive information is exposed. A Business Associate Agreement Does Not Guarantee HIPAA Compliance Prior to using any cloud storage service, HIPAA-covered entities must obtain a signed business associate agreement from their service providers. Obtaining a signed, HIPAA-compliant business associate agreement prior to the uploading any ePHI to the cloud is an important element of HIPAA compliance, but a BAA alone will not guarantee compliance. ePHI can easily be exposed if cloud storage services are not configured correctly. As Microsoft explains, “By offering a BAA, Microsoft helps support your HIPAA...

Read More
Is WhatsApp HIPAA Compliant?
Oct06

Is WhatsApp HIPAA Compliant?

When WhatsApp announced it was introducing end-to-end encryption, it opened up the prospect of healthcare organizations using the platform as an almost free secure messaging app, but is WhatsApp HIPAA compliant? Many healthcare employees have been asking if WhatsApp is HIPAA compliant, and some healthcare professionals are already using the text messaging app to send protected health information (PHI). However, while WhatsApp does offer far greater protection than SMS messages and some other text messaging platforms, we believe WhatsApp is not a HIPAA compliant messaging platform. Why Isn’t WhatsApp HIPAA Compliant? First, it is important to point out that no software platform or messaging app can be truly HIPAA compliant, because HIPAA compliance is not about software. It is about users. Software can support HIPAA compliance and incorporate all the necessary safeguards to ensure the confidentiality, integrity, and availability of ePHI, but those controls can easily be undone by users. HIPAA does not demand that encryption is used. Provided an alternate, equivalent measure is...

Read More
What are the Differences Between a HIPAA Business Associate and HIPAA Covered Entity
Oct06

What are the Differences Between a HIPAA Business Associate and HIPAA Covered Entity

The terms covered entity and business associate are used extensively in HIPAA legislation, but what are the differences between a HIPAA business associate and HIPAA covered entity? What Are HIPAA Covered Entities? HIPAA covered entities are healthcare providers, health plans, and healthcare clearinghouses that electronically transmit health information for transactions covered by HHS standards. Healthcare providers include hospitals and clinics, doctors, dentists, chiropractors, psychologists, pharmacies and nursing homes. Health plans include health insurance companies, company health plans, government programs that pay for healthcare, and HMO’s. Healthcare clearinghouses include transcription service companies that format data to make it compliant and organizations that process non-standard health information. Even if an entity is a healthcare provider, health plan or healthcare clearinghouse, they are not considered a HIPAA covered entity if they do not transmit any information electronically for transactions that HHS has adopted standards. In such cases, the entity would not be...

Read More
What are the HIPAA Breach Notification Requirements?
Oct04

What are the HIPAA Breach Notification Requirements?

All HIPAA covered entities must familiarize themselves with the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information is discovered. While most HIPAA covered entities should understand the HIPAA breach notification requirements, organizations that have yet to experience a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Vendors that have only just started serving healthcare clients may similarly be unsure of the reporting requirements and actions that must be taken following a breach. The issuing of notifications following a breach of unencrypted protected health information is an important element of HIPAA compliance. The failure to comply with HIPAA breach notification requirements can result in a significant financial penalty. With this in mind, we have compiled a summary of the HIPAA breach notification requirements for covered entities and their business associates. Summary of the HIPAA Breach Notification Requirements...

Read More
How Employees Can Help Prevent HIPAA Violations
Oct03

How Employees Can Help Prevent HIPAA Violations

Healthcare organizations and their business associates must comply with the HIPAA Privacy, Security, and Breach Notifications Rules and implement safeguards to prevent HIPAA violations. However, even with controls in place to reduce the risk of HIPAA violations, data breaches still occur. In most industries, it is hackers and other cybercriminals that are responsible for the majority of security breaches, but in healthcare it is insiders. While healthcare organizations can take steps to improve their defenses and implement technologies to identify breaches rapidly when they occur, healthcare employees also need to help prevent HIPAA violations. Employees Can Help to Prevent HIPAA Violations Healthcare privacy breaches often occur as a result of carelessness or a lack of understanding of HIPAA Rules. Healthcare organizations should therefore ensure employees receive full training on HIPAA and know the allowable uses and disclosures of PHI and to secure ePHI at all times. Refresher training sessions should also be provided regularly to ensure HIPAA Rules are not forgotten. Employees...

Read More
National Cyber Security Awareness Month: What to Expect
Oct02

National Cyber Security Awareness Month: What to Expect

October is National Cyber Security Awareness Month – A month when attention is drawn to the importance of cybersecurity and several initiatives are launched to raise awareness about how critical cybersecurity is to the lives of U.S. citizens. National Cyber Security Awareness Month is a collaborative effort between the U.S. Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA) and public/private partners. Throughout the month of October, the DHS, NCSA, and public and private sector organizations will be conducting events and launching initiatives to raise awareness of the importance of cybersecurity. Best practices will be shared to help U.S. citizens keep themselves safe online and protect their companies, with tips and advice published to help businesses improve their cybersecurity defenses and keep systems and data secure. DHS and NCSA will focus on a different aspect of cybersecurity each week of National Cyber Security Awareness Month: National Cyber Security Awareness Month Summary Week 1: Simple Steps to Online Safety (Oct. 2-6) Week 2:...

Read More
Is OneDrive HIPAA Compliant?
Sep30

Is OneDrive HIPAA Compliant?

Many covered entities want to take advantage of cloud storage services, but can Microsoft OneDrive be used? Is OneDrive HIPAA compliant? Many healthcare organizations are already using Microsoft Office 365 Business Essentials, including exchange online for email. Office 365 Business Essentials includes OneDrive Online, which is a convenient platform for storing and sharing files. Microsoft Supports HIPAA-Compliance There is certainly no problem with HIPAA-covered entities using OneDrive. Microsoft supports HIPAA-compliance and many of its cloud services, including OneDrive, can be used without violating HIPAA Rules. That said, before OneDrive – or any cloud service – can be used to create, store, or send files containing the electronic protected health information of patients, HIPAA-covered entities must obtain and sign a HIPAA-compliant business associate agreement (BAA). Microsoft was one of the first cloud service providers to agree to sign a BAA with HIPAA-covered entities, and offers a BAA through the Online Services Terms. The BAA includes OneDrive for Business, as well...

Read More
Why Dental Offices Should be Worried About HIPAA Compliance
Sep28

Why Dental Offices Should be Worried About HIPAA Compliance

In 2015, Dr. Joseph Beck became the first dentist to be fined for a HIPAA violation, which sent a warning to dental offices about HIPAA compliance.  Until that point, dental offices had avoided fines for noncompliance with HIPAA Rules. The penalty was not issued by the Department of Health and Human Services’ Office for Civil Rights (OCR), but by the Office of the Indiana attorney general. The fine of $12,000 was for the alleged mishandling of the protected health information of 5,600 patients. Since then, many settlements have been reached with covered entities for HIPAA violations. No further penalties have been issued to dental offices, although there is nothing to stop OCR or state attorneys general from fining dental offices for failing to comply with HIPAA Rules and settlements for alleged HIPAA violations are now being reached much more frequently than in 2015. Last year was a record year for settlements and 2017 has continued where 2016 left off. The probability of HIPAA violations being discovered has also increased. OCR has already commenced the much-delayed second phase...

Read More
HITRUST/AMA Launch Initiative to Help Small Healthcare Providers with HIPAA Compliance
Sep27

HITRUST/AMA Launch Initiative to Help Small Healthcare Providers with HIPAA Compliance

HITRUST has announced it has partnered with the American Medical Association (AMA) for a new initiative that will help small healthcare providers with HIPAA compliance, cybersecurity, and cyber risk management. Small healthcare providers can be particularly vulnerable to cyberattacks, as they typically lack the resources to devote to cybersecurity and do not tend to have the budgets available to hire skilled cybersecurity staff. This week has underscored the need for small practices to improve their cybersecurity defenses, with the announcement of two cyberattacks on small healthcare providers by the hacking group TheDarkOverlord. Recent ransomware attacks have also shown that healthcare organizations of all sizes are likely to be attacked. Organizations of all sizes must practice good cyber hygiene and have the right defenses in place to improve resilience against ever changing cyber threats. HITRUST and AMA will be hosting 2-hour workshops where physicians and other healthcare staff will be educated on key areas of risk management, HIPAA compliance, and cybersecurity, with the...

Read More
HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone
Sep22

HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone

The U.S. Department of Health and Human Services has already issued two partial waivers of HIPAA sanctions and penalties in areas affected by hurricanes this year. Now a third HIPAA waiver has been issued, this time in the Hurricane Maria disaster area in Puerto Rico and the U.S. Virgin Islands. As was the case with the waivers issued in relation to Hurricane Harvey and Hurricane Irma, the waiver only applies to covered entities in areas where a public health emergency has been declared, only for 72 hours following the implementation of the hospital’s disaster protocol, and only for specific provisions of the HIPAA Privacy Rule: The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b). The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a). The requirement to distribute a notice of privacy practices. See 45 CFR 164.520. The patient’s right to request privacy restrictions. See 45 CFR 164.522(a). The patient’s right to request confidential...

Read More
OCR Launches Information is Powerful Medicine Campaign to Encourage Patients to Access Their Health Data
Sep13

OCR Launches Information is Powerful Medicine Campaign to Encourage Patients to Access Their Health Data

The Department of Health and Human Services’ Office for Civil Rights has launched a new campaign to raise awareness of patients’ right to access their health information and the benefits of doing so. The “Information is Powerful Medicine” campaign informs patients that they have the right to obtain copies of their health data and tells them to “Get it. Check it. Use it.” The benefits to patients are clear. If they obtain copies of the health information they can check their medical records for errors and correct any mistakes. Having access to health data helps patients to make better decisions about their health care and discuss their health more fully with their providers. Armed with their health data, patients can do more to stay healthy. Patients are advised that the HIPAA Privacy Rule allows them to obtain a physical or electronic copy of their health data and that their provider should provide the information as requested within 30 days. It has been explained that they may be charged a nominal fee for obtaining a copy of their health data. Patients are also informed that...

Read More
Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone
Sep12

Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone

A public health emergency has been declared in areas of the U.S. Virgin Islands, Puerto Rico, and Florida affected by Hurricane Irma. As was the case in Texas and Louisiana after Hurricane Harvey, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Irma. OCR has stressed that the HIPAA Privacy and Security Rules have not been suspended and covered entities must continue to follow HIPAA Rules; however, certain provisions of the Privacy Rule have been waived under the Project Bioshield Act of 2014 and Section 1135(b) of the Social Security Act. In the event that a hospital in the disaster zone does not comply with the following aspects of the HIPAA Privacy Rule, penalties and sanctions will be waived: 45 CFR 164.510(b) – Obtain a patient’s agreement to speak with family members or friends involved in the patient’s care 45 CFR 164.510(a) – Honor requests to opt out of the facility directory. 45 CFR 164.520 – Distribute a notice of...

Read More
Vulnerabilities Identified in Smiths Medical Medfusion 4000 Devices
Sep11

Vulnerabilities Identified in Smiths Medical Medfusion 4000 Devices

The U.S. Department of Homeland Security (DHS) has issued a warning about vulnerabilities in Smiths Medical Medfusion 4000 wireless syringe infusion pumps. The vulnerabilities could potentially be exploited by hackers to alter the performance of the devices. Smiths Medical Medfusion 4000 devices are used to deliver small doses of medication and are used throughout the United States and around the world in acute care settings. Eight vulnerabilities have been identified in three versions of the wireless syringe infusion pumps (V1.1, v1.5 and v1.6), with CVSS v3 scores ranging from 3.7 to 8.1. The vulnerabilities could be exploited remotely, potentially causing harm to patients. Hackers could also exploit the vulnerabilities to gain access to other healthcare IT systems if the devices are not segmented on the network. DHS says the impact to organizations depends on several factors, based on specific clinical usage and hospital’s operational environments. Six of the vulnerabilities relate to hard-coded passwords/credentials, certificate validation issues, and authentication gaps which...

Read More
OCR Stresses Need for Covered Entities to Prepare for Hurricanes and Other Natural Disasters
Sep08

OCR Stresses Need for Covered Entities to Prepare for Hurricanes and Other Natural Disasters

Hospitals in Texas and Louisiana had to ensure medical services continued to be provided during and after Hurricane Harvey, without violating HIPAA Rules. Questions were raised about when it is permitted to share health information with patients’ friends and family, the media and the emergency services and how the Privacy Rule applies in emergencies. The Department of Health and Human Services’ Office for Civil Rights responded by issuing guidance to covered entities on the HIPAA Privacy Rule and disclosures of patient health information in emergency situations to help healthcare organizations protect patient privacy and avoid violating HIPAA Rules. Allowable disclosures are summarized in this document. Hot on the heels of hurricane Harvey comes hurricane Irma, closely followed by hurricane Jose. Hospitals in other parts of the United States will have to cope with the storm and its aftermath and still comply with HIPAA Rules. OCR has taken the opportunity to remind covered entities of the need to prepare. OCR has explained that the HIPAA Privacy Rule was carefully created to ensure...

Read More
OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017
Sep06

OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017

Roger Severino, the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) has stated his main enforcement priority for 2017 is to find a “big, juicy, egregious” HIPAA breach and to use it as an example for other healthcare organizations on the dangers of failing to follow HIPAA Rules. When deciding on which cases to pursue, OCR considers the opportunity to use the case as an educational tool to remind covered entities of the need to comply with specific aspects of HIPAA Rules. At the recent ‘Safeguarding Health Information’ conference run by OCR and NIST, Severino explained that “I have to balance that law enforcement instinct with the educational component that we do.” Severino went on to say, “I really want to make sure people come into compliance without us having to enforce. I want to underscore that.” Severino did not explain what aspect of noncompliance with HIPAA Rules OCR is hoping to highlight with its next big, juicy settlement, although no healthcare organization is immune to a HIPAA penalty if they are found to have violated HIPAA...

Read More
HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone
Aug31

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts. In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need. The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)). In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed. However, disasters often call for a...

Read More
FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers
Aug30

FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers

The U.S. Food and Drug Administration (FDA) has recommended all patients with vulnerable St. Jude Medical implantable cardiac pacemakers visit their providers to have the firmware on their devices updated. The update will make the devices more resilient to cyberattacks. Last year, MedSec Holdings passed on the findings of a study of cybersecurity vulnerabilities in St. Jude Medical devices to the short-selling firm Muddy Waters Capital. The report identified a number of vulnerabilities that could be exploited to alter the functioning of the devices and drain batteries prematurely. While St. Jude Medical initially denied the vulnerabilities existed, the FDA investigated the claims and confirmed that remotely exploitable vulnerabilities were present in certain St. Jude Medical Products. Now, a year after the vulnerabilities were disclosed, the FDA has announced a voluntary recall of the devices to update the firmware to prevent the devices from being hacked via radio frequency communications. There are between 450,000 and 500,000 vulnerable devices currently in use in the United...

Read More
New Ransomware and Phishing Warnings for Healthcare Organizations
Aug30

New Ransomware and Phishing Warnings for Healthcare Organizations

Warnings have been issued about a new ransomware variant that is being used in targeted attacks on healthcare organizations and IRS, FBI and Hurricane Harvey themed phishing attacks. Defray Ransomware A new ransomware variant is being used in highly targeted attacks on healthcare organizations in the United States and United Kingdom. Defray ransomware is being distributed in small email campaigns using carefully crafted messages specifically developed to maximize the probability of a response from healthcare providers. The messages claim to have been sent from the Director of Information Management and Technology at the targeted organization and include the hospital’s logos. The documents claim to be patient reports detailing important information for patients, relatives and carers. The messages are being sent to specific individuals in organizations and via distribution lists. The campaigns involve Microsoft Word documents with embedded OLE packager shell objects. Clicking the embedded executable to view the content of the document will see Defray ransomware downloaded. There is...

Read More
Credit Monitoring Services Must Now Be Offered to Breach Victims in Delaware
Aug24

Credit Monitoring Services Must Now Be Offered to Breach Victims in Delaware

For the first time in 10 years, Delaware has amended its data breach notification law and has now introduced some of the strictest requirements of any state. Any ‘person’ operating in the state of Delaware must now notify individuals of the exposure or theft of their sensitive information and must offer breach victims complimentary credit monitoring services for 12 months. Connecticut was the first state to introduce similar laws, with California also requiring the provision of credit monitoring services to breach victims. Breach victims must also be advised of security incidents involving their sensitive information ‘as soon as possible’ and no later than 60 days following the discovery of a breach. The new law also requires companies operating in the state to implement “reasonable” security measures to safeguard personal information – Delaware is the 14th state to require companies to adopt security measures to ensure sensitive information is protected. The definition of ‘personal information’ has also been expanded and now includes usernames/email addresses in combination with a...

Read More
NIST Updates Digital Identity Guidelines and Tweaks Password Advice
Aug22

NIST Updates Digital Identity Guidelines and Tweaks Password Advice

The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines (NIST Special Publication 800-63B), which includes revisions to its advice on the creation and storage of passwords. Digital authentication helps to ensure only authorized individuals can gain access to resources and sensitive data. NIST says, “authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.” The Digital Identity Guidelines include a number of recommendations that can be adopted to improve the digital authentication of subjects to systems over a network. The guidelines are not specific to the healthcare industry, although the recommendations can be adopted by healthcare organizations to improve password security. To improve the authentication process and make it harder for hackers to defeat the authentication process, NIST recommends the use of multi-factor authentication. For example, the use of a password along with a cryptographic authenticator. NIST suggests...

Read More
Healthcare Hacking Incidents Overtook Insider Breaches in July
Aug18

Healthcare Hacking Incidents Overtook Insider Breaches in July

Throughout 2017, the leading cause of healthcare data breaches has been insiders; however, in July hacking incidents dominated the breach reports. Almost half of the breaches (17 incidents) reported in July for which the cause of the breach is known were attributed to hacking, which includes ransomware and malware attacks. Ransomware was involved in 10 of the 17 incidents. The Protenus Breach Barometer report for July shows there were 36 reported breaches – The third lowest monthly total in 2017 and a major reduction from the previous month when 52 data breaches were reported – the worst month of the year to date by some distance. In July, 575,142 individuals are known to have been impacted by healthcare data breaches, although figures have only been released for 29 of the incidents. The worst breach reported in July – a ransomware attack on Women’s Health Care Group of PA – impacted 300,000 individuals. While hacking incidents are usually lower than insider breaches, they typically result in the theft or exposure of the most healthcare records. July was no exception....

Read More
August Sees OCR Breach Reports Surpass 2,000 Incidents
Aug16

August Sees OCR Breach Reports Surpass 2,000 Incidents

Following the introduction of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its Wall of Shame.  August saw an unwanted milestone reached. There have now been more than 2,000 healthcare data breaches (impacting more than 500 individuals) reported to OCR since 2009. As of today, there have been 2,022 healthcare data breaches reported. Those breaches have resulted in the theft/exposure of 174,993,734 individuals’ protected health information. Healthcare organizations are getting better at discovering and reporting breaches, but the figures clearly show a major hike in security incidents. In the past three years, the total has jumped from around 1,000 breaches to more than 2,000. The recent KPMG 2017 Cyber Healthcare & Life Sciences Survey showed that 47% of healthcare organizations have experienced a data breach in the past two years, up from 37% in 2015 when the survey was last conducted. An ITRC/CyberScout study showed there has been a 29% increase in data breaches so far...

Read More
Want to Prevent Data Breaches? Time to Go Back to Basics
Aug15

Want to Prevent Data Breaches? Time to Go Back to Basics

Intrusion detection systems, next generation firewalls, insider threat management solutions and data encryption will all help healthcare organizations minimize risk, prevent security breaches, and detect attacks promptly when they do occur. However, it is important not to forget the security basics. The Office for Civil Rights Breach portal is littered with examples of HIPAA data breaches that have been caused by the simplest of errors and security mistakes. Strong security must start with the basics, as has recently been explained by the FTC in a series of blog posts. The blog posts are intended to help businesses improve data security, prevent data breaches and avoid regulatory fines. While the blog posts are not specifically aimed at healthcare organizations, the information covered is relevant to organizations of all sizes in all industry sectors. The blog posts are particularly relevant for small to medium sized healthcare organizations that are finding data security something of a challenge. The blog posts are an ideal starting point to ensure all the security basics are...

Read More
HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs
Aug11

HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs

HIMSS has published the findings of its 2017 Cybersecurity Survey. The survey was conducted on 126 cybersecurity professionals from the healthcare industry between April and May 2017. Most of the respondents were executive and non-executive managers who were primarily responsible or had some responsibility for information security in their organization. The report shows healthcare organizations in the United States are increasingly making cybersecurity a priority and have been enhancing their cybersecurity programs over the past 12 months. More healthcare organizations have increased their cybersecurity staff and adopted holistic cybersecurity practices and perspectives in key areas. The survey revealed 75% of respondents are now conducting regular penetration tests to identify potential vulnerabilities and determine how resilient they are to cyberattacks. In response to the considerable threat from within, 75% of respondents have implemented insider threat management programs and 85% are now conducting risk assessments at least once every 12 months. While these results are...

Read More
$5.5 Million Data Breach Settlement Highlights the Importance of Prompt Patching
Aug10

$5.5 Million Data Breach Settlement Highlights the Importance of Prompt Patching

The importance of applying patches promptly to address critical security vulnerabilities has been highlighted by a recent $5.5 million data breach settlement. Yesterday, New York Attorney General Eric T. Schneiderman announced a settlement has been reached with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company, to resolve a multi-state data breach investigation involving New York and 32 other states. Nationwide will pay a total of $5.5 million, $103,736.78 of which will go to New York State. The settlement will cover the costs of the investigation and litigation, with the remaining funds used for consumer protection law enforcement and other purposes. The investigation was launched following a 2012 breach of the sensitive data of 1.27 million individuals, some of whom were customers, although many had only obtained quotes from Nationwide and its subsidiary and did not go on to take out insurance policies. In 2012, hackers infiltrated Nationwide’s systems and stole the personal information of consumers along with highly...

Read More
Warning Issued Over Vulnerabilities in Siemens PET/CT Scanners: Exploits Publicly Available
Aug07

Warning Issued Over Vulnerabilities in Siemens PET/CT Scanners: Exploits Publicly Available

Warnings have been issued about four vulnerabilities in Siemens PET/CT scanner systems. Siemens is currently developing patches to address the vulnerabilities.  Exploits for the vulnerabilities are already publicly available. The flaws affect multiple Siemens medical imaging systems including Siemens CT, PET, SPECT systems and medical imaging workflow systems (SPECT Workplaces/Symbia.net) that are based on Windows 7. The vulnerabilities allow remote code execution, potentially giving attackers access to the scanners and networks to which the systems are connected. One of the main risks is malware and ransomware infections, which in the case of the latter can prevent the devices from being used. It is also possible that a malicious actor could interfere with the systems causing patients harm. The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has also issued an alert, warning healthcare organizations to ensure the devices are run on a “dedicated, network segment and protected IT environment” until the patches are applied....

Read More
Protenus Provides Insight into 2017 Healthcare Data Breach Trends
Aug03

Protenus Provides Insight into 2017 Healthcare Data Breach Trends

Protenus, in conjunction with Databreaches.net, has produced its Breach Barometer mid-year review. The report covers all healthcare data breaches reported over the past 6 months and provides valuable insights into 2017 data breach trends. The Breach Barometer is a comprehensive review of healthcare data breaches, covering not only the data breaches reported through the Department of Health and Human Services’ Office for Civil Rights’ breach reporting tool, but also media reports of incidents and public findings. Prior to inclusion in the report, all breaches are independently confirmed by databreaches.net. The Breach Barometer reports delve into the main causes of data breaches reported by healthcare providers, health plans and their business associates. In a webinar on Wednesday, Protenus Co-Founder and president Robert Lord and Dissent of databreaches.net discussed the findings of the mid-year review. Lord explained that between January and June 2017 there have been 233 reported data breaches. Those breaches have impacted 3,159,236 patients. The largest reported breach in the...

Read More
How Often Should Healthcare Employees Receive Security Awareness Training?
Aug01

How Often Should Healthcare Employees Receive Security Awareness Training?

Security awareness training is a requirement of HIPAA, but how often should healthcare employees receive security awareness training? Recent Phishing and Ransomware Attacks Highlight Need for Better Security Awareness Training Phishing is one of the biggest security threats for healthcare organizations. Cybercriminals are sending phishing emails in the millions in an attempt to get end users to reveal sensitive information such as login credentials or to install malware and ransomware. While attacks are often ransom, healthcare employees are also being targeted with spear phishing emails. In December last year, anti-phishing solution provider PhishMe released the results of a study showing 91% of cyberattacks start with a phishing email. Spear phishing campaigns rose 55% last year, ransomware attacks increased by 400% and business email compromise (BEC) losses were up by 1,300%. In recent weeks, there have been several phishing attacks reported to the Department of Health and Human Services’ Office for Civil Rights. Those attacks have resulted in email accounts being compromised....

Read More
47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years
Jul31

47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years

The KPMG 2017 Cyber Healthcare & Life Sciences Survey shows there has been a 10 percentage point increase in reported HIPAA data breaches in the past two years. The survey was conducted on 100 C-suite information security executives including CIOs, CSOs, CISOs and CTOs from healthcare providers and health plans generating more than $500 million in annual revenue. 47% of healthcare organizations have reported a HIPAA data breach in the past two years, whereas in 2015, when the survey was last conducted, 37% of healthcare organizations said they had experienced a security-related HIPAA breach in the past two years. Preparedness for data breaches has improved over the past two years. When asked whether they were ready to deal with a HIPAA data breach, only 16% of organizations said they were completely ready in 2015. This year, 35% of healthcare providers and health plans said they were completely ready to deal with a breach if one occurred. Ransomware has become a major threat since the survey was last conducted. 32% of all respondents said they had experienced a security breach...

Read More
HITRUST Launches Community Extension Program to Promote Collaboration on Risk Management
Jul27

HITRUST Launches Community Extension Program to Promote Collaboration on Risk Management

HITRUST has launched a new community extension program that will see town hall events taking place in 50 major cities across the United States over the course of the next 12 months. The aim of the community extension program is to improve education and collaboration on risk management and encourage greater community collaboration. With the volume and variety of cyber threats having increased significantly in recent years, healthcare organizations have been forced to respond by improving their cybersecurity programs, including adopting cybersecurity frameworks and taking part in HITRUST programs. Healthcare organizations have been able to improve their resilience against cyberthreats, although the process has not been easy. HITRUST has learned that the process can be made much easier with improved education and collaboration between healthcare organizations. The community extension program is an ideal way to streamline adoption of the HITRUST CSF and other HITRUST programs, while promoting greater collaboration between healthcare organizations and encouraging greater community...

Read More
OCR Data Breach Portal Update Highlights Breaches Under Investigation
Jul25

OCR Data Breach Portal Update Highlights Breaches Under Investigation

Last month, the Department of Health and Human Services confirmed it was mulling over updating its data breach portal – commonly referred to as the OCR ‘Wall of Shame’. Section 13402(e)(4) of the HITECH Act requires OCR to maintain a public list of breaches of protected health information that have impacted more than 500 individuals. All 500+ record data breaches reported to OCR since 2009 are listed on the breach portal. The data breach list contacts a wide range of breaches, many of which occurred through no fault of the covered entity and involved no violations of HIPAA Rules. OCR has received some criticism for its breach portal for this very reason, most recently from Rep. Michael Burgess (R-Texas) who said the breach portal was ‘unnecessarily punitive’ in its current form. For example, burglaries will occur even with reasonable physical security in place and even with appropriate controls in place, rogue healthcare employees will access PHI out of curiosity or with malicious intent on occasion, with some considering it unfair for those breaches to remain on public display...

Read More
Model HIPAA-Compliant PHI Access Request Form Released by AHIMA
Jul21

Model HIPAA-Compliant PHI Access Request Form Released by AHIMA

The American Healthcare Information Management Association (AHIMA) has announced it has released a model PHI access request form for healthcare providers to give to patients who want to exercise their right under HIPAA to obtain copies of their health data. The model PHI access request form is compliant with HIPAA regulations and can be easily customized to suit the needs of each healthcare organization. AHIMA claims that until now, a model PHI access request form was not available to healthcare providers. HIPAA-covered entities have had to develop their own forms and there is considerable variation in the forms used by different healthcare organizations. Patients with multiple healthcare providers often find the process of obtaining their health data confusing. AHIMA has listened to feedback from its members and industry stakeholders who explained that the process of accessing medical records was often confusing for patients. Even some healthcare organizations are confused about what is permitted and not permitted under HIPAA Rules when it comes to providing access to health data....

Read More
Is Google Drive HIPAA Compliant?
Jul21

Is Google Drive HIPAA Compliant?

Google Drive is a useful tool for sharing documents, but can those documents contain PHI? Is Google Drive HIPAA compliant? Is Google Drive HIPAA Compliant? The answer to the question, “Is Google Drive HIPAA compliant?” is yes and no. HIPAA compliance is less about technology and more about how technology is used. Even a software solution or cloud service that is billed as being HIPAA-compliant can easily be used in a manner that violates HIPAA Rules. G Suite – formerly Google Apps, of which Google Drive is a part – does support HIPAA compliance. The service does not violate HIPAA Rules provided HIPAA Rules are followed by users. G Suite incorporates all of the necessary controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied. The use of any software or cloud platform in conjunction with protected health information requires the vendor of the service to sign a HIPAA-compliant business...

Read More
U.S. Data Breaches Hit Record High
Jul20

U.S. Data Breaches Hit Record High

Hacking still the biggest cause of data breaches and the breach count has risen once again in 2017, according to a new report released by the Identity Theft Resource Center (ITRC) and CyberScout. In its half yearly report, ITRC says 791 data breaches have already been reported in the year to June 30, 2017 marking a 29% increase year on year. At the current rate, the annual total is likely to reach 1,500 reported data breaches. If that total is reached it would represent a 37% increase from last year’s record-breaking total of 1,093 breaches. Following the passing of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing healthcare data breach summaries on its website. Healthcare organizations are required by HIPAA/HITECH to detail the extent of those breaches and how many records have been exposed or stolen. The healthcare industry leads the way when it comes to transparency over data breaches, with many businesses failing to submit details of the extent of their breaches. ITRC says it is becoming much more common to...

Read More
Are You Blocking Ex-Employees’ PHI Access Promptly?
Jul19

Are You Blocking Ex-Employees’ PHI Access Promptly?

A recent study commissioned by OneLogin has revealed many organizations are not doing enough to prevent data breaches by ex-employees. Access to computer systems and applications is a requirement while employed, but many organizations are failing to block access to systems promptly when employees leave the company, even though ex-employees pose a significant data security risk. Blocking access to networks and email accounts when an employee is terminated or otherwise leaves the company is one of the most basic security measures, yet all too often the process is delayed. 600 IT employees who had some responsibility for security in their organization were interviewed for the study and approximately half of respondents said they do not immediately terminate ex-employees’ network access rights. 58% said it takes longer than a day to delete ex-employees’ login credentials. A quarter of respondents said it can take up to a week to block access, while more than one in five respondents said it can take up to a month to deprovision ex-employees. That gives them plenty of time to gain access...

Read More
Is Dropbox HIPAA Compliant?
Jul14

Is Dropbox HIPAA Compliant?

Healthcare organizations can benefit from using Dropbox, but is Dropbox HIPAA compliant? Can the service be used to store and share protected health information? Is Dropbox HIPAA Compliant? Dropbox is a popular file hosting service used by many organizations to share files, but what about protected health information? Is Dropbox HIPAA compliant? Dropbox claims it now supports HIPAA and HITECH Act compliance but that does not mean Dropbox is HIPAA compliant. No software or file sharing platform can be HIPAA compliant as it depends on how the software or platform is used. That said, healthcare organizations can use Dropbox to share or store files containing protected health information without violating HIPAA Rules. The Health Insurance Portability and Accountability Act requires covered entities to enter into a business associate agreement (BAA) with an entity before any protected health information (PHI) is shared. Dropbox is classed as a business associate so a BAA is required. Dropbox will sign a business associate agreement with HIPAA-covered entities. To avoid a HIPAA...

Read More
ONC Offers Help for Covered Entities on Medical Record Access for Patients
Jul13

ONC Offers Help for Covered Entities on Medical Record Access for Patients

The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule requires covered entities to give medical record access for patients on request. Patients should be able to obtain a copy of their health records in paper or electronic form within 30 days of submitting the request. Last year, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance for covered entities on providing patients with access to their medical records. A series of videos was also released to raise awareness of patients’ rights under HIPAA to access their records. In theory, providing access to medical records should be a straightforward process. In practice, that is often not the case. Patients often have difficulty accessing their electronic health data with many healthcare organizations unable to easily provide health records electronically. Patient portals often provide information for patients, although the information available via patient portals can be incomplete or inaccurate. When patients need to obtain their health information to give to other...

Read More
Indiana Senate Passes New Law on Abandoned Medical Records
Jul13

Indiana Senate Passes New Law on Abandoned Medical Records

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers (and other covered entities) to implement reasonable administrative, technical, and physical safeguards to protect the privacy of patients’ protected health information. HIPAA applies to electronic protected health information (ePHI) and physical records. Safeguards must be implemented to protect all forms of PHI at rest and in transit and when PHI is no longer required, covered entities must ensure it is disposed of securely. For electronic protected health information that means data must be permanently deleted so it cannot be reconstructed and recovered. To satisfy HIPAA requirements, the Department of Health and Human Services’ Office for Civil Rights (OCR) recommends clearing, purging or destroying electronic media used to store ePHI. Clearing involves the use of software to overwrite data, purging involves degaussing or exposing media to strong magnetic fields to destroy data. Destruction of electronic media could involve pulverization, melting, disintegration, shredding or...

Read More
U.S. Healthcare Providers Affected by Global Ransomware Attack
Jun29

U.S. Healthcare Providers Affected by Global Ransomware Attack

NotPetya ransomware attacks have spread to the U.S. Decryption may not be possible even if the ransom is paid. Details of how to prevent attacks are detailed below. NotPetya Ransomware Attacks Spread to the United States Tuesday’s global ransomware attack continues to cause problems for many organizations in Europe, with the attacks now having spread to North America. The spread of the ransomware has been slower in the United States than in Europe, although many organizations have been affected including at least three healthcare systems. Pennsylvania’s Heritage Valley Health System has confirmed that its computer systems have been infected with the ransomware. The ransomware has affected the entire health system including both of its hospitals and its satellite and community facilities. While medical services continue to be provided, computer systems were shut down and some non-urgent medical procedures were postponed. 14 of the health system’s community facilities were closed on Wednesday as a result of the attack and lab and diagnostic services were also affected The health...

Read More
World’s Largest Data Breach Settlement Agreed by Anthem
Jun26

World’s Largest Data Breach Settlement Agreed by Anthem

The largest data breach settlement in history has recently been agreed by the health insurer Anthem Inc. Anthem experienced the largest healthcare data breach ever reported in 2015, with the cyberattack resulting in the theft of 78.8 million records of current and former health plan members. The breach involved names, addresses, Social Security numbers, email addresses, birthdates and employment/income information. A breach on that scale naturally resulted in many class-action lawsuits, with more than 100 lawsuits consolidated by a Judicial Panel on Multidistrict Litigation. Now, two years on, Anthem has agreed to settle the litigation for $115 million. If approved, that makes this the largest data breach settlement ever – Substantially higher than $18.5 million settlement agreed by Target after its 41 million-record breach and the $19.5 million paid to consumers by Home Depot after its 50-million record breach in 2014. After experiencing the data breach, Anthem offered two years of complimentary credit monitoring services to affected plan members. The settlement will, in...

Read More
Google to Remove Personal Medical Information From Its Search Results
Jun23

Google to Remove Personal Medical Information From Its Search Results

There are only a handful of content categories that Google will not display in its search results. Now the list has grown slightly with the addition of personal medical records, specifically, the ‘confidential, personal medical records of private people.’ The update to its policy was made yesterday, with medical records joining national identification numbers such as Social Security numbers, bank account numbers, credit card numbers, images of signatures, sexual abuse images, revenge porn, and material that has been uploaded to the Internet in violation of the Digital Millennium Copyright Act. Google’s indexing system captures all publicly accessible information that has been uploaded to the Internet, although there has been criticism in recent years about the types of information Google allows to be listed. Even so, it is rare for Google to make changes to its algorithms to block certain types of content. The last addition to the list of material that can be removed automatically by Google was revenge porn – nude or sexually explicit images that have been uploaded to the...

Read More
Healthcare Data Breach Costs Fall to $380 Per Record
Jun21

Healthcare Data Breach Costs Fall to $380 Per Record

Healthcare data breach costs have fallen year-over-year according to the latest IBM Security/Ponemon Institute study.  While there was a slight decline, for the seventh straight year, healthcare data breach costs are still higher than any other industry sector. This year, the Ponemon Institute calculated the average healthcare data breach costs to be $380 per record. The average global cost per record for all industries is now $141, with healthcare data breach costs more than 2.5 times the global average. Last year, average healthcare data breach costs were $402 per record. The average cost of a breach in the United States across all industries is $225 per record, up from $221 in 2016. Data breach costs have risen substantially over the past seven years, although the latest report shows there was a 10% reduction in data breach costs across all industry sectors. This was the first year that data breach costs have shown a decline. The average global cost of a data breach now stands at $3.62 million, having reduced from $4 million last year. The study was conducted globally, with 63...

Read More
May’s Healthcare Data Breach Report Shows Some Incidents Took 3 Years to Discover
Jun20

May’s Healthcare Data Breach Report Shows Some Incidents Took 3 Years to Discover

The May 2017 healthcare Breach Barometer Report from Protenus shows there was an increase in reported data breaches last month. May was the second worst month of the year to date for healthcare data breaches with 37 reported incidents, approaching the 39 data breaches reported in March. In April, there were 34 incidents reported. So far, each month of 2017 has seen more than 30 data breaches reported – That’s one reported breach per day, as was the case in 2016. In May, there were 255,108 exposed healthcare records representing a 10% increase in victims from the previous month; however, it is not yet known how many records were exposed in 8 of the breaches reported in May. The number of individuals affected could rise significantly. The largest incident reported in May was the theft of data by TheDarkOverlord, a hacking group/hacker known for stealing data and demanding a ransom in exchange for not publishing the data. The latest incident saw the data dumped online when the organization refused to pay the ransom. While April saw a majority of healthcare data breaches caused by...

Read More
OCR’s Wall of Shame Under Review by HHS
Jun16

OCR’s Wall of Shame Under Review by HHS

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’. The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of breach, location of breach information, whether a business associate was involved and the number of individuals affected. The list includes all reported data breaches, including those which occurred due to no fault of the healthcare organization. The list is not a record of HIPAA violations. Those are determined during OCR investigations of breaches. Making brief details of the data breaches available to the public is an ‘unnecessarily punitive’ measure, according to Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list. Burgess was informed at a cybersecurity hearing last week that HHS secretary Tom Price is currently...

Read More
Microsoft Patches Two Critical, Actively Exploited Vulnerabilities
Jun14

Microsoft Patches Two Critical, Actively Exploited Vulnerabilities

Microsoft released a slew of updates this Patch Tuesday, including patches for two critical vulnerabilities that are being actively exploited in the wild. In total, 95 vulnerabilities were addressed yesterday, eighteen of which have been rated critical and 76 as important. The two actively exploited vulnerabilities are of most concern, in fact one is so serious that Microsoft took the decision to issue a patch for Windows XP, even though extended support for the outdated operating system ended in April 2014. As with the emergency patch issued last month shortly after the WannaCry ransomware attacks, the vulnerability was considered so severe it warranted a patch. Adrienne Hall, general manager of Microsoft’s Cyber Defense Operations Center, explained the decision to issue a patch for Windows XP saying, “Due to the elevated risk for destructive cyberattacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt.” The flaw – CVE-2017-8543 – exists in...

Read More
OCR Issues Guidance on the Correct Response to a Cyberattack
Jun12

OCR Issues Guidance on the Correct Response to a Cyberattack

Last week, the Department of Health and Human Services’ Office for Civil Rights issued new guidance to covered entities on the correct response to a cyberattack. OCR issued a quick response checklist and accompanying infographic to explain the correct response to a cyberattack and the sequence of actions that should be taken. Responding to an ePHI Breach Preparation is key. Organizations must have response and mitigation procedures in place and contingency plans should exist that can be implemented immediately following the discovery a cyberattack, malware or ransomware attack. The first stage of the response is to take immediate action to prevent any impermissible disclosure of electronic protected health information. In the case of a network intrusion, unauthorized access to the network – and data – must be blocked and steps taken to prevent data from being exfiltrated. Healthcare organizations may have staff capable of responding to such an incident, although third party firms can be contracted to assist with the response. Smaller healthcare organizations may have little choice...

Read More
Data Breach Risk From Out of Date Operating Systems and Web Browsers Quantified
Jun09

Data Breach Risk From Out of Date Operating Systems and Web Browsers Quantified

The recent WannaCry ransomware attacks have highlighted the risks from failing to apply patches and update software promptly. BitSight has now published the results of a study that sought to quantify the risk from tardy updates and delayed software upgrades. For the study, BitSight analyzed the correlation between data breaches and the continued to use old operating systems such as Windows 7, Windows Vista and Windows XP and old versions of web browsers. Operating systems and browsers used by approximately 35,000 companies from 20 industries were assessed as part of the study. BitSight checked Apple OS and Microsoft Windows operating systems and Chrome, Internet Explorer, Safari, and Firefox web browsers. 2,000 of the companies studied (6%) had out of date operating systems on more than half of their computers. BitSight said 8,500 companies were discovered to be using out of date web browsers. BitSight used its risk platform to study computer compromises and identified operating system and browser versions at those companies. BitSight was able to determine that organizations...

Read More
WannaCry Ransomware Continues to Cause Problems for U.S. Hospitals
Jun06

WannaCry Ransomware Continues to Cause Problems for U.S. Hospitals

The Department of Health and Human Services (HHS) has issued a cyber notice to alert healthcare organizations of the continuing problems caused by the WannaCry ransomware attacks on May 12, 2017. Following the attacks, the United States Department of Homeland Security (DHS) issued a statement saying the U.S. had suffered ‘limited attacks’ with only a small number of companies affected. However, the problems caused by those attacks have been considerable. The HHS says two large, multi-state hospital systems are still facing significant challenges to operations as a result of the May 12 attacks. The Windows SMB vulnerability (MS17-010) exploited by the threat actors was addressed by Microsoft in a March 14, 2017 update, with an emergency patch released for unsupported Windows versions shortly after the attacks took place. The patches will prevent the MS17-010 vulnerability from being exploited and thus prevent WannaCry from being downloaded. The encryption routine used by the WannaCry malware was deactivated quickly following the discovery of a kill switch. While the encryption...

Read More
Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts
Jun02

Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts

Ransomware, malware and unaddressed software vulnerabilities threaten the confidentiality, integrity and availability of PHI, although healthcare organizations should take steps to deal with the threat from within. This year has seen numerous cases of employees snooping and accessing medical records without authorization. The HIPAA Security Rule 45 CFR §164.312(b) requires covered entities to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information,” while 45 CFR §164.308(a)(1)(ii)(D) requires covered entities to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” Logs create an audit trail that can be followed in the event of a data breach or privacy incident. Those logs can be checked to discover which records have been accessed without authorization. If those logs are monitored continuously, privacy breaches can be identified quickly and action taken to...

Read More
OCR Reminds Covered Entities of Security Incident Definition and Notification Requirements
Jun01

OCR Reminds Covered Entities of Security Incident Definition and Notification Requirements

The ransomware attacks and healthcare IT security incidents last month have prompted the Department of Health and Human Services’ Office for Civil Rights to issue a reminder to covered entities about HIPAA Rules on security breaches. In its May 2017 Cyber Newsletter, OCR explains what constitutes a HIPAA security incident, preparing for such an incident and how to respond when perimeters are breached. HIPAA requires all covered entities to implement technical controls to safeguard the confidentiality, integrity and availability of electronic protected health information (ePHI). However, even when covered entities have sophisticated, layered cybersecurity defenses and are fully compliant with HIPAA Security Rule requirements, cyber-incidents may still occur. Cybersecurity defenses are unlikely to be 100% effective, 100% of the time. Prior to the publication of OCR guidance on ransomware attacks last year, there was some confusion about what constituted a security incident and reportable HIPAA breach. Many healthcare organizations had experienced ransomware attacks, yet failed to...

Read More
Molina Healthcare Patient Portal Discovered to Have Exposed Patient Data
May31

Molina Healthcare Patient Portal Discovered to Have Exposed Patient Data

Earlier this month, security researcher Brian Krebs was alerted to a flaw in a patient portal used by True Health Group that allowed patients’ test results to be viewed by other patients. While patients were required to login to the patient portal before viewing their test results, a security flaw allowed then to also view other patients’ results. Now, the Medicaid and Affordable Care Act Insurer Molina Healthcare is investigating a similar flaw in its patient portal that has allowed the sensitive medical information of patients to be accessed by unauthorized individuals. In the case of Molina Healthcare, patients’ medical claims could be accessed without authentication. Brian Krebs contacted Molina Healthcare to alert the company to the flaw. An investigation was conducted and its patient portal was shut down while the issue was resolved. It is unclear for how long the flaw existed, whether medical claims had been viewed by unauthorized individuals, and if so, how many patients had their privacy violated. Potentially, the flaw resulted in the exposure of all customers’ medical...

Read More
HIPAA Enforcement Update Provided by OCR’s Iliana Peters
May25

HIPAA Enforcement Update Provided by OCR’s Iliana Peters

Office for Civil Rights Senior Advisor for HIPAA Compliance and Enforcement, Iliana Peters, has given an update on OCR’s enforcement activities in a recent Health Care Compliance Association ‘Compliance Perspectives’ podcast. OCR investigates all data breaches involving the exposure of theft of more than 500 healthcare records. OCR also investigates complaints about potential HIPAA violations. Those investigations continue to reveal similar non-compliance issues. Peters said many issues come up time and time again. Peters confirmed that cases are chosen to move on to financial settlements when they involve particularly egregious HIPAA violations, but also when they relate to aspects of HIPAA Rules that are frequently violated. The settlements send a message to healthcare organizations about specific aspects of HIPAA Rules that must be addressed. Peters said one of the most commonly encountered problems is the failure to conduct a comprehensive, organization-wide risk assessment and ensure any vulnerabilities identified are addressed through a HIPAA-compliant risk management...

Read More
Impermissible Disclosure of HIV Status to Employer Results in $387,000 HIPAA Penalty
May24

Impermissible Disclosure of HIV Status to Employer Results in $387,000 HIPAA Penalty

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a new HIPAA settlement to resolve violations of the HIPAA Privacy Rule. St. Luke’s-Roosevelt Hospital Center Inc., has paid OCR $387,200 to resolve potential HIPAA violations discovered during an OCR investigation of a complaint about an impermissible disclosure of PHI. In September 2014, OCR received a complaint about a potential privacy violation involving a patient of St. Luke’s Spencer Cox Center for Health. In the complaint, it was alleged that a member of St Luke’s staff violated the privacy of a patient by faxing protected health information to the individual’s employer. The information in the fax was highly sensitive, including the patient’s sexual orientation, HIV status, sexually transmitted diseases, mental health diagnosis, details of physical abuse suffered, medical care and medications. Instead of faxing the information, the data should have been sent to a personal post box as requested. The investigation revealed that the incident was not the only time that the HIPAA Privacy Rule...

Read More
Leading Cause of Healthcare Data Breaches in April was Hacking
May23

Leading Cause of Healthcare Data Breaches in April was Hacking

The monthly Breach Barometer Report from Protenus shows a significant reduction in the number of exposed healthcare records in April, with 232,060 records exposed compared to more than 1.5 million in March. The number of reported data breaches also fell from 39 to 34. The report offers some further good news. The time taken by healthcare organizations to report security incidents also fell last month. 66% of breaches were reported within the 60-day time period allowed by the Health Insurance Portability and Accountability Act Breach Notification Rule. While it is good news that the trend for reporting data breaches more promptly is continuing, there is still plenty of room for improvement. Protenus reports that in April, it took an average of 51 days from the date of the breach to discovery, and an average of 59 days from the discovery of a breach to the submission of a breach report to the HHS’ Office for Civil Rights. The data for the Protenus Breach Barometer report was supplied by Databreaches.net, which uncovered one of the worst breaches of the year to date. The theft of...

Read More
HIPAA and Ransomware: Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware
May19

HIPAA and Ransomware: Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk. The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and pertinent information for U.S. healthcare organizations allowing them to take rapid action to counter the threat. While the Office for Civil Rights has previously sent monthly emails to healthcare organizations warning of new threats in its cybersecurity newsletters, the recent alerts were sent much more rapidly and frequently, with four email alerts and conference calls made with industry stakeholders alerting them to the imminent threat. Whether this was a one off in response to a specific and imminent major threat or the HHS plans to issue more timely alerts remains to be seen. However, the rapid communication of the ransomware threat almost certainly...

Read More
WannaCry Ransomware Encrypted Hospital Medical Devices
May17

WannaCry Ransomware Encrypted Hospital Medical Devices

The WannaCry ransomware attacks on NHS hospitals in the UK have been widely publicized, but the extent to which U.S. healthcare organizations were affected is unclear. However, news has emerged that WannaCry ransomware has been installed on hospital systems and succeeded in encrypted medical device data. The ransomware targeted older Windows versions and more recent operating systems that had not been updated with the MS17-010 patch that addressed the exploited vulnerability in Server Message Block 1.0 (SMBv1). The attacks claimed more than 200,000 victims around the globe. So far, two healthcare organizations in the United States have confirmed they experienced a WannaCry ransomware attack that affected Bayer MedRad devices. The devices are power injector systems used to monitor contrast agents administered to improve the quality of imaging scans, such as MRIs. Bayer told Forbes, “If a hospital’s network is compromised, this may affect Bayer’s Windows-based devices connected to that network.” In both cases that were reported to Bayer, the issue was resolved...

Read More
HIPAA Compliance Best Practices
May16

HIPAA Compliance Best Practices

Questions and Answers to Improve Security and Avoid Penalties By Bill Becker Even after 14 years, public and private sector organizations are still routinely found out of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Security management processes are among the weakest links in compliance. In this article, we’ll look at some of the basics that covered entities and their business partners need to follow to ensure that they are not hit with financial or other penalties. For the uninitiated, HIPAA regulates the use and disclosure of certain information held by health plans, health insurers, and medical service providers that engage in many types of transactions. Enforcement of HIPAA Privacy and Security Rules falls to the Department of Health and Human Services’ Office for Civil Rights (OCR). Enforcement of compliance began in 2005, with OCR becoming responsible for Security Rule enforcement four years later. Since April 2003, over 150,000 HIPAA Privacy Rule complaints have been investigated by OCR. 98% (or 147,826) of the complaints have been...

Read More
WannaCrypt Ransomware Attacks Stopped, But Only Briefly
May15

WannaCrypt Ransomware Attacks Stopped, But Only Briefly

The global WannaCrypt ransomware attacks that hit NHS Trusts in the UK hard on Friday have spread to the United States, affecting some U.S. organizations including FedEx. Figures this morning indicate there were more than 200,000 successful attacks spread across 150 countries over the weekend. Fortunately, the variant of the ransomware used in the weekend attacks has been neutralized. On Saturday afternoon, a blogger and security researcher in the UK identified a kill switch and was able to prevent the ransomware from claiming more victims. While investigating the worm element of the ransomware campaign, the researcher ‘Malware Tech’ found a reference to a domain in the code. That domain had not been registered, so Malware Tech purchased and registered the domain. Doing so stopped the ransomware from encrypting files. The ransomware performs a domain check prior to encrypting files. If the ransomware is able to connect with the domain in the code, the ransomware exists and does not encrypt any files. If the connection fails, the ransomware continues and starts encrypting files. The...

Read More
Massive Ransomware Attack Hits NHS: Global Warning Issued as Attacks Spread
May13

Massive Ransomware Attack Hits NHS: Global Warning Issued as Attacks Spread

The UK’s National Health Service (NHS) has experienced its worst ever ransomware attack. The infections spread rapidly to multiple NHS trusts, forcing computer system shutdowns. Affected hospitals cancelled operations with the disruption to patient services still continuing. The attack occurred on Friday and affected 61 NHS hospital trusts, causing chaos for patients. The NHS has been working around the clock to bring its computer systems back online and to recover encrypted data. The massive ransomware attack involved Wanna Decryptor 2.0 ransomware or WannaCry/WanaCryptor as it is also known. There is no known decryptor. The attackers were threatening to delete data if the ransom was not paid within 7 days, with the ransom amount set to double in three days if payment was not made. The ransom demand was reportedly $300 (£230) per infected machine. NHS Trusts saw the ransomware infection rapidly spread to all computers connected to their networks. While the NHS was one of the early victims, the attack has spread globally with the Spanish telecoms company Telefonica also hit, along...

Read More
Security Breach Highlights Need for Patient Portals to be Pen Tested
May11

Security Breach Highlights Need for Patient Portals to be Pen Tested

A range of safeguards must be implemented to ensure networks and EHRs are protected. Encryption should be considered to prevent the loss or theft of devices from exposing the ePHI of patients. However, it is important for healthcare organizations also check their patient portals for potential vulnerabilities and implement safeguards to prevent unauthorized disclosures of sensitive information. The failure to implement appropriate safeguards on web-based applications can easily result in unauthorized disclosures of patients PHI, as was recently demonstrated at True Health Diagnostics. The Frisco, TX-based healthcare services company offers testing for a wide range of diseases and genetic abnormalities, with test information available to patient via a web portal. The web portal allows patients to obtain their test results quickly. Patients are required to register and can only access their records if they first log in to the portal. However, a flaw on the web portal allowed patients to access not only their own test results, but the test results and PHI of other patients. The website...

Read More
Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine
May11

Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine

Memorial Hermann Health System has agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. The settlement stems from an impermissible disclosure on a press release issued by MHHS in September 2015. Memorial Hermann Health System (MHHS) is a 16-hospital health system based in Southeast Texas, serving patients in the Greater Houston area. In September, a patient visited a MHHS clinic and presented a fraudulent identification card to hospital staff. The fraudulent ID card was identified as such by hospital staff, law enforcement was notified and the patient was arrested. The hospital disclosed the name of the patient to law enforcement, which is allowable under HIPAA Rules. However, the following action taken by the hospital was a violation of the HIPAA Privacy Rule. MHHS issued a press release about the incident but included the patients name in the title of the press release. That press release was approved before release by MHHS senior management, even though naming the patient...

Read More
Patient-Physician Texting to Be Covered at AMA Annual Meeting
May10

Patient-Physician Texting to Be Covered at AMA Annual Meeting

Text messages are a quick and easy method of communication, although for healthcare professionals the use of SMS messages carries considerable privacy risks. While text messages can be used to communicate quickly with members of a care team, the inclusion of any protected health information (PHI) or personally identifiable information (PII) violates HIPAA Rules. SMS texts are unencrypted, potentially allowing unauthorized individuals to access the messages and view the contents. SMS messages may also be stored on the servers of service providers. Those messages may remain on unsecured servers indefinitely. Copies of SMS texts can remain on the sender’s and recipients phone. In the event that either the sender or recipient’s phone is lost or stolen, PHI/PII in messages may be exposed. With SMS messages, there are no HIPAA-compliant controls to verify the identity of the recipient or for the recipient to verify the identity of the sender. The lack of safeguards in place to ensure the confidentiality and integrity of PHI and limited authentication controls means the sending of any...

Read More
NIST Small Business Cybersecurity Act of 2017 Approved by SST Committee
May08

NIST Small Business Cybersecurity Act of 2017 Approved by SST Committee

Cybercriminals may not be targeting small healthcare practices to the same extent as large health systems, but as the OCR’s data breach portal shows, cyberattacks on small healthcare organizations occur frequently. When cyberattacks occur they can be catastrophic for small businesses. Figures from the National Cybersecurity Alliance suggest 60% of small businesses cease trading within 6 months of experiencing a cyberattack. Faced with the financial burden of resolving a data breach, it is no surprise that so many businesses fail to make it through the next six months. In order to prevent cyberattacks and keep sensitive health data secure, small healthcare organizations must effectively manage cybersecurity risks. However, many cybersecurity resources and security frameworks have been developed for medium to large sized businesses. Smaller organizations typically lack the necessary resources to be able to implement highly effective cybersecurity defenses and few have skilled cybersecurity staff to monitor and manage cybersecurity risks. NIST has developed a cybersecurity framework...

Read More
NCCIC Warns of Highly Sophisticated Campaign Delivering Multiple Malware Variants
May05

NCCIC Warns of Highly Sophisticated Campaign Delivering Multiple Malware Variants

Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) has issued an alert about an emerging sophisticated campaign affecting multiple industry sectors. The attacks have been occurring for at least a year, with threat actors using stolen administrative credentials and certificates to install multiple malware variants on critical systems. A successful attack gives the threat actors full access to systems and data, while the methods used allow the attackers to avoid detection by conventional security solutions. While many organizations have been attacked, one of the main targets has been IT service providers. Gaining access to their systems has allowed the actors to conduct attacks on their clients and gain access to their environments. The method of attack allows the actors to bypass conventional monitoring and detection tools and, in many cases, results in the attackers gaining full access to networks and stored data. NCCIC is still investigating the campaign so full information is not yet available, although an advance warning has been issued to...

Read More
Majority of Organizations Failing to Protect Against Mobile Device Security Breaches
May05

Majority of Organizations Failing to Protect Against Mobile Device Security Breaches

A recent report published by Dimensional Research has highlighted the growing threat of mobile device security breaches and how little organizations are doing to mitigate risk. Cybercriminals may view employees as one of the weakest links in the security chain, but mobile devices are similarly viewed as an easy way of gaining access to data and corporate networks. According to the report, the threat of mobile cyberattacks in growing. Two out of ten companies have already experienced a mobile device cyberattack, although in many cases, organizations are not even aware that a cyberattack on a mobile device has occurred. The survey, which was conducted on 410 security professionals, found that two thirds of respondents were doubtful they would be able to prevent a cyberattack on mobile devices and 51% believed the risk of data theft/loss via mobile devices was equal to or greater than the risk of data theft/loss from PCs and laptops. Yet, a third of respondents said they did not adequately protect mobile devices. 94% of respondents said cyberattacks on mobile devices will become more...

Read More
Rise in Business Email Compromise Scams Prompts IC3 Warning
May05

Rise in Business Email Compromise Scams Prompts IC3 Warning

There has been a massive increase in business email compromise scams over the past three years. In the past two years alone, the number of companies that have reported falling for business email comprise scams has increased by 2,370% according to new figures released by the Internet Crime Complaint Center (IC3). In the past three years, cybercriminals have used business email compromise scams to fraudulently obtain more than $5 billion. U.S. organizations lost more than $1.5 billion to BEC scams between October 2013 and December 2016. The rise in BEC attacks has prompted IC3 to issue a new warning to businesses, urging them to implement a range of defenses to mitigate risk. What are Business Email Compromise Scams and How Do They Work? A business email compromise scam – also known as an email account compromise – involves an attacker gaining access to an email account of an executive and sending an email request to a second employee via the compromised email account. The request can be a bank transfer or a request to email data. Since the email comes from within an organization,...

Read More
Bitglass Publishes 2017 Healthcare Data Security Report
May04

Bitglass Publishes 2017 Healthcare Data Security Report

Bitglass has recently published its 2017 Healthcare Data Breach Report, the third annual report on healthcare data security issued by the data protection firm. For the report, Bitglass conducted an analysis of healthcare data breach reports submitted to the Department of Health and Human’ Services Office for Civil Rights. The report confirms 2016 was a particularly bad year for healthcare industry data breaches. Last year saw record numbers of healthcare data breaches reported, although the number of healthcare records exposed in 2016 was lower than in 2015. In 2016, 328 healthcare data breaches were reported, up from 268 incidents in 2015. Last year’s healthcare data breaches impacted around 16.6 million Americans. The good news is that while incidents are up, breaches are exposing fewer healthcare records. If the colossal data breach at Anthem Inc., which exposed 78.8 million healthcare records, is considered an anomaly and is excluded from last year’s figures, the number of individuals impacted by healthcare data breaches has fallen for two years in a row. That trend looks set...

Read More