H-ISAC Publishes Framework for Managing Identity in Healthcare
May 26, 2020

The Health Information Sharing and Analysis Center (H-ISAC) has published a framework for CISOs to manage identity and defend their organization against identity-based cyberattacks. This is the second white paper to be published by H-ISAC covering the identity-centric approach to security. The first white paper explains why an identity-centric approach to cybersecurity is now needed, with the latest white paper detailing how that approach can be implemented. By adopting the framework, CISOs will be able to manage the full identity lifecycle of employees, patients, practitioners, and business partners in a way that guards against cyberattacks on identity, lowers risk, and increases operational efficiencies. The framework has been developed for CISOs at healthcare organizations of all sizes. As such, it does not offer a one-size-fits-all approach. Instead, components of the framework can be applied differently based on different environments and use cases. CISOs will need to assess the resources available and their unique risks and decide how best to apply the framework. The...

April 2020 Healthcare Data Breach Report
May 20, 2020

There were 37 healthcare data breaches of 500 or more records reported in April 2020, up one from the 36 breaches reported in March. As the graph below shows, the number of breaches reported each month has been fairly consistent and has remained well below the 12-month average of 41.9 data breaches per month. While the number of breaches increased slightly, there was a significant reduction in the number of breached healthcare records in April. 442,943 healthcare records were breached in April, down 46.56% from the 828,921 records breached in March. This is the second successive month in which the number of exposed records has fallen. While this is certainly good news, it should be noted that in the past 12 months, 39.92 million healthcare records have been breached.

Largest Healthcare Data Breaches in April 2020

Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information
Beaumont Health | Healthcare Provider | 112,211 | Hacking/IT Incident | Email
Meridian Health Services Corp. | Healthcare Provider | 111,372 | Hacking/IT Incident | Email...

Guidance on Managing the Cybersecurity Tactical Response in a Pandemic
May 19, 2020

Joint guidance has been issued by the Healthcare and Public Health Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) on managing the cybersecurity tactical response in emergency situations, such as a pandemic. Threat actors will try to exploit emergency situations to conduct attacks, which has been clearly seen during the COVID-19 pandemic. In many cases, the duration of an emergency will limit the potential for threat actors to take advantage, but in a pandemic the period of exposure is long. The SARS-CoV-2 outbreak was declared a public health emergency on January 30, 2020, giving threat actors ample time to exploit COVID-19 to conduct attacks on the healthcare sector. The key to dealing with the increased level of cybersecurity threat during emergency situations is preparation. Without preparation, healthcare organizations will find themselves constantly fighting fires and scrambling to improve security at a time when resources are stretched thin. The new guidance was created during the COVID-19 pandemic by HSCC’s Cybersecurity...

Republicans and Democrats Introduce Competing Bills Covering COVID-19 Contact Tracing Apps
May 18, 2020

Two privacy bills have been introduced relating to COVID-19 contact tracing apps that are now being considered by Congress. The competing bills, introduced by Republican and Democratic lawmakers, share some common ground and both introduce measures to protect the privacy of Americans and ensure personal data is not misused. The first bill, the COVID-19 Consumer Data Protection Act, was introduced by Republican senators Roger Wicker (R-Miss.), John Thune (R-S.D.), Jerry Moran (R-Kan.), and Marsha Blackburn (R-Tenn.) last month “to protect the privacy of consumers’ personal health information, proximity data, device data, and geolocation data during the coronavirus public health crisis.” The bill would make it illegal to collect personal health information, proximity data, device data, or geolocation data unless consumers are given notice of the purpose of the collection and give their consent to the collection, processing, and transfer of their data. The bill prohibits the collection, use, or transfer of data for any secondary purposes. The...

CISA and FBI Publish List of Top 10 Exploited Vulnerabilities
May 14, 2020

On Tuesday, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint public service announcement detailing the 10 most exploited vulnerabilities between 2016 and 2019. These vulnerabilities have been exploited by sophisticated nation state hackers to attack organizations in the public and private sectors, gain access to their networks, and steal sensitive data. The vulnerabilities in the list have been extensively exploited by hacking groups with ties to China, Iran, Russia and North Korea, and those actors are still conducting attacks that exploit them, even though patches have been released to address the flaws. In some cases, patches have been available for more than 5 years, but some organizations have still not applied them. Exploiting the vulnerabilities in the top 10 list requires fewer resources than developing zero-day exploits, which means more attacks can be conducted. When patches are applied to address the top 10 vulnerabilities, nation state hackers will be forced to develop new exploits, which will limit their...

AMA Publishes Set of Privacy Principles for Non-HIPAA-Covered Entities
May 13, 2020

The American Medical Association (AMA) has published a set of privacy principles for non-HIPAA-covered entities to help ensure that the privacy of consumers is protected, even when healthcare data is provided to data holders that do not need to comply with HIPAA Rules. HIPAA only applies to healthcare providers, health plans, and healthcare clearinghouses (covered entities) and to business associates of those entities. HIPAA requires those entities to protect the privacy of patients and implement security controls to keep their healthcare data private and confidential. When the same healthcare data is shared with an entity that is not covered by HIPAA, those protections do not need to be in place. HIPAA also gives patients rights over their health data, but those rights do not apply to health data sent to a non-HIPAA-covered entity. The Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) have recently published rules to prevent information blocking and improve sharing of healthcare data. One requirement is to allow patients to...

FTC Seeks Comment on Health Breach Notification Rule
May 11, 2020

The U.S. Federal Trade Commission (FTC) is seeking comment on its breach notification requirements for non-HIPAA-covered entities that collect personally identifiable health information. The FTC’s Health Breach Notification Rule was issued in 2009 under the American Recovery and Reinvestment Act of 2009 (ARRA). The rule took effect on September 24, 2009 and the FTC started actively enforcing compliance on February 22, 2010. Healthcare data collected, maintained, or transmitted by healthcare providers, health plans, healthcare clearinghouses (HIPAA-covered entities) and their business associates is covered by the Health Insurance Portability and Accountability Act (HIPAA) and is classed as protected health information (PHI). The FTC’s Health Breach Notification Rule instead applies to personal health records (PHRs), which are electronic records containing personally identifiable health information that are managed, shared, and controlled by or primarily for the individual. The FTC rule applies to vendors of personal health records and PHR-related entities, which are companies that...

OCR Issues Guidance on Media and Film Crew Access to Healthcare Facilities
May 6, 2020

The HHS’ Office for Civil Rights (OCR) has issued guidance to healthcare providers to remind them that the HIPAA Privacy Rule does not allow the media and film crews to access healthcare facilities where patients’ protected health information is accessible unless written authorization has been obtained from the patients concerned in advance. A public health emergency does not change the requirements of the HIPAA Privacy Rule, which remains in effect in emergency situations. OCR has made this clear in the past with enforcement actions against Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital in 2018 after it was discovered they had given film crews access to their facilities without first obtaining authorization from patients. They were fined a total of $999,000 for the HIPAA violations. OCR has issued Notices of Enforcement Discretion during the coronavirus pandemic and will not be imposing sanctions and financial penalties on HIPAA-covered entities for certain violations of HIPAA Rules. Penalties can and will be imposed on covered...

Ciitizen HIPAA Right of Access Study Shows Significant Improvement in Compliance
May 4, 2020

There has been a significant improvement in compliance with the HIPAA Right of Access, according to the latest Patient Record Scorecard Report from Ciitizen. To compile the report, Ciitizen conducted a study of 820 healthcare providers to assess how well each responded to patient requests for copies of their healthcare data. A wide range of healthcare providers were assessed for the study, from single physician practices to large, integrated healthcare delivery systems. The HIPAA Privacy Rule gives patients the right to request a copy of their healthcare data from their providers. Covered entities may require requests to be submitted in writing, and healthcare providers are required to provide the patient with a copy of the health data in a designated record set within 30 days of the request being submitted. The data must be provided in the format requested by the patient if the PHI is readily producible in that format. In cases where data cannot be provided in the requested format, the provider should give the patient a printed copy of their healthcare data or provide the data in an alternative format, as...

NSA Cybersecurity Guidance for Teleworkers and Other Useful COVID-19 Threat Resources
May 1, 2020

The National Security Agency has issued cybersecurity guidance for teleworkers to help improve security when working remotely. The guidance has been released primarily for U.S. government employees and military service members, but it is also relevant to healthcare industry workers providing telehealth services from their home computers and smartphones. There are many consumer and enterprise-grade communication solutions available and the cybersecurity protections offered by each can differ considerably. The guidance document outlines 9 important considerations when selecting a collaboration service. By assessing each service against the 9 criteria, remote workers will be able to choose the most appropriate solution to meet their needs. The NSA strongly recommends conducting high-level security assessments to determine how the security capabilities of each platform perform against certain security criteria. These assessments are useful for identifying risks associated with the features of each tool. The guidance document also provides information on using the collaboration...

EFF Warns of Privacy and Security Risks with Google and Apple’s COVID-19 Contact Tracing Technology
April 30, 2020

The contact tracing technology being developed by Apple and Google to help track people who have come into close contact with individuals confirmed as having contracted COVID-19 could be invaluable in the fight against SARS-CoV-2; however, the Electronic Frontier Foundation (EFF) has warned that in its current form, the system could be abused by cybercriminals. Google and Apple are working together on the technology, which is expected to be fully rolled out next month. The system will allow app developers to build contact tracing apps to help identify individuals who may have been exposed to SARS-CoV-2. When a user installs a contact tracing app, each time they come into contact with another person who has the app installed on their phone, anonymous identifier beacons called rolling proximity identifiers (RPIDs) will be exchanged via Bluetooth Low Energy.

How Does the Contact-Tracing System Work?

RPIDs will be exchanged only if an individual moves within a predefined range – 6 feet – and stays in close contact for a set period of time. Range can be determined by strength of...
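How the identifiers described above are derived, as an added worked example (this is not code from the page, Apple or Google): it follows the published Exposure Notification cryptography specification, in which a phone generates a random 16-byte Temporary Exposure Key (TEK) each day, derives a Rolling Proximity Identifier Key from it with HKDF-SHA256 (info "EN-RPIK"), and broadcasts a fresh identifier every 10-minute interval as AES-128 of the block "EN-RPI" || six zero bytes || the little-endian interval number. The TEK, the timestamp and the observed beacons are constructed for the example, and the function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// TEKRollingPeriod is the number of 10-minute intervals a Temporary Exposure
// Key is used for (24 hours) before the phone rolls to a fresh random key.
const TEKRollingPeriod = 144

// hkdfSHA256 is RFC 5869 extract-then-expand with HMAC-SHA256. A nil salt
// means a zero-filled salt of hash length, as the RFC specifies.
func hkdfSHA256(ikm, salt, info []byte, length int) []byte {
	if salt == nil {
		salt = make([]byte, sha256.Size)
	}
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)

	var okm, prev []byte
	for counter := byte(1); len(okm) < length; counter++ {
		expand := hmac.New(sha256.New, prk)
		expand.Write(prev)
		expand.Write(info)
		expand.Write([]byte{counter})
		prev = expand.Sum(nil)
		okm = append(okm, prev...)
	}
	return okm[:length]
}

// IntervalNumber maps a Unix timestamp to its 10-minute EN interval number.
func IntervalNumber(unixSeconds int64) uint32 {
	return uint32(unixSeconds / 600)
}

// RPIK derives the Rolling Proximity Identifier Key from a daily TEK.
func RPIK(tek []byte) []byte {
	return hkdfSHA256(tek, nil, []byte("EN-RPIK"), 16)
}

// RPI computes the identifier broadcast over BLE during one interval:
// AES-128(RPIK, "EN-RPI" || 6 zero bytes || LE32(interval)). The key changes
// daily and the block every 10 minutes, so successive beacons cannot be
// linked by anyone who does not hold the TEK.
func RPI(tek []byte, interval uint32) []byte {
	block, err := aes.NewCipher(RPIK(tek))
	if err != nil {
		panic(err) // only possible with a TEK that is not 16 bytes
	}
	padded := make([]byte, 16)
	copy(padded, "EN-RPI")
	binary.LittleEndian.PutUint32(padded[12:], interval)
	out := make([]byte, 16)
	block.Encrypt(out, padded)
	return out
}

// MatchingIntervals replays a published diagnosis key the way a phone does:
// regenerate all 144 RPIs for that key's day and report the intervals whose
// RPI was actually observed over BLE.
func MatchingIntervals(tek []byte, startInterval uint32, observed [][]byte) []uint32 {
	var hits []uint32
	for i := uint32(0); i < TEKRollingPeriod; i++ {
		candidate := RPI(tek, startInterval+i)
		for _, seen := range observed {
			if bytes.Equal(candidate, seen) {
				hits = append(hits, startInterval+i)
				break
			}
		}
	}
	return hits
}

func main() {
	// Constructed key for the example; a real TEK is 16 random bytes.
	tek, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	start := IntervalNumber(1588291200) // 2020-05-01 00:00 UTC, constructed

	fmt.Printf("RPIK        %x\n", RPIK(tek))
	fmt.Printf("RPI @%d %x\n", start, RPI(tek, start))
	fmt.Printf("RPI @%d %x\n", start+1, RPI(tek, start+1))

	// Beacons a contact's phone might have logged: two from this key, one not.
	observed := [][]byte{RPI(tek, start+7), bytes.Repeat([]byte{0xab}, 16), RPI(tek, start+143)}
	fmt.Println("matching intervals:", MatchingIntervals(tek, start, observed))
}
```

Because each RPI is a block-cipher output under a key that is only published if the user is diagnosed, an observer who logs beacons cannot link them to one another or to a person; once diagnosis keys are downloaded, MatchingIntervals is the test a phone runs locally to find which of its own observations came from a given key, so the matching never leaves the device.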

Ransomware Attackers Claim Three More Healthcare Victims
April 29, 2020

Parkview Medical Center in Pueblo, Colorado is recovering from a ransomware attack that started on April 21, 2020. The attack resulted in several IT systems being taken out of action, including its Meditech electronic medical record system, which has been rendered inoperable. The attack is currently being investigated and assistance is being provided by a third-party computer forensics firm. Parkview Medical Center is currently working around the clock to bring its systems back online and recover the encrypted data. In the meantime, medical services continue to be offered to patients, who remain the number one priority. Staff have switched to pen and paper to record patient information until systems can be brought back online. Despite not having access to important systems, the medical center says the level and quality of care provided to patients has not changed. A spokesperson for the medical center said, “While our medical staff continue to work around the clock in response to the ongoing global pandemic, we are doing everything in our power to bring our systems back online as...

March 2020 Healthcare Data Breach Report
April 24, 2020

March 2020 saw a 7.69% month-over-month decrease in the number of reported healthcare data breaches and a 45.88% reduction in the number of breached records. In March, 36 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR), which is more than 16% fewer than the average number of monthly breaches over the past 12 months. 828,921 healthcare records were breached in March, which is 194% higher than the monthly average number of breached records.

Largest Healthcare Data Breaches in March 2020

The largest healthcare data breach of the month was reported by the genetic testing company, Ambry Genetics Corporation. An unauthorized individual gained access to an employee’s email account that contained the data of 232,772 patients. A major phishing attack was reported by the medical device manufacturer Tandem Diabetes Care. Several employees’ email accounts were compromised and the protected health information of 140,781 patients was exposed. The third largest data breach of the month was reported by Brandywine Urology Consultants, which...

HHS Delays Enforcement of New Interoperability and Information Sharing Rules
April 23, 2020

The HHS will be exercising enforcement discretion in relation to compliance with the new interoperability and information sharing rules that were finalized and issued by the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health IT (ONC) on March 9, 2020. The decision to delay enforcement is due to the COVID-19 pandemic. The CMS, ONC, and HHS’ Office of Inspector General (OIG) believe that during a pandemic of the magnitude of COVID-19, healthcare organizations need to be given some flexibility complying with the new interoperability and information sharing rules. The dates for compliance with the new rules remain unchanged, although both agencies will be exercising enforcement discretion to allow healthcare organizations to continue to focus their efforts on addressing the COVID-19 pandemic. “ONC remains committed to ensuring that patients and providers can access electronic health information, when and where it matters most. During this critical time, we understand that resources need to be focused on fighting the COVID-19...

HHS’ Office of Inspector General Proposes Rule for Civil Monetary Penalties for Information Blocking
April 23, 2020

On Tuesday, the HHS’ Office of Inspector General (OIG) proposed a rule that amends civil monetary penalty rules to also cover information blocking. “When implemented, the new CMPs for information blocking will be an important tool to ensure program integrity and the promised benefits of technology and data,” said Christi A. Grimm, OIG Principal Deputy Inspector General. OIG understands that during the COVID-19 public health emergency, healthcare organizations are focused on providing treatment and follow-up care to patients. OIG is fulfilling its obligations by publishing the new rule but is also trying to be as flexible as possible to minimize the burden on healthcare organizations on the front line dealing with the COVID-19 pandemic. OIG is seeking comment from healthcare organizations and industry stakeholders on when information blocking enforcement should begin. OIG explained that all entities and individuals required to comply with the new information blocking regulations will be given time to achieve compliance before enforcement begins. OIG has proposed the...

FBI Issues Flash Alert About COVID-19 Phishing Scams Targeting Healthcare Providers
April 22, 2020

The FBI has issued a fresh warning following an increase in COVID-19 phishing scams targeting healthcare providers. In the alert, the FBI explains that network perimeter cybersecurity tools used by US-based healthcare providers started detecting COVID-19 phishing campaigns from both domestic and international IP addresses on March 18, 2020 and those campaigns are continuing. These campaigns use malicious Microsoft Word documents, Visual Basic Scripts, 7-zip compressed files, JavaScript, and Microsoft executables to gain a foothold in healthcare networks. While the full capabilities of the malicious code are not known, the FBI suggests that the purpose is to gain a foothold in the network to allow follow-on exploitation, persistence, and data exfiltration. In the alert, the FBI provides indicators of compromise for the ongoing phishing campaigns to allow network defenders to take action to block the threats and protect their environments against attack.

Indicators of Compromise

Email Sender | Email Subject | Attachment Filename | Hash
srmanager@combytellc.com | PURCHASE ORDER PVT | Doc35...
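The indicators above turned into the check a mail gateway or SIEM would run over its delivery log, as an added example that is not code from the FBI alert or from the page. The sender address and subject are the fields visible in the alert's first row; the attachment filename and hash are cut off on the page and are not reconstructed here, so the example hashes a constructed stand-in file instead. The pipe-separated log format, the field names and the log lines are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"regexp"
	"strings"
)

// IOCSet holds normalised indicators: lowercase sender, upper-case subject without Re:/Fw: prefixes, lowercase hex SHA-256.
type IOCSet struct {
	Senders, Subjects, Hashes map[string]bool
}

var angleAddr = regexp.MustCompile(`<([^>]+)>`)
var replyPrefix = regexp.MustCompile(`(?i)^(re|fw|fwd)\s*:\s*`)

// normSender pulls the address out of "Display Name <addr>" and lowercases it.
func normSender(s string) string {
	if m := angleAddr.FindStringSubmatch(s); m != nil {
		s = m[1]
	}
	return strings.ToLower(strings.TrimSpace(s))
}

// normSubject strips chained Re:/Fw: prefixes, collapses whitespace and upper-cases.
func normSubject(s string) string {
	s = strings.TrimSpace(s)
	for t := replyPrefix.ReplaceAllString(s, ""); t != s; t = replyPrefix.ReplaceAllString(s, "") {
		s = t
	}
	return strings.ToUpper(strings.Join(strings.Fields(s), " "))
}

// parseGatewayLine reads the constructed record format time|from|subject|attachment|sha256.
func parseGatewayLine(line string) (ts, sender, subject, hash string, ok bool) {
	f := strings.Split(line, "|")
	if len(f) != 5 {
		return "", "", "", "", false
	}
	return f[0], normSender(f[1]), normSubject(f[2]), strings.ToLower(strings.TrimSpace(f[4])), true
}

// Scan returns "<time> <reason,...>" per record matching at least one indicator; malformed records are skipped.
func Scan(lines []string, iocs IOCSet) []string {
	var hits []string
	for _, line := range lines {
		ts, sender, subject, hash, ok := parseGatewayLine(line)
		if !ok {
			continue
		}
		var why []string
		for _, c := range []struct {
			set       map[string]bool
			key, name string
		}{{iocs.Senders, sender, "sender"}, {iocs.Subjects, subject, "subject"}, {iocs.Hashes, hash, "attachment-hash"}} {
			if c.key != "" && c.set[c.key] {
				why = append(why, c.name)
			}
		}
		if len(why) > 0 {
			hits = append(hits, ts+" "+strings.Join(why, ","))
		}
	}
	return hits
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// sampleAttachment stands in for the malicious document; constructed, not the alert's file.
var sampleAttachment = []byte("constructed stand-in for a malicious .doc")

// AlertIOCs: sender and subject as printed in the alert row, plus the constructed attachment's hash.
func AlertIOCs() IOCSet {
	return IOCSet{
		Senders:  map[string]bool{"srmanager@combytellc.com": true},
		Subjects: map[string]bool{normSubject("PURCHASE ORDER PVT"): true},
		Hashes:   map[string]bool{sha256Hex(sampleAttachment): true},
	}
}

// SampleLog is a constructed gateway log: a full match, a subject-only match behind a reply prefix, a hash-only match, and a clean message.
func SampleLog() []string {
	h := sha256Hex(sampleAttachment)
	return []string{
		"2020-04-22T09:12:01Z|PO Desk <SRManager@combytellc.com>|PURCHASE ORDER PVT|order.doc|" + h,
		"2020-04-22T09:40:17Z|vendor@supplies.example|Re:  purchase order pvt|quote.pdf|" + sha256Hex([]byte("benign quote")),
		"2020-04-22T10:03:55Z|hr@hospital.example|Roster update|roster.xlsm|" + h,
		"2020-04-22T10:20:30Z|lab@hospital.example|Weekly lab stats|stats.csv|" + sha256Hex([]byte("csv")),
	}
}
```

Scan(SampleLog(), AlertIOCs()) flags three of the four constructed records: the first on sender, subject and hash, the second on subject only (the indicator survives the "Re:" prefix and the change of case), the third on hash only. Normalising before comparing is what makes the sender and subject indicators useful, because display names, letter case and reply chains are exactly what differs between one recipient's copy of a campaign mail and the next; the attachment hash, by contrast, only matches a byte-identical file, so a re-armed document needs a fresh indicator.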

Scammers Target Healthcare Buyers Trying to Purchase PPE and Medical Equipment
April 16, 2020

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are attempting to steal money from state agencies and healthcare industry buyers that are trying to purchase personal protective equipment (PPE) and medical supplies. Healthcare industry buyers have been told to be on high alert following a rise in the number of scams related to the procurement of PPE and essential medical equipment such as ventilators, which are in short supply due to increased demand. The FBI has received reports of several cases of advance fee scams, where government agencies and healthcare industry buyers have wired funds to brokers and sellers of PPE and medical equipment, only to discover the suppliers were fake. There have also been several reported cases of business email compromise (BEC) scams related to PPE and medical equipment procurement. In these scams, brokers and vendors of goods and services are impersonated. The scammers use email addresses that are nearly identical to the legitimate broker or seller and request wire transfer payments for the goods and services. The...

Microsoft Patches Three Actively Exploited Flaws and Delays End of Support for Software and Services
April 15, 2020

On April 2020 Patch Tuesday, Microsoft released updates to correct 113 vulnerabilities in its operating systems and software solutions, 19 of which have been rated critical. This month’s round of updates includes fixes for at least 3 zero-day vulnerabilities that are being actively exploited in real world attacks. Two of the actively exploited vulnerabilities were announced by Microsoft in March and Microsoft suggested workarounds to limit the potential for exploitation. The flaws – CVE-2020-0938 and CVE-2020-1020 – both affect the Adobe Font Manager Library and can lead to remote code execution on all supported Windows versions. The flaws are partially mitigated in Windows 10 and could only result in code execution in an AppContainer sandbox with limited privileges and capabilities. The flaws could be exploited if a user is convinced to open a specially crafted document or if it is viewed in the Windows Preview pane. The third actively exploited zero-day is a Windows Kernel vulnerability that was discovered by Google’s Project Zero team. The flaw, tracked as...

Court Rules McHenry County Health Department Must Disclose COVID-19 Patients’ Names to 911 Dispatchers
April 13, 2020

The McHenry County Health Department in Illinois has been refusing to provide the names of COVID-19 patients to 911 dispatchers to protect the privacy of patients, as is the case with patients that have contracted other infectious diseases such as HIV and hepatitis. The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule permits disclosures of PHI to law enforcement officers, paramedics, and 911 dispatchers under certain circumstances, which was clarified by the HHS’ Office for Civil Rights in a March 24, 2020 guidance document, COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities. In the document, OCR explained that “HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. 45 CFR 164.512(b)(1)(iv).” OCR also explained that “disclosing PHI such as patient names to first responders is...

HIPAA Penalties Waived for Good Faith Operation of COVID-19 Community-Based Testing Sites
April 10, 2020

The HHS has issued a Notice of Enforcement Discretion covering healthcare providers and business associates that participate in the operation of COVID-19 community-based testing sites. Under the terms of the Notice of Enforcement Discretion, the HHS will not impose sanctions and penalties in connection with good faith participation in the operation of COVID-19 community-based testing sites. The Notice of Enforcement Discretion is retroactive to March 13, 2020 and will continue for the duration of the COVID-19 public health emergency or until the Secretary of the HHS declares the public health emergency is over. The purpose of the notification is to help pharmacies, other healthcare providers, and their business associates to provide COVID-19 testing services and specimen collection at dedicated walk-up or drive-through facilities, without risking a financial penalty for noncompliance with HIPAA Rules. While the Notice of Enforcement Discretion has been issued, the HHS’ Office for Civil Rights is encouraging covered entities and their business associates to ensure reasonable...

INTERPOL Issues Warning Over Increase in Ransomware Attacks on Healthcare Organizations
April 9, 2020

INTERPOL has issued an alert to hospitals over continuing ransomware attacks during the 2019 Novel Coronavirus pandemic. While some ransomware gangs have publicly stated they will be stopping attacks on healthcare providers that are on the front line dealing with COVID-19, many are still conducting attacks. Further, those attacks have increased.

Attempted Ransomware Attacks on Healthcare Organizations Increased over the Weekend

Last weekend, INTERPOL’s Cybercrime Threat Response (CTR) team detected a significant increase in attempted ransomware attacks on hospitals and other organizations and infrastructure involved in the response to the coronavirus pandemic and issued a ‘Purple Notice’ alerting police forces in all 194 member countries of the increased risk of attacks. “As hospitals and medical organizations around the world are working non-stop to preserve the well-being of individuals stricken with the coronavirus, they have become targets for ruthless cybercriminals who are looking to make a profit at the expense of sick patients,” said INTERPOL Secretary General...

FBI Warns of Increase in COVID-19 Related Business Email Compromise Scams
April 8, 2020

The Federal Bureau of Investigation has issued a warning following a rise in Business Email Compromise (BEC) attacks that are taking advantage of uncertainty surrounding the COVID-19 pandemic. BEC is the term given to an attempt to fool individuals responsible for performing legitimate transfers of funds into sending money to a bank account controlled by the attacker. This is achieved by impersonating an individual within a company that the victim usually conducts business with. A typical attack scenario will see an email sent to an individual in the finance department requesting a change to bank account information for an upcoming payment. Several attacks have recently been reported to the FBI’s Internet Crime Complaint Center (IC3) that have a COVID-19 theme and municipalities are being targeted that are purchasing personal protective equipment (PPE) and other essential supplies to use in the fight against COVID-19. In the alert, the FBI offered two recent examples of COVID-19 BEC scams. The first involved a scammer impersonating the CEO of a company and requesting that a...
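The "nearly identical" sender addresses described in the PPE-procurement scam item above and the bank-detail change in the scenario here, as an added detection example (neither the page nor the FBI alerts it summarises contain code): the sender's domain is compared with the organisation's known partner domains after folding common look-alike character substitutions and measuring edit distance, and the message body is checked for payment-change language. The partner domains, addresses, message text, substitution table and distance thresholds are the example's own.

```go
package main

import "strings"

// confusables folds substitutions that read alike at a glance ("rnedical" -> "medical", "medica1" -> "medical").
var confusables = strings.NewReplacer("rn", "m", "vv", "w", "0", "o", "1", "l", "3", "e", "5", "s")

// domainOf returns the lowercase domain of "user@domain" or "Name <user@domain>".
func domainOf(addr string) string {
	at := strings.LastIndex(addr, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(strings.Trim(addr[at+1:], "> "))
}

// label returns the normalised name without its TLD: "Acme-Medica1.com" -> "acme-medical".
func label(domain string) string {
	d := confusables.Replace(strings.ToLower(domain))
	if i := strings.LastIndex(d, "."); i >= 0 {
		d = d[:i]
	}
	return d
}

// levenshtein is the classic edit distance between two strings.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cur[j] = prev[j-1] // substitution, free when the runes match
			if ra[i-1] != rb[j-1] {
				cur[j]++
			}
			if d := prev[j] + 1; d < cur[j] { // deletion
				cur[j] = d
			}
			if d := cur[j-1] + 1; d < cur[j] { // insertion
				cur[j] = d
			}
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// AssessSender returns "trusted" for an exact partner domain, "lookalike:<partner>" when the
// normalised name is within a small edit distance of a partner's (1 for short names, 2 for
// longer ones; a TLD swap counts as distance 0), and "unknown" otherwise.
func AssessSender(addr string, partners []string) string {
	d := domainOf(addr)
	for _, p := range partners {
		if d == strings.ToLower(p) {
			return "trusted"
		}
	}
	for _, p := range partners {
		pl, maxDist := label(p), 1
		if len(pl) >= 10 {
			maxDist = 2
		}
		if levenshtein(label(d), pl) <= maxDist {
			return "lookalike:" + p
		}
	}
	return "unknown"
}

// PaymentChangeRequest flags text pairing a banking noun with a change verb,
// the hallmark of the "update our account before the next payment" lure.
func PaymentChangeRequest(text string) bool {
	t := strings.ToLower(text)
	has := func(words ...string) bool {
		for _, w := range words {
			if strings.Contains(t, w) {
				return true
			}
		}
		return false
	}
	return has("bank", "wire", "account", "routing") && has("change", "update", "new ", "different")
}

// Severity combines both signals. A payment change from a trusted sender still rates
// "medium": the partner's own mailbox may be what was compromised.
func Severity(from, body string, partners []string) string {
	switch change := PaymentChangeRequest(body); {
	case change && AssessSender(from, partners) != "trusted":
		return "high"
	case change:
		return "medium"
	}
	return "low"
}
```

With partners set to the constructed list {"acme-medical.com", "pueblo-supply.com"}, AssessSender("AP <ap@acme-rnedical.com>", partners) returns "lookalike:acme-medical.com", as do "ap@acme-medica1.com", "ap@acme-medical.co" and "ap@acmemedical.com", while "ceo@unrelated.example" is "unknown". Severity(from, body, partners) returns "high" for a wire-change body from any of those, and "medium" for the same body from the genuine partner domain, because in the FBI's scenario the request is as likely to come from a compromised partner mailbox as from a spoofed one; either way the only dependable control is confirming the change by calling the partner on a number already on file, never one in the email.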

Zoom Security Problems Raise Concern About Suitability for Medical Use
April 3, 2020

Teleconferencing platforms such as Zoom have proven popular with businesses and consumers for maintaining contact while working from home during the COVID-19 crisis, but a slew of Zoom security problems have been identified in the past few days that have raised concerns about the suitability of the platform for medical use.

Zoom Security Problems Uncovered by Researchers

Several Zoom security problems and privacy issues have been discovered in the past few days. The macOS installer was discovered to use malware-like methods to install the Zoom client without final confirmation being provided by users. This method could potentially be hijacked and could serve as a backdoor for malware delivery. Two zero-day vulnerabilities were identified in the macOS client: one would allow a local user to escalate privileges and gain root, even without an administrator password; the other would allow code to be injected into the Zoom client to gain access to the webcam and microphone and intercept and record Zoom meetings. A feature of the platform that is intended to make it easier for business...

Notice of Enforcement Discretion for Business Associates to Allow PHI Disclosures for Public Health and Health Oversight Activities
April 2, 2020

On April 2, 2020, the Department of Health and Human Services announced that with immediate effect, it will be exercising enforcement discretion and will not impose sanctions or financial penalties against healthcare providers or their business associates for good faith uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities for the duration of the COVID-19 public health emergency, or until the Secretary of the HHS declares the public health emergency no longer exists. The Notice of Enforcement Discretion was issued to support Federal public health authorities and health oversight agencies such as the Centers for Medicare and Medicaid Services (CMS), the Centers for Disease Control and Prevention (CDC), state and local health departments, and other emergency operation centers that require timely access to COVID-19 related data. While disclosures of PHI by HIPAA-covered entities for public health and health oversight purposes are permitted under the HIPAA Privacy Rule, currently business associates of HIPAA...

Microsoft Helps Healthcare Organizations Protect Against Human-Operated Ransomware Attacks
April 2, 2020

The COVID-19 pandemic is forcing many employees to work from home and the infrastructure used to support those workers is being targeted by human-operated ransomware gangs. While several ransomware operators have stated they will not attack healthcare organizations during the COVID-19 public health emergency, not all cybercrime gangs are taking it easy on the healthcare sector and attacks are continuing. Several cybercrime groups are using the COVID-19 pandemic to their advantage. Tactics, techniques and procedures (TTPs) have been changed in response to the pandemic and they are now using social engineering tactics that prey on fears about COVID-19 and the need for information to gain access to credentials to gain a foothold in healthcare networks. Ransomware attacks on hospitals can cause massive disruption at the best of times. Ransomware attacks that occur while hospitals are trying to respond to the pandemic will severely hamper their efforts to treat COVID-19 patients. Microsoft has committed to help protect critical services during the COVID-19 crisis and has recently...

CMS Announces Sweeping Regulatory Changes in Response to Surge in COVID-19 Patients
March 31, 2020

The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) has announced a set of sweeping regulatory changes and waivers to give healthcare providers maximum flexibility to treat patients during the 2019 Novel Coronavirus pandemic. The new changes will allow healthcare providers to act as healthcare delivery coordinators in their areas. The temporary changes ease restrictions and are intended to create “hospitals without walls,” which will make it easier for hospitals and health systems to cope with an expected massive increase in COVID-19 patients over the coming weeks. Under normal circumstances, federal restrictions require hospitals to provide medical services within their existing facilities, but this will cease to be possible as patient numbers increase. As the number of COVID-19 cases grows, hospitals will soon reach capacity. If they do not develop additional sites to provide treatment to patients, they will be overwhelmed. To ensure all patients can receive treatment and no one is left behind, the CMS has relaxed restrictions and has...

Read More
OCR Issues Guidance on Allowable Disclosures of PHI to First Responders During the COVID-19 Crisis
Mar26

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has issued further guidance on HIPAA and COVID-19, the disease caused by the 2019 Novel Coronavirus, SARS-CoV-2. The new guidance document provides examples of allowable disclosures of protected health information (PHI) by covered entities under the HIPAA Privacy Rule to help make sure first responders and others receive PHI about individuals exposed to SARS-CoV-2 or displaying symptoms of COVID-19. The new guidance document is in Q&A form and explains when covered entities are permitted to disclose PHI such as names and other identifying information to first responders, law enforcement officers, paramedics, and public health authorities without first obtaining a HIPAA authorization. The document confirms that under the HIPAA Privacy Rule, disclosures of PHI are permitted when the information is required to provide treatment, when a disclosure is required by law, when first responders such as paramedics are at risk of contracting COVID-19 and need information to prevent infection, and when a...

Read More
February 2020 Healthcare Data Breach Report
Mar24

There were 39 reported healthcare data breaches of 500 or more records in February and 1,531,855 records were breached, which represents a 21.9% month-over-month increase in data breaches and a 231% increase in breached records. More records were breached in February than in the past three months combined. In February, the average breach size was 39,278 records and the median breach size was 3,335 records. Largest Healthcare Data Breaches in February 2020 The largest healthcare data breach was reported by the health plan, Health Share of Oregon. An unencrypted laptop computer containing the records of 654,362 plan members was stolen from its transportation vendor in an office break-in. The second largest breach was a ransomware attack on the accounting firm BST & Co. CPAs which saw client records encrypted, including those of the New York medical group, Community Care Physicians. Aside from the network server breach at SOLO Laboratories, the cause of which has not been determined, the remaining 7 breaches in the top 10 were all email security incidents. Name of Covered Entity...

Read More
OCR Issues Guidance on Telehealth and HIPAA During Coronavirus Pandemic
Mar23

Following on from the announcement from the HHS’ Office for Civil Rights that enforcement of HIPAA compliance in relation to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency has been relaxed, OCR has issued guidance on telehealth and remote communications. Telehealth is defined by the HHS’ Health Resources and Services Administration (HRSA) as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration.” These services can be provided through the use of text, audio, or video via secure text messaging platforms, over the internet, using video conferencing solutions, or via landlines and wireless communications networks. The Notification of Enforcement Discretion covers “All services that a covered health care provider, in their professional judgement, believes can be provided through telehealth in the given circumstances of the current emergency,” which includes the...

Read More
Cybersecurity Firms Offer Free Assistance to Healthcare Organizations During the Coronavirus Pandemic
Mar20

There have been several reported cases of cyberattacks on healthcare organizations that are currently working round the clock to ensure patients with COVID-19 receive the medical care they need. These attacks cause major disruption at the best of times, but during the COVID-19 outbreak the attacks have the potential to cause even greater harm and place patient safety at risk. Many phishing campaigns have been detected using COVID-19 as a lure, fear about the 2019 Novel Coronavirus is being exploited to deliver malware, and more than 2,000 coronavirus and COVID-19-themed domains have been registered, many of which are expected to be used for malicious purposes. One of the largest testing laboratories in the Czech Republic, Brno University Hospital, experienced a cyberattack forcing the shutdown of its computer systems. The attack also affected its Children’s Hospital and Maternity Hospital and patients had to be re-routed to other medical facilities. Cyberattacks have also been experienced in the United States, with the Champaign-Urbana Public Health District of Illinois suffering a...

Read More
Telehealth Services Expanded and HIPAA Enforcement Relaxed During Coronavirus Public Health Emergency
Mar18

In an effort to prevent the spread of the 2019 Novel Coronavirus, patients suspected of being exposed to the virus and individuals with symptoms of COVID-19 have been told to self-isolate at home. It is essential for contact to be maintained with people at risk, especially seniors and people with disabilities. Telehealth services, including video calls, can help healthcare professionals assess and treat patients remotely to reduce the risk of transmission of the coronavirus. Telehealth services can also be used to maintain contact with patients who choose not to visit medical facilities due to the risk of exposure to the virus. On Monday, March 16, 2020, the Trump Administration announced that telehealth services for Medicare beneficiaries have been expanded. Prior to the announcement, doctors were only able to claim payment for telehealth services provided to people living in rural areas with no access to local medical facilities and for patients with established relationships with billing providers. “We are doing a dramatic expansion of what’s known as telehealth for our 62...

Read More
HIPAA Compliance and COVID-19 Coronavirus
Mar16

HIPAA covered entities – healthcare providers, health plans, healthcare clearinghouses – and business associates of covered entities no doubt have many questions about HIPAA compliance and COVID-19 coronavirus cases. There may be confusion about the information that can be shared about individuals who have contracted COVID-19, those suspected of exposure to the 2019 Novel Coronavirus, and those with whom information can be shared. HIPAA Compliance and the COVID-19 Coronavirus Pandemic There is understandably concern about HIPAA compliance and the COVID-19 Coronavirus pandemic and how the HIPAA Privacy Rule and Security Rule apply. In the age of HIPAA, no disease outbreak on this scale has ever been experienced. It is important to remember that during a public health emergency such as a disease outbreak, and this applies to HIPAA compliance and COVID-19, the HIPAA Privacy and Security Rules still apply. The HIPAA Security Rule ensures the security of patients’ protected health information (PHI) and requires reasonable safeguards to be implemented to protect PHI against...

Read More
TigerConnect Secure Communications Platform Offered to Hospitals Free of Charge During COVID-19 Pandemic
Mar16

TigerConnect, the provider of the most widely used secure healthcare communications platform in the United States, has announced that U.S. health systems and hospitals can use its platform free of charge to help support COVID-19 related communications during the novel coronavirus pandemic. TigerConnect has been tracking COVID-19 and the impact it is having on the U.S. healthcare system. Unsurprisingly given the rapid spread of the virus, use of its secure communications platform has surged. The company also reports that it is receiving an increasing number of calls from customers looking to expand licenses to make sure all staff have access to the platform to expedite internal and external communication and support isolation workflows. The TigerConnect platform can be used to create dedicated channels for COVID-19 communications to provide support for patients and staff members. The platform ensures instant and immediate communication of preparedness plans, staff schedules, guidelines on infection control and isolation protocols, and other critical information. Users of the...

Read More
HSCC Publishes Best Practices for Cyber Threat Information Sharing
Mar16

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published best practices for cyber threat information sharing. The new guidance document is intended to help healthcare organizations develop, implement, and maintain a successful cyber threat information sharing program to reduce cyber risk. The new document builds on previously published guidance – the Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO) – in which HSCC identified key Information Sharing and Analysis Organizations (ISAOs) for the healthcare sector. The latest guidance document helps organizations determine what information to share, how to share the information, and how to protect any sensitive information they receive, as well as providing best practices for obtaining internal and legal approvals for information sharing processes. One of the main benefits of participating in these programs is to learn about possible attacks and the mitigations to implement to avoid becoming a victim. If an attack occurs at one healthcare organization, it is...

Read More
Maximum Severity SMBv3 Flaw Identified: Patch Released
Mar11

Update 03/12/20: Microsoft has updated its security advisory and has released an out-of-band update for CVE-2020-0796 for Windows 10 and Windows Server, versions 1903 and 1909. A critical flaw has been identified in Windows Server Message Block version 3 (SMBv3) which could potentially be exploited in a WannaCry-style attack. The vulnerability is wormable, which means an attacker could combine it with a worm and compromise all other vulnerable devices on the network from a single infected machine. This is a pre-auth remote code execution vulnerability in the SMBv3 communication protocol due to an error that occurs when SMBv3 handles maliciously crafted compressed data packets. If exploited, an unauthenticated attacker could execute arbitrary code in the context of the application and take full control of a vulnerable system. The vulnerability can be exploited remotely by sending a specially crafted packet to a targeted SMBv3 server. The vulnerability, tracked as CVE-2020-0796, affects Windows 10 Version 1903, Windows Server Version 1903 (Server Core installation), Windows 10...

Read More
Q3, 2019 Saw a 350% Increase in Ransomware Attacks on Healthcare Providers
Mar10

Ransomware attacks on healthcare providers increased by 350% in Q4, 2019, according to a recently published report from Corvus. The attacks show no sign of letting up in 2020. Already in 2020 attacks have been reported by NRC Health, Jordan Health, Pediatric Physician’s Organization at Children’s, and the accounting firm BST & Co., which affected the medical group Community Care Physicians. To identify ransomware trends in healthcare, Corvus’s Data Science team studied ransomware attacks on healthcare organizations since Q1, 2017. Between Q1, 2017 and Q2, 2019, an average of 2.1 ransomware attacks were reported by healthcare organizations each quarter. In Q3, 2019, 7 attacks were reported, and 9 attacks were reported in Q4, 2019. Corvus identified more than two dozen ransomware attacks on U.S. healthcare organizations in 2019 and predicts there will be at least 12 ransomware attacks on healthcare organizations in Q1, 2020. Reports from other cybersecurity firms similarly show an increase in ransomware attacks on healthcare providers in the second half of the year. One report...

Read More
HHS Releases Final Interoperability and Information Blocking Rules
Mar09

On March 6, 2020, the Office of Information and Regulatory Affairs’ Office of Management and Budget announced it has completed its review of the rules proposed by two HHS agencies in February 2019 to tackle interoperability and information blocking. On March 9, 2020 the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator of Health Information Technology (ONC) released their final rules which change how healthcare delivery organizations, health insurers, and patients exchange health data. The interoperability and information blocking rules were required by the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) and the 21st Century Cures Act of 2016. They are intended to make it easier for healthcare data to be exchanged between providers, insurers, and patients and are a key part of creating a patient-centric healthcare system and putting patients in control of their own health records. “These rules are the start of a new chapter in how patients experience American healthcare, opening up countless new opportunities for...

Read More
Protecting Jessica Grubbs Legacy Act Reintroduced by Sens. Manchin and Capito
Mar06

The Protecting Jessica Grubbs Legacy Act (S. 3374) has been reintroduced by Senators Joe Manchin (D-W.V.) and Shelley Moore Capito (R-W.V.). The Protecting Jessica Grubbs Legacy Act aims to modernize the 42 CFR Part 2 regulations to support the sharing of substance abuse disorder treatment records and improve care coordination. 42 CFR Part 2 regulations restrict the sharing of addiction records, which makes it very difficult for information to be shared about patients who are recovering from substance abuse disorder. Currently 42 CFR Part 2 regulations only permit substance abuse patients themselves to decide who has access to their full medical history. While the restriction on sharing highly sensitive information about a patient’s history of substance abuse disorder and treatment is intended to protect the privacy of patients and ensure they are protected against discrimination, not making that information available to doctors can have catastrophic consequences, as happened with Jessica Grubbs. Jessica Grubbs was recovering from substance abuse disorder when she underwent surgery. The...

Read More
Senators Demand Answers from Ascension About Project Nightingale as Google’s Response was Deemed Incomplete
Mar05

Following the revelation that a considerable volume of patient data had been shared with Google by the Catholic health system Ascension, the second largest health system in the United States, a bipartisan group of Senators – Sen. Bill Cassidy, M.D., (R-LA), Elizabeth Warren (D-MA), and Richard Blumenthal (D-CT) – wrote to Google demanding answers about the nature of the agreements and the information the company received. Ascension operates 150 hospitals and more than 2,600 care facilities in 20 states and the District of Columbia and has more than 10 million patients. In November 2019, a whistleblower at Google passed information to the Wall Street Journal on the nature of the collaboration and claimed that patient data, including patient names, dates of birth, lab test results, diagnoses, health histories and other protected health information, had been shared with Google and was accessible by more than 150 Google employees. In response to the story, Google announced that the partnership, named Project Nightingale, was a cloud migration and data sharing initiative....

Read More
‘SweynTooth’ Vulnerabilities in Bluetooth Low Energy Chips Affect Many Medical Devices
Mar05

12 vulnerabilities – collectively called SweynTooth – have been identified by researchers at the Singapore University of Technology and Design which are present in the Bluetooth Low Energy (BLE) software development kits used by at least 7 manufacturers of system-on-a-chip (SoC) chipsets. SoCs are used in smart home devices, fitness trackers, wearable health devices, and medical devices and give them their wireless connectivity. SoCs with the SweynTooth vulnerabilities are used in insulin pumps, pacemakers, and blood glucose monitors as well as hospital equipment such as ultrasound machines and patient monitors. It is not yet known exactly how many medical devices and wearable health devices are impacted by the flaws as manufacturers obtain their SoCs from several sources. Some security researchers believe millions of medical devices could be vulnerable. The affected SoCs are used in around 500 different products. Hundreds of millions of devices could be affected. The vulnerabilities are present in SoCs from Cypress, Dialog Semiconductors, Microchip, NXP Semiconductors,...

Read More
HHS’ Office for Civil Rights Announces First HIPAA Penalty of 2020
Mar03

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first HIPAA penalty of 2020. The practice of Steven A. Porter, M.D., has agreed to pay a financial penalty of $100,000 to resolve potential violations of the HIPAA Security Rule and will adopt a corrective action plan to address all areas of noncompliance discovered during the compliance investigation. Dr. Porter’s practice in Ogden, UT provides gastroenterological services to more than 3,000 patients. OCR launched an investigation following a report of a data breach on November 13, 2013. The breach concerned a business associate of Dr. Porter’s electronic medical record (EHR) company which was allegedly impermissibly using patients’ electronic medical records by blocking the practice’s access to ePHI until Dr. Porter paid the company $50,000. The breach investigation uncovered serious violations of the HIPAA Security Rule at the practice. At the time of the audit, Dr. Porter had never conducted a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI,...

Read More
IT Weaknesses at the National Institutes of Health Placed EHR Data at Risk
Mar03

An audit of the National Institutes of Health (NIH) conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed technology control weaknesses in the NIH electronic medical records system and IT systems that placed the protected health information of patients at risk. OIG received $5 million in congressional appropriations in FY 2019 to conduct oversight of NIH grant programs and operations. Congress wanted to ensure that cybersecurity controls had been put in place to protect sensitive data and determine whether NIH was in compliance with Federal regulations. The audit was conducted on July 16, 2019 by CliftonLarsonAllen LLP (CLA) on behalf of OIG to determine the effectiveness of certain NIH information technology controls and to assess how NIH receives, processes, stores, and transmits Electronic Health Records (EHR) within its Clinical Research Information System (CRIS), which contained the EHRs of patients of the NIH Clinical Center. NIH has approximately 1,300 physicians, dentists and PhD researchers, 830 nurses, and around 730...

Read More
NIST Publishes Roadmap for Regional Alliances and Partnerships to Build the Cybersecurity Workforce
Mar02

The National Institute of Standards and Technology (NIST) has published a cybersecurity education and development roadmap based on data from five pilot Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) Cybersecurity Education and Workforce Development programs. There is currently a global shortage of cybersecurity professionals and the problem is getting worse. Data from CyberSeek.org shows that between September 2017 and August 2018, 313,735 cybersecurity positions were open and figures from the 2017 Global Information Security Workforce Study indicate that by 2022, 1.8 million cybersecurity professionals will be required to fill open positions. To help address the shortfall, the National Initiative for Cybersecurity Education (NICE), led by NIST, provided funding for the pilot programs in September 2016. The RAMPS cybersecurity education and development pilot programs were concerned with “energizing and promoting a robust network and ecosystem of cybersecurity education, training, and workforce development.” The pilot programs involved forming regional...

Read More
American Medical Association Publishes Playbook Dispelling Common HIPAA Right of Access Myths
Feb27

The American Medical Association (AMA) has published a new HIPAA playbook to help physicians and their practices understand the HIPAA Right of Access and ensure compliance with this important requirement of HIPAA. Misunderstandings about the HIPAA Right of Access can result in financial penalties for noncompliance. The HHS’ Office for Civil Rights launched a new HIPAA Right of Access enforcement initiative in 2019 and has already taken action against two healthcare organizations that were not providing patients with copies of their medical records in a timely manner. Both cases started with a single complaint from a patient who was not provided with a copy of the requested records and ended with an $85,000 financial penalty. Patients need to be able to access their healthcare data to be able to make informed decisions about their own health. HIPAA gives patients the right to obtain a copy of their health records, but healthcare providers can face challenges complying with all of the legal requirements of HIPAA. These challenges, together with misunderstandings about the HIPAA Right...

Read More
2020 Emergency Preparedness and Security Trends in Healthcare Survey
Feb24

Every year, Rave Mobile Safety conducts a nationwide survey to identify healthcare security trends and assess the state of emergency preparedness and security in the healthcare industry. For the 2020 Emergency Preparedness and Security Trends in Healthcare report, Rave Mobile Safety is seeking insights from leaders in the healthcare industry on the efforts they have made to prepare for emergency situations. Many HIPAA Journal readers participated in last year’s survey and provided information on the steps they have taken to improve safety in the workplace in emergency situations. That information was used to get an overview of emergency preparedness in the United States. The 2020 survey is now being conducted and HIPAA Journal readers have been requested to take part in the study. If you so wish, you can participate completely anonymously. You can participate in the survey by clicking the following link: Click here for the Emergency Preparedness and Security Trends in Healthcare Survey. If you provide your email address, you’ll receive the anonymized survey...

Read More
January 2020 Healthcare Data Breach Report
Feb21

In January, healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights at a rate of more than one a day. As our 2019 Healthcare Data Breach Report showed, 2019 was a particularly bad year for healthcare data breaches with 510 data breaches reported by HIPAA-covered entities and their business associates. That equates to a rate of 42.5 data breaches per month. January’s figures are an improvement, with a reporting rate of 1.03 breaches per day and a 15.78% decrease in reported breaches compared to December 2019. While the number of breaches was down, the number of breached records increased by 17.71% month-over-month. 462,856 healthcare records were exposed, stolen, or impermissibly disclosed across 32 reported data breaches. As the graph below shows, the severity of data breaches has increased in recent years. Largest Healthcare Data Breaches in January 2020 Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Location of Breached Information PIH Health CA Healthcare Provider...

Read More
Alarming Number of Medical Devices Vulnerable to Exploits Such as BlueKeep
Feb20

The healthcare industry is digitizing business management and data management processes and is adopting new technology to improve efficiency and cut costs, but that technology, in many cases, has been added to infrastructure, processes, and software from a different era and, as a result, many vulnerabilities are introduced. The healthcare industry is being targeted by cybercriminals who are looking for any chink in the armor to conduct their attacks, and many of those attacks are succeeding. The healthcare industry is the most targeted industry sector and one third of data breaches in the United States happen in hospitals. According to the recently published 2020 Healthcare Security Vision Report from CyberMDX, almost 30% of healthcare delivery organizations (HDOs) have experienced a data breach in the past 12 months, clearly demonstrating that the healthcare industry is struggling to address vulnerabilities and block cyberattacks. Part of the reason is the number of difficult-to-secure devices that connect to healthcare networks. The attack surface is huge. It has been estimated that...

Read More
OIG Audit Reveals Widespread Improper Use of Medicare Part D Eligibility Verification Transactions
Feb17

An audit conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed many pharmacies and other healthcare providers are improperly using Medicare beneficiaries’ data. OIG conducted the audit at the request of the HHS’ Centers for Medicare and Medicaid Services (CMS) to determine whether there was inappropriate access and use of Medicare recipients’ data by mail-order and retail pharmacies and other healthcare providers, such as doctors’ offices, clinics, long-term care facilities, and hospitals. CMS was concerned that a mail order pharmacy and other healthcare providers were misusing Medicare Part D Eligibility Verification Transactions (E1 transactions), which should only be used to verify Medicare recipients’ eligibility for certain coverage benefits. OIG conducted the audit to determine whether E1 transactions were only being used for their intended purpose. Since E1 transactions contain Medicare beneficiaries’ protected health information (PHI), they could potentially be used for fraud or other malicious or inappropriate purposes....

Read More
2019 Healthcare Data Breach Report
Feb13

Figures from the Department of Health and Human Services’ Office for Civil Rights breach portal show a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, which represents a 196% increase from 2018. As the graph below shows, aside from 2015, healthcare data breaches have increased every year since the HHS’ Office for Civil Rights first started publishing breach summaries in October 2009. 37.47% more records were breached in 2019 than 2018, increasing from 13,947,909 records in 2018 to 41,335,889 records in 2019. Last year saw more data breaches reported than any other year in history and 2019 was the second worst year in terms of the number of breached records. More healthcare records were breached in 2019 than in the six years from 2009 to 2014. In 2019, the healthcare records of 12.55% of the population of the United States were exposed, impermissibly disclosed, or stolen. Largest Healthcare Data Breaches of 2019 The table below shows the largest healthcare data breaches of 2019, based on the entity...

Read More
Ransomware Attacks Have Cost the Healthcare Industry at Least $157 Million Since 2016
Feb13

A new study by Comparitech has shed light on the extent to which ransomware has been used to attack healthcare organizations and the true cost of ransomware attacks on the healthcare industry. The study revealed there have been at least 172 ransomware attacks on healthcare organizations in the United States in the past three years. 1,446 hospitals, clinics, and other healthcare facilities have been affected as have at least 6,649,713 patients. 2018 saw a reduction in the number of attacks, falling from 53 incidents in 2017 to 31 in 2018, but the attacks increased to 2017 levels in 2019 with 50 reported attacks on healthcare organizations. 74% of healthcare ransomware attacks since 2016 have targeted hospitals and health clinics. The remaining 26% of attacks have been on other healthcare organizations such as nursing homes, dental practices, medical testing laboratories, health insurance providers, plastic surgeons, optometry practices, medical supply companies, government healthcare providers, and managed service providers. Ransom demands can vary considerably from attack to...

Read More
$1.77 Billion Was Lost to Business Email Compromise Attacks in 2019
Feb12

The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) has published its 2019 Internet Crime Report. The report shows losses to cybercrime exceeded $3.5 million in 2019. More than half of the losses were due to business email compromise (BEC) attacks. BEC, also known as email account compromise (EAC), involves the impersonation of a legitimate person or company to obtain money via email. These sophisticated scams often start with a phishing attack on an executive to obtain email credentials. The email account is then used to send a wire transfer request to an individual in the company with access to corporate bank accounts. Sometimes this step is skipped and the attackers simply spoof an individual’s email account. While BEC attacks mostly involve wire transfer requests, in 2019 there was an increase in attacks on human resources and payroll departments to divert employee payroll funds to attacker-controlled pre-paid card accounts. The potential profit from such an attack is lower than a wire transfer request, but changes to payroll are less likely to be...

Deadline for Reporting 2019 Healthcare Data Breaches of Fewer than 500 Records
Feb12

The HIPAA Breach Notification Rule requires data breaches of 500 or more records to be reported to the Secretary of the Department of Health and Human Services no later than 60 days after the discovery of a breach. Breaches of fewer than 500 records can be reported to the Secretary at any time, but no later than 60 days from the end of the calendar year in which the data breach was experienced – 45 C.F.R. § 164.408. That means smaller healthcare data breaches must usually be reported to the HHS no later than March 1 each year, but this year is a leap year so there is an extra day in February. That means the deadline for reporting smaller breaches is one day earlier. All breaches that have affected fewer than 500 individuals must therefore be reported to OCR no later than February 29, 2020. All breaches must be submitted to the Secretary of the HHS via the Office for Civil Rights breach portal. Each data breach must be reported separately and full information about each breach should be submitted. If several small data breaches have been experienced in the 2020 calendar year,...

HHS Issues Final Rule Requiring Pharmacies to Track Partially Filled Prescriptions of Schedule II Drugs
Feb05

The Department of Health and Human Services has issued a final rule modifying the HIPAA National Council for Prescription Drug Programs (NCPDP) D.0 Telecommunication Standard that requires pharmacies to track partially filled prescriptions for Schedule II drugs. The modification is part of HHS efforts to curb opioid abuse in the United States and will provide a greater quantum of data that may help prevent impermissible refills of Schedule II drugs. The final rule takes effect on March 24, 2020. The compliance date is September 21, 2020. By September 21, 2020, pharmacies will be required to use the Quantity Prescribed (460-ET) field for retail pharmacy transactions for all Schedule II drugs. Pharmacies must distinguish in retail pharmacy transactions whether the full prescribed amount of a Schedule II drug has been dispensed in a refill, or if the prescription has only been partially filled. Background The NCPDP Telecommunication Standard was adopted by the Secretary of the HHS in January 2009 for pharmacy transactions (health care claims or equivalent encounter information,...

HHS Reminds Covered Entities of HIPAA Data Sharing Provisions in Light of Novel Coronavirus Outbreak
Feb04

The Department of Health and Human Services has issued a bulletin reminding HIPAA covered entities about the ways that patient information can be shared during outbreaks of infectious disease and other emergency situations, in light of the recent Novel Coronavirus (2019-nCoV) outbreak. In the bulletin, the HHS confirms that in such situations, the protections of the HIPAA Privacy Rule still apply and healthcare organizations must continue to apply administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). Under the HIPAA Privacy Rule, covered entities are permitted to disclose patient information without authorization for treatment purposes, care coordination, consultations, and referrals of patients for treatment. In situations when patients have contracted an infectious disease such as 2019-nCoV, there is a legitimate need for information to be shared with public health authorities and others responsible for ensuring public health and safety. Those entities may need to be provided with PHI...

Average Ransomware Payment Increased Sharply in Q4, 2019
Feb03

A new report from the ransomware incident response firm Coveware shows payments made by ransomware victims increased sharply in Q4, 2019. The average ransomware payment doubled in Q4, as two of the most prolific ransomware gangs – Sodinokibi and Ryuk – shifted their attention to attacking large enterprises. In Q3, 2019 the average ransom payment was $41,198. In Q4, that figure jumped to $84,116, with a median payment of $41,179. The large increase in ransom amounts is largely due to changing tactics of the two main ransomware gangs, Ryuk especially. Ryuk is now heavily focused on attacking large enterprises. The average number of employees at victim companies increased from 1,075 in Q3 to 1,686 in Q4. The largest ransom amount was $779,855.5 in Q4; a considerable jump from the largest demand of $377,027 in Q3. In Q4, the most prevalent ransomware threats were Sodinokibi (29.4%), Ryuk (21.5%), Phobos (10.7%), Dharma (9.3%), DoppelPaymer (6.1%), and NetWalker (5.1%). 10.7% of attacks involved the Rapid, Snatch, IEncrypt or GlobeImposter ransomware variants. Many of the above...

How One Company is Helping to Drive Down the Cost of U.S. Healthcare and Improve Patient Outcomes
Jan30

2019 Health Statistics published by the Organisation for Economic Co-operation and Development (OECD) show healthcare expenditures in the United States are significantly higher than those in other developed countries. A 2018 Harvard study of 11 developed countries showed the United States had the highest healthcare costs relative to its GDP out of all 11 countries studied. Per capita healthcare spending was found to be almost twice that of other wealthy, developed countries. Higher costs are not necessarily bad if they translate into better patient outcomes, but the OECD figures show that is not the case. The United States performed poorly for patient outcomes, even though the costs of healthcare are so high. Reducing the cost of healthcare is a major challenge and there is no silver bullet, but there are ways for costs to be reduced and for patient outcomes to be improved. The Trump Administration is committed to reducing the cost of healthcare through executive orders and HHS rulings. In November 2018 an executive order – Improving Price and Quality Transparency in...

HHS’ Office for Civil Rights Makes Changes to Individuals’ Right of Access to Health Records
Jan29

The Department of Health and Human Services’ Office for Civil Rights has announced that certain legislative changes made in the HIPAA Omnibus Final Rule of 2013 – Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules – have been reversed. The reversal applies to a portion of the rule that expanded the third-party directive within the individual right of access (45 C.F.R. §164.524) “beyond requests for a copy of an electronic health record with respect to [protected health information] of an individual … in an electronic format” and guidance issued in 2016 confirming fee limitations for providing a copy of an individual’s PHI – 45 C.F.R. § 164.524(c)(4) – also apply to an individual’s request to send health records to a third party for legal or commercial reasons. Those fee limitations will now only apply to an individual’s request for access to their own records, not for an...

Patients Want Easy Access to Their Health Data but Better Privacy Protections Preferred
Jan28

Patients want easy access to their health data and for their health information to be presented in a concise, easy to understand format, according to a new poll conducted by Morning Consult on behalf of America’s Health Insurance Plans (AHIP). However, patients and consumers are well aware of the threat of cyberattacks and data breaches and they do not want their private health information to be compromised. A majority (62%) of patients and consumers said they would be willing to forego easy access to their health data if it meant greater privacy protections were in place to protect their health information. In November 2019, President Trump signed an Executive Order on Improving Price and Quality Transparency in American Healthcare to Put Patients First. In response, the Department of Health and Human Services, the Department of Labor, and the Department of the Treasury proposed a new Transparency in Coverage Rule. The rule requires “employer-based group health plans and health insurance issuers offering group and individual coverage to disclose price and cost-sharing information...

CISA Issues Warning About Increase in Emotet Malware Attacks
Jan23

A warning has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about a recent increase in Emotet malware attacks. Emotet was first detected in 2014 and was initially developed to steal banking credentials, but it has seen considerable development over the past five years and is now a highly sophisticated Trojan. In addition to stealing banking credentials, Emotet can steal passwords stored in web browsers and the credentials files of external drives. Modules have been added that allow it to propagate via email and download other malware variants. The malware has been used to infect devices with cryptocurrency miners and cryptowallet stealers, the TrickBot banking Trojan, and Ryuk ransomware. These additional payloads are often downloaded weeks, months, or even years after the initial Emotet infection. Emotet malware is primarily delivered via spam email. Initially, the malware was spread by JavaScript attachments; however, the threat actors behind the malware have now switched to Office documents with malicious macros that run PowerShell commands...

December 2019 Healthcare Data Breach Report
Jan21

There were 38 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in December 2019, an increase of 8.57% from November 2019. While the number of breaches increased, there was a major reduction in the number of exposed healthcare records, falling from 607,728 records in November 2019 to 393,189 records in December 2019 – a drop of 35.30%. In December the mean breach size was 10,347 records and the median breach size was 3,650 records. It has been a particularly bad year for healthcare data breaches. 2019 was the second worst ever year for healthcare data breaches in terms of the number of patients impacted by breaches. 41,232,527 healthcare records were exposed, stolen, or impermissibly disclosed in 2019. That’s 195.61% more than 2018. More healthcare records were breached in 2019 than in the previous three years combined. The number of reported data breaches also increased 36.12% year-over-year, from 371 breaches in 2018 to 505 breaches in 2019. That makes 2019 the worst ever year in terms of the number...

Emergency Directives Issued by CISA and OCR to Mitigate Critical Windows Vulnerabilities
Jan16

Microsoft has issued patches for several critical vulnerabilities in all supported Windows versions that require urgent attention to prevent exploitation. While there have been no reports of exploitation of the flaws in the wild, the seriousness of the vulnerabilities and their potential to be weaponized has prompted both the Department of Homeland Security (DHS) and the Department of Health and Human Services (HHS) to issue emergency directives about the vulnerabilities. One of the vulnerabilities was discovered by the National Security Agency (NSA), which took the unusual step of reporting the vulnerability to Microsoft. This is the first time that a vulnerability has been reported by the NSA to a software vendor. Windows CryptoAPI Vulnerability Requires Immediate Patching The NSA-discovered vulnerability, tracked as CVE-2020-0601, affects Windows 10 and Server 2016/2019 systems. The vulnerability is due to how the Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. The flaw would allow a remote attacker to sign malicious code with an ECC certificate to...

Survey Reveals HIPAA Compliance Issues with Group Health Plan Sponsors
Jan15

Many group health plan sponsors are not fully compliant with the Health Insurance Portability and Accountability Act Rules, according to a recent survey by the integrated HR and benefits consulting, technology, and administration services firm, Buck. The survey uncovered several areas where group health plan sponsors are noncompliant and revealed many group health plan sponsors are not prepared for a compliance investigation or HIPAA audit. The 2019 HIPAA Readiness Survey was conducted between April 29, 2019 and May 17, 2019 on 31 group health plan sponsors. The survey uncovered several areas where important provisions of HIPAA Rules are not fully understood or are not being followed, such as risk analyses, business associate agreements, HIPAA training for staff, and breach notifications. Risk analyses are not being conducted as frequently as they should be, so threats to the confidentiality, integrity and availability of ePHI may not be identified and managed. 42% of respondents were unsure when a HIPAA-compliant risk assessment was last conducted or said it was last conducted...

Support for Windows 7 Finally Comes to an End
Jan14

Microsoft is stopping free support for Windows 7, Windows Server 2008, and Windows Server 2008 R2 on January 14, 2020, meaning no more patches will be released to fix vulnerabilities in the operating systems. Support for Office 2010 has also come to an end. The operating systems will be up to date as of January 14, 2020 and all known vulnerabilities will have been fixed, but it will only be a matter of time before exploitable vulnerabilities are discovered and used by cybercriminals to steal data and deploy malware. Even though Microsoft has given a long notice period that the operating system was reaching end of life, it is still the second most used operating system behind Windows 10. According to NetMarketShare, 33% of all laptop and desktop computers were running Windows 7 in December 2019. Many healthcare organizations are still using Windows 7 on at least some devices. The continued use of those devices after support is stopped places them at risk of cyberattacks and violating the HIPAA Security Rule. The natural solution is to update Windows 7 to Windows 10, although that...

Georgia Man Charged Over False Allegations of HIPAA Violations
Jan13

A Georgia man has been charged over an elaborate scheme to frame an acquaintance for violations of the Health Insurance Portability and Accountability Act (HIPAA) that never occurred. Jeffrey Parker, 43, of Richmond Hill, GA, claimed he was a whistleblower reporting HIPAA violations by a nurse. He reported the violations to the hospital where the person worked, and complaints were also sent to the Department of Justice (DoJ) and the Federal Bureau of Investigation (FBI). Parker was also interviewed by Fox28Media in October 2018 and told reporters that the nurse had been violating HIPAA privacy laws for an extensive period. The nurse worked at an unnamed hospital in Savannah, GA, which was part of a health system that also operated healthcare facilities in Nashville, TN and other areas. She was alleged to have emailed graphic photographs of patients with traumatic injuries such as gunshot wounds to other individuals outside the hospital. In the Fox28Media interview Parker explained that the sharing of images between employees and other individuals had been going on for a long time....

DHS Warns of Critical Citrix Vulnerability Being Exploited in the Wild
Jan13

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a recently discovered vulnerability in the Citrix Application Delivery Controller and Citrix Gateway web server appliances. Exploitation of the vulnerability – tracked as CVE-2019-19781 – is possible over the internet and can allow remote execution of arbitrary code on vulnerable appliances. Exploitation of the flaw would allow a threat actor to gain access to the appliances and attack other resources connected to the internal network. Some security researchers have described the bug as one of the most dangerous to be discovered in recent years. The alert, issued on January 8, 2020, urges all organizations using the affected Citrix appliances (formerly NetScaler ADC and NetScaler Gateway) to apply mitigations immediately to limit the potential for an attack, and to apply the firmware updates as soon as they are released later this month. Two proof of concept exploits have already been published on GitHub which makes exploitation of the flaws trivial. Scans for...

FBI Issues Alert as Maze Ransomware Attacks Increase in the U.S.
Jan07

Last week, the Federal Bureau of Investigation (FBI) issued a flash alert warning private companies in the United States about the threat of attacks involving Maze ransomware. The warning came just a few days after the FBI issued an alert about two other ransomware variants, LockerGoga and MegaCortex. The Maze ransomware TLP:Green warning is not intended for public distribution as it provides technical details about the attacks and indicators of compromise which can be used by private firms to prevent attacks. If published in the public domain, it could aid the attackers. In the alert, victims of Maze ransomware attacks were urged to share information with the FBI as soon as possible to help its agents trace the attackers and bring them to justice. Maze ransomware was first identified in early 2019, but it was not until November 2019 when the first attacks hit companies in the United States. Those attacks have been increasing in recent weeks. When network access is gained, data is exfiltrated prior to file encryption. A ransom demand is then issued specific to the organization....

HIPAA Enforcement in 2019
Jan02

It has been another year of heavy enforcement of HIPAA compliance. HIPAA enforcement in 2019 by the Department of Health and Human Services’ Office for Civil Rights (OCR) has resulted in 10 financial penalties. $12,274,000 has been paid to OCR in 2019 to resolve HIPAA violation cases. 2019 saw two civil monetary penalties issued and settlements were reached with 8 entities, one fewer than 2018. In 2019, the average financial penalty was $1,227,400. Particularly egregious violations will attract financial penalties, but some of the HIPAA settlements in 2019 provide insights into OCR’s preferred method of dealing with noncompliance. Even when HIPAA violations are discovered, OCR prefers to settle cases through voluntary compliance and by providing technical assistance. When technical assistance is provided and covered entities fail to act on OCR’s advice, financial penalties are likely to be issued. This was made clear in two of the most recent HIPAA enforcement actions. OCR launched compliance investigations into two covered entities after being notified about data breaches. OCR...

Ambulance Company Settles HIPAA Violation Case with OCR for $65,000
Jan01

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a $65,000 settlement has been reached with West Georgia Ambulance, Inc., to resolve multiple violations of Health Insurance Portability and Accountability Act Rules. OCR launched an investigation into the Carroll County, GA ambulance company after being notified on February 11, 2013 about the loss of an unencrypted laptop computer containing the protected health information of 500 patients. According to the breach report, the laptop computer fell from the rear bumper of the ambulance and was not recovered. The investigation uncovered longstanding noncompliance with several aspects of the HIPAA Rules. OCR discovered West Georgia Ambulance had not conducted a comprehensive, organization-wide risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(A)), had not implemented a security awareness training program for its employees (45 C.F.R. § 164.308(a)(5)), and had failed to implement HIPAA Security Rule policies and procedures (45 C.F.R. § 164.316). OCR provided technical assistance to West Georgia Ambulance to...

FBI Issues Warning Following Spate of LockerGoga and MegaCortex Ransomware Attacks
Dec31

The FBI has issued a TLP:Amber alert in response to a spate of cyberattacks involving the ransomware variants LockerGoga and MegaCortex. The threat actors using these ransomware variants have been targeting large enterprises and organizations and typically deploy the ransomware several months after a network has been compromised. LockerGoga was first detected in January 2019 and MegaCortex ransomware first appeared in May 2019. Both ransomware variants exhibit similar IoCs and have similar C2 infrastructure, and both are used in highly targeted attacks on large corporate networks. LockerGoga was used in the ransomware attacks on the U.S. chemical companies Hexion and Momentive, the aluminum and energy company Norsk Hydro, and the engineering consulting firm, Altran Technologies. MegaCortex ransomware was used in the attacks on the accounting software firm Wolters Kluwer and the cloud hosting firm iNSYNQ, to name but a few. The threat actors are careful, methodical, and attempt to cause maximum damage to increase the probability that their victims will pay. The ransom demands are...

Discussion Draft of Federal Data Privacy Bill Released by House Energy and Commerce Committee
Dec24

A discussion draft of a new bipartisan data privacy bill has been released by the House Energy and Commerce Committee. The bill calls for national standards for privacy and security and would place restrictions on the collection, use, and retention of consumer data by U.S. businesses. The draft legislation calls for all businesses to have a privacy program and to publish a privacy policy, written in clear language, which explains what data will be collected, how it will be used, how long it will be retained, and with whom consumer information will be shared. Data security measures would also need to be implemented, which should be appropriate for the size of the business and the nature and complexity of data activities. In the event of a breach of consumer information, businesses would be required to report the breach to the Federal Trade Commission. The Federal Trade Commission has been tasked with creating a Bureau of Privacy which would be responsible for developing rules, issuing guidance, and enforcing compliance. The FTC would also need to set a data retention time frame and...

DoE and OCR Issue Updated Guidance on Sharing Student Health Records under FERPA and HIPAA
Dec23

The Department of Education and the Department of Health and Human Services’ Office for Civil Rights have issued updated guidance on the sharing of student health records under the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). The guidance document was first released in November 2008 to help school administrators and healthcare professionals understand how FERPA and HIPAA apply to student educational and healthcare records. The guidance includes several Q&As covering both sets of regulations. Further questions and answers have been added to clear up potential areas of confusion about how HIPAA and FERPA apply to student records, including when it is permitted to share student records under FERPA and the HIPAA Privacy Rule without first obtaining written consent. HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities. HIPAA does not usually apply to schools, since health information collected by an educational institution would usually be...

November 2019 Healthcare Data Breach Report
Dec20

In November 2019, 33 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). That represents a 36.5% decrease in reported breaches from October – the worst ever month for healthcare data breaches since OCR started listing breaches on its website in October 2009. The fall in breaches is certainly good news, but data breaches are still occurring at a rate of more than one a day. 600,877 healthcare records were exposed, impermissibly disclosed, or stolen in November. That represents a 9.2% decrease in breached healthcare records from October, but the average breach size increased by 30.1% to 18,208 records in November. Largest Healthcare Data Breaches in November 2019: Ivy Rehab Network, Inc. and its affiliated companies (Healthcare Provider; 125,000 individuals affected; Hacking/IT Incident; Email); Solara Medical Supplies, LLC (Healthcare Provider; 114,007 individuals affected; Hacking/IT Incident; Email); Saint Francis Medical Center (Healthcare...

Poor RSA Encryption Implementation Opens Door to Attacks on Medical Devices and Implants
Dec18

Encryption renders data inaccessible to unauthorized individuals, provided the private key to decrypt the data is not compromised and strong encryption is used. Not all algorithms provide the same level of protection. The strength of encryption relies on the length of the key. The longer the key, the more computational power is required to break the encryption. When strong encryption is used, the computing power and time required to break the encryption render the data virtually inaccessible. DES was once considered a strong form of encryption, but the computing power now available makes cracking the encryption possible even on relatively inexpensive computers. DES used 56-bit keys, which were fine in the 1970s, but today the keys are nowhere near long enough. Strong encryption today is generally considered to require 256-bit keys, such as those generated by the AES algorithm. With AES-256, for the time being at least, sensitive data can be adequately secured. Provided the key is not disclosed, encrypted data cannot be accessed. RSA is an alternative encryption standard that is...

Rep. Jayapal Seeks Answers from Google and Alphabet on Ascension Partnership
Dec16

Pressure is continuing to be applied on Google and its parent company Alphabet to disclose information about how the protected health information (PHI) of patients of Ascension will be used, and the measures put in place to ensure PHI is secured and protected against unauthorized access. The partnership between Google and Ascension was announced on November 11, 2019 following the publication of a story in the Wall Street Journal. A whistleblower at Google had shared information with the WSJ and expressed concern that millions of healthcare records had been shared with Google without first obtaining consent from patients. It was also alleged that Google employees could freely download PHI. In its announcement, Google stated that the collaboration – named Project Nightingale – involved migrating Ascension’s infrastructure to the cloud and that it was helping Ascension implement G Suite tools to improve productivity and efficiency. Patient data was also being provided to Google to help develop AI and machine learning technologies to improve patient safety and clinical quality....

$85,000 Penalty for Korunda Medical for HIPAA Right of Access Failures
Dec13

The Department of Health and Human Services’ Office for Civil Rights has announced its second enforcement action under its HIPAA Right of Access Initiative. Florida-based Korunda Medical has agreed to settle potential violations of the HIPAA Right of Access and will adopt a corrective action plan and bring its policies and procedures in line with the requirements of the HIPAA Privacy Rule. In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. The complainant alleged that Korunda Medical refused to send an electronic copy of her medical records to a third party and was overcharging patients for providing copies of their medical records. Under HIPAA, covered entities are only permitted to charge a reasonable, cost-based fee for providing access to patients’ protected health information. The initial complaint was filed with OCR on March 6, 2019. On March 18, 2019, OCR provided technical assistance to Korunda Medical on the HIPAA Right of Access...

Ryuk Ransomware Decryptor Bug May Result in Permanent Data Loss
Dec11

Cybersecurity firm Emsisoft has issued a warning about a recently discovered bug in the decryptor used by Ryuk ransomware victims to recover their data. A bug in the decryptor app can cause certain files to be corrupted, resulting in permanent data loss. Ryuk ransomware is one of the most active ransomware variants. It has been used in many attacks on healthcare organizations in the United States, including DCH Health System in Alabama and the recent attack on the IT service provider Virtual Care Provider. Ryuk ransomware is distributed in several ways. Scans are conducted to identify open Remote Desktop Protocol ports, brute force attacks on RDP are also conducted, and the ransomware is downloaded by exploiting unpatched vulnerabilities. Ryuk ransomware is also installed as a secondary payload by Trojans such as TrickBot. There is no free decryptor for Ryuk ransomware, so recovery depends on whether viable backups have been made; otherwise victims must pay a sizeable ransom for the keys to decrypt their files. When Ryuk ransomware victims pay the ransom, they are provided with a...

Deadline for Upgrading Windows 7 Devices is Fast Approaching
Dec10

Healthcare organizations still using Windows 7 and Windows 2008 only have a few days to upgrade the operating systems before Microsoft stops providing support. Support for both operating systems will come to an end on January 14, 2020. From January 14, 2020, no more patches and updates will be released by Microsoft, so the operating system will potentially be vulnerable to attack. Cyberattacks are unlikely to start the second support is stopped, but any vulnerabilities in the operating system discovered after January 14 will remain unaddressed. Exploits could therefore be developed for Windows 7 flaws and, through those compromised devices, attacks could be launched on other devices on the network. As the number of vulnerabilities grows, the risk of a cyberattack will increase. According to Forescout, the healthcare industry has the largest percentage of Windows 7 devices of any industry. A report earlier this year suggested 56% of healthcare organizations are still using Windows 7 on at least some devices and 10% of devices used by healthcare organizations are running Windows 7...

Read More
Ransomware Attack on Managed Service Provider Impacts More than 100 Dental Practices
Dec09

A Colorado IT firm that specializes in providing managed IT services to dental offices has been attacked with ransomware. Through the firm’s systems, more than 100 dental practices have also been attacked and have had ransomware deployed on their networks. The attack on Englewood, CO-based Complete Technology Solutions (CTS) commenced on November 25, 2019. According to a report on KrebsOnSecurity, CTS was issued with a ransom demand of $700,000 for the keys to unlock the encryption. The decision was taken not to pay the ransom. In order to provide IT services to the dental practices, CTS is able to log on to their systems using a remote access tool. That tool appears to have been abused by the attackers, who used it to access the systems of all its clients and deploy Sodinokibi ransomware. Some of the dental practices impacted by the attack have been able to recover data from backups, specifically, dental practices that had a copy of their backup data stored securely offsite. Many dental practices are still without access to their data or systems and are turning patients away due to...

Read More
Healthcare Threat Detections Up 45% in Q3 and 60% Higher Than 2018
Dec04

Cyberattacks on healthcare organizations have increased in frequency and severity in the past year, according to recently published research from Malwarebytes. In its latest report – Cybercrime Tactics and Techniques: The 2019 State of Healthcare – Malwarebytes offers insights into the main threats that have plagued the healthcare industry over the past year and explains how hackers are penetrating the defenses of healthcare organizations to gain access to sensitive healthcare data. Cyberattacks on healthcare organizations can have severe consequences. As we have seen on several occasions this year, attacks can cause severe disruption to day-to-day operations at hospitals, often resulting in delays in healthcare provision. In at least two cases, cyberattacks have resulted in healthcare organizations permanently closing their doors, and a recent study has shown that cyberattacks contribute to an increase in heart attack mortality rates. Even though the attacks can cause considerable harm to patients, attacks are increasing in frequency and severity. Malwarebytes data shows the...

Read More
$2.175 HIPAA Settlement Agreed with Sentara Hospitals for Breach Notification Rule and BAA Failures
Nov28

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 8th HIPAA financial penalty of 2019. Sentara Hospitals has agreed to settle potential violations of the HIPAA Privacy and Breach Notification Rules, will pay a penalty of $2.175 million, and will adopt a corrective action plan to address areas of noncompliance. Sentara operates 12 acute care hospitals in Virginia and North Carolina and has more than 300 care facilities in both states. OCR launched a compliance investigation in response to a complaint from a patient on April 17, 2017. The patient had reported receiving a bill from Sentara containing another patient’s protected health information. Sentara did report the breach to OCR, but the breach report stated that only 8 individuals had been affected, when the mailing had been misdirected and 577 individuals had had some of their PHI impermissibly disclosed. OCR determined that those 577 patients had their information merged with 16,342 different guarantors’ mailing labels. OCR advised Sentara that under the HIPAA Breach Notification...

Read More
October 2019 Healthcare Data Breach Report
Nov25

There was a 44.44% month-over-month increase in healthcare data breaches in October. 52 breaches were reported to the HHS’ Office for Civil Rights in October. 661,830 healthcare records were reported as exposed, impermissibly disclosed, or stolen in those breaches. This month takes the total number of breached healthcare records in 2019 past the 38 million mark. That equates to 11.64% of the population of the United States.

Largest Healthcare Data Breaches in October 2019

Breached Entity | Entity Type | Individuals Affected | Type of Breach
Betty Jean Kerr People’s Health Centers | Healthcare Provider | 152,000 | Hacking/IT Incident
Kalispell Regional Healthcare | Healthcare Provider | 140,209 | Hacking/IT Incident
The Methodist Hospitals, Inc. | Healthcare Provider | 68,039 | Hacking/IT Incident
Children’s Minnesota | Healthcare Provider | 37,942 | Unauthorized Access/Disclosure
Tots & Teens Pediatrics | Healthcare Provider | 31,787 | Hacking/IT Incident
University of Alabama at Birmingham | Healthcare Provider | 19,557 | Hacking/IT Incident
Prisma Health – Midlands | Healthcare Provider | 19,060...

Read More
TigerConnect Survey Finds 89% of Healthcare Providers Still Use Fax Machines and 39% are Still Using Pagers
Nov18

TigerConnect has released its 2019 State of Healthcare Communications Report, which shows that continuing reliance on decades-old, inefficient communications technology is negatively impacting patients and is contributing to the increasing cost of healthcare provision. For the report, TigerConnect surveyed more than 2,000 patients and 200 healthcare employees to assess the current state of communications in healthcare and gain insights into areas where communication inefficiencies are causing problems. The responses clearly show that communication in healthcare is broken. 52% of healthcare organizations are experiencing communication disconnects that impact patients on a daily basis or several times a week. Those communication inefficiencies are proving frustrating for healthcare employees and patients alike. The report reveals most hospitals are still heavily reliant on communications technology from the 1970s. 89% of hospitals still use faxes and 39% are still using pagers in some departments, roles, or even across the entire organization. The world may have moved on, but...

Read More
51% of Healthcare Providers Still Not Fully Complying with HIPAA Right of Access
Nov14

The Department of Health and Human Services’ Office for Civil Rights is cracking down on noncompliance with the HIPAA Right of Access, and for good reason. A recent report from Ciitizen has revealed more than half of healthcare providers (51%) are not fully compliant with this aspect of HIPAA. This is the second such report from Ciitizen, the first having been released on August 14, 2019. For the latest report, an additional 169 healthcare providers were assessed for Right of Access compliance, bringing the total assessed providers to 210. Acting with authorization from patients, Ciitizen made requests for copies of patients’ records. Each healthcare provider was then given a rating based on their response, from 5 stars for being fully compliant and responding within 5 days, down to 1 or 2 stars. A 1- or 2-star rating meant that, were it not for multiple escalation calls to supervisors, the provider would not have been compliant. There is some good news in the report. More providers are complying and there is less inconsistency from employee to employee. A growing number of healthcare...

Read More
Google Confirms it has Legitimate Access to Millions of Ascension Patients’ Health Records
Nov12

Following a report in the Wall Street Journal, Google has confirmed it is collaborating with one of the largest healthcare systems in the United States, which gives it access to a huge volume of patient data. Google has partnered with Ascension, the world’s largest Catholic health system and the second largest non-profit health system in the United States. Ascension operates more than 2,600 healthcare facilities in 21 states, including 150 hospitals and over 50 senior living facilities. The collaboration has given Google access to patient health information such as names, dates of birth, medical test results, diagnoses, treatment information, service dates, and other personal and clinical information. The project – code name Project Nightingale – had been kept under the radar prior to the WSJ report, which claimed that at least 150 Google employees have allegedly been able to access patient data as part of the project and that access to patient data had been granted without patients or physicians being informed. Both Google and Ascension made announcements about the Project...

Read More
Sen. Warner Demands Answers from HHS Over Apparent Lack of Response to Major PACS Data Breach
Nov12

U.S. Senator Mark R. Warner (D-VA) has written to the Director of the HHS’ Office for Civil Rights, Roger Severino, expressing concern over the HHS response to the mass exposure of medical images by U.S. healthcare organizations. Sen. Warner is the Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus. This is the latest in a series of communications in which he has voiced concerns about cybersecurity failures that have compromised the personal and private information of Americans. In February, Sen. Warner demanded answers from HHS agencies, NIST, and healthcare associations about healthcare cybersecurity following the continued increase in healthcare data breaches. His recent letter to OCR was in response to a September 17, 2019 report about the exposure of millions of Americans’ medical images that were stored in unsecured picture archiving and communication systems (PACS). The report detailed the findings of an investigation by ProPublica, German public broadcaster Bayerischer Rundfunk, and vulnerability and analysis firm,...

Read More
HHS Increases Civil Monetary Penalties for HIPAA Violations in Line with Inflation
Nov11

The U.S. Department of Health and Human Services has increased the civil monetary penalties for HIPAA violations in accordance with the Inflation Adjustment Act. The final rule took effect on Tuesday, November 5, 2019. This rule increases the civil monetary penalties for HIPAA violations that occurred on or after February 18, 2009. Under the new penalty structure, the increases from 2018 to 2019 are detailed in the table below:

Penalty Tier | Level of Culpability | Minimum Penalty per Violation (2018 » 2019) | Maximum Penalty per Violation (2018 » 2019) | New Maximum Annual Penalty (2018 » 2019)*
1 | No Knowledge | $114.29 » $117 | $57,051 » $58,490 | $1,711,533 » $1,754,698
2 | Reasonable Cause | $1,141 » $1,170 | $57,051 » $58,490 | $1,711,533 » $1,754,698
3 | Willful Neglect – Corrective Action Taken | $11,410 » $11,698 | $57,051 » $58,490 | $1,711,533 » $1,754,698
4 | Willful Neglect – No Corrective Action Taken | $57,051 » $58,490 | $1,711,533 » $1,754,698 | $1,711,533 » $1,754,698

Penalties for HIPAA violations that occurred prior to February 18, 2009 have increased to $159 per violation, with an annual cap of...

Read More
Texas Health and Human Services Commission Pays $1.6 Million HIPAA Penalty
Nov08

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $1.6 million civil monetary penalty (CMP) on Texas Health and Human Services Commission (TX HHSC) for multiple violations of Health Insurance Portability and Accountability Act (HIPAA) Rules. TX HHSC is a state agency that operates supported living centers, regulates nursing and childcare facilities, provides mental health and substance abuse services, and administers hundreds of state programs for people in need of assistance, such as individuals with intellectual and physical disabilities. OCR launched an investigation following receipt of a breach report from the Department of Aging and Disability Services (DADS), a state agency that was reorganized into TX HHSC in September 2017. On June 11, 2015, DADS reported a security incident to OCR which stated that the electronic protected health information (ePHI) of 6,617 individuals had been exposed over the internet. The exposed information included names, addresses, diagnoses, treatment information, Medicaid numbers, and Social Security numbers....

Read More
Lack of Encryption Leads to $3 Million HIPAA Penalty for New York Medical Center
Nov06

The University of Rochester Medical Center (URMC) has paid a $3 million HIPAA penalty for the failure to encrypt mobile devices and other HIPAA violations. URMC is one of the largest health systems in New York State with more than 26,000 employees at the Medical Center and various other components of the health system, including Strong Memorial Hospital and the School of Dentistry. The Department of Health and Human Services’ Office for Civil Rights (OCR) launched an investigation following receipt of two breach reports from URMC: the loss of an unencrypted flash drive and the theft of an unencrypted laptop computer, in 2013 and 2017 respectively. This was not the first time OCR had investigated URMC. An investigation was launched in 2010 following a similar breach involving a lost flash drive. In that instance, OCR provided technical compliance assistance to URMC. The latest investigation uncovered multiple violations of HIPAA Rules, including areas of noncompliance that should have been addressed after receiving technical assistance from OCR in 2010. Under HIPAA, data encryption is not...

Read More
BlueKeep Vulnerability Being Actively Exploited in Real World Attacks
Nov05

In May 2019, Microsoft made an announcement about a critical remote code execution vulnerability in Windows Remote Desktop Services named BlueKeep – CVE-2019-0708. The cybersecurity community predicted that a weaponized exploit would be developed and be used in large-scale attacks. That prediction has now come true. Over the weekend, the first mass attacks using a BlueKeep exploit were discovered. Soon after Microsoft announced the vulnerability, several security researchers developed proof-of-concept exploits for BlueKeep. One such exploit allowed a researcher to remotely take control of a vulnerable computer in just 22 seconds. The researchers held off publishing their PoCs due to the seriousness of the threat and the number of devices that were vulnerable to attack. Initially, millions of internet-connected devices were at risk, including around a million Internet of Things (IoT) devices. The BlueKeep vulnerability can be exploited remotely by sending a specially crafted RDP request. No user interaction is required to exploit the vulnerability. The flaw is also wormable, which...

Read More
HHS Releases Updated HIPAA Security Risk Assessment Tool
Oct31

The HHS has updated its HIPAA Security Risk Assessment Tool and has added several new user-requested features to improve usability. The HIPAA Security Risk Assessment Tool was developed by the HHS Office of the National Coordinator for Health Information Technology (ONC) in collaboration with the HHS’ Office for Civil Rights to help healthcare organizations with this important provision of the HIPAA Security Rule. The risk assessment is a foundational element of compliance with the Health Insurance Portability and Accountability Act Security Rule. By conducting a risk assessment, healthcare organizations can identify areas where PHI may be at risk. Any risks can then be assessed, prioritized, and reduced to a reasonable and acceptable level. The failure to conduct a comprehensive, organization-wide risk assessment is the most commonly cited HIPAA violation in OCR enforcement actions. This is perfectly understandable. If a risk assessment does not cover all systems that store or touch ePHI, vulnerabilities are likely to be missed and the confidentiality, integrity, and availability of ePHI will remain...

Read More
Report Suggests Augmented Security Following a Data Breach Contributes to Increase in Patient Mortality Rate
Oct28

Healthcare data breaches lead to a reduction in the quality of care provided to patients, according to a study recently published in Health Services Research. Researchers analyzed data from Medicare Compare, which details quality measures at hospitals. Data from 2012-2016 was analyzed and compared with data from the HHS’ Office for Civil Rights on data breaches of more than 500 records over the same period. The researchers analyzed data on 3,025 Medicare-certified hospitals, 311 of which had experienced a data breach. According to the study, the time it took from a patient arriving at the hospital to an electrocardiogram being performed increased by up to 2.7 minutes at hospitals that had experienced a data breach. A ransomware attack that prevents clinicians from accessing patient data will limit their ability to provide essential medical services to patients, so a delay in conducting tests and obtaining the results is to be expected. However, the delays were found to continue for months and years after a cyberattack was experienced. The study showed that 3-4 years after a breach...

Read More
Slew of HIPAA Violations Leads to $2.15 Million Civil Monetary Penalty for Jackson Health System
Oct23

The Department of Health and Human Services’ Office for Civil Rights has imposed a $2.15 million civil monetary penalty against the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS), for a slew of violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. In July 2015, OCR became aware of several media reports in which the PHI of a patient was impermissibly disclosed. The individual was a well-known NFL football player. Photographs of an operating room display board and schedule had also been shared on social media by a reporter. OCR launched an investigation in October 2015 and opened a compliance review in relation to the impermissible disclosure. JHS investigated and submitted a report confirming a photograph was taken in which two patients’ PHI was visible, including the PHI of a well-known person in the community. The internal investigation revealed an employee had been accessing patient information without authorization since 2011. During that time, the employee had accessed the records of 24,188 patients without any legitimate...

Read More
Sensitive Data of Millions of Patients Discovered to Be Freely Accessible Over the Internet
Oct22

The sensitive health information of millions of patients has been exposed over the internet as a result of the failure of nine companies to secure their medical databases. The exposed patient data was discovered by security researchers at WizCase. The research team, led by Avishai Efrat, used publicly available tools to search for exposed data that could be accessed without the need for any usernames or passwords. The firm then offers to help those organizations fix their data leaks and better secure their data. In all cases, the researchers attempted to contact the healthcare organizations concerned to advise them about the misconfigured databases so that steps could be taken to secure the data and prevent unauthorized access, but in several cases no response was received. The researchers contacted databreaches.net and received assistance in contacting the companies concerned. When no response was received, the researchers contacted local authorities and hosting companies for assistance. Several attempts were made to get the data secured over the space of a month before the...

Read More
September 2019 Healthcare Data Breach Report
Oct21

September saw 36 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which represents a 26.53% decrease in breaches from the previous month. 1,957,168 healthcare records were compromised in those breaches, an increase of 168.11% from August. The large number of breached records is largely down to four reported incidents, each of which involved hundreds of thousands of healthcare records. Three of those incidents have been confirmed as ransomware attacks. Largest Healthcare Data Breaches in September 2019 The largest breach of the month was due to a ransomware attack on Jacksonville, FL-based North Florida OB-GYN, part of Women’s Care of Florida. 528,188 healthcare records were potentially compromised as a result of the attack. Sarrell Dental also experienced a ransomware attack in which the records of 391,472 patients of its Alabama clinics were encrypted. 320,000 records of patients of Premier Family Medical in Utah were also potentially compromised in a ransomware attack. The University of Puerto Rico...

Read More
VA OIG: Records of Thousands of Veterans Exposed to 25,000 VA Employees via Shared Network Drives
Oct21

Internal Department of Veterans Affairs (VA) communications, disability claims, and the health information of thousands of veterans have been exposed and could be accessed by VA employees not authorized to view the information, according to the findings of a Department of Veterans Affairs’ Office of Inspector General (VA OIG) audit. VA OIG conducted an audit of the VA’s Milwaukee Regional Office following a tipoff by a whistleblower in September 2018 about the exposure of sensitive information on shared network drives, which the whistleblower claimed could be accessed by employees unauthorized to view the information. VA OIG auditors visited the Milwaukee offices in January 2019 and confirmed that sensitive information had been stored on two shared network drives on the VA Enterprise network, which could be accessed by veterans service organization (VSO) officers, even if those officers did not represent those veterans. The auditors determined that any Veterans Benefits Administration employee who had permission to access the VA network remotely could have accessed the files stored on the...

Read More
Roger Severino Gives Update on OCR HIPAA Enforcement Priorities
Oct17

Roger Severino, Director of the HHS’ Office for Civil Rights, has given an update on OCR’s HIPAA enforcement priorities at the OCR/NIST 11th Annual HIPAA Conference in Washington D.C. Severino confirmed that one of OCR’s top policy initiatives is still enforcing the rights of patients under the HIPAA Privacy Rule and ensuring they are given timely access to their health information at a reasonable cost. Under HIPAA, patients have the right to view and check their medical records and obtain a copy of their health data, yet there are still healthcare organizations that are making this difficult. OCR has already agreed to settle one case this year with a HIPAA-covered entity that failed to provide a patient with a copy of her health information. OCR had to intervene before those records were provided to the patient. The entity in question, Bayfront Health St Petersburg, paid a financial penalty of $85,000 to resolve the HIPAA violation. More financial penalties will be issued to covered entities that fail to comply with this important provision of HIPAA. Severino confirmed that...

Read More
Adoption of Standards Improves Cybersecurity of Internet of Medical Things (IoMT) Devices
Oct17

Internet of Medical Things (IoMT) technology is helping to increase efficiency, improve the quality of healthcare, and lower healthcare costs; however, IoMT introduces risks. The failure to reduce those risks to a low and acceptable level leaves IoMT devices vulnerable to cyberattacks. Those attacks can be expensive to resolve, which drives up the cost of healthcare and can result in patients coming to harm. Not only must the devices be secured, cybersecurity must also be managed throughout the entire lifespan of the devices. Software and firmware must be kept up to date, patches must be applied promptly to fix vulnerabilities, and the devices need to be retired when they reach end of life and support comes to an end. Without a thorough understanding of the risks, securing IoMT devices can be a major challenge. The U.S. Department of Veterans Affairs (VA) has taken steps to improve the safety and security of IoMT devices and has been seeking solutions for securing large-scale IoMT device deployments to better protect the 9 million people under its care. The VA, in conjunction with...

Read More
MITA Publishes New Medical Device Security Standard
Oct14

The Medical Imaging & Technology Alliance (MITA) has released a new medical device security standard which provides healthcare delivery organizations (HDOs) with important information about risk management and medical device security controls to harden the devices against unauthorized access and cyberattacks. The new voluntary standard – Manufacturer Disclosure Statement for Medical Device Security (MDS2) (NEMA/MITA HN 1-2019) – was developed in conjunction with a diverse range of industry stakeholders and aligns with the 2018 U.S. Food and Drug Administration (FDA) Medical Device Cybersecurity Playbook, issued in October 2018. The guidance explains that cybersecurity of medical devices is a shared responsibility. HDOs must collaborate with medical device manufacturers to ensure best practices are adopted. Device manufacturers, HDOs, government entities, and cybersecurity researchers need to work together to ensure threats to medical devices are managed and reduced to reasonable and appropriate levels. The new standard is intended to help streamline communications between...

Read More
HHS Proposes New Stark Law Safe Harbor Covering Cybersecurity Donations
Oct11

The U.S. Department of Health and Human Services (HHS) has proposed changes to physician self-referral and federal anti-kickback regulations which will see the creation of a new safe harbor covering hospital donations of cybersecurity software and associated services to physicians. The proposed law change is detailed in two new rules issued by the HHS’ Office of Inspector General (OIG) and the Centers for Medicare & Medicaid Services (CMS) which aim to modernize and clarify regulations that interpret the Federal Anti-Kickback Statute and the Physician Self-Referral law known as the Stark Law. The proposed rules are part of the HHS’s Regulatory Sprint to Coordinated Care, which promotes value-based care by eliminating federal regulatory barriers that are impeding efforts to improve the coordination of care between providers. “The digitization of the healthcare delivery system and related rules designed to increase interoperability and data sharing in the delivery of healthcare create numerous targets for cyberattacks,” explained OIG. “The healthcare industry and the...

Read More
New York Legislation Prohibits First Responders from Selling Patient Data for Marketing Purposes
Oct10

On October 7, 2019, New York Governor Andrew Cuomo signed new legislation into law – S.4119/A.230 – that prohibits first responders and ambulance service personnel from selling or disclosing patient data to third parties for marketing or fundraising purposes. The bill was originally introduced by New York Assembly Member Edward Braunstein in 2014 following reports that ambulance and first response service personnel were selling patient data such as names, addresses, phone numbers and medical histories to third parties such as pharmaceutical firms and nursing homes for marketing and fundraising purposes. Prior to the introduction of the new law, these disclosures and the sale of patient information were permitted in New York. “Patients have a right to privacy and their medical information should never be sold to pharmaceutical companies, insurers, nursing homes, or other businesses,” explained Braunstein. The legislation follows the June 25, 2019 signing of the Stop Hacks and Improve Electronic Data Security (SHIELD) Act into law, which overhauled state regulations...

Read More
Pulse Connect, GlobalProtect, Fortigate VPN Vulnerabilities Being Actively Exploited by APT Actors
Oct09

Vulnerabilities in popular VPN products from Pulse Secure, FortiGuard, and Palo Alto are being actively exploited by advanced persistent threat (APT) actors to gain access to VPNs and internal networks. The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and other cybersecurity agencies issued security advisories about multiple vulnerabilities in VPN products over the summer of 2019; however, many organizations have been slow to take action. Weaponized exploits for the vulnerabilities have now been developed and are being used by APT actors and exploit code is freely available online on GitHub and the Metasploit framework. On October 1, 2019, the UK’s National Cyber Security Centre issued a warning about the vulnerabilities following several attacks on government agencies, the military, businesses, and the education and healthcare sectors. The National Security Agency (NSA) also issued a security advisory about the vulnerabilities along with mitigations on October 7. The vulnerabilities are present in outdated versions of the Pulse Secure VPN (CVE-2019-11508 and...

Read More
An Internal Security Operations Center Cuts Data Breach Costs by More Than Half
Oct08

A recent survey conducted by B2B International on behalf of Kaspersky Lab has revealed the average cost of an enterprise-level data breach has risen to $1.41 million from $1.23 million in 2018. The increased risk of a data breach and the increasing remediation costs have prompted enterprises to invest more heavily in cybersecurity. When the Kaspersky Global Corporate IT Security Risks Survey was last conducted in 2018, average IT security budgets were $8.9 million. In 2019, budgets had increased to an average of $18.9 million. The biggest costs from a data breach were found to be damage to the company’s credit rating and increased insurance costs, followed by the cost of hiring external security consultants, loss of business, brand repair, additional wages for internal staff, compensation, and financial penalties and regulatory fines. While there are several things enterprises can do to cut data breach costs, the appointment of a dedicated Data Protection Officer (DPO) and deploying an internal Security Operations Center (SOC) are the two most important for reducing...

FBI Issues Updated Ransomware Guidance: Extent of U.S. Ransomware Epidemic Revealed
Oct04

A recent report from New Zealand-based cybersecurity firm Emsisoft has revealed the extent to which ransomware is being used in cyberattacks in the United States. The first 9 months of 2019 have seen 621 ransomware attacks on government entities, healthcare organizations, and educational institutions. Ransomware attacks can have devastating consequences. This week, a healthcare provider announced that it will be permanently closing its doors as a result of a ransomware attack due to extensive damage to its systems and the permanent loss of patient data. This is the second healthcare provider known to have been forced out of business due to a ransomware attack this year. Even when recovery is possible – by paying the ransom or restoring files from backups – the attacks cause major disruption and result in substantial losses. A ransomware attack on DCH health system forced its three hospitals to temporarily close to all but critical patients while systems were restored. Attacks on municipalities have resulted in essential services grinding to a halt, police departments have lost...

Dental Practice Fined $10,000 for PHI Disclosures on Yelp
Oct03

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with Elite Dental Associates over the impermissible disclosure of multiple patients’ protected health information (PHI) when responding to patient reviews on the Yelp review website. Elite Dental Associates is a Dallas, TX-based privately-owned dental practice that provides general, implant and cosmetic dentistry. On June 5, 2016, OCR received a complaint from an Elite patient about a social media HIPAA violation. The patient claimed the dental practice had responded to a review she left on Yelp and publicly disclosed some of the PHI. When replying to the patient’s June 4, 2016 post, Elite disclosed the patient’s last name along with details of her health condition, treatment plan, insurance, and cost information. The investigation confirmed that to be the case, but also found it was not the first time that PHI had been disclosed without authorization on the social media platform when responding to patient reviews. Further impermissible PHI disclosures were found on the...

URGENT/11 Cybersecurity Vulnerabilities in Medical Devices Prompt FDA Warning
Oct02

Security researchers at Armis have identified 11 vulnerabilities in the Interpeak IPnet TCP/IP Stack, a third-party software component used in hospital networks and certain medical devices. The vulnerabilities were reported to the DHS Cybersecurity and Infrastructure Security Agency (CISA), prompting an ICS Medical Advisory and a Food and Drug Administration (FDA) Safety Communication warning patients, healthcare providers, facility staff and manufacturers about the flaws. The FDA alert – named URGENT/11 – explains that the vulnerabilities could be remotely exploited by a threat actor, allowing full control to be taken of a vulnerable medical device. An attacker could change the functions of the device, access sensitive information, cause logical flaws, or mount a denial of service attack that could stop the device from working. While there have been no reports of the flaws being exploited in the wild, the FDA warns that the software required to exploit the flaws is publicly available. Interpeak IPnet TCP/IP Stack supports network communications between computers, and while it is no longer...

Wood Ranch Medical Announces Permanent Closure Due to Ransomware Attack
Sep30

Another healthcare provider has announced it will be permanently closing its doors as a direct result of a ransomware attack. The devastating attack occurred at Wood Ranch Medical in Simi Valley, CA, which recently announced that the practice will permanently close on December 17, 2019. The attack occurred on August 10, 2019 and resulted in its servers being infected with ransomware. The attack caused widespread file encryption and prevented medical records from being accessed. The extent of the attack was such that computer systems were permanently damaged making file recovery impossible. The practice had created backups of patient records, but those backups were also encrypted and could not be used to restore patient data. Ransomware attacks are usually conducted with the sole purpose of extorting money. Files are encrypted and a ransom demand is issued. If the ransom is not paid, files remain permanently encrypted. Payment of the ransom comes with no guarantee that file recovery will be possible and encourages further attacks. For these reasons the FBI recommends ransom payments...

Sen. Rand Paul Introduces National Patient Identifier Repeal Act
Sep27

Sen. Rand Paul, M.D., (R-Kentucky) has introduced a new bill that attempts to have the national patient identifier provision of HIPAA permanently removed due to privacy concerns over the implementation of such a system. Today, HIPAA is best known for its healthcare data privacy and security regulations, but the national patient identifier system was proposed in the original HIPAA legislation of 1996 as a measure to facilitate data sharing and help reduce wastage in healthcare. The provision called for the HHS to “adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and healthcare provider for use in the health care system.” However, in 1998, former Congressman Ron Paul (R-Texas), Sen. Rand Paul’s father, introduced a proposal which called for a ban on funding the development and implementation of such a system. The ban was introduced into the Congressional budget for 1999 and has been written into all Congressional budgets ever since. This year there was hope that the ban would finally be removed following a June amendment to...

Senate Fails to Remove Ban on Funding of National Patient Identifier System
Sep25

The Department of Health and Human Services (HHS) is prohibited from using any of its budget to fund the development and implementation of a national patient identifier, but there was hope that the ban would finally be lifted this year. The House of Representatives added an amendment to its Departments of Labor, Health, and Human Services, and Education, and Related Agencies Act of 2020 which removed the ban and would allow the HHS to follow through on this requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It now looks likely that the ban will remain in place for at least another year, as the Senate Appropriations Subcommittee’s draft 2020 fiscal budget bill, released last Wednesday, has retained the text banning the HHS from acting on this HIPAA requirement. The ban has been in place since 1999 and was introduced because of concerns over patient privacy. The ban has been written into the Congressional budget every year since and the proposed 2020 fiscal budget bill is no different. The proposed fiscal budget bill includes the text, “None of...

Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches
Sep24

Researchers from Michigan State University and Johns Hopkins University have conducted a study of healthcare data breaches over the past 10 years to examine what types of information are most commonly exposed in healthcare data breaches. The study, published in the journal Annals of Internal Medicine on Monday September 23, 2019, confirms that the health information of approximately 169 million Americans was exposed, compromised, or impermissibly disclosed in 1,461 data breaches at 1,388 entities between October 2009 and July 2019. Those breaches each impacted 500 or more individuals and were reportable incidents under HIPAA and the HITECH Act. The researchers explain that information about the types of information exposed in data breaches is not widely available to the public, since it is not a requirement to share the types of data that have been compromised in the breaches. It is therefore difficult for researchers to classify the amount and types of healthcare information exposed and gain an accurate picture of the consequences of the breaches. “When the media reports...

August 2019 Healthcare Data Breach Report
Sep23

In August, healthcare data breaches continued to be reported at a rate of more than 1.5 per day, which is around twice the monthly average in 2018 (29.5 breaches per month). This is the second successive month when breaches have been reported at such an elevated level. While the number of breaches has not changed much since last month (49 compared to 50), there has been a substantial reduction in the number of exposed records. August saw 729,975 healthcare records breached compared to 25,375,729 records in July, 3,452,442 records in June, and 1,988,376 records in May. The exceptionally high breach total for July was mostly due to the massive data breach at American Medical Collection Agency (see below for an update on the AMCA breach total).

Causes of August 2019 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in August. 32 breaches were attributed to hacking/IT incidents, which is almost double the number of breaches from all other causes. Hacking/IT incidents breached 602,663 healthcare records – 82.56% of all records breached in...

400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS
Sep18

A recent investigation by ProPublica, the German public broadcaster Bayerischer Rundfunk, and the vulnerability analysis firm Greenbone Networks has revealed that millions of medical images contained in image storage systems are freely accessible online and require no authentication to view or download. Those images, which include X-rays, MRI, and CT scans, are stored in picture archiving and communications systems (PACS) connected to the Internet. Greenbone Networks audited 2,300 Internet-connected PACS between July and September 2019 and set up a RadiAnt DICOM Viewer to access the images stored on open PACS servers. Those servers were found to contain approximately 733 million medical images, of which 399.5 million could be viewed and downloaded. The researchers found 590 servers required no authentication whatsoever to view medical images. PACS use the digital imaging and communications in medicine (DICOM) standard to view, process, store, and transmit the images. In most cases, a DICOM viewer would be required to access the images, but in some cases, all that is required...

Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices Issued by NCCoE
Sep18

The National Cybersecurity Center of Excellence (NCCoE) has issued new draft NIST mobile device security guidance to help organizations mitigate the risks introduced by corporate-owned personally enabled (COPE) devices. Mobile devices allow employees to access resources essential for their work duties, no matter where those individuals are located. As such, the devices allow organizations to improve efficiency and productivity, but the devices bring unique threats to an organization. The devices typically have an always-on Internet connection and the devices often lack the robust security controls that are applied to devices such as desktop computers. Malicious or risky apps can be downloaded to mobile devices by users without the knowledge or authorization of the IT department. App downloads could introduce malware and app permissions could allow unauthorized access to sensitive data. Organizations therefore need to have total visibility into all mobile devices used by employees for work activities and they must ensure that mobile device security risks are effectively mitigated....

NCCoE Issues Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem
Sep17

The National Cybersecurity Center of Excellence (NCCoE) has issued draft NIST guidelines for securing the picture archiving and communications system (PACS) ecosystem. The guidelines – NIST Cybersecurity Practice Guide, SP 1800-24 – have been written for healthcare delivery organizations (HDOs) to help them secure their PACS, reduce the probability of a data breach and data loss, protect patient privacy, and ensure the integrity of medical images while minimizing disruption to hospital systems. PACS is used by virtually all HDOs for storing, viewing, and sharing digital medical images. The systems make it easy for healthcare professionals to access and share medical images to speed up diagnosis. The system can often be accessed via desktops, laptops, and mobile devices, and a PACS may also link to electronic health records, other hospital systems, regulatory registries, and government, academic, and commercial archives. With many users and devices and interactions with multiple systems, HDOs can face challenges securing their PACS ecosystem, especially without...

Consumer Technology Association Publishes Privacy Guidelines for Handling Health and Wellness Data
Sep17

The Consumer Technology Association (CTA) has released data privacy guidelines to help companies better protect health and wellness data. The guidelines have been developed to help CTA members address tangible privacy risks and securely collect, use, and share health and wellness data from health/wellness apps, wearable devices, and other digital tools. The guidelines – Guiding Principles for the Privacy of Personal Health and Wellness Information – were developed by the CTA to help members address privacy gaps, discover consumer preferences, and earn consumer trust. “[The] privacy guidelines, developed with consensus among industry stakeholders, will help give both individuals and companies the confidence to invest in innovative technologies which will improve health,” explained CTA president and CEO, Gary Shapiro. “The CTA Privacy Principles demonstrate that health tech companies understand they must be trusted stewards of patient data.” Consumers now have access to a plethora of apps, devices, and digital tools that let them keep track of their health metrics,...

Multi-Factor Authentication Blocks 99.9% of Automated Cyberattacks
Sep13

The healthcare industry experiences more than its fair share of phishing attacks. Each week, several phishing attacks are reported by healthcare organizations that have resulted in the exposure or theft of protected health information. In the majority of cases, those attacks could be prevented by following basic cybersecurity best practices. Cyberattacks are becoming more sophisticated, but the majority of attacks are not. They involve the use of default and commonly used passwords in brute force attacks or basic phishing emails. Brute force attacks can be thwarted by creating and enforcing strong password policies. It should not be possible for users to use dictionary words as passwords or commonly used weak passwords such as 12345678. Accounts are also commonly breached due to password re-use. Figures from Microsoft suggest 73% of users duplicate passwords on work and personal accounts. If a personal account is breached, the password can be used to access the user’s work account. Many phishing emails succeed in bypassing anti-spam defenses. A recent report from Avanan suggests as...

HSCC Publishes Guidance on Healthcare Information Sharing Organizations
Sep12

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published guidance on cybersecurity information sharing organizations in the healthcare sector. HSCC is a public-private partnership of more than 200 companies and organizations, including health IT companies, medical device manufacturers, laboratories, pharmaceutical companies, health plans, payers and government agencies. Its role is to provide collaborative solutions to help mitigate cybersecurity threats affecting the healthcare industry. The Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO) is the fourth cybersecurity resource published by HSCC as mandated by the Health Care Industry Cybersecurity Task Force, which requires HSCC to help improve information sharing of industry threats, risks, and mitigations. Other resources previously published by HSCC cover healthcare industry cybersecurity best practices, developing a medical device joint security plan, and the development of a health industry cybersecurity workforce. “Many health organizations are beginning to...

Insurance Companies are Fueling the Ransomware Epidemic by Paying Ransoms
Sep11

A recent ProPublica investigation has highlighted a growing problem that is fueling the current ransomware epidemic. Insurance companies are opting to pay ransom demands as it is the most cost-effective way of settling claims, even though paying ransoms encourages further attacks. A ransom demand may be high, but it is far cheaper to pay the ransom than to cover the cost of rebuilding systems from scratch and restoring data from backups. Paying the ransom demand is a win-win for the insurer and the breached entity. The insurer saves money and, since most insurance policies only require payment of a small deductible, the breached entity does too. They are also likely to regain access to their files and systems far more quickly, which saves time and money by reducing downtime. The hackers responsible for the attack are also happy, as their demand is met. This has been clearly demonstrated in recent attacks where the breached entity has refused to pay up. The ransomware attack on the city of Atlanta saw the attackers issue a demand of $51,000 for the keys to decrypt files. The city refused...

OCR Settles First HIPAA Violation Case Under 2019 Right of Access Initiative
Sep10

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that one of the main areas of HIPAA enforcement in 2019 would be HIPAA right of access failures, including untimely responses to access requests and overcharging for copies of medical records. The HIPAA right of access allows patients to obtain copies of their medical records on request. HIPAA-covered entities are required to honor those requests and provide patients with access to PHI or copies of health data contained in a ‘designated record set’ within 30 days of the request being received. A covered entity is permitted to charge a reasonable, cost-based fee for providing a copy of the individual’s PHI, which can include the cost of certain labor, supplies and postage. HIPAA-covered entities that fail to provide copies of records in a reasonable time frame or charge excessive amounts for providing a copy of a patient’s PHI are in violation of the HIPAA Privacy Rule – See 45 CFR 164.501. Such violations can attract a sizable financial penalty. This week, OCR has announced...

Most Patients Happy to Share EHR Data for Research, But Not Entire Medical Record
Sep06

A majority of patients are comfortable with sharing their biospecimens and EHR data for research purposes, according to a new study published in JAMA Network Open; however, most patients want to restrict the sharing of at least one part of their medical record. Patients also exhibited preferences as to the institutions with whom their data and biospecimens were shared. Certain legislation covering the use of EHR data and biospecimens allows patient data to be shared for research purposes, either in identifiable or de-identified form, unless the patient explicitly opts out of data sharing. The researchers note that this all-or-nothing approach is problematic, as many patients are concerned about sharing certain types of information due to fears about secondary uses of their data. The researchers investigated the attitudes of 1,246 adults in the United States about a tiered consent approach to EHR record sharing. This approach splits an individual’s medical records into smaller parts, which allows patients to consent to sharing certain parts of their medical records while restricting...

Study Confirms Why Prompt Data Breach Notifications Are So Important
Sep05

When healthcare organizations experience a data breach it is understandable that breach victims will be upset and angry. Information is provided to healthcare organizations in the understanding that safeguards have been implemented to keep that information private and confidential. When patients and health plan members learn that their sensitive, private information has been exposed or stolen, many choose to take their business elsewhere. According to a new study* by the credit reporting agency Experian, if the breach response is properly managed and the breached entity is transparent and issues notifications promptly, customer churn rate can be kept to an absolute minimum. The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule requires notifications to be issued to breach victims ‘without unreasonable delay’ and no later than 60 days from the discovery of the breach. However, a majority of patients expect to be notified much more quickly. The study showed 73% of patients/plan members expect to be notified about a breach within 24 hours of the...

Hurricane Dorian: Limited HIPAA Waiver Issued in Puerto Rico, Florida, Georgia, North and South Carolina
Sep04

Alex Azar, Secretary of the Department of Health and Human Services (HHS), has declared a public health emergency (PHE) in Puerto Rico and the states of Florida, Georgia, and South Carolina due to Hurricane Dorian. On September 4, a PHE was also declared in North Carolina, retroactive to September 1, 2019. The announcement follows the presidential PHE in the above areas as the states prepare for when the hurricane makes landfall. The declaration was accompanied by the announcement of a limited waiver of HIPAA sanctions and penalties for certain provisions of the HIPAA Privacy Rule, as mandated by the Project Bioshield Act of 2004 of the Social Security Act. The waiver only applies in the emergency areas and for the period of time covered by the PHE. The waiver applies to hospitals that have implemented their disaster protocol, and only for up to 72 hours from when the disaster protocol was implemented, unless the PHE declaration terminates before that 72-hour period has elapsed. Once the PHE comes to an end, hospitals are required to comply with all requirements of the HIPAA...

82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices
Sep03

82% of healthcare providers that have implemented Internet-of-Things (IoT) devices have experienced a cyberattack on at least one of those devices over the course of the past 12 months, according to the Global Connected Industries Cybersecurity Survey from Swedish software company Irdeto. For the report, Irdeto surveyed 700 security leaders from healthcare organizations and firms in the transportation, manufacturing, and IT industries in the United States, United Kingdom, Germany, China, and Japan. Attacks on IoT devices were common across all those industry sectors, but healthcare organizations experienced the most cyberattacks out of all industries under study. The biggest threat from these IoT cyberattacks is theft of patient data. The attacks also have potential to compromise end user safety, result in the loss of intellectual property, operational downtime and damage to the organization’s reputation. The failure to effectively secure the devices could also potentially result in a regulatory fine. When asked about the consequences of a cyberattack on IoT devices, the biggest...

UCMC and Google File Motions to Dismiss HIPAA Privacy Lawsuit
Sep02

On June 26, a patient of University of Chicago Medical Center (UCMC) filed a lawsuit against the medical center and Google over an alleged privacy violation related to the sharing of protected health information (PHI) without first properly de-identifying the data. Patient information was shared with Google to assist with the development of its predictive medical data analytics technology. HIPAA does not prohibit the sharing of information with third parties such as technology companies, provided consent is obtained from patients prior to information being shared. Alternatively, healthcare organizations can share patient information provided it is de-identified. Under HIPAA, that means removing 18 identifiers to ensure patients cannot be identified. HIPAA calls for one of two methods to be used to de-identify PHI: Expert determination or the safe harbor method. The latter involves stripping PHI of all 18 identifiers, while the former requires an expert to determine, through recognized statistical and scientific principles, that the risk of patients being re-identified is...

73 Email Accounts Compromised in Major Phishing Attack on NCH Healthcare System
Sep02

The importance of security awareness training for healthcare employees has been highlighted by a recent phishing attack on Bonita Springs, FL-based NCH Healthcare System. The attack was detected on June 14, 2019 when suspicious email activity was identified in relation to its payroll system. The investigation revealed a staggering 73 employees had responded to phishing emails and disclosed their account credentials to the scammers. It is common for healthcare organizations to identify an email account breach and later discover the attack was more extensive than originally thought. Oftentimes, several email accounts are discovered to have been compromised, often as a result of lateral phishing – the use of one compromised email account to send phishing emails to other individuals in the organization. However, a breach as extensive as this is fortunately rare. NCH Healthcare System is still investigating the attack and is being assisted by a third-party computer forensics firm. The initial findings of the investigation suggest the attackers were not concerned with obtaining PHI,...

OCR Offers Advice on Managing Malicious Insider Threats
Aug30

Healthcare organizations can implement robust defenses to prevent hackers from gaining access to sensitive data, but not all threats come from outside the organization. It is also important to implement policies, procedures, and technical solutions to detect and prevent attacks from within. Healthcare employees require access to protected health information (PHI) to perform their work duties. While those individuals may be deemed trustworthy, providing access to PHI exposes the organization to risk. Workers can go rogue and access patient information without authorization and could easily abuse their access rights and steal patient data for financial gain. There will always be the occasional bad apple, but the 2019 Verizon Data Breach Investigations Report suggests the problem is far more prevalent. According to the report, 59% of all security incidents and data breaches analyzed for the report were caused by insiders. Many of those breaches were due to mistakes made by healthcare employees, but a significant percentage were caused by malicious insiders who stole patient...

Ransomware Attack Impacts More Than 400 U.S. Dental Practices
Aug30

A ransomware attack on a medical record backup service has prevented hundreds of dental practices in the United States from accessing their patients’ records. The attack occurred on August 26, 2019 and affected the DDS Safe backup solution developed by Wisconsin-based software company, Digital Dental Record (DDS). The DDS system was accessed via an attack on its cloud management provider, West Allis, WI-based PerCSoft. Ironically, the DDS website states DDS Safe helps to protect dental practices against ransomware attacks. The attack did not affect all dental practices using the DDS Safe solution. Initial reports suggest between 400 and 500 of the 900 dental practices using the solution have been affected by the REvil/Sodinokibi ransomware attack. PerCSoft, assisted by a third-party software company, has obtained a decryptor and is in the process of recovering the encrypted files. According to a statement from DDS, recovery of files is estimated to take between 30 minutes and 4 hours per client. Some dental practices have reported file loss as a result of the attack and others have...

AMCA Data Breach Total Nears 25M as Wisconsin Diagnostic Laboratories Confirms 115K Record Breach
Aug28

The victim count from the American Medical Collection Agency (AMCA) data breach has risen to almost 25 million as yet another healthcare organization has announced it has been impacted by the breach. Wisconsin Diagnostic Laboratories (WDL), a network of 13 medical testing facilities in and around Milwaukee, is notifying 114,985 patients that some of their protected health information was compromised in the AMCA data breach. On June 3, 2019, AMCA informed WDL that some of its patients’ data had been compromised as a result of the hacking of a web payment portal. The hacker gained access to the payment page on August 1, 2018. The breach was detected on March 30, 2019 and unauthorized access was terminated. The types of information in AMCA systems were limited to patients’ names, dates of birth, dates of service, names of lab or medical service providers, referring physician’s name, balances owed to WDL, and other medical information related to the services provided by WDL. No Social Security numbers or lab test results were compromised in the breach. A limited number of individuals also...

OMB Audit Confirms HHS Information Security Program is “Not Effective”
Aug27

The Office of Management and Budget (OMB) has submitted its annual report to Congress on the state of cybersecurity in federal agencies, as required by the Federal Information Security Modernization Act of 2014 (FISMA). For the report, OMB assessed 4 of the 12 operating divisions of the Department of Health and Human Services (HHS) for compliance with FISMA and determined the HHS security program was ‘not effective.’ The agency had not achieved a Managed and Measurable level of maturity for the Identify, Protect, Detect, Respond and Recover functional areas. The HHS was determined to be managing risk in the ‘Detect’ functional area but was at risk in the other four functional areas. The HHS has been working on improving its security posture and progress has been made, but there is still a long way to go. OMB found major weaknesses in multiple areas, including identity and access management, risk management, contingency planning, and incident response. OMB notes that since the HHS is operating in a federated environment, there are many challenges in achieving a ‘Managed and...

July 2019 Healthcare Data Breach Report
Aug26

May 2019 was the worst ever month for healthcare data breaches with 46 reported breaches of more than 500 records. More breaches were reported in May than any other month since the HHS’ Office for Civil Rights started publishing breach summaries on its website in 2009. That record of 44 breaches was broken in July. July saw 50 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which is 13 more breaches than the monthly average for 2019 and 20.5 more breaches than the monthly average for 2018. July 2019 was the second worst month in terms of the number of healthcare records exposed. 25,375,729 records are known to have been exposed in July. There are still 5 months left of 2019, yet more healthcare records have been breached this year than in all of 2016, 2017, and 2018 combined. More than 35 million individuals are known to have had their healthcare records compromised, exposed, or impermissibly disclosed this year.

Causes of July 2019 Healthcare Data Breaches

The main reason for the increase in...

HHS Proposes Rule Easing Restrictions on Substance Use Disorder Treatment Records
Aug23

The Substance Abuse and Mental Health Services Administration (SAMHSA) has proposed a new rule that loosens restrictions on substance use disorder (SUD) treatment records, aligning Part 2 regulations more closely with HIPAA. The new rule, proposed on August 22, is the first element of the HHS’s Regulatory Sprint to Coordinated Care initiative, which will also see changes made to HIPAA, the Anti-Kickback Statute, and Stark Law. SUD treatment records are covered by Confidentiality of Substance Use Disorder Patient Records regulations – 42 CFR Part 2 (Part 2). Part 2 pre-dates HIPAA by two decades and was introduced at a time when there were no broader privacy and security standards for health data. Part 2 regulations were required to protect the privacy of patients by severely restricting the allowable uses and disclosures of SUD treatment records. When Part 2 was introduced, there was a stigma associated with SUD and without privacy protections, many individuals suffering from the disorder may have avoided seeking treatment. Since 1975, further privacy and security laws have...

32% of Healthcare Employees Have Received No Cybersecurity Training
Aug21

There have been at least 200 breaches of more than 500 records reported since January and 2019 looks set to be another record-breaking year for healthcare data breaches. The continued increase in data breaches prompted Kaspersky Lab to conduct a survey to find out more about the state of cybersecurity in healthcare. Kaspersky Lab has now published the second part of its report from the survey of 1,758 healthcare professionals in the United States and Canada. The study provides valuable insights into why so many cyberattacks are succeeding. Almost a third of surveyed healthcare employees (32%) said they have never received cybersecurity training in the workplace. Security awareness training for employees is essential. Without training, employees are likely to be unaware of some of the cyber threats that they will encounter on a daily basis. Employees must be trained how to identify phishing emails and told of the correct response when a threat is discovered. The failure to provide training is a violation of HIPAA. Even when training is provided, it is often insufficient. 11% of...

FINAL CALL to Take Part in Emergency Preparedness and Security Trends in Healthcare Survey
Aug19

Each year, Rave Mobile Safety conducts a survey to identify healthcare security trends and determine the state of emergency preparedness in the healthcare industry. For the 2020 Emergency Preparedness and Security Trends in Healthcare report, insight is being sought from leaders in the healthcare community. Many HIPAA Journal readers have already participated in last year’s survey and have provided information on the measures that have been deployed to improve safety in emergency situations. Their answers will be used to gain an overview of emergency preparedness throughout the United States. If you have not already participated, you are invited to share your feedback in this anonymous survey (click here). This is an opportunity for you to find out how your healthcare industry colleagues nationwide communicate in emergency preparedness and security matters and where they expect to take these practices next. You can participate completely anonymously. After you complete the survey, you will have the opportunity to enter into a raffle for a $200 gift card from the survey sponsor. If...

Study Reveals Widespread Noncompliance with HIPAA Right of Access
Aug16

A recent study conducted by the health manuscript archiving company medRxiv has revealed widespread noncompliance with the HIPAA right of access. For the study, the researchers sent medical record requests to 51 healthcare providers and assessed the experience of obtaining those records. The companies were also assessed on their response versus the requirements of HIPAA. In each case, the record request was a legitimate request for access to patient data. The requests were made to populate a new consumer platform that helps patients obtain their medical records. Record requests were sent for 30 patients at a rate of 2.3 medical requests per patient. Each of the providers was scored based on their response to the request and whether they satisfied four requirements of HIPAA – accepting a request by email/fax, sending the records in the format requested by the patient, providing records within 30 days, and only charging a reasonable fee. Providers were given a 1-star rating for simply accepting a patient record request. Providers received a second star for satisfying the request and...

Hackers Demand $1 Million Ransom from Washington Hospital
Aug15

A ransomware attack on an Aberdeen, WA hospital and associated clinics is still causing problems two months after the attack occurred. The attackers have demanded $1 million for the keys to unlock the encryption. On June 15, 2019, Grays Harbor Community Hospital started experiencing IT problems. The attack occurred on a Saturday when staffing was limited, so initially the problem was attributed to an IT issue. On Monday it became apparent that ransomware was involved and steps were taken to isolate the infection and secure the network; however, the attackers had already moved laterally and had gained access to servers and the systems used by Harbor Medical Group clinics. The initial point of attack appears to have been a response to a phishing email by a single employee. Harbor Medical Group operates 8 clinics in the Aberdeen and Hoquiam region, and those clinics were the worst affected by the attack. Grays Harbor Community Hospital used older software, which prevented the ransomware from being installed on the hospital’s main computer system. The clinics used more recent software,...

State Attorneys General Urge Congress to Align Part 2 Regulations with HIPAA
Aug14

The National Association of Attorneys General (NAAG) has urged leaders of the House and Senate to make changes to the Confidentiality of Substance Use Disorder Patient Records regulations, known as 42 CFR Part 2. The regulations in question, which NAAG called “cumbersome [and] out-of-date,” restrict the uses and disclosures of substance abuse treatment records. Under HIPAA, protected health information (PHI) can be shared between providers and caregivers for purposes related to treatment, payment, and healthcare operations without first obtaining consent from the patient. 42 CFR Part 2 prohibits the sharing of addiction treatment information by federally assisted treatment programs unless consent to do so has been obtained from the patient. The Part 2 regulations were created more than 40 years ago to ensure the privacy of patients was protected and to ensure that patients would not face any legal or civil consequences from seeking treatment for substance abuse disorder. NAAG argues that the regulations were created at a time when there was an “intense stigma” surrounding substance...

GAO Discovers Widespread Cybersecurity Risk Management Failures at Federal Agencies
Aug07

The Government Accountability Office (GAO) conducted a study of 23 federal agencies and found widespread cybersecurity risk management failures. Federal agencies are targeted by cybercriminals, so it is essential for safeguards to be implemented to protect against those threats. Federal law requires government agencies to adopt a risk-based approach to cybersecurity to identify, prioritize, and manage cybersecurity risks. The GAO was asked to conduct its review to determine whether federal agencies had established the key elements of a cybersecurity risk management program, what challenges were faced when developing those programs, and what steps had been taken by the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) to address their responsibilities with respect to addressing cybersecurity challenges faced by federal agencies. The study revealed that all but one of the 23 federal agencies (22) had appointed a cybersecurity risk executive, but other important elements of the risk management program had not been incorporated at many of the agencies assessed for the...

Judge Approves $74 Million Premera Blue Cross Data Breach Settlement
Aug05

A Federal District Judge has given preliminary approval to a proposed $74 million settlement to resolve a consolidated class action lawsuit against Premera Blue Cross for its 2014 data breach of more than 10.6 million records. US District Judge Michael Simon determined that the proposed settlement was fair, reasonable and adequate based on the defense’s case against Premera and the likely cost of continued litigation. The settlement will see $32 million made available to victims of the breach to cover claims for damages of which $10 million will reimburse victims for costs incurred as a result of the breach. The remaining $42 million will be used to improve Premera’s security posture over the next three years. Data security improvements are necessary. Internal and third-party audits of Premera before and after the data breach uncovered multiple vulnerabilities. Premera had been warned about the vulnerabilities prior to the breach and failed to take action. That lack of action allowed hackers to gain access to its network. Further, it took almost a year for Premera to determine that...

First Half of 2019 Sees 31.6 Million Healthcare Records Breached
Aug02

It has been a particularly bad six months for the healthcare industry. Data breaches have been reported in record numbers and the number of healthcare records exposed on a daily basis is extremely concerning. The trend of more than one healthcare data breach a day has continued throughout 2019, even reaching a rate of 2 per day in May. According to the 2019 Mid-Year Data Breach Barometer Report from Protenus and Databreaches.net, 31,611,235 healthcare records were breached between January 2019 and June 2019. To put that figure into perspective, it is double the number of records exposed in healthcare data breaches in the entirety of 2018 (14,217,811 records). One breach stands out from the 285 incidents reported in the first half of the year: The data breach at American Medical Collection Agency (AMCA). A batch of stolen credentials on a dark net marketplace was traced back to AMCA, which discovered its payment web page had been compromised for months. It is not yet known exactly how many healthcare records were exposed in the incident, but 18 clients are known to have been...

DHS Issues Best Practices to Safeguard Against Ransomware Attacks
Aug01

Ransomware appeared to have gone out of fashion in 2018, but that is certainly not the case in 2019. Q1 2019 saw a 195% increase in ransomware attacks and a further 184% increase in Q2. Judging by the number of ransomware attacks reported in the past few weeks, the Q3 figures are likely to be even worse. States, cities, and local governments have been extensively targeted, as has the healthcare industry. Many victims have been forced to pay sizable ransoms to regain access to critical data. Others have been forced to permanently close their doors. In response to the growing number of attacks, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing & Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) have issued a joint statement in which recommendations are given to help improve resilience to ransomware attacks. The statement was issued primarily to state, local, territorial and tribal governments, although the...

More than 522,000 Puerto Rico Patients Impacted by Ransomware Attack
Jul30

More than half a million patients in Bayamón, Puerto Rico have been affected by a ransomware attack on a medical center and its associated hospital. Bayamón Medical Center and Puerto Rico Women and Children’s Hospital discovered on May 21, 2019 that their computer systems had been infected with ransomware. The ransomware encrypted a wide range of files and prevented hospital staff from accessing patient information ‘for a short period of time,’ according to a July 19, 2019 press release announcing the attack. Approximately 522,000 current and former patients are being notified about the ransomware attack as a precautionary measure. The internal investigation into the attack confirmed that patient information was affected, but no evidence of unauthorized data access or theft was identified. The information potentially compromised was limited to names, demographic information, clinical information, financial information, and in some cases, diagnosis information, dates of birth, and Social Security numbers. The ransomware attack only rendered data temporarily inaccessible and...

HIPAA Compliance and Cloud Computing Platforms
Jul28

Before cloud services can be used by healthcare organizations for storing or processing protected health information (PHI) or for creating web-based applications that collect, store, maintain, or transmit PHI, covered entities must ensure the services are secure. Even when a cloud computing platform provider has HIPAA certification, or claims their service is HIPAA-compliant or supports HIPAA compliance, the platform cannot be used in conjunction with ePHI until a risk analysis – see 45 CFR § 164.308(a)(1)(ii)(A) – has been performed. A risk analysis is an essential element of HIPAA compliance for cloud computing platforms. After performing a risk analysis, a covered entity must establish risk management policies in relation to the service – 45 CFR § 164.308(a)(1)(ii)(B). Any risks identified must be managed and reduced to a reasonable and appropriate level. It would not be possible to perform a comprehensive, HIPAA-compliant risk analysis unless the covered entity fully understands the cloud computing environment and the service being offered by the platform...

NIST Releases Draft Mobile Device Security Guidance for Corporately-Owned Personally-Enabled Devices
Jul26

The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) has issued draft mobile device security guidance to help organizations improve the security of corporately-owned personally-enabled (COPE) mobile devices and reduce the risk the devices pose to network security. Mobile devices are now essential in modern business. They provide easy access to resources and data and allow employees to work more efficiently. Mobile devices are increasingly being used to perform everyday enterprise tasks, which means they are used to access, view, and transmit sensitive data. The devices introduce new threats to the enterprise that do not exist for traditional IT devices such as desktop computers, and mobile devices are subject to different types of attacks. A different approach is therefore required to ensure mobile devices are secured and risks are effectively managed. Mobile devices are typically always on and always connected to the Internet, and they are often used to access corporate networks remotely via untrusted networks. Malicious...

How to Choose the Right Healthcare Cloud Provider
Jul24

Healthcare organizations often turn to a HIPAA compliant cloud vendor or Managed Service Provider to help them ensure electronic patient records are secured and they are in compliance with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA contains an extensive set of rules for healthcare organizations which were introduced in 1996 to improve privacy and security of patient information, eliminate waste in healthcare, and combat fraud. This legislative act introduced new and legally binding requirements for healthcare providers to secure their systems, improve privacy and security protections, and keep health data private and confidential at all times. The Act and its subsequent updates have served to strengthen privacy protections, give patients new rights, and ensure that all healthcare organizations achieve a minimum standard of data security. It may seem that HIPAA is at odds with cloud computing, but there is nothing in HIPAA legislation that prohibits use of the cloud for sharing or storing patient data. HIPAA covered entities can use cloud platforms and...

2019 Cost of A Data Breach Study Reveals Increase in U.S. Healthcare Data Breach Costs
Jul24

The Ponemon Institute/IBM Security has published its 2019 Cost of a Data Breach Report – a comprehensive analysis of data breaches reported in 2018. The report shows data breach costs have continued to rise and the costliest breaches are experienced by healthcare organizations, as has been the case for the past 9 years.

Average Data Breach Costs $3.92 Million

Over the past five years, the average cost of a data breach has increased by 12%. The global average cost of a data breach has increased to $3.92 million. The average breach size is 25,575 records and the cost per breached record is now $150, up from $148 last year. Globally, the healthcare industry has the highest breach costs with an average mitigation cost of $6.45 million. Healthcare data breaches typically cost 65% more than data breaches experienced in other industry sectors. Data breach costs are the highest in the United States, where the average cost of a data breach is $8.19 million – or $242 per record. The average cost of a healthcare data breach in the United States is $15 million. Healthcare Data Breaches Cost...

June 2019 Healthcare Data Breach Report
Jul24

For the past two months, healthcare data breaches have been reported at a rate of 1.5 per day – well above the typical rate of one per day. In June, data breaches returned to more normal levels, with 30 breaches of more than 500 healthcare records reported – 31.8% fewer than in May 2019. While the number of reported data breaches fell, June saw a 73.6% increase in the number of health records exposed in data breaches. 3,452,442 healthcare records were exposed in the 30 healthcare data breaches reported in June.

Largest Healthcare Data Breaches in June 2019

The increase in exposed records is due to a major breach at the dental health plan provider Dominion Dental Services (Dominion National Insurance Company). Dominion discovered an unauthorized individual had access to its systems and patient data for 9 years. During that time, the protected health information of 2,964,778 individuals may have been stolen. That makes it the largest healthcare data breach to be reported to the Office for Civil Rights so far in 2019 – at least for a month until entities affected by...

Equifax Agrees to Pay up to $700 Million to Settle Data Breach Case
Jul23

Equifax has agreed to settle its federal data breach case for a minimum of $575 million. The settlement will potentially rise to $700 million and also requires considerable improvements to be made to enhance security and better protect consumer data. In 2017, Equifax experienced a colossal data breach in which the personal data of 147 million Americans was compromised. Names, dates of birth, addresses, and Social Security numbers were potentially stolen in the attack and the breach victims now have to face an elevated risk of suffering identity theft and fraud. Equifax announced the breach in September 2017. In the two years that followed, Equifax has been called before Congress on multiple occasions to explain how the breach occurred and how the response was being handled. Regulators also investigated Equifax to determine whether reasonable and appropriate security measures had been implemented to protect the vast amounts of consumer data that was stored on its network. The Federal Trade Commission (FTC) determined there had been security failures at Equifax that left the door...

AMCA Victim Count Swells to Almost 25 Million Records
Jul23

The number of healthcare providers confirmed to have been affected by the data breach at American Medical Collection Agency (AMCA) has grown considerably over the past few days. The victim count is now nearing 25 million and 18 healthcare providers are now known to have been affected. The AMCA breach was discovered by its parent company, Retrieval Masters Credit Bureau (RMCB), on March 21, 2019. An investigation was launched to determine the extent of the attack, which revealed the hacker had access to the AMCA payment web page for around 8 months. During that time, the hacker had access to vast quantities of sensitive patient information, including financial information and Social Security numbers. AMCA notified all entities that had been affected by the breach in May 2019; however, only limited information was released. Most of the covered entities affected by the breach were not given sufficient information to allow the affected patients to be identified. Quest Diagnostics was the first to announce that it has been impacted by the breach, closely followed by LabCorp and...

Idaho Hospitals Must Now Comply with New Idaho Patient Rights Rules
Jul19

New rules for hospitals have been implemented in Idaho that give patients new rights. The rules were implemented by the Idaho Department of Health and Welfare (IDHW) and are effective from July 1, 2019. The new rules were suggested by patient advocacy groups and “incorporate standards that parallel—but do not exactly mirror—existing law and/or Medicare conditions of participation for hospitals,” according to IDHW. The policies align with the MyHealthEData initiative, which was launched in 2018 with the aim of removing the barriers to secure access to electronic medical records. Under previous state law, critical access hospitals (CAHs) were not required to comply with many of the regulatory conditions that applied to other healthcare providers. The new rules change that, which will mean new policies and procedures will need to be implemented by CAHs. That will come with a considerable administrative burden. The new rules apply to all hospitals in Idaho as well as any provider that renders services in hospitals. All hospitals and providers have been advised to check their policies...

HHS Declares Limited Waiver of HIPAA Sanctions and Penalties in Louisiana
Jul17

The Secretary of the U.S. Department of Health and Human Services (HHS) has issued a limited waiver of HIPAA sanctions and penalties in Louisiana due to the devastation likely to be caused by Tropical Storm Barry as it made landfall on July 13 as a hurricane. The HHS announced the public health emergency in Louisiana on Friday July 12, 2019. The waiver only applies to healthcare organizations in the emergency area and only for the length of time stated in the declaration. The waiver only applies to specific provisions of the HIPAA Privacy Rule and only for a maximum period of 72 hours after the hospital has implemented its emergency protocol. Once the time period for the waiver ends, healthcare providers will be required once again to comply with all aspects of the HIPAA Privacy Rule, even for patients still under their care at the time the declaration ends, and even if the 72-hour time window has not expired. While a waiver has been issued, the Privacy Rule does not prohibit the sharing of protected health information during disasters to assist patients and make sure they get the care they...

Premera Blue Cross Settles Multi-State Action for $10 Million
Jul12

Premera Blue Cross has agreed to a $10 million settlement to resolve a multi-state data breach lawsuit involving 30 state attorneys general. The settlement resolves alleged violations of state and federal laws that contributed to its 10.4 million record data breach in 2014. A hacker gained access to Premera Health’s network on May 5, 2014 and remained undetected until March 6, 2015. For almost a year the hacker had access to highly sensitive plan member information such as names, contact information, dates of birth, member ID numbers, and Social Security numbers. Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington all participated in the lawsuit. Washington State Attorney General Bob Ferguson led the investigation and looked at the security vulnerabilities that had been exploited by the hacker to gain access to such a large amount of...
