Another Key to HIPAA Compliance – Have Policies and Procedures and Implement Them, Too – JD Supra (press release)

Another Key to HIPAA Compliance – Have Policies and Procedures and Implement Them, Too
JD Supra (press release)
Both the HIPAA Security Rule and the Privacy Rule require the creation, maintenance, and implementation of reasonable, documented policies and procedures. Under the Privacy Rule, an organization must evaluate “the size and type of activities that ...

Healthcare Hacking Incidents Overtook Insider Breaches in July

Throughout 2017, the leading cause of healthcare data breaches has been insiders; however, in July hacking incidents dominated the breach reports.

Almost half of the breaches (17 incidents) reported in July for which the cause of the breach is known were attributed to hacking, which includes ransomware and malware attacks. Ransomware was involved in 10 of the 17 incidents.

The Protenus Breach Barometer report for July shows there were 36 reported breaches – the third lowest monthly total in 2017 and a major reduction from the previous month, when 52 data breaches were reported – the worst month of the year to date by some distance.

In July, 575,142 individuals are known to have been impacted by healthcare data breaches, although figures have only been released for 29 of the incidents. The worst breach reported in July – a ransomware attack on Women’s Health Care Group of PA – impacted 300,000 individuals.

While hacking incidents are usually fewer in number than insider breaches, they typically result in the theft or exposure of the most healthcare records. July was no exception. Protenus reports that 21 times more records were exposed or stolen as a result of hacking incidents than in breaches involving insiders. Hacking incidents accounted for 516,053 of the 575,142 known victims in July.

There were 8 confirmed insider breaches (22.2% of the total), which resulted in the theft or exposure of 24,212 records. Three were attributed to errors by insiders and five to insider wrongdoing. A further 8.3% of the breaches were due to loss or theft, with three incidents involving the theft of physical records.

At the end of July, the Department of Health and Human Services’ Office for Civil Rights’ cybersecurity newsletter highlighted the risk from phishing attacks, reminding HIPAA-covered entities of the need to conduct security awareness training. July was a particularly bad month for phishing, with 5 phishing incidents reported.

The majority of breaches were experienced by healthcare providers (80.5%) followed by health plans (8.3%) and business associates (5.5%). More business associates may have been involved in the breaches according to Protenus, although insufficient data was available to confirm this. 5.5% of the breaches were attributed to other entities, including one fire dispatch center.

Over the past few months, the time taken by covered entities to report data breaches has improved, with June seeing virtually all breaches reported inside the 60-day window stipulated by the HIPAA Breach Notification Rule. However, there was a slight deterioration in July. The average time to report the breaches was 67.5 days, although the median was 60 days.

It should be noted that unnecessarily delaying breach reports is a violation of HIPAA Rules. Healthcare organizations should not wait until the 60-day deadline arrives before sending notification letters to patients/plan members and informing OCR.

The time taken to discover data breaches is poor in the healthcare industry. In July, the average time to discover a breach was 503 days (median was 79.5 days). The average time was skewed by a single breach that took an astonishing 14 years to discover – a breach involving an insider who had been snooping on patient records.

California, Georgia, and Indiana topped the list for the states worst affected by healthcare data breaches with three incidents apiece.

The post Healthcare Hacking Incidents Overtook Insider Breaches in July appeared first on HIPAA Journal.

Lake Health Informs OB Patients of TriPoint Medical Center Breach

A log book containing the protected health information of approximately 750 obstetrics patients of TriPoint Medical Center in Concord Township, Ohio has been discovered to be missing.

All obstetrics departments are required by the Ohio Department of Health to maintain a log book detailing deliveries. The log book contained only limited protected health information of patients and the loss/theft of the logbook did not result in the exposure of any highly sensitive information such as Social Security numbers, financial information, or details of health insurance.

However, out of an abundance of caution, all individuals affected by the incident have been notified of the breach by mail and have been offered membership to an identity theft protection program for 12 months without charge.

Lake Health, which operates the medical center, was informed of the lost logbook in June and launched an investigation and conducted a risk assessment the same day. While the logbook has not been located, Lake Health has confirmed that none of the information in the log book has been lost. All information is transferred from the log book to its computer system and the digital copies are stored securely.

The Ohio Department of Health does not stipulate that log books be maintained in physical form. To improve security, Lake Health has updated its policies and procedures and the log book is now maintained in secure, digital form. Additionally, the incident has prompted Lake Health to provide further training for all obstetrics department employees on privacy and security.

Marketing and Business Development Senior Vice President Richard D. Cicero issued a statement saying Lake Health “deeply regrets this incident” and is committed to protecting the privacy and security of patients’ sensitive information. He explained, “We have rigorous processes and procedures in place to detect breaches of patients’ rights and to protect patients in the event of a breach.”

The post Lake Health Informs OB Patients of TriPoint Medical Center Breach appeared first on HIPAA Journal.

Ransomware Attack Suffered by Cove Family and Sports Medicine

A ransomware attack on Cove Family and Sports Medicine and Krichev Family Medicine, P.C., in Huntsville, Alabama resulted in the medical records and personal information of 4,300 patients being encrypted.

Ransomware was installed on April 14, 2017. Cove Medicine had backed up its data and was able to reinstall its operating system and recover encrypted files from backups, without having to resort to paying the ransom.

However, while the majority of PHI could be recovered, the backup devices were connected to its system at the time of the attack and some of the backed-up data were also encrypted. Consequently, some information could not be recovered. Lost data was restricted to internal notes taken during visits dating back two years. Cove Medicine believes all other data have been recovered and that its ability to provide medical services to patients has not been affected.

Some ransomware attacks have involved data theft although, in this case, no evidence of data theft has been uncovered and there was no indication systems were accessed prior to the deployment of ransomware. The purpose of the attack is believed to have solely been an attempt to extort money from the practice.

Notifications have been sent to patients to alert them to the ransomware attack out of an abundance of caution, even though ePHI access is not suspected. The types of information encrypted in the attack included names, addresses, dates of birth, Social Security numbers, patient ID numbers, diagnoses, procedure information, times and dates of treatment, and prescription information.

As with all breaches involving more than 500 records, the Department of Health and Human Services’ Office for Civil Rights (OCR) conducts an investigation. Provided organizations have implemented controls to reduce the risk of malware and ransomware attacks to the standard required by HIPAA, no further action is likely to be taken.

In this case, OCR was satisfied that Cove Family and Sports Medicine had implemented all appropriate controls and HIPAA Rules had not been violated. The investigation was closed with no further action required.

This ransomware attack clearly demonstrates how important it is for healthcare organizations to ensure backup devices are disconnected after backups have been performed. If backup devices are not air-gapped, backup files can be encrypted along with all other files on the infected computer and network.

If backups are encrypted, healthcare organizations will have little alternative but to pay the ransom. As the NotPetya (ExPetr) wiper attacks clearly showed, it may not be possible to recover data even if a ransom is paid.
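The point above, that a backup reachable from the infected host is a backup that gets encrypted with everything else, is easy to turn into a routine. The script below is an added example, not code from HIPAA Journal or from the practice described; it assumes a dedicated backup disk mounted at a path you supply and uses only POSIX tar, chmod and find, plus util-linux `mountpoint`/`umount` when present.

```shell
#!/bin/sh
# Added example (not from the original article): connect, back up, verify,
# then detach the backup volume so ransomware on this host cannot reach it.
# Assumption: the backup destination is a mount point for a removable disk;
# when it is not a mount point (e.g. a test directory) the detach is a no-op.
set -eu

# Archive SRC into a timestamped tar file under DEST and print its path.
make_backup() {
    src="$1"; dest="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/backup-$stamp.tar"
    tar -C "$src" -cf "$archive" .
    # Read-only guards against accidental overwrites; it does NOT stop
    # malware running as the same user, which is why detaching matters.
    chmod 0444 "$archive"
    printf '%s\n' "$archive"
}

# Confirm the archive is readable and non-empty before trusting it.
verify_backup() {
    archive="$1"
    entries=$(tar -tf "$archive" | wc -l | tr -d ' ')
    [ "$entries" -gt 0 ]
}

# Unmount the backup volume; succeeds only if nothing is mounted there afterwards.
# An infected host can only encrypt what it can write to.
detach_backup() {
    mnt="$1"
    if mountpoint -q "$mnt" 2>/dev/null; then
        sync
        umount "$mnt"
    fi
    ! mountpoint -q "$mnt" 2>/dev/null
}

# Number of files still owner-writable under a path; a properly detached
# or read-only backup target reports 0 (checked with -perm -200 for portability).
writable_count() {
    find "$1" -type f -perm -200 2>/dev/null | wc -l | tr -d ' '
}
```

Run `writable_count` against the backup path as the last step of the job and alert if it is non-zero; that is the check that catches a backup drive left attached.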

The post Ransomware Attack Suffered by Cove Family and Sports Medicine appeared first on HIPAA Journal.

Security Incidents Experienced by More Than a Third of Organizations in the IoT Medical Device Sphere

A recent Deloitte survey of 370 professionals with involvement in the IoT medical device ecosystem revealed that more than a third (36%) of organizations have experienced a security incident related to those devices in the past year.

Respondents were medical device or component manufacturers, healthcare IT organizations, medical device users or regulators.

When asked about the biggest challenges with IoT medical devices, 30% said identifying and mitigating risks of fielded and legacy connected devices was the biggest cybersecurity challenge. Other major challenges were incorporating vulnerability management into the design process (20%), monitoring for and responding to cybersecurity incidents (20%), and the lack of collaboration on threat management throughout the medical device supply chain (18%). 8% of respondents rated meeting regulatory requirements as the biggest challenge.

Identifying and mitigating risks is only part of the problem. There will be times when cyberattacks succeed and malicious actors gain access to the devices. Healthcare organizations and device manufacturers must be prepared to deal with incidents when they occur. When asked how prepared they were to deal with breaches, subsequent litigation or regulatory matters, only 19% of respondents said they were very prepared. 56% said they were somewhat prepared while 13% said they were not prepared at all.

Devices currently being developed can have cybersecurity incorporated at an early stage, which makes securing the devices for the entire lifecycle of the products far easier. For devices already in use, cybersecurity is a major concern. Many of the devices are running on outdated operating systems or are connected to networks that lack appropriate security controls.

Unfortunately, since each device has different cybersecurity requirements and operates in a different way, securing the devices is not straightforward. Cybersecurity controls need to be applied to the device, but also to the networks that the devices connect to, according to Russell Jones, risk and financial advisory partner at Deloitte & Touche LLP. Jones said that when it comes to medical device cybersecurity, “There is no magic bullet solution.”

Device manufacturers can certainly do more to incorporate cybersecurity controls into their devices, but to make the devices truly secure, there needs to be collaboration between providers, manufacturers, and suppliers. As Jones explained, “This is a problem that requires the industry as a whole to come together and create a safe space where feedback and information can be shared freely.”

The number of IoT devices now being used has grown considerably and as more devices are connected to healthcare networks, managing the devices and monitoring for vulnerabilities becomes an even bigger problem.

Healthcare organizations must have an IoT management and security solution in place, as it is simply not possible to manage security manually. Without such a solution offering IT teams visibility and control over the devices, it is not possible to manage and mitigate vulnerabilities.

Deloitte does offer some suggestions about improving medical device cybersecurity, suggesting healthcare organizations:

  • Implement a domain hierarchy – Formalize, organize, and structure medical device cybersecurity activities and governance to ensure patient safety and respond more quickly to regulators, legal matters, or internal investigations. Deloitte recommends that work instructions and templates be developed for each unique device, while documentation of QMS protocols should be centralized and regularly updated.
  • Conduct product security risk assessments at least annually – Risk assessment should be an ongoing process, with assessments repeated when business processes change, suppliers change, or acquisitions and divestitures occur.
  • Take a forensic approach to incident response – When devices are compromised, the incident timeline must be determined, anomalous behavior should be detected, and organizations must determine what data were exposed or accessed.

The post Security Incidents Experienced by More Than a Third of Organizations in the IoT Medical Device Sphere appeared first on HIPAA Journal.