How equipment and security software work together to make sure your business meets HIPAA compliance – Jacksonville Business Journal

Privacy rules are only one aspect of HIPAA. While the entire act revolves around patient privacy, it's not only organizations within the healthcare industry that need to be concerned about HIPAA compliance. Any covered entity or business associate that ...

FDA to Increase Scrutiny of Medical Device Cybersecurity

The Department of Health and Human Services’ Office of Inspector General (OIG) has released a report which recommends the Food and Drug Administration (FDA) should scrutinize medical device cybersecurity controls more closely and more fully integrate cybersecurity into the premarket review process for medical devices.

Currently, the FDA reviews cybersecurity documentation in premarket submissions to ensure medical devices have appropriate cybersecurity controls before approval is given for the devices to be marketed. FDA reviewers apply the 2014 FDA cybersecurity guidance as general principles when reviewing new medical devices, and the agency has taken steps to ensure that devices are assessed against new and emerging threats.

The FDA considers cybersecurity risks and threats that affect specific devices and applies that knowledge to all other devices with similar risk profiles. For example, if there is a known threat to a specific cardiac device from one manufacturer, all other manufacturers’ cardiac devices will be assessed against the same threat.

Reviews of cybersecurity controls include an assessment of the hazard analysis and of the matrices describing the device’s security risks and the controls the manufacturer has implemented to reduce those risks to an acceptable level. Plans for updating software are assessed, software supply chain controls are reviewed, and the manufacturer’s device instructions and recommended cybersecurity controls are evaluated.

In cases where the cybersecurity documentation submitted by manufacturers is insufficient, the FDA requests further information from the manufacturer and seeks clarification on cybersecurity controls when there is any doubt about the level of protection provided. OIG notes that no medical device has been rejected due to cybersecurity issues. In cases where cybersecurity has been a concern, it has been resolved by manufacturers supplying further cybersecurity information.

Overall, the FDA’s assessments of medical device cybersecurity are good, although OIG identified three areas where improvements could be made: The FDA should change internal processes to ensure questions about cybersecurity are asked earlier in the approval process, presubmission meetings should address cybersecurity-related issues, and the FDA’s Refuse-to-Accept checklist should have cybersecurity included in the Smart template. Currently the Smart template does not prompt FDA reviewers to ask specific cybersecurity questions and there is no section where the results of a cybersecurity review can be recorded.

According to OIG, the FDA has welcomed the feedback and has agreed to all three of OIG’s recommendations. Two of the recommendations have already been implemented, with only the Refuse-to-Accept checklist outstanding. With respect to the latter, the FDA has accepted that this change could improve efficiency, as it will ensure that the file contains all the necessary information prior to review. This means it should no longer be necessary for FDA reviewers to contact the manufacturer to ask for further information on cybersecurity.

The FDA has explained that its review process is not static and is constantly evolving and takes into account the changing threat landscape. The FDA is also considering updating rules on network-capable medical devices to ensure that cybersecurity controls are incorporated at the earliest stages of the design process.

The post FDA to Increase Scrutiny of Medical Device Cybersecurity appeared first on HIPAA Journal.

Independence Blue Cross Notifies 17,000 Members of Online Exposure of Their PHI

Independence Blue Cross is notifying thousands of plan members that some of their protected health information has been exposed online and has potentially been accessed by unauthorized individuals.

The Independence Blue Cross privacy office was informed about the exposed information on July 19 and immediately launched an investigation. A leading forensics investigation firm was hired to investigate the incident and establish whether any plan members’ information was accessed during the time it was exposed.

Independence Blue Cross said an employee had uploaded a file containing plan members’ protected health information to a public-facing website on April 23, 2018. The file remained accessible until July 20, when it was removed from the website.

The information contained in the file was limited. No financial information or Social Security numbers were exposed. Affected plan members only had their name, diagnosis codes, provider information, date of birth, and information used for processing claims exposed.

Despite a thorough investigation, it was not possible to determine whether any unauthorized individuals accessed the file during the time it was on the website. No reports have been received to date to suggest any protected health information has been misused.

According to a statement from the health insurer, the breach affects certain Independence Blue Cross members and members of its subsidiaries AmeriHealth HMO and AmeriHealth Insurance Co. of New Jersey. Fewer than 1% of plan members – approximately 17,000 individuals – were affected by the breach.

Affected individuals have now been notified of the breach and, out of an abundance of caution, Independence Blue Cross is offering all affected individuals 24 months of free triple-bureau credit monitoring and identity theft protection services.

The Philadelphia-based health insurer has taken steps to prevent further breaches of this nature and ‘appropriate action’ has been taken with the employee who uploaded the file to the website.


Two Day Seminar: HIPAA Privacy Rule Compliance-Understanding New Rules and Responsibilities of Privacy Officer … – PR Newswire (press release)

This session is designed to provide an intensive, one and a half-day training in HIPAA Privacy Rule compliance designed for both the seasoned HIPAA professional as well as the individual newly appointed to the position of HIPAA Privacy Officer, covering:

CMS: Fairview Southdale Hospital Videotaped Patients Without Knowledge or Consent

The HHS’ Centers for Medicare and Medicaid Services (CMS) has investigated Fairview Southdale Hospital in Edina, MN over an alleged violation of patient privacy and discovered that some patients were videotaped during psychiatric evaluations in the emergency department without their knowledge or consent. The hospital was cited for violating patient privacy.

According to the Star Tribune, the CMS launched an investigation following a complaint from a patient who had been taken to the hospital for a psychiatric evaluation against her will in May 2017. The patient was escorted to the hospital as police officers were concerned about her state of mental health and feared she may cause harm to herself or others.

After being released, the patient took legal action over her admission to the hospital and how she was treated by the police. As part of that lawsuit, the patient requested a copy of the security camera footage from the hospital. While the patient expected to receive a copy of the videotape from the front of the hospital showing her entering the facility, the videotape showed her entire visit, including her psychiatric evaluation and her changing into hospital scrubs. The videotape only showed the patient’s back as she was getting changed.

The patient was horrified that the entire visit had been recorded without her knowledge and claimed that there were no warning signs in the emergency room advising patients that they were being recorded.

Fairview Southdale Hospital does indicate on its consent form for treatment that patients may be videotaped for the purpose of medical education, but in this case the patient refused to read or sign the consent form, as she was not in the hospital of her own free will and had refused treatment.

Fairview Southdale Hospital cooperated fully with the investigation and informed the CMS that eight additional video cameras had been installed in the emergency department rooms used for psychiatric evaluations, following an increase in the number of incidents in which patients had become violent.

CMS found that cameras were used in those rooms, although there were no signs warning patients that they were being videotaped. The camera footage was visible in the nursing station but was out of public view.

Typically, footage from the cameras is permanently erased, although in this case the footage was retained as the patient had also made a complaint to the hospital about her visit.

Sue Abderholden, executive director of the Minnesota chapter of the National Alliance on Mental Illness, told the Star Tribune, “Healthcare facilities that videorecord patients for security reasons should notify them… If you’re going to do it, there should be a sign and you should orally tell the person.”

Following the investigation, the hospital retrained staff and instructed its nurses to inform patients that they may be filmed during their emergency room visits. Privacy screens have now been installed to prevent patients from being filmed while changing, and from September the hospital has discontinued recording video footage, but it will continue to use the cameras for medical education purposes and for safety reasons.


Fetal Diagnostic Institute of the Pacific Experiences Ransomware Attack

The Fetal Diagnostic Institute of the Pacific (FDIP) in Honolulu, HI, experienced a ransomware attack on June 30, 2018. File-encrypting software was installed on an FDIP server and encrypted a wide range of file types, including patient medical records.

FDIP engaged the services of a leading cybersecurity company to conduct a full investigation into the breach to determine whether patient data was accessed by the attackers and also to assist with breach remediation. The investigation did not uncover any evidence to suggest that patients’ protected health information was accessed, viewed, or stolen by the individuals behind the attack, although it was not possible to rule out data access and data theft with a high level of confidence.

Consequently, the incident is being treated as a HIPAA breach, patients are being notified, and the Department of Health and Human Services’ Office for Civil Rights (OCR) has been informed.

An analysis of the files encrypted by the ransomware revealed they contained a range of protected health information. Patients affected by the security breach may have had their full name, home address, date of birth, account number, diagnoses, and “other types of information” exposed. No financial information was exposed as a result of the attack. The breach report submitted to OCR indicates 40,800 current and former patients have been affected by the breach.

FDIP reports that prompt action was taken to address the breach, remove the malicious software, and restore all encrypted files. Its systems have now been cleaned and no trace of any malware remains. Steps have also been taken to improve security protections to prevent further security breaches and unauthorized disclosures of patient data.

FDIP does not expect patients to experience any harm as a result of the ransomware attack, although patients have been urged to get in touch with FDIP immediately if they become aware of any suspicious activity that they believe is related to the breach.

This is only the fifth data breach of more than 500 records to have been reported to OCR by a Hawaii-based covered entity since data breach summaries first started being published by OCR in 2009.


HIPAA Privacy Rule Compliance-Understanding New Rules and Responsibilities of Privacy Officer (Boston, United … – The Courier-Express

This session will focus on understanding what are the challenges that a HIPAA Privacy Officer faces today, and what are the areas of HIPAA that are changing. The session will discuss the latest topics of interest in detail and describe how they relate ...


HIPAA Privacy Rule Compliance-Understanding New Rules and Responsibilities of Privacy Officer (Boston, United … – Insurance News Net

While the HIPAA rules have been in place for years now, the focus of their application has recently changed as technologies and practices have changed, and changes to the rules are also on the horizon. In addition, there are changes in other ...
