Author Archives: HIPAA Journal

Data Access and Sharing Risks Identified at National Institutes of Health

The Department of Health and Human Services’ Office of Inspector General (OIG) has published a report of the findings of an audit of the National institutes of Health (NIH). The NIH is the primary government biomedical and public health research agency in the United States and one of the foremost medical research centers in the world.

The audit was conducted to determine whether adequate controls had been implemented for permitting and monitoring access to sensitive NIH data. OIG reviewed internal controls, policies, procedures, and supporting documentation, and conducted interviews with internal staff.

While controls had been implemented at NIH to restrict access to sensitive data, OIG identified several areas where improvements could be made to bolster security and several recommendations were made.

OIG recommended NIH should develop a security framework, conduct risk assessments, implement additional security controls to safeguard sensitive data, and should start working with an organization that has expertise and knowledge of misuse of scientific data. NIH did not concur with any of those recommendations.

OIG also recommended that mechanisms should be implemented to ensure that its data security policies remain current and reflect the rapidly changing threat landscape and that security awareness training and security plans should be made a requirement.

NIH concurred with those recommendations but did not agree to implement controls to ensure that training and security plan requirements are fulfilled. NIH explained that it had already established a working group to address risks and vulnerabilities to the confidentiality of intellectual property and protect the integrity of the peer review process.

OIG maintained that the findings of its auditors were accurate and the recommendations were valid. Detailed information on potential actions that could be taken to address its findings and recommendations was provided to NIH. OIG recommended that if NIH decides not to strengthen its controls that the decision should be documented in line with Federal regulations and guidance.

The post Data Access and Sharing Risks Identified at National Institutes of Health appeared first on HIPAA Journal.

16-Month Malware Infection at Florida Pulmonary & Sleep Medicine Center Impacts 42,000 Patients

AdventHealth Medical Group’s Pulmonary & Sleep Medicine in Tavares, FL, formerly known as Lake Pulmonary Critical Care, has discovered hackers gained access to its systems and may have viewed or obtained the protected health information of up to 42,161 patients.

Hackers first gained access to the Pulmonary & Sleep Medicine center’s systems in August 2017 as a result of the installation of malware. The malware infection was not discovered until December 27, 2018.

The malware was removed and its systems were secured and an investigation was launched to determine the extent of the breach and which patients had been affected.

The investigation revealed the hackers gained access to parts of its system where patients’ protected health information was stored. The information that was potentially accessed included names, addresses, email addresses, telephone numbers, dates of birth, health insurance information, Social Security numbers, medical histories, and the race, gender, weight, and height of patients.

It is unclear how the malware was installed and why it took 16 months to discover the malicious software. AdventHealth has since implemented additional system safeguards to prevent future cyberattacks and has enhanced system audits to ensure that any future breaches are detected more rapidly.

AdventHealth started sending breach notification letters to affected patients on January 25, 2019. All patients whose protected health information was exposed have been offered complimentary credit monitoring, fraud consultation, and identity theft restoration services through Kroll for 12 months. Patients have been advised to monitor their explanation of benefits statements from their insurers for any signs of misuse of their insurance information.

The post 16-Month Malware Infection at Florida Pulmonary & Sleep Medicine Center Impacts 42,000 Patients appeared first on HIPAA Journal.

Healthcare Email Fraud Attacks Have Increased 473% in 2 Years

A recent report from Proofpoint has revealed healthcare email fraud attacks have increased 473% in the past two years.

Email fraud, also known as business email compromise (BEC), is one of the biggest cyber threats faced by businesses. Successful attacks can result in losses of hundreds of thousands or even millions of dollars. Figures from the FBI suggest that globally, $12.5 billion has been lost to these email fraud attacks since 2013.

These email attacks are highly targeted and typically involve the spoofing of email addresses to make emails appear to have been sent internally or from a trusted individual. They often involve the use of a genuine email account within an organization that has previously been compromised in a phishing or spear phishing attack.

The attacks are usually conducted to obtain sensitive data such as employee tax information or patient information, to obtain credentials to be used in further attacks, and for wire fraud. Wire fraud is the most common form of email fraud in healthcare.

For the report, Proofpoint analyzed more than 160 billion emails sent by organizations in 150 countries between Q1, 2017 and Q4, 2018. 473% more healthcare email fraud attacks were conducted in Q4, 2018 than Q1, 2017.

Healthcare organizations were targeted in an average of 96 email fraud attacks every quarter. 53% of healthcare organizations were attacked more often and experienced between 200% and 600% more attacks. Within targeted healthcare organizations, an average of 65 staff members were attacked in Q4, 2018. None of the healthcare organizations studied experienced a decrease in email fraud attacks over the period of study.

On average, 15 healthcare staff members were spoofed in the attacks with 49% of organizations attacked using at least 5 identities. Over three quarters of healthcare organizations had more than 5 employees targeted in the attacks. The median number was 23. Most employees were targeted due to their role within the company.

95% of targeted healthcare organizations experienced attacks using their own trusted domain and 100% of attacked organizations had their domain spoofed in attacks on their business partners and patients. Proofpoint rated 45% of all emails sent from healthcare domains as suspicious in Q4, 2018, 65% of which were sent internally to employees, 42% to patients, and 15% to business partners.

Proofpoint analyzed email fraud attack in multiple industry sectors. Healthcare was the only industry where there was a correlation between company size and the number of attacks, with larger organizations being targeted much more often than smaller healthcare organizations.

The most commonly used categories of subject line in the emails were ‘Payment’, ‘Request’, and ‘Urgent.’ Blank subject lines were also common. The emails were mostly sent during business hours, Monday to Friday. 70% of messages were sent between 7am and 1pm.

33% of emails were sent from free-to-use email accounts such those offered by Gmail, AOL, Inbox, RR, and Comcast, with the display name changed.

In addition to spoofing a healthcare domain, lookalike domains are often used – Those with misspellings, transposed letters, or additional characters added to the domain name. 67% of healthcare organizations experienced attacks using lookalike domains.

Protecting against email fraud attacks requires multi-layered defenses. Staff should receive training and taught to look for the signs of a possible email fraud attack. Email fraud attack simulations can also help to reinforce training and identify weak links – Individuals who require further training.

DMARC should be adopted to prevent impostors from spoofing domains and healthcare organizations should consider buying and parking variants of their domain. Domains similar to those used by healthcare organizations should be monitored as they may be registered by fraudsters and email filters should be configured to reject messages sent from those risky domains.

The post Healthcare Email Fraud Attacks Have Increased 473% in 2 Years appeared first on HIPAA Journal.

March 1, 2019: Deadline for Reporting Small Healthcare Data Breaches

The deadline for reporting 2018 data breaches of fewer than 500 records is fast approaching. HIPAA covered entities and their business associates must ensure that the Department of Health and Human Services’ Office for Civil Rights (OCR) is notified of all 2018 data breaches of fewer than 500 records before March 1, 2019.

The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to report data breaches of 500 or more records within 60 days of discovering the breach. The deadline for reporting small healthcare data breaches is 60 days from the end of the calendar year in which the breach was experienced.

If it is not possible to determine how many individuals have been affected by a data breach, or if the breach investigation has not been concluded before the 60-day deadline, an interim breach report should be submitted. The breach report can then be updated as and when further information becomes available.

If a data breach is not reported within the 60-day reporting window, OCR can issue a financial penalty for noncompliance. While fines for HIPAA violations are typically reserved for particularly egregious cases of noncompliance and extensive HIPAA failures, OCR has taken action against healthcare organizations for breach notification failures in the past.

In January 2017, OCR issued its first fine solely for a HIPAA Breach Notification Rule violation. Presense Health experienced a data breach in 2013 that affected 836 patients. Operating schedules had been removed from its Joliet, IL, surgery center and could not be located. Presence Health learned of the breach on October 22, 2013 but did not send notifications to patients for 101 days – 31 days later than the reporting deadline. OCR was notified 36 days after the deadline had passed. Presence Health agreed to settle the case with OCR for $475,000.

The post March 1, 2019: Deadline for Reporting Small Healthcare Data Breaches appeared first on HIPAA Journal.

Anesthesia Associates of Kansas City Discovers Theft of Patient Schedules

Paperwork containing patient information has been stolen from an employee of Anesthesia Associates of Kansas City.

The incident occurred on December 14, 2018. The employee had left a bag containing patient schedules in his vehicle. Thieves broke into the vehicle and stole the bag and paperwork.

Anesthesia Associates of Kansas City learned of the incident on December 16, 2018 and launched an investigation to determine what paperwork had been stolen.

It was not possible to determine with a high degree of certainty exactly which schedules were in the stolen bag. Consequently, the decision was taken to issue notification letters to all patients who had undergone surgical treatment between April 4, 2018 and December 14, 2018.

The types of information listed in patient schedules includes names, birth dates, types of surgical procedures, dates of surgery, and the name of the surgeon. Schedules do not contain sensitive information such as addresses, Social Security numbers, insurance information, and financial information.

The theft was reported to law enforcement but neither the bag nor the paperwork have been recovered. All patients whose protected health information was potentially detailed in the patient schedules were informed about the breach by mail on February 1, 2019.

All affected patients have been advised to monitor their accounts and explanation of benefits statements for any sign of fraudulent activity.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates up to 3,472 patients’ protected health information may have been compromised.

To prevent further data breaches of this nature in the future, Anesthesia Associates of Kansas City has reinforced its policy of prohibiting the non-essential removal of patient information from its clinics. New policies and procedures have also been developed and implemented to further safeguard patient information when it is necessary to remove it from its facilities.

The post Anesthesia Associates of Kansas City Discovers Theft of Patient Schedules appeared first on HIPAA Journal.

United Hospital District Phishing Attack Impacts 2,143 Patients

Blue Earth, MN-based United Hospital District has discovered patient information was exposed and potentially accessed by an unauthorized individual as a result of a June 2018 phishing attack.

The phishing incident resulted in the compromise of a single email account, the credentials to which were obtained as a result of an employee responding to a phishing email. The substitute breach notice on the healthcare provider’s website indicates the account was compromised between June 10, 2018 and June 27, 2018.

An in-depth analysis of the compromised account was conducted by third-party cybersecurity professionals who determined on December 12, 2018, that patient information had potentially been accessed. Emails and file attachments in the account were found to contain the protected health information of 2,143 patients.

The types of information contained in the email account varied from patient to patient and may have included names, addresses, internal patient identification numbers, health insurance information and, for a limited number of affected patients, diagnoses, treatment information, and/or Social Security numbers.

While data access was possible it was not confirmed. No reports have been received that suggest there has been any misuse of patient information.

All patients affected by the breach have been notified by mail. Individuals whose Social Security number was exposed have been offered a free 12-month subscription to credit monitoring and identity theft restoration services.

In response to the breach, additional email security measures have been implemented and employees have been given further security awareness training.

The post United Hospital District Phishing Attack Impacts 2,143 Patients appeared first on HIPAA Journal.

2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records

Protenus has released its 2019 Breach Barometer report: An analysis of healthcare data breaches reported in 2018.

The data for the report came from, which tracks data breaches reported in the media as well as breach notifications sent to the Department of Health and Human Services’ Office for Civil Rights and state attorneys general.

The report shows there was a small annual increase in the number of healthcare data breaches but a tripling of the number of healthcare records exposed in data breaches.

According to the report, there were 503 healthcare data breaches reported in 2018, up from 477 in 2017. 2017 was a relatively good year in terms of the number of healthcare records exposed – 5,579,438 – but the number rose to 15,085,302 exposed healthcare records in 2018.

In 2017, March was the worst month of the year in terms of the number of records exposed and there was a general downward trend in exposed records throughout the rest of the year. In 2018, there was a general increase in exposed records as the year progressed. The number of exposed records increased each quarter, from 1,175,804 records in Q1 to 6,281,470 healthcare records in Q4.

The largest data breach of the year was a hacking incident at a business associate of a North Carolina health system. Over the space of a week, the hackers gained access to the health records of 2.65 million individuals.

Healthcare hacking incidents have increased steadily since 2016 and were the biggest cause of breaches in 2018, accounting for 44.22% of all tracked data breaches. There were 222 hacking incidents in 2018 compared to 178 in 2017. Data was only available for 180 of those breaches, which combined, resulted in the theft/exposure of 11,335,514 patient records. The hacking-related breaches in 2017 resulted in the theft/exposure of 3,436,742 records. While it was not possible to categorize many of the hacking incidents due to a lack of data, phishing attacks and ransomware/malware incidents were both common.

Insiders were behind 28.09% of breaches, loss/theft incidents accounted for 14.34%, and the cause of 13.35% of breaches was unknown.

Insider breaches included human error and insider wrongdoing. These breaches accounted for a lower percentage of the total than in 2017 when 37% of breaches were attributed to insiders. Information was available for 106 insider-related breaches in 2018. 2,793,607 records were exposed in those breaches – 19% of exposed records for the year. While the total number of insider incidents fell from 176 to 139 year over year, there was a significant increase in the number of records exposed in insider breaches in 2018.

Insider errors resulted in the exposure of 785,281 records in 2017 and 2,056,138 records in 2018. Insider wrongdoing incidents resulted in the exposure of 893,978 records in 2017 and 386,469 records in 2018.

Without the proper tools in place, insider breaches can be difficult to detect. In one case, it took a healthcare provider 15 years to discover that an employee was snooping on patient records. Several incidents took over four years to discover.

Snooping by family members was the most common cause of insider breaches, accounting for 67.38% of the total. Snooping co-workers accounted for 15.81% of insider breaches. Protenus notes that there is a high chance of repeat insider offenses. 51% of cases involved repeat offenders.

Overall, it took an average of 255 days for a breach of any type to be discovered and an average of 73 days for breaches to be reported after they were discovered.

Healthcare providers were the worst affected group with 353 data breaches – 70% of all reporting entities. 62 breaches were reported by health plans (12%) and 39 (8%) were reported by other entities. It was a particularly bad year for business associates of HIPAA covered entities with 49 incidents (10%) reported by business associates. A further 102 incidents (20%) had some business associate involvement.

Protenus expects to trend of more than 1 breach per day to continue in 2019, as has been the case every year since 2016.

The post 2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records appeared first on HIPAA Journal.

ONC and CMS Propose New Rules on Patient Access and Information Blocking

On Monday, February 11, 2019, the HHS’ Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS) released new rules covering patient data access and information blocking.

The aim of the new rules is to advance interoperability and support the meaningful exchange and use of health information. The rules are intended to increase competition, encourage innovation, and give patients control over their health data.

One of the main goals is to make health information accessible via application programming interfaces (APIs). Currently consumers use a wide range of smartphone apps for paying bills and accessing information. It should be just as easy to gain access to healthcare data through apps and for healthcare data to be provided electronically at no cost.

One of the main requirements of the new rules is for healthcare providers and health plans to implement data sharing technologies that support the transition of care to new healthcare providers and health plans. Whenever a patient wishes to start seeing a new physician or wants to change to a new health plan, their health data should be seamlessly transferred.

The CMS rule proposes that by 2020, all healthcare organizations working with Medicare and Medicaid will be required to share health information and claims data with patients electronically via an API. This would make it easy for patents to change health plan and take their data with them. It will ensure that by 2020, 125 million patients will be able to receive their claims information electronically.

The ONC rule updates its conditions of certification, which require health IT developers to publish APIs that allow access to patient data without any special effort. The goal is for healthcare organizations to adopt standardized APIs to support the accessing of structured and unstructured health data via mobile devices.

The ONC rule implements the 21st Century Cure Act’s information blocking provisions and adds seven new exceptions to the information blocking rule – Actions and activities which are not classed as information blocking.

The new exceptions are:

  • Practices that prevent patients from being harmed
  • Practices that protect the privacy of electronic health information
  • Practices that ensure the security of electronic health information
  • Maintaining and improving health IT performance with user agreement
  • Recovering reasonable costs to allow the exchange, use, and accessing of electronic health information
  • Denying access, exchange, and use of electronic health information because it is unfeasible or would impose a substantial burden, which is unreasonable under the circumstances.
  • Licensing of technical artifacts to support the interoperability of electronic health information on reasonable and non-discriminatory terms

The ONC has proposed that healthcare providers found to be blocking information sharing should be named and shamed to discourage the practice and suggests that those organizations may also face financial penalties. “We are going to expose the bad actors who are purposely trying to keep patients from their own information,” explained CMS Administrator Seema Verma

Comments have also been requested on including pricing information along with electronic health information to allow patients to see exactly how much they are paying for their healthcare.

“These proposed rules strive to bring the nation’s healthcare system one step closer to a point where patients and clinicians have the access they need to all of a patient’s health information, helping them in making better choices about care and treatment,” said HHS Secretary Alex Azar. “By outlining specific requirements about electronic health information, we will be able to help patients, their caregivers, and providers securely access and share health information. These steps forward for health IT are essential to building a healthcare system that pays for value rather than procedures, especially through empowering patients as consumers.”

The post ONC and CMS Propose New Rules on Patient Access and Information Blocking appeared first on HIPAA Journal.

HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Grave Concerns

Each year, HIMSS conducts a survey to gather information about security experiences and cybersecurity practices at healthcare organizations. The survey provides insights into the state of cybersecurity in healthcare and identifies attack trends and common security gaps.

166 health information security professionals were surveyed for the 2019 HIMSS Cybersecurity Survey, which was conducted from November to December 2018.

This year’s survey revealed security incidents are a universal phenomenon in healthcare. Almost three quarters (74%) of healthcare organizations experienced a significant security breach in the past 12 months. 22% said they had not experienced a significant security incident in the past year. The figures are in line with the 2018 HIMSS Cybersecurity Survey, when 21% of respondents said they had not experienced a significant security incident.

In 2018, 82% of hospital systems reported a significant security incident, as did almost two thirds of non-acute and vendor organizations.

The most common actors implicated in security incidents were online scam artists (28%) and negligent insiders (20%). Online scam artists used tactics such as phishing, spear phishing, whaling, and business email compromise to gain access to healthcare networks and data. Online scam artists often impersonate senior leaders in an organization and make requests for sensitive data and fraudulent wire transfers.

Threat actors use a variety of methods to gain access to healthcare networks and patient data, although a high percentage of security breaches in the past 12 months involved email. 59% of respondents said email was a main source of compromise. Human error was rated as a main source of compromise by 25% of respondents and was the second main cause of security incidents.

HIMSS said it is not surprising that so many healthcare organizations have experienced phishing attacks. Phishing attacks are easy to conduct, they are inexpensive, can be highly targeted, and they have a high success rate. Email accounts contain a trove of sensitive information such as financial data, the personal and health information of patients, technical data, and business information.

Even though email is one of the most common attack vectors, many healthcare organizations are not doing enough to reduce the risk of attacks. The HIMSS Cybersecurity Survey revealed 18% of healthcare organizations are not conducting phishing simulations on their employees to reinforce security awareness training and identify weak links.

While email security can be improved, there is concern that by making it harder for email attacks to succeed, healthcare organizations will encourage threat actors to look for alternative methods of compromise. It is therefore important for security leaders to diligently monitor other potential areas of compromise.

The most common ways that human error leads to the exposure of patient data is posting patient data on public facing websites, accidental data leaks, and simple errors.

HIMSS explained that it is imperative to educate key stakeholders on IT best practices and to ensure those practices are adopted. Significant security incidents caused by insider negligence were commonly the result of lapses in security practices and protocols.

HIMSS suggests that additional security awareness training should be provided to all employees, not just those involved in security operations and management. Individuals in security teams should also be given additional training on current and emerging threats along with regular training to ensure they know how to handle and mitigate security threats.

Email attacks and the continued use of legacy (unsupported) systems such as Windows Server and Windows XP raise grave concerns about the security of the healthcare ecosystem.

69% of respondents said they continue to use at least some legacy systems. 48% are still using Windows Server and 35% are still using Windows XP, despite the security risks that those legacy systems introduce.

While it is encouraging to see that 96% of organizations conduct risk assessments, only 37% of respondents said they conduct comprehensive risk assessments. Only 58% assess risks related to their organization’s website, 50% assess third party risks, and just 47% assess risks associated with medical devices.

HIMSS suggests cybersecurity professionals should be empowered to drive change throughout the organization. “Rather than being “hermetically sealed off” from the rest of the organization they serve, cybersecurity professionals should be both a visible and integral part of the strategic planning and operational infrastructure of their organizations,” a feeling that was shared by 59% of respondents.

It is good to see that in response to the growing threat of attacks, healthcare organizations are allocating more of their IT budgets to cybersecurity. 72% of respondents said their budget for cybersecurity had increased by 5% or more or had remained the same.

You can download the 2019 HIMSS Cybersecurity Survey Report on this link (PDF).

The post HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Grave Concerns appeared first on HIPAA Journal.