
Editorial: Will Amazon Clinic Put Patient Privacy at Risk?

Amazon has launched a new service that connects patients with doctors – Amazon Clinic. This should come as no surprise given Amazon’s recent acquisitions and the company’s stated ambitions in the healthcare market. The new service promises to deliver convenience combined with affordability, but Amazon’s latest healthcare venture sets warning bells ringing about patient privacy.

Amazon’s Journey into Healthcare

Amazon is the ultimate disruptor. The company started as an online bookseller and cornered that market, then transitioned into a portal that connects the world with every conceivable product they could want, all of which are available through an easy-to-use website that delivers everything faster than most of its competitors. Amazon products are usually cheaper than the competition and the company is well known for putting the consumer first. Order late one day and your purchases will be with you the next. It is not possible to overstate how successful the company has been. Amazon is now generating revenues of $140 billion a quarter, and that success turned its founder, Jeff Bezos, into the world’s richest man, a position he held from 2017 to 2021.

In 2006, Amazon launched its cloud computing platform, Amazon Web Services (AWS), which has helped many healthcare organizations with their digital transformations, and in recent years, Amazon has been taking greater strides into the lucrative healthcare market. In 2017, Amazon created a healthcare-focused tech lab, 1492, then in 2018 launched its cloud-based service, Amazon Comprehend Medical, which extracts healthcare data from text such as doctors’ notes and clinical trial reports.

Amazon partnered with Berkshire Hathaway and JPMorgan Chase to create the non-profit healthcare organization, Haven, which sought to improve access to primary care for those companies. Haven was later shut down and was replaced by the Amazon Care program for its staff, which provides online and face-to-face medical services. Amazon started rolling out that telemedicine service to employers around the country, although in August it announced that it would be shutting down the service by the end of the year as it was not a sustainable solution for its enterprise customers.

Acquisitions of PillPack and One Medical Cement Move into Healthcare

Amazon’s move into healthcare took a major step forward with the $753 million acquisition of the online pharmacy PillPack in 2019, as the retailer looked to crack the prescription market. Amazon Pharmacy was launched in 2020, which offers Amazon Prime members free delivery for their pharmacy orders, packaged to make it easier for patients to remember when to take their medications.

This year, Amazon announced its intention to acquire the primary healthcare organization One Medical in a deal reportedly worth $3.9bn. One Medical provides a membership-based service offering in-person visits and virtual care and currently has around 815,000 members. This deal, if it completes, will cement Amazon’s place in the healthcare sphere.

Amazon’s planned acquisition of One Medical has sent alarm bells ringing throughout the healthcare industry and beyond. Privacy advocates are terrified about Amazon gaining access to large amounts of sensitive medical data and how that data will be used. There are fears that this most sensitive of data could be manipulated and exploited by Amazon in ways that may not become clear for many years to come.

In August, following the announcement about One Medical, Senator Josh Hawley (R-MO) wrote to the Federal Trade Commission (FTC) calling for the FTC to investigate the deal due to privacy and security concerns. Hawley stated that Amazon already wields too much power, and while the company would be required to comply with HIPAA and other healthcare privacy laws, some loopholes could be exploited. One of the biggest concerns with this merger, should it go ahead, is how Amazon plans to draw the line between consumer and patient data, and exactly where that line will be drawn.

Amazon Clinic Launched

The latest venture, Amazon Clinic, brings the convenience of Amazon’s retail empire direct to every home with an Internet connection and every individual with a smartphone. According to Amazon, Amazon Clinic allows everyone to “get treatment for common health concerns at your convenience—no appointments, video calls, or live chat required.” Amazon Clinic is billed as a virtual healthcare service that, like its retail business, delivers convenience and affordability.

Amazon Clinic is a message-based virtual care service, where users can select from a list of common health complaints, answer some questions, have that input reviewed by a licensed clinician, and then be provided with a personalized treatment plan. No appointments are needed, and in contrast to other healthcare services, the user knows the cost of the visit in advance. Pay a flat fee upfront and there are no surprises. Amazon says that the fee charged is less than many co-pays, plus the service offers more convenience as there are no waiting room visits and no telehealth appointments. The service is available 24/7 and prescriptions are filled by Amazon Pharmacy.

At launch, the virtual care service is being provided in 32 U.S. states for adults aged 18-64 and covers 20 common health conditions from acne to yeast infections, and the service can also be used to renew prescriptions for common medications with no visits or live chat required. The service is aimed at the uninsured market as Amazon does not accept insurance – although payment can be made and users can then try to claim back the cost from their insurer.

Amazon’s Checkered Privacy History

Anyone concerned about providing their most sensitive health data to Amazon need not be worried, as Amazon states, “Your health data is secure – All of your information is protected by our practices and by law… HIPAA and all other applicable laws and regulations.” Amazon also points out that “We have extensive experience protecting data of all kinds appropriately across a variety of businesses and remain focused on the important mission of protecting customers’ health information.”

There is, of course, the question of the extent to which consumers can trust Amazon with their health data, as while its services are much loved by consumers, the company does not have an exemplary record when it comes to data privacy. That “extensive experience” includes some questionable data practices and there have been many allegations of serious privacy violations.

Amazon was investigated for violations of the European Union’s General Data Protection Regulation (GDPR), with the Luxembourg Data Protection Authority determining that the retailer had violated several Articles of the GDPR related to its processing of user data, even though Amazon was well aware of the requirements of the GDPR. The fine imposed in 2021 was a record €746 million ($887 million). Amazon has appealed that decision and maintains there was no data breach or disclosure of personal data to any third parties. The exact nature of the alleged violations has not been disclosed publicly, although it is suspected to be related to the use of personal data internally for advertising purposes without consent.

This year, an Amazon cloud backup service was found to be inadvertently exposing RDS snapshots over the public Internet that contained corporate personally identifiable information (PII). Also this year, Amazon accidentally exposed an internal server to the public Internet that contained data about users’ Prime viewing habits.

One problem for Amazon comes from the sheer volume of data that it collects from many different sources, from search engine and site searches to what is said to Alexa. Amazon has had problems mapping all of that data and does not know exactly where all that data is being held, let alone how all that data is being used. That is a major concern if health information is also collected.

Then there is Amazon’s vast workforce of more than 1.6 million full- and part-time employees, which creates a considerable insider privacy risk, and questions have long been asked about how customer data is protected against insider threats. A report was published by the Wall Street Journal in 2018 about how Amazon employees were being bribed to provide access to sensitive information such as buying habits, sales volume, and the on-site search terms of customers. Amazon has a history of employees sharing customer contact information with third parties, and in 2020, disgruntled employees were found to be leaking customer email addresses. An internal application that was used by Amazon to extract data was found to be used as a backdoor, allowing third parties to collect customer data, notably by a Chinese firm that had harvested the information of millions of customers. Questions have also been asked about the ability of the Amazon retail arm to detect security incidents.

Of course, insider threats are a problem for all businesses; however, for a company such as Amazon which has received considerable criticism from employees about working conditions, the threat is greater. Former Amazon chief information security officer Gary Gagnon said in 2018 that there was free-for-all internal access to customer information and that the systems in place made it difficult to track where all of Amazon’s data was going.

Privacy Concerns About Access to Medical Data

Amazon has access to a huge amount of data from the retail side of its business and has the goal of broadening its access to data to include healthcare information, which through Amazon Clinic will help to drive the growth of its online pharmacy business.

Amazon states that it will abide by federal regulations such as HIPAA, but while HIPAA has helped to protect the privacy of patients for two decades, there are considerable gaps. HIPAA has not adapted to changing technology, such as the massive rise in the use of health apps. The data collected through those apps is often the same data that HIPAA protects if collected by a healthcare provider, yet the apps are beyond the protection of HIPAA.

One concern is to what extent the data collected through Amazon Clinic will be used by other parts of the business. Through Amazon Clinic, patients fill out health questionnaires. That information would be valuable for the retail arm. The first health condition on the Amazon Clinic list – Acne – brings up more than 10,000 products on its retail site. Amazon may claim that Amazon Clinic data will be kept separate, but enforcers of the GDPR are likely to have their suspicions about the extent to which that will occur. Will users of the Amazon Clinic find they are offered a range of tailored products to suit their specific health needs?

As Amazon has demonstrated over the years, other players in the markets in which it operates struggle to compete, and that has been seen from the very early days when Amazon started putting booksellers out of business. There are already several players in the telehealth market that offer similar services for common health conditions but lack the reach of Amazon, and they may well struggle to compete. Amazon Clinic, coupled with its companion One Medical business – if that acquisition goes ahead – could lead to a monopoly on telehealth that would reduce consumer choice.

The Future of Healthcare?

There is no doubt that there is demand for Amazon Clinic, which seeks to bridge the gap between medical complaints that require more than a trip to the drug store and are not sufficiently severe to warrant a costly trip to the doctor. A service that plugs that gap and offers convenience and affordability is almost certain to prove popular.

Amazon Clinic could have a positive impact on the industry from a patient perspective. One of the keys to the success of Amazon is its focus on improving the customer experience. If the service proves to be successful, healthcare providers may also start looking at ways that they can do the same and make their services better and more convenient.

U.S. consumers may be comfortable with Amazon collecting vast amounts of information and building up detailed profiles of consumers in exchange for convenience and low prices, but questions remain about whether Amazon can be trusted with health data. An American Medical Association survey earlier this year suggests there is widespread mistrust in nontraditional healthcare entities. Amazon may find it difficult to earn consumer trust.

Amazon says this new service makes doctor’s visits simpler and affordable and that any privacy fears are unfounded. It remains to be seen whether making health care more convenient and affordable will come at the cost of patient privacy, and it may be some time before that becomes fully apparent.

Steve Alder 

Editor-in-Chief, HIPAA Journal

The post Editorial: Will Amazon Clinic Put Patient Privacy at Risk? appeared first on HIPAA Journal.

Editorial: Lessons for American Healthcare Providers from the Australian Medibank Health Record Breach

The U.S. healthcare industry is currently engaged in a cyber war against a widely dispersed set of adversaries, which include hordes of financially-motivated hackers and organized cybercriminal groups, hacktivists, and nation-state-sponsored threat actors. Ransomware has become an epidemic, and while there are signs that attacks are leveling off or decreasing, the healthcare industry has yet to see such a dip, now being the most targeted sector.

One trend that has emerged is an increase in extortion-only attacks. Rather than breaching networks, exfiltrating data, and then encrypting files, attackers do not use ransomware at all. Sensitive data is stolen and demands are issued for its safe return and to prevent the sale or publication of the data, with the file encryption element of the attack abandoned as it is time-consuming and noisy. One attack that has made the headlines – the cyberattack on the Australian health insurer, Medibank Private Ltd – confirms the global nature of the current cyber war, which healthcare organizations around the world are struggling to win. The attack stands out due to the scale of the data theft and the callousness of the perpetrators.

The Medibank Cyberattack

Medibank Private Ltd. is the largest private health insurer in Australia, covering around one in six Australians. On October 13, 2022, Medibank detected suspicious activity within its network. The unauthorized access was terminated, and initially, Medibank CEO David Koczkar issued a statement saying no evidence was found that customer data was accessed. Medibank was then contacted on October 17, 2022, by the threat actor behind the attack seeking payment to prevent the release of stolen data. Threats were issued to publish the stolen data, starting with a sample of the data of some of the most prominent customers, including politicians, actors, activists, social media personalities, and people with “very interesting diagnoses.” Medibank confirmed data theft had occurred on October 20.

Access to the network was gained, sensitive data was stolen, and a ransom demand was issued to prevent the publication and sale of the stolen data of 9.7 million current and former customers. The ransom demand was $9.7m, or $1 for each of the affected individuals. The attack has been attributed to an unnamed Russian cybercriminal group, with reports suggesting REvil was behind the attack. REvil’s data leak site redirects to the site where the Medibank data is being published. REvil was one of the most prolific cybercriminal groups in operation; however, following the arrests of several alleged key members of the group, Russia’s Federal Security Service (FSB) said REvil no longer exists. Whether this attack signals the rebirth of REvil, or if it was conducted by an affiliated group, has yet to be confirmed. The Australian Federal Police (AFP) claims to know which group is behind the attack.

Medibank said the threat actor infiltrated its systems using “high-level credentials,” which had the necessary clearance to access large amounts of data, and that multi-factor authentication was protecting those accounts. How those credentials were stolen and MFA was bypassed has not been made public.

The Hackers Show No Mercy

Medibank said it received counsel from cybersecurity experts regarding paying the ransom, and the consensus was that if the ransom was paid, there was only a limited chance that the stolen data would be returned, that all copies would be deleted, and that there would be no sale or misuse of the data. The decision was then made not to pay the ransom, the implications of which were felt last week when the threat actor started to publish samples of the stolen data, initially posting two lists of data each containing around 100 records.

One was referred to as a “naughty list” which included the data of individuals who had claimed for treatment for drug addiction and mental health issues, and a “good list” that included claims for more generic hospital procedures. That was followed by the publication of another file that included details of around 300 individuals who had claimed for healthcare services related to the termination of pregnancies, then another file was published containing the details of 240 customers who had claimed for alcoholism-related treatments. The information of more than 480,000 customers has now been leaked. Medibank is standing by its initial decision not to make payment.

Medibank has reported to the Australian Stock Exchange that it is expecting a financial hit of around $25m to $35m, not including any regulatory fines or litigation. In terms of the latter, there could well be several lawsuits filed. Lawyers around the country are currently assessing the potential for suing Medibank over the data breach and are assessing the harm that has come from the exposure of highly sensitive data. The breach mitigation and legal costs will have to be covered by Medibank, as chief financial officer, Mark Rogers, confirmed that there was no cyber insurance policy in place due to the excessive cost.

Lessons US Healthcare Organizations Can Learn from the Medibank Cyberattack

The Medibank cyberattack is horrific – for Medibank and especially the 9.7 million affected individuals, and the repercussions will be felt for a long time to come. The situation is still evolving, but there are already lessons to be learned from this hugely damaging cyberattack.

Cybersecurity must be a board-level issue

Even with considerable investment in cybersecurity, defenses can be breached. The security posture of Medibank at the time of the attack is unclear, but one issue that has come to light is the lack of board involvement in cybersecurity at Medibank. Medibank chairman, Mike Wilkins, confirmed there were no cybersecurity or IT experts on the board, something that is all too common at healthcare organizations. Given the high risk of a cyberattack and its potential implications, board-level oversight of cybersecurity is essential. According to Deloitte, which has been called in to investigate the security breach, “Boards have now started looking at cyber risk as an enterprise-wide risk management issue, rather than a pure IT security issue, owing to its firmwide implications… Cybersecurity oversight has now become the most important topic for the Board after strategic planning.”

Hope for the Best, But Plan for the Worst

It is often only when a cyberattack occurs that cybersecurity gets the investment it needs, yet the high risk of an attack occurring should come as no surprise to any healthcare organization, given the frequency with which attacks are now being reported. Koczkar has stated that Medibank had planned for such an attack and was able to immediately implement its cyber response strategy for exactly this type of event; however, while an incident response plan had been implemented, shareholders have been voicing concerns about Medibank’s level of preparedness for such an attack, not just in terms of incident response, but the measures that had been implemented to prevent such a breach. Healthcare organizations can hope for the best, but they need to assume that a cyberattack is inevitable and ensure appropriate defenses are in place. It is also vital to not just develop and implement a breach response plan, but to practice the incident response with tabletop exercises, involving all teams involved in the response.

The Importance of Transparent Communication with Customers and Shareholders

The decision of whether or not to pay the ransom is not straightforward, and while there are very good reasons for not paying a ransom, there are repercussions for any decision, as this attack has shown. Medibank clearly stated the reasons why the ransom was not paid, and it was clearly communicated that their decision was in line with the recommendations of the Australian government.

Medibank appears to have opted for a strategy of damage limitation to protect the company’s reputation by downplaying the seriousness of the breach, and that approach has backfired. The CEO first issued a statement that no evidence of data theft had been found, then issued another statement that the attack appeared to be a precursor to a ransomware attack, before finally admitting that data theft had occurred.

Shareholders have been demanding answers with share prices falling sharply, forcing three halts on trading. Many are furious about the management of the breach and the level of transparency of Medibank post-breach, with little information or reassurances provided. Transparency and clear communication with shareholders and customers can go a long way toward protecting a company’s reputation after a data breach, especially one where the perpetrators have been telling shareholders to sell all their shares.

Zero-Trust and Phishing-Resistant Multi-factor Authentication

It is currently unclear how credentials were obtained and MFA bypassed, but phishing is a reasonable assumption. While it is important to protect all accounts with multi-factor authentication, especially accounts with high levels of privileges, not all forms of MFA provide the same level of protection. Healthcare organizations should follow the advice of CISA and implement phishing-resistant MFA. A change of mindset is also required for security, shifting from traditional perimeter defenses to zero-trust. Zero-trust assumes that the network has already been breached, and implements controls that validate every stage of a digital interaction to limit the potential for lateral movement.

The Importance of Cyber Insurance

Medibank will face a huge financial hit from the attack, the initial estimates of which appear to be very low. While the average cost of a healthcare data breach is now $10.1 million, according to the IBM Security 2022 Cost of a Data Breach Report, the cost of mega data breaches of 1 million to 10 million records was calculated to be $49 million, and $180 million for breaches of 10M-20M records. Bloomberg Intelligence suggests the breach cost could rise as high as $450 million if customers sue for damages. Cyber insurance is unlikely to pay all breach-related costs, but the failure to have any cyber insurance policy is a serious risk, and that decision could prove to be incredibly costly.

Greater Protection for Highly Sensitive Data

The nature of the data published by the attacker is shocking. In the United States, disclosure of the details of individuals who have had a legal abortion could cause incredible harm and potentially put women at risk of criminal charges. These data types, along with other highly sensitive information such as substance disorder treatment information, data of domestic violence victims, and patients with stigmatized diseases such as HIV, should be subject to far more stringent protections, as far as is possible, due to the harm that can be caused if that information is exposed. In the Medibank attack, patient data in all of those categories was obtained and published.

The Australian Cyber Security Minister, Clare O’Neil, said that the damage caused by the Medibank cyberattack is “potentially irreparable”. It may be too late for Medibank, but as more information about the attack and response comes to light, the lessons learned will be invaluable to healthcare organizations around the world and may help them prevent similar incidents and manage successful attacks better to reduce the damage caused.

Steve Alder 

Editor-in-Chief, HIPAA Journal


Editorial: 5 Reasons Why HIPAA Training is Important

HIPAA training is important beyond “ticking the box” of HIPAA compliance. In this article, we explain how a fully trained and compliant workforce can deliver multiple benefits for organizations subject to HIPAA and provide 5 reasons why HIPAA training is important.

HIPAA training is a requirement of the Privacy and Security Rules. According to the Privacy Rule, Covered Entities must train workforce members on the HIPAA-related policies and procedures relevant to their roles; while, according to the Security Rule, both Covered Entities and Business Associates must implement a security awareness and training program for all members of the workforce – even those with no access to ePHI.

#1. Reduce the Risk of HIPAA Violations

HIPAA training should be more than a box-checking exercise for compliance. The purpose of training workforces on HIPAA-related policies and security awareness is so they can perform their roles compliantly and avoid making mistakes that could result in a privacy violation. One of the most important reasons for training is to ensure the privacy of protected health information and prevent HIPAA violations.

#2. Demonstrate a Good Faith Effort

Sometimes, despite an organization’s best efforts, employees may violate the HIPAA Rules. All violations must be reported to the HHS’ Office for Civil Rights (OCR) and OCR may choose to investigate. If an investigation is initiated, a HIPAA-regulated entity will need to demonstrate its good faith effort to achieve HIPAA compliance. Providing evidence that training has been provided to the workforce will demonstrate that this was an isolated incident, which could result in the avoidance of sanctions and penalties.

#3. Provide an Efficient Workplace Structure

With effective HIPAA training, members of the workforce not only know what they have to do to be HIPAA compliant but also why they need to act in a specific way with respect to protected health information. This provides an efficient workplace structure in which time-wasting due to a lack of knowledge is minimized. Effectively, the cost of HIPAA training pays for itself in increased productivity, which – in a healthcare setting – can have benefits for patient care, Medicare star ratings, and profitability.

#4. Stronger Defense Against Cyberattacks

HIPAA training is important because all members of the workforce need to understand how to be HIPAA compliant. Security awareness training is important as employees are trained on security best practices to prevent the exposure of protected health information and to make it harder for malicious actors to gain access to patient data. The security awareness training requirements of HIPAA help to improve an organization’s security posture and prevent data breaches.

#5. Encourage Openness by Patients

Research suggests that when patients trust their healthcare providers to keep their personal information private and confidential, they tend to be more open about their symptoms and voice health concerns with their healthcare providers. More openness by patients helps healthcare providers make more accurate diagnoses and better-informed treatment decisions – which can improve patient outcomes. One of the best ways of ensuring patient privacy is HIPAA compliance, and ensuring regular training is provided to the workforce.

Conclusion: HIPAA Training is Important Beyond Ticking the Box

OCR maintains a “breach portal” which is a publicly available record of all data breaches of 500 or more records, all of which are investigated by OCR. The archive contains cases that have been closed, including resolutions with a financial penalty, corrective action plan, or technical assistance. Almost one-third of the resolved cases have included a requirement for the Covered Entity or Business Associate to provide more training or increase the frequency of existing security awareness training.

This shows that many organizations are not taking the importance of HIPAA and security awareness training seriously enough. While the provision of HIPAA and security awareness training doesn’t guarantee violations will not occur, being able to demonstrate an effective training program will lessen the sanctions imposed by OCR. In some cases, this can significantly reduce the indirect costs associated with revising policies and procedures, providing training on the revisions, and the business disruption this will cause.

In addition, HIPAA training can help with the creation of an efficient workplace structure, build stronger defenses against cyberattacks, and encourage openness by patients that results in better patient outcomes. Covered Entities and Business Associates that are unsure about any potential gaps in their training programs should seek professional compliance advice.

Steve Alder, Editor-in-Chief, HIPAA Journal


Editorial: 5 Gaps in HIPAA and How They Are Being Filled

There are – and always have been – gaps in HIPAA and, after more than a quarter of a century, some have yet to be addressed.

Most of the gaps in HIPAA are attributable to omissions from the original Act, provisions of HIPAA and HITECH that have never been enacted, and the increasing use of technology in healthcare. We have identified 5 gaps in HIPAA (there are plenty more) and discuss how these are being – or have been – filled.

The passage of HIPAA resulted in multiple benefits for the health insurance industry, the healthcare industry, and the people that they serve. For example, the Administrative Requirements (Part 162) helped reduce insurance fraud and accelerated eligibility inquiries, authorization requests, and claims processing.

The reduction in insurance fraud meant that plan members did not have to cover the cost of HIPAA’s portability provisions through increased premiums, while patients requiring health services did not have to wait so long for treatment to be provided. Additionally, the passage of HIPAA led to the creation of a federal floor for the privacy of individually identifiable health information.

Despite these benefits, there are gaps in HIPAA, the Rules that evolved from HIPAA, and subsequent legislation that could further benefit the health insurance industry, the healthcare industry, and the people they serve. We look at five of the gaps in HIPAA, explain their consequences, and discuss how they are being – or have been – filled.

#1. Healthcare Providers Not Covered by HIPAA and the Privacy of Health Information

At the time HIPAA was passed in 1996, many healthcare providers did not qualify as Covered Entities because they did not conduct electronic transactions for which the Department of Health and Human Services (HHS) had established standards under the Transactions Rule. Despite the increasing use of technology, there are still some healthcare providers who do not qualify as Covered Entities.

These include – but are not limited to – medical practitioners who only accept direct payments from patients, vendors of personal health records that connect with devices such as exercise trackers, and healthcare facilities that use non-electronic channels for covered transactions. (In 2013, HHS confirmed that paper-to-paper, non-digital faxes are not covered transactions).

This gap in HIPAA – in which not all healthcare providers qualify as Covered Entities – means there are occasions when health information is not covered by the Privacy and Security Rules. Fortunately, this gap is increasingly being filled by state legislators passing privacy laws that provide as many – if not more – privacy protections as HIPAA.

#2. Health Care Data Collected by Personal Health Records

A common misconception about HIPAA is that all healthcare data is subject to its protection. As discussed above, this is not the case because not all healthcare providers qualify as Covered Entities. However, the issue of personal health records deserves its own section in this article because – until recently – the oversight of personal health records has been minimal.

Not only do mHealth apps lack HIPAA-compliant privacy and security protections, but users are also unable to request access to sensitive data stored by the vendor – contrary to the HIPAA rights principles of the Privacy Rule. Furthermore, vendors have been sharing users’ data with third parties – despite promising to keep it private – with no control over how it is further used or disclosed.

This gap in HIPAA is currently being closed by the Federal Trade Commission (FTC) – which has the authority to pursue civil action against any company that discloses sensitive consumer data after promising to keep it private under the Deceptive Trade Practices clause of the FTC Act. The agency also has the authority to pursue enforcement action against vendors of personal health records if they experience a data breach and fail to report it as required by the Breach Notification Rule.

#3. The National Patient Identifier

In the text of HIPAA, there is a section entitled “General Requirements for the Adoption of Standards” which requires the Secretary of the Department of Health and Human Services to “adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and healthcare provider.” While unique health identifiers have been adopted by employers, health plans, and healthcare providers, there is a gap in HIPAA relating to National Patient Identifiers.

The purpose of National Patient Identifiers (NPIs) is to increase efficiency, save costs, facilitate interoperability, support accurate data registries, and improve security (because if a patient’s NPI is compromised, all that is breached is health data and no other identifiers). They also have the potential to improve patient safety by making it more difficult for patient records to be mismatched. Despite these clear benefits, Congress has prevented the HHS from implementing NPIs by withholding funding. The cost of implementing NPIs was forecast (in 2008) to be between $1.5 billion and $11.5 billion.

However, in 2015, Congress partially relented in its stance by passing the Medicare Access and CHIP Reauthorization Act, which requires the Centers for Medicare and Medicaid to remove Social Security Numbers from Medicare cards and replace them with Medicare Beneficiary Numbers. Advocates of NPIs are hoping that the introduction of Medicare Beneficiary Numbers (which went into effect in January 2020) will demonstrate to Congress that the benefits of NPIs far outweigh the costs.

#4. Not Making Business Associates Directly Liable for HIPAA Violations

Prior to the HITECH amendments implemented in the Final Omnibus Rule, Business Associates were not directly liable for HIPAA violations. Additionally, Covered Entities were not required to oversee the means by which Business Associates complied with the Privacy and Security Rules, nor ensure their Business Associates complied with the terms of their Business Associate Agreements.

Consequently, when data breaches occurred due to a lack of compliance by Business Associates, there was no accountability. The HHS’ Office for Civil Rights had no authority to take enforcement action against Business Associates, while the Covered Entities for whom the Business Associates were performing a service could claim they were unaware of the lack of compliance and escape sanctions.

This gap in HIPAA was closed by the HITECH (Omnibus Rule) amendments and the Breach Notification Rule, which requires Business Associates to report data breaches to Covered Entities within sixty days of the discovery of the breach – even if only one record has been breached. Subsequently, multiple Business Associates have been issued with HIPAA violation fines and Corrective Action Plans.

#5. OCR’s Failure to Issue (Enough) Financial Penalties

The HHS’ Office for Civil Rights (OCR) has followed a policy of leniency in enforcement actions for HIPAA violations – often favoring voluntary compliance and technical assistance ahead of civil monetary penalties and financial settlements. To date (September 2022), OCR has imposed civil monetary penalties or reached settlements in only 126 cases. In two rounds of HIPAA compliance audits, widespread non-compliance was identified, yet no financial penalties were issued.

While the risk of financial penalties may have been an incentive for some to get compliant, many HIPAA-regulated entities only made a cursory effort to achieve compliance with the HIPAA Rules, with some HIPAA requirements ignored entirely. While there was a risk of a financial penalty, very few penalties were actually being imposed. Only one penalty was issued in each of 2008 and 2009, two in 2010, three in 2011, and six in 2012. OCR has stepped up HIPAA enforcement in recent years, with 20 issued so far this year.

There is a school of thought that, if HHS will impose financial penalties for data breaches anyway, why go to the expense of ensuring full compliance? The reluctance to invest in security to prevent cyberattacks and data breaches has now been addressed with the introduction of a partial safe harbor for organizations that have adopted ‘recognized security practices’ continuously for 12 months prior to a data breach. The reward is that OCR will consider those measures when making determinations about financial penalties, and the extent and length of audits and investigations will be reduced.

Part of the reason for the lack of financial penalties is funding. OCR is a big department with a wide remit, and investigations of HIPAA violations are expensive. Its budget for enforcement is also being stretched further due to the huge number of data breaches that are now occurring. OCR requested a 55% increase in funding for 2023 to support its HIPAA enforcement efforts, but that request is still under review. Had OCR pursued financial penalties more aggressively over the past decade, it would have been easier to justify an increase in funding, and more organizations might have been motivated to get compliant. OCR will also soon have to share a proportion of the funds it raises through its enforcement actions with victims of HIPAA violations, so without the funding increase, HIPAA enforcement may suffer even more.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: 5 Gaps in HIPAA and How They Are Being Filled appeared first on HIPAA Journal.

Editorial: Why Do Criminals Target Medical Records

The healthcare industry is extensively targeted by cybercriminals, who seek access to healthcare networks for a range of nefarious purposes. Medical records are highly prized, but why are medical records so valuable to criminals?

Hackers are going to great lengths to gain access to healthcare networks. Data compiled by HIPAA Journal from breach reports submitted to the HHS’ Office for Civil Rights (OCR) shows that the number of data breaches reported by HIPAA-regulated entities continues to increase every year. 2021 saw 714 data breaches of 500 or more records reported to the OCR – an 11% increase from the previous year. Almost three-quarters of those breaches were classified as hacking/IT incidents.

Healthcare organizations, especially healthcare providers, are attractive targets for hackers as they store huge amounts of valuable patient data. Large health systems store millions of patient records and even relatively small healthcare providers may store the records of hundreds of thousands of patients. The stored data is highly detailed, including demographic data, Social Security numbers, financial information, health insurance information, and medical and clinical data, and that information can be easily monetized.

How do Hackers Make Money from Stolen Medical Data?

Healthcare records are so valuable because they can be used to commit a multitude of crimes. Social Security numbers, dates of birth, and demographic data can be used to commit identity theft to obtain loans and credit cards in victims’ names. Healthcare data can be used to impersonate patients to obtain expensive medical services, Medicare and Medicaid benefits, healthcare devices, and prescription medications. Healthcare records also contain the necessary information to allow fraudulent tax returns to be filed to obtain rebates.

In contrast to credit card numbers and other financial information, healthcare data has an incredibly long lifespan and can often be misused for long periods undetected. Credit card companies monitor for fraud and rapidly block cards and accounts if suspicious activity is detected, but misuse of healthcare data is harder to identify, and the data can be misused in many ways before any malicious activity is detected. During that time, criminals can run up huge debts – far more than is usually possible with stolen credit card information.

Stolen data can be used to develop convincing spear phishing, smishing, and vishing campaigns, where the attacker impersonates a hospital or health insurer. Medical records contain highly sensitive information about medical conditions, pregnancies, abortions, and sexual health tests, and that information can easily be used for extortion and blackmail.

Patient data stolen from healthcare organizations is often processed and packaged with other illegally obtained data to create full record sets (fullz) that contain extensive information on individuals, often in intimate detail. These full record sets are often sold on dark web sites to other criminals who use the data to obtain documentation such as Social Security cards, driver’s license numbers, and passports. The documentation allows an identity kit to be created, which can then be sold for considerable profit to identity thieves or other criminals to support an extensive range of criminal activities.

Healthcare Data Can be Used as Leverage

Many of the hacking incidents now being reported by healthcare providers involve the use of ransomware. Ransomware is used to encrypt files and prevent access, with the aim of causing massive disruption to business operations. Faced with an inability to operate, businesses are forced to pay the attackers for the keys to decrypt their data. Without access to critical systems, and especially if medical records are encrypted, patient safety is put at risk. Attacks on healthcare providers are therefore more likely to see ransoms paid than attacks on other sectors that are less reliant on data, which is why many ransomware gangs target the healthcare industry.

These attacks prevent access to data, but recovery is possible from backups. In response, the Maze ransomware gang started exfiltrating data before encrypting files and using the stolen data as leverage to pressure victims into paying the ransom. Threats were issued to publish or sell the data if payment was not made.

Even if data can be recovered from backups, many healthcare organizations have felt compelled to pay to prevent the misuse of patient data. This tactic has been so successful that many cybercriminal gangs are dispensing with encryption and are now just kidnapping data. It’s faster, attacks are less likely to be detected, and the effort required is much lower, allowing more healthcare organizations to be attacked. There may be no threat of data loss, but the reputational damage that results from the exposure of patient data can be substantial.

Healthcare Organizations are an Easy Target

Healthcare organizations store large amounts of high-value data, which makes them an attractive target for hackers, and they are often easy to attack. The IT environments of healthcare organizations are often complex and difficult to secure. Devices and software continue to be used that have reached end-of-life, as upgrading is costly and often problematic. Many healthcare providers use software solutions that have been developed to work on specific – and now obsolete – operating systems and cannot be transferred to supported operating systems.

Vast numbers of connected devices are used in hospitals. IBM’s research suggests an average of 10-15 devices are used per hospital bed, with the number of medical and IoT devices growing at a considerable rate. Keeping track of those devices and ensuring they are secured and kept up to date is a major challenge. Securing medical and IoT devices can also be problematic, as many devices have not been developed with security in mind.

Healthcare professionals need easy access to patient data. Members of the care team often work from different locations, so remote access is required, which introduces further risks. Healthcare environments are busy, and employees are often overstretched, which inevitably results in human vulnerabilities, which can be easily exploited. The healthcare industry is particularly susceptible to phishing attacks due to a combination of busy working environments, overstretched staff, and a lack of regular security awareness training. A 2021 study by MediaPro on 850 healthcare employees saw 72% of employees rated as a security risk, with only 28% demonstrating they had the skills to recognize and avoid phishing attacks.

Further, many healthcare organizations are still heavily reliant on traditional security solutions, such as network and endpoint technologies, which are not effective at securing cloud infrastructure and IoT devices.

How Can Healthcare Cybersecurity Be Improved?

Phishing, ransomware, and malware attacks on the healthcare industry are profitable, and that is unlikely to change, so healthcare organizations need to concentrate on improving their defenses and strengthening their cyber posture to make it harder for cyber actors to succeed.

The starting point should be a comprehensive risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI. Audits and investigations by OCR often identify failures with risk analyses, which are commonly not comprehensive in scope. Healthcare organizations need to ensure that they identify all systems, devices, and locations where ePHI is stored and conduct a comprehensive organization-wide risk analysis and manage and reduce the identified risks in a timely manner.

Cybersecurity best practices need to be followed, including conducting regular vulnerability scans, patching promptly, backing up data, implementing network segmentation, creating and maintaining an accurate inventory of all devices connected to the networks, and implementing robust access controls with multi-factor authentication.

Regular security awareness training for the workforce is a vital part of improving security posture. Security awareness training should have a strong emphasis on phishing and other attack methods that target employees and should be accompanied by phishing simulations.

Given the rapidly evolving threat landscape and the difficulty of securing the sprawling attack surface, healthcare organizations should also strongly consider implementing zero-trust architectures to protect systems and data when threat actors succeed in breaching their perimeter defenses.

Steve Alder

Editor-in-Chief, HIPAA Journal

The post Editorial: Why Do Criminals Target Medical Records appeared first on HIPAA Journal.

Editorial: How Does HIPAA Improve Healthcare?

Questions are often sent to HIPAA Journal about the Health Insurance Portability and Accountability Act, one of which is how HIPAA has improved healthcare. In this post, I explain some of the main ways that healthcare has been improved by HIPAA for healthcare providers, health plans, and patients.

How Does HIPAA Improve Healthcare?

There has been a lot of criticism about HIPAA in the past and it continues to be a pain point for many healthcare providers. Compliance with the HIPAA Rules can be challenging, and healthcare professionals may feel that HIPAA unnecessarily limits their ability to deliver healthcare efficiently.

While the HIPAA Rules may be a cause of frustration and seem overly restrictive in some respects, HIPAA has done a great deal to improve healthcare. To appreciate some of the key benefits of this landmark piece of healthcare legislation, you need to cast your mind back to before HIPAA was signed into law in 1996 – several years prior to the introduction of the HIPAA Privacy and Security Rules, for which HIPAA is now best known.

HIPAA Made Health Insurance Portable and Improved the Continuity of Coverage

The main purposes of HIPAA, at least at the time when the legislation was first introduced, had nothing to do with healthcare data privacy and security. One of the main purposes of HIPAA was to ensure the portability of health insurance and the continuity of health insurance coverage when people lost or changed their jobs. Prior to HIPAA, many people felt they were stuck in their jobs because they rightly felt that if they were to leave their employment, they would lose their health insurance coverage. This was known as job lock and was common, as most Americans have health insurance provided by their employer and an employee could not take those benefits with them when they left employment. The change brought about by HIPAA helped to improve labor market mobility by ensuring healthcare benefits were not lost.

HIPAA Improved Efficiency and Reduced Waste and Fraud

Another important goal of HIPAA was to improve efficiency in the healthcare industry and reduce the considerable administrative burden on healthcare organizations. Prior to HIPAA, a great deal of time and money was wasted on inefficient processes, it was easy to mismatch patient data, and the process of conducting eligibility checks was cumbersome. This was largely due to there being no national standards for all healthcare organizations to adhere to, and that resulted in an incredible amount of wastage. The cost of that inefficiency reduced the profits of healthcare organizations and ultimately meant higher costs for patients.

Inefficient processes and the lack of standards created an environment ripe for abuse, and there were considerable losses to healthcare fraud which contributed to the rising costs of healthcare. The improvements made to efficiency through standardizing healthcare transactions and the use of the same code sets have helped to keep the costs of healthcare down and reduce the potential for fraud. Less wastage means lower costs, which means more money is available for improving healthcare services, and the removal of the inefficiencies has helped health plans keep the costs of health insurance down. Healthcare costs may currently be high, but they would be considerably higher were it not for HIPAA. In the 1980s and 1990s, healthcare costs were rising by around 10% per year, whereas after the introduction of HIPAA the increases have been around half that level.

The improvements to efficiency through the standardization of healthcare transactions have also helped to improve patient safety by reducing medical errors. While patient mismatching does still occur – there is still no national identifier despite it being a requirement of HIPAA in 1996 – HIPAA has helped to improve patient safety.

HIPAA Improved Patient Privacy

HIPAA called for the Secretary of the Department of Health and Human Services to recommend privacy standards, which led to the introduction of the HIPAA Privacy Rule. While the Privacy Rule has been heavily criticized – sometimes justly – it has greatly improved healthcare for patients by ensuring the privacy of their healthcare data.

The restrictions on uses and disclosures of healthcare data imposed by the HIPAA Privacy Rule have huge benefits for patients. The HIPAA Privacy Rule prohibits disclosures of patient information to people who do not have a legitimate reason for having that information and limits disclosures without patient consent. The Privacy Rule prohibits healthcare workers from discovering the healthcare secrets of their acquaintances, co-workers, and neighbors. It stops receptionists from accessing the intimate healthcare information of patients. By ensuring patient privacy, patients are more likely to feel comfortable sharing sensitive information with their caregivers, knowing that it is not permitted for that information to be discussed or shared outside of the care setting.

The HIPAA Privacy Rule has also allowed patients to restrict with whom their healthcare information can be shared, allowing them to prevent certain family members from accessing their data or having sensitive medical information shared with their employer.

The HIPAA Privacy Rule also gave patients the right to obtain a copy of their healthcare data, which empowers them to take a more active role in their own healthcare and share their healthcare data with whomsoever they wish. If a patient wants to change healthcare providers, they can take their records with them, which means avoiding having to cover the cost of having medical tests repeated.

Patients can check their healthcare information for errors and have those errors corrected. They can identify any misrecording of their information or mismatching of healthcare data. Patient safety has been improved by involving patients more in their healthcare.

Before the HIPAA Privacy Rule was introduced, healthcare providers did not have to provide patients with a copy of their healthcare data at all, and if they did agree to share the information with patients, there were no restrictions on what they could charge for doing so.

HIPAA Protects Electronic Healthcare Data

The move to electronic health records helped to improve efficiency in healthcare but increased the potential for healthcare data to be viewed by unauthorized individuals. In the digital age, many safeguards are required to keep electronic data protected.

The HIPAA Security Rule requires covered entities to anticipate threats and proactively take steps to safeguard against them. The HIPAA Security Rule sets minimum standards for data security that all HIPAA-covered entities are required to implement, which helps to keep electronic healthcare data private and confidential. Many of the healthcare data breaches that are now being reported are due to errors and failures to fully comply with the minimum standards of HIPAA.

Another benefit of HIPAA is that patients and health plan members must be told about any breaches of their personal healthcare data, which allows them to take steps to protect themselves against identity theft and fraud. Without the HIPAA Breach Notification Rule, there would be no federal requirement for healthcare organizations to notify patients about breaches. Individual states would be left to decide whether notifications were necessary and how quickly they would need to be provided.

You only need to look at the current patchwork of laws at the state level to see how much privacy and security protections vary depending on where people live. HIPAA has created standards for the privacy and security of healthcare data that apply across the United States and territories, ensuring minimum standards must be met, no matter where a person lives.

Summary

These are just some of the main ways that HIPAA has improved healthcare: Ensuring the continuity of health insurance coverage, improving efficiency, reducing the potential for medical errors, combatting the considerable amount of fraud and abuse in healthcare, giving patients rights over their healthcare data, and protecting patient privacy and preventing unauthorized access and disclosures of healthcare data.

HIPAA has helped to reduce the cost of healthcare, has improved patient safety, and helps to protect Americans from identity theft and fraud. HIPAA may be far from perfect, but the benefits of the legislation and subsequent amendments are considerable.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: How Does HIPAA Improve Healthcare? appeared first on HIPAA Journal.