Healthcare Cybersecurity

November 2018 Healthcare Data Breach Report

Posted by HIPAA Journal

For the second consecutive month there has been an increase in both the number of reported healthcare data breaches and the number of records exposed, stolen, or impermissibly disclosed.

November was the worst month of the year to date for healthcare data breaches in terms of the number of exposed healthcare records. 3,230,063 records were exposed, stolen, or impermissibly disclosed in the breaches reported in November.

To put that figure into perspective, that’s more records than were exposed in all 180 data breaches reported to the HHS’ Office for Civil Rights (OCR) in the first half of 2018.

Healthcare Data Breaches June-November 2018

There were 34 healthcare data breaches reported to OCR in November, making it the second worst month of the year to date for breaches, behind June when 41 breaches were reported.

Healthcare Data Breaches June to November 2018

Largest Healthcare Data Breaches in November 2018

The largest healthcare data breach of 2018 was reported in November by Accudoc Solutions, a business associate of Atrium Health that provides healthcare billing services. That single breach resulted in the exposure of more than 2.65 million healthcare records.

AccuDoc Solutions discovered hackers had gained access to some of its databases for a week in September 2018. According to AccuDoc, the information in the databases could only be viewed, not downloaded.

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 AccuDoc Solutions, Inc. Business Associate 2652537 Hacking/IT Incident
2 HealthEquity, Inc. Business Associate 165800 Hacking/IT Incident
3 New York Oncology Hematology, P.C. Healthcare Provider 128400 Hacking/IT Incident
4 Baylor Scott & White Medical Center – Frisco Healthcare Provider 47984 Hacking/IT Incident
5 Cancer Treatment Centers of America (CTCA) at Western Regional Medical Center Healthcare Provider 41948 Hacking/IT Incident
6 Oprex Surgery (Baytown), L.P. d/b/a Altus Baytown Hospital Healthcare Provider 40000 Hacking/IT Incident
7 Center for Vitreo-Retinal Diseases Healthcare Provider 20371 Unauthorized Access/Disclosure
8 Veterans Health Administration Healthcare Provider 19254 Unauthorized Access/Disclosure
9 Steward Medical Group Healthcare Provider 16276 Hacking/IT Incident
10 Mind and Motion, LLC Healthcare Provider 16000 Hacking/IT Incident

Main Causes of November 2018 Healthcare Data Breaches

As was the case in October, hacking/IT incidents accounted for the highest number of data breaches and the most exposed/stolen healthcare records. There were 18 hacking/IT incidents reported in November. Those breaches impacted 3,138,657 individuals.

There were 11 breaches classified as unauthorized access/disclosure incidents which impacted 65,143 individuals, and 4 loss/theft incidents that resulted in the exposure of 22,333 healthcare records. One improper disposal incident exposed 3,930 healthcare records.

Causes of Healthcare Data Breaches in November 2018

Location of Breached Protected Health Information

Email breaches continue to be a major problem in healthcare. These breaches include phishing attacks, unauthorized accessing of email accounts, and misdirected emails. There were 11 email-related breaches of PHI in November. Up until December 19, 2018, 111 email-related healthcare data breaches have been reported to OCR. Those breaches involved more than 3.4 million healthcare records.

Technical solutions can be implemented to reduce the number of email related breaches. Spam filters will prevent the majority of phishing emails from reaching inboxes, but no technical solution will be 100% effective so employees need to be trained how to recognize phishing attacks and other email threats.

All individuals in an organization from the CEO down should receive regular security awareness training with a particular emphasis on phishing. In addition to regular training sessions, phishing simulation exercises should be conducted. Through phishing simulations, healthcare organizations can assess their security awareness training programs and find out which employees require further training.

Location of Breached Protected Health Information November 2018

Data Breaches by Covered-Entity Type

Healthcare providers were the covered entities worst affected by healthcare data breaches in November 2018 with 29 reported incidents.

Business associates of HIPAA-covered entities reported 5 breaches and there were a further five breaches reported by healthcare providers that had some business associate involvement – Twice the number of breaches involving business associates (to some degree) as October.

There were no health plan data breaches reported in November.

November 2018 healthcare data breaches by Covered-Entity type

Healthcare Data Breaches by State

Texas was the state worst affected by healthcare data breaches in November with 8 reported breaches. New York experienced three healthcare data breaches and there were two breaches reported in each of Georgia, Iowa, Illinois, Missouri, North Carolina, Utah, and Virginia.

One healthcare data breach was reported in Arizona, California, District of Columbia, Massachusetts, Maryland, Nebraska, New Jersey, Pennsylvania, and Washington.

Penalties for HIPAA Violations in November 2018

The Department of Health and Human Services’ Office for Civil Rights settled one HIPAA violation case with a healthcare provider in November.

Allergy Associates of Hartford was fined $125,000 over a physician’s impermissible disclosure of PHI to a TV reporter. The disclosure occurred after the physicians was instructed by the Allergy Associates of Hartford Privacy Officer not to respond to the reporter’s request for information about a patient, or to reply with ‘no comment’. Allergy Associates of Hartford failed to take any action against the physician over the HIPAA violation.

New Jersey also issued a financial penalty to a HIPAA-covered entity in November to resolve a HIPAA violation case. Best Transcription Medical was fined $200,000 for exposing the electronic protected health information of patients over the Internet. The breach affected 1,650 New Jersey residents.

The post November 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

27% of Healthcare Organizations Have Experienced a Ransomware Attack in the Past Year

Posted by HIPAA Journal

According to a new report from Kaspersky Lab, 27% of healthcare employees said their organization had experienced at least one ransomware attack in the past five years and 33% said their organization had experienced multiple ransomware attacks.

In its report – Cyber Pulse: The State of Cybersecurity in Healthcare – Kaspersky lab explained that up until January 1, 2018, the U.S. Department of Health and Human Services’ Office for Civil Rights has been notified of more than 110 hacking/IT-related data breaches that have affected more than 500 individuals.

The impact of those breaches can be serious for the organizations concerned. Not only can breaches result in millions of dollars in costs, they can permanently damage the reputation of a healthcare organization and can result in harm being caused to patients.

To investigate the state of cybersecurity in healthcare, Kaspersky Lab commissioned market research firm Opinion Matters to conduct a survey of healthcare employees in the United States and Canada to explore the perceptions of healthcare employees regarding cybersecurity in their organization. 1,758 U.S. and Canadian healthcare employees were surveyed.

81% of small healthcare organizations (1-49 employees), 83% of medium-sized healthcare organizations (50-249 employees), and 81% of large healthcare organizations (250+ employees) said they had experienced between 1 and 4 ransomware attacks.

The cost of mitigating ransomware and malware attacks is considerable. According to the Ponemon Institute/IBM Security’s 2018 Cost of a Data Breach Report, the average cost of a data breach has now risen to $3.86 million. Kaspersky Lab’s 2018 Cost of a Data Breach Report places the average cost at $1.23 million for enterprises and $120,000 for SMBs.

While cybersecurity is important for reducing financial risk, 71% of healthcare employees said it was important for cybersecurity measures to be implemented to protect patients and 60% said it was important to have appropriate cybersecurity solutions in place to protect people and companies they work with.

Even though healthcare organizations have invested heavily in cybersecurity, many employees lack confidence in their organization’s cybersecurity strategy. Only 50% of healthcare IT workers were confident in they cybersecurity strategy, that fell to 29% for management and doctors, 21% for nurses, 23% for finance department employees, and 13% for the HR department.

Many healthcare employees appear to have a false sense of security. Even though healthcare data breaches are being reported on a daily basis, 21% of respondents had total faith in their organization’s ability to prevent cyberattacks and did not believe they would suffer a data breach in the forthcoming year.

While 73% of surveyed employees said they would inform their security team if they received an email from an unknown individual requesting PHI or login credentials, 17% of employees said they would do nothing if they received such a request. 17% of employees also admitted to having received an email request from a third-party vendor for ePHI and provided the ePHI as requested.

“Healthcare companies have become a major target for cybercriminals due to the successes they’ve had, and repeatedly have, in attacking these businesses. As organizations look to improve their cybersecurity strategies to justify employee confidence, they must examine their approach,” explained Rob Cataldo, VP of enterprise sales at Kaspersky Lab. “Business leaders and IT personnel need to work together to create a balance of training, education, and security solutions strong enough to manage the risk.”

The post 27% of Healthcare Organizations Have Experienced a Ransomware Attack in the Past Year appeared first on HIPAA Journal.

Vulnerability Identified in Medtronic Encore and Carelink Programmers

Posted by HIPAA Journal

ICS-CERT has issued an advisory about a vulnerability that has been identified in certain Medtronic CareLink and Encore Programmers. Some personally identifiable information (PII) and protected health information (PHI) stored on the devices could potentially be accessed due to a lack of encryption for data at rest.

The programmers are used in hospitals to program and manage Medtronic cardiac devices and may store reports containing patients’ PII/PHI. An attacker with physical access to one of the vulnerable programmers could access the reports and view patients PII/PHI. The vulnerability would require a low level of skill to exploit.

The vulnerability, tracked as CVE-2018-18984 (CWE-311), was identified by security researchers Billy Rios and Jonathan Butts of Whitescope LLC who discovered encryption was either missing or stored PII/PHI was not sufficiently encrypted. The vulnerability has been assigned a CVSS V3 base score of 4.6.

The vulnerability is present in all versions of CareLink 2090 Programmers, CareLink 9790 Programmers, and the 29901 Encore Programmers.

Medtronic has advised all hospitals to stop using CareLink 9790 Programmers for any purpose as they have reached end-of-life and are no longer supported.

Users of CareLink 2090 and 29901 Encore Programmers should ensure that PII/PHI is stored on the Programmers for the shortest possible time. The devices are only intended to be used to store PII/PHI for short periods of time until the information can be transferred to other medical systems or printed to paper reports.

All affected programmers allow reports containing PII/PHI to be manually deleted when they are no longer required. Users of all vulnerable Programmers should ensure that all PII/PHI is deleted from the devices before they are decommissioned.

Medtronic has also advised users to ensure physical control of the Programmers is maintained at all times to prevent unauthorized access and only to use legitimately obtained Programmers and not to use any that are supplied by a third party.

The post Vulnerability Identified in Medtronic Encore and Carelink Programmers appeared first on HIPAA Journal.

Study Highlights Seriousness of Phishing Threat and Importance of Security Awareness Training

Posted by HIPAA Journal

A new study has revealed the extent to which employees are being fooled by phishing emails and how despite the risk of a data breaches and regulatory fines, many companies are not providing security awareness training to their employees.

For the study, 500 office workers were surveyed by the consultancy firm Censuswide. While all the respondents were based in Ireland, the results of the survey reflect the findings of similar studies conducted in other countries, including the United States.

14% of all surveyed office workers said that they had fallen for a phishing email, which would equate to around 185,000 office workers in Ireland.

There were notable differences in susceptibility to phishing emails across the different age groups: Millennials, generation X, and baby boomers. The age group most likely to be fooled by phishing scams was millennials (17%), followed by baby boomers (7%), and Generation X (6%).

Respondents were asked about how confident they were in their ability to identify phishing scams. Even though almost three times as many millennials had fallen for phishing scams as Generation Xers, millennials had the greatest confidence in their ability to identify phishing scams. That confidence, it would seem, has been somewhat misplaced.

14% of millennials said they would not be certain that they could identify fraud, compared to 17% of Gen Xers, and 26% of baby boomers.

The survey revealed one in five workers had not been given any security awareness training whatsoever, but even when training was provided, many office workers still engaged in unsafe practices such as clicking hyperlinks or opening email attachments in messages from unknown senders. 44% of baby boomers admitted having completed one of those actions in the past, compared with 34% of millennials, and 26% of gen Xers.

The consequences of a successful phishing attack can be severe. Phishing attacks can result in major financial loses, especially when financial information is stolen. Phishing attacks can cause lasting damage to the reputation of a company, business may be lost, and companies can face lawsuits from individuals whose personal information has been exposed or stolen, and regulators can issue substantial civil monetary penalties.

While security solutions can be implemented to block the majority of phishing emails, it is not possible to prevent all phishing emails from being delivered to inboxes. Security awareness training for everyone in the company, from the CEO down, is therefore essential.

Security awareness training needs to be thought of in the same way as health and safety training. It is an organizational and HR matter, not just the responsibility of the IT department.

Simply providing an annual training session for employees is no longer sufficient. Phishing attacks are becoming more sophisticated and cybercriminals are constantly changing tactics. Businesses therefore need to continually educate their employees to ensure training is not forgotten and to keep employees abreast of new threats.

Annual or biannual training sessions should be accompanied by regular refresher training sessions to help develop a security culture. Phishing email simulations are also useful for reinforcing training, gauging the effectiveness of training sessions, and identifying weak links.

The post Study Highlights Seriousness of Phishing Threat and Importance of Security Awareness Training appeared first on HIPAA Journal.

30% of Healthcare Databases Misconfigured and Accessible Online

Posted by HIPAA Journal

A recent study by the enterprise threat management platform provider Insights has revealed an alarming amount of healthcare data is freely accessible online as a result of exposed and misconfigured databases.

While a great deal of attention is being focused on the threat of cyberattacks on medical devices and ransomware attacks, one of the primary reasons why hackers target healthcare organizations is to steal patient data. Healthcare data is extremely valuable as it can be used for a multitude of nefarious purposes such as identity theft, tax fraud and medical identity theft. Healthcare data also has a long lifespan – far longer than credit card information.

The failure to adequately protect healthcare data is making it far too easy for hackers to succeed.

Healthcare Organizations Have Increased the Attack Surface

The cloud offers healthcare organizations the opportunity to cut back on the costs of expensive in-house data centers. While cloud service providers have all the necessary safeguards in place to keep sensitive data secure, those safeguards need to be activated and configured correctly.

Healthcare organizations that have moved data to the cloud have increased the attack surface, yet a substantial percentage have not effectively managed the risks and have left healthcare data exposed.

The problem is not the use of the cloud, but “a lack of process, training, and cybersecurity best practices,” according to Insights. The problem is also not confined to the healthcare industry, as other industry sectors face the same problems, but healthcare organizations face greater risks as hackers are searching for healthcare data.

The Insights report concentrates on exposed healthcare databases which are increasingly being targeted by hackers due to the large volumes of valuable data that can be obtained and the ease of gaining access to those databases. Many are left totally unprotected. All hackers need to know is where to look.

Insights Identified 16,667 Exposed Medical Records Per Hour

For the study, the researchers looked at two commonly used technologies for handling medical records and well-known commercially available databases.

The researchers wanted to demonstrate just how easy it is to find healthcare data. They used no hacking techniques to find the exposed data, only Google and Shodan searches, technical documentation, subdomain enumeration, and educated guesses about the combination of sites, systems and data.

After 90 hours of research and evaluations of 50 databases, 15 exposed databases were found. Those databases contained 1.5 million health records. That’s a rate of 16,667 medical records per hour. Even with a conservative estimate of a price of $1 per medical record on the black market, that would mean a full-time hacker could earn $33 million per year.  Insights estimated 30% of healthcare databases are exposed online.

“Although our findings were not statistically significant, our [database exposure] rate of 30% is fairly consistent with what we’re seeing across all industries for exposed assets,” explained Insights in the report.

The researchers found healthcare data at rest and in motion. The researchers identified open Elasticsearch databases, which can be found using the search engine Shodan. One of those databases contained the records of 1.3 million patients. The records came from a large healthcare clinic in a major European capital city.

Unsurprisingly, given the number of cases of misconfigured MongoDB databases that have been discovered this year, the researchers found a misconfigured MongoDB database used by a Canadian healthcare provider.

In addition to databases, the researchers noted one healthcare provider was using vulnerable SMB services despite the recent WannaCry attacks and one U.S hospital was using an exposed FTP server. “FTP’s usually hold records and backup data and are kept open to enable backup to a remote site. It could be a neglected backup procedure left open by IT that the hospital doesn’t even know exists,” wrote Insights.

“Healthcare budgets are tight, and if there’s an opportunity to purchase a new MRI machine versus make a new IT or cybersecurity hire, the new MRI machine often wins out. Healthcare organizations need to carefully balance accessibility and protection,” explained Insights analyst, Ariel Ainhoren.

The report – Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry – can be downloaded on this link.

The post 30% of Healthcare Databases Misconfigured and Accessible Online appeared first on HIPAA Journal.

University of Maryland Medical System Discovers 250-Device Malware Attack

Posted by HIPAA Journal

In the early hours of Sunday, December 9, 2018, the University of Maryland Medical System discovered an unauthorized individual had succeeded in installing malware on its network. Prompt action was taken to isolate the infected computers to contain the attack.

According to a statement issued by UMMS senior VP and chief information officer, Jon P. Burns, most of the devices that were infected with the malware were desktop computers. The prompt action taken by IT staff allowed the infected computers to be quarantined quickly. No files were encrypted and there was no impact on medical services.

UMMS should be commended for its rapid response. The attack was detected at 4.30am and by 7am, its networks and devices had been taken offline and affected devices had been quarantined. The majority of its systems were back online and fully functional by Monday morning.

The incident highlights just how important it is for healthcare organizations to have an effective incident response plan that can be immediately implemented in the event of a malware attack.

UMMS runs medical facilities in more than 150 locations and uses more than 27,000 computers. If a breach response plan had not been in place, the malware attack could have been far more serious and could have had a major impact on patients.

“The measures we took to identify the initial threat, isolate it to prevent intrusion, and to counter and combat the attack before it could infiltrate and infect our network worked as designed,” explained Burns.

At this stage, UMMS does not believe that any medical records or other patient data have been compromised. The investigation into the attack is continuing to determine how the malware was introduced. UMMS has enlisted help from computer forensics experts in this regard and the security breach has been reported to law enforcement.

The post University of Maryland Medical System Discovers 250-Device Malware Attack appeared first on HIPAA Journal.

DHS/FBI Issue Fresh Alert About SamSam Ransomware

Posted by HIPAA Journal

In late November, the Department of Justice indicted two Iranians over the use of SamSam ransomware, but there is unlikely to be any let up in attacks.

Due to the high risk of continued SamSam ransomware attacks in the United States, the Department of Homeland Security (DHS) and FBI have issued a fresh alert to critical infrastructure organizations about SamSam ransomware.

To date, there have been more than 200 SamSam ransomware attacks, most of which have been on organizations and businesses in the United States. The threat actors behind SamSam ransomware have received approximately $6 million in ransom payments and the attacks have resulted in more than $30 million in financial losses from computer system downtime.

The main methods of attack have been the use of the JexBoss Exploit Kit on vulnerable systems, and more recently, the use of Remote Desktop Protocol (RDP) to gain persistent access to systems. Access through RDP is achieved through the purchase of stolen credentials or brute force attacks.

Once access is gained, privileges are escalated to gain administrator rights. The threat actors then explore the network and deploy and execute the ransomware on as many devices as possible to maximize the disruption caused. A ransom demand is then placed on the desktop. Ransoms of between $5,000 and $50,000 are usually demanded, depending on the extent of encryption.

The FBI has analyzed the systems of many SamSam ransomware victims and has determined in many cases there has been previous unauthorized network activity unrelated to the SamSam ransomware attacks. This suggests the SamSam ransomware threat actors have purchased stolen credentials that have previously been used by other threat actors.

“Detecting RDP intrusions can be challenging because the malware enters through an approved access point,” explained DHS/FBI in the report, but there are steps that can be taken to make systems more secure.

Summary of DHS/FBI Advice to Improve Network Security

  • Audit the network for systems that use Remote Desktop Protocol for communications and disable RDP, if possible
  • Close open RDP ports on cloud-based virtual machine instances with public IPs, especially port 3389, unless there is a valid reason for keeping ports open
  • Adhere to cloud providers’ best practices for remote access to cloud-based VMs
  • Locate all systems with open RDP ports behind firewalls and ensure VPNs are used to access those systems remotely
  • Ensure third parties that require RDP access adhere to internal remote access policies
  • Enforce the use of strong passwords
  • Use multi-factor authentication, where possible
  • Ensure software is kept up to date and patches are applied promptly
  • Ensure all data are backed up regularly
  • Implement logging mechanisms that captured RDP logins and retain logs for 90 days. Review logs regularly for attempted intrusions
  • Where possible, disable RDP on critical devices and minimize network exposure for all control system devices
  • Regulate and limit external-to-internal RDP connections
  • Restrict user permissions, especially related to the use of unauthorized/unwanted software applications
  • Use spam filtering technology to scan all email attachments and make sure the attachment extensions match file headers
  • Disable file and printer sharing services where possible. If those services are required, use strong Active Directory authentication.

Technical details of four SamSam (MSIL/Samas.A) ransomware variants have been released (Alert: AA18-337A) to help network defenders protect against attacks.

The post DHS/FBI Issue Fresh Alert About SamSam Ransomware appeared first on HIPAA Journal.

First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine

Posted by HIPAA Journal

The first hospital GDPR violation penalty has been issued in Portugal. The Portugal supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against the Barreiro Montijo hospital near Lisbon for failing to restrict access to patient data stored in its patient management system.

Concerns were raised about the lack of data access controls in April 2018. Medical workers in the southern zone discovered non-clinical staff were using medical profiles to access the patient management system.

CNPD conducted an audit of the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. Only medical doctors at the hospital should have been able to access that level of detailed information about patients. CNPD also discovered a test profile had been set up with full, unrestricted administrator-level access to patient data and nine social workers had been granted access to confidential patient data.

The failure to implement appropriate access controls is a violation of the EU’s General Data Protection Regulation (GDPR) which came into force on May 25, 2018.

The hospital has been fined €400,000 ($455,050) for the GDPR violations – €300,000 for the failure to limit access to patient data and €100,000 for the failure to ensure the confidentiality, integrity, and availability of treatment systems and services. The hospital is taking legal action over the GDPR penalty.

This is the first GDPR violation fine to be issued in Portugal and one of the first fines since GDPR started to be enforced in May 2018. The financial penalty is well below the maximum fine that can be issued for a GDPR violation, which is up to €20 million ($22.74 million) or 4% of global annual turnover, whichever is greater.

In November, the supervisory authority in Germany, Baden-Württemberg Data Protection Authority, issued a financial penalty to the chat platform Knuddels.de for the failure to secure the personal information of EU residents. Knuddels.de suffered a data breach that exposed the email addresses of 808,000 users and 1.8 million usernames and passwords. The investigation revealed sensitive information such as passwords were stored in plain text.

Knuddels.de was fined €20,000 ($22,750). The relatively low fine was due to the level of transparency over the breach, exemplary cooperation with the data protection authority, and the speed at which security upgrades were applied.

The post First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine appeared first on HIPAA Journal.

ONC Announces Winners of Easy EHR Issues Reporting Challenge

Posted by HIPAA Journal

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has announced the winners of its Easy EHR Issues Reporting Challenge.

Currently, reporting EHR safety concerns is cumbersome and causes disruption to clinical workflows. A more efficient and user-friendly mechanism is required to allow EHR users to quickly identify, document, and report issues to their IT teams.

Fast reporting of potential safety issues will allow the root causes of problems to be found more quickly and for feedback to be provided to EHR developers rapidly to ensure problems are resolved in the shortest possible timeframe.

The aim of the challenge was to encourage software developers to create solutions that would help clinicians report EHR usability and safety issues more quickly and efficiently in alignment with their usual clinical workflows and make the reporting of EHR safety issues less burdensome.

After assessing all submissions, ONC chose three winners:

1st Place and $45,000 was awarded to James Madison Advisory Group, which developed a unique solution for documenting and reporting potential EHR safety issues. The tool can be launched using a system tray icon or hotkey without exiting the EHR workflow. The solution works on Windows 8 systems and above and all EHR platforms. The software tool exports data in the HHS Agency for Healthcare Research and Quality (AHRQ) Common Formats XML and PDF, can capture screenshots, and simplifies report delivery.

2nd Place and $25,000 was awarded to Pegwin which developed a software platform that clinicians can use to create and send safety and usability reports with three clicks of a mouse. The solution has an intuitive design, uses contextual menus, and automates Common Formats reporting as far as possible.

3rd Place and $10,000 was awarded to Jared Schwartz and his team for developing a Google Chrome plug-in that integrates with IT ticketing systems. The plug-in allows more consistent capturing of EHR safety issues.

Improving the safety of health IT remains an important priority,” said Andy Gettinger, M.D., ONC chief clinical officer. “We believe that making it easier for end users to report will help in that goal.”

The post ONC Announces Winners of Easy EHR Issues Reporting Challenge appeared first on HIPAA Journal.