Healthcare Cybersecurity

OIG Identified Serious Security Failures at Arizona Managed Care Organizations

Posted by HIPAA Journal

The Department of Health and Human Services’ Office of Inspector General (OIG) has issued a report on the findings of security audits at two managed care organizations (MCOs) in Arizona. OIG discovered serious security flaws in information systems that could place the confidentiality, integrity, and availability of Medicaid data and systems used to process Medicaid managed care claims at risk.

OIG conducted the audits to determine whether the Arizona Medicaid MCOs were adequately protecting their information systems and Medicaid data, and whether they were in compliance with Health Insurance Portability and Accountability Act (HIPAA) security requirements.

OIG discovered 19 security vulnerabilities in access controls and configuration management spanning 9 security control areas.

5 vulnerabilities were identified in the access controls category and 14 vulnerabilities were identified in the configuration management category. They included vulnerabilities in access controls, administrative controls, patch management, antivirus management, database management, server management, website security, and the configuration of network devices. The vulnerabilities were collectively and, in some cases, individually significant, although OIG did not uncover any evidence to suggest the vulnerabilities had been exploited.

Examples of vulnerabilities in the access control category include the failure to disable user accounts for terminated employees in a timely manner and the lack of two-factor authentication for remote network access.

Examples of vulnerabilities in the configuration management category include the misconfiguration of firewall Secure Shell (SSH) session timeouts. While the default timeout was 5 minutes, at one of the MCOs it had been changed to 30 minutes. Such a long timeframe would allow an attacker to access the system using an authenticated administrator session that had not been terminated.

The MCOs failed to apply patches on workstations promptly. If vulnerabilities persist, they can be exploited to gain access to data as the May 2017 WannaCry attacks on the UK’s National Health Service (NHS) clearly demonstrated.

Antivirus software was not updated at one of the MCOs. Around half of its servers had out of date antivirus definitions, which could have allowed malware to be installed undetected. Unsupported software was still in use on three production servers used by one MCO and there was no encryption used on the claims processing database.

The auditors found that in three security control areas, which accounted for 10 of the 19 vulnerabilities identified, similar vulnerabilities were present at both audited MCOs.

The discovery of similar security vulnerabilities at both MCO’s strongly suggests that other MCOs in the state, and potentially nationwide, could have the same vulnerabilities. OIG also notes that federal regulations covering the security of Medicaid data differ depending on who holds the data. The different application of security measures by state agencies and MCOs could affect state-MCO relationships nationwide and thus increase the risk of exposure of Medicaid data.

OIG recommended the CMS to conduct a documented risk assessment to determine how the disparate application of Federal security requirements creates cybersecurity risks for Medicaid data maintained by MCOs, and suggested the CMS identify actions that could be taken to address the security gaps.

OIG also recommended that the CMS should inform all state agencies of the findings of the audits to raise awareness of the vulnerabilities to enhance nationwide awareness of cybersecurity weaknesses.

The CMS did not concur with the OIG recommendation to conduct a documented risk assessment. “CMS stated that a risk assessment is already a requirement under the jurisdiction of the HHS Office for Civil Rights (OCR) and it would be duplicative of existing risk assessment efforts.”

OIG noted that since the issue concerns the Medicaid program and OCR is not responsible for the disparate application of Federal security requirements, the CMS is in the best position to ensure that security requirements are consistently applied to protect Medicaid data, regardless of who holds the data.  The CMS did concur with the the recommendation to notify state agencies about the cybersecurity vulnerabilities uncovered by the audits.

The post OIG Identified Serious Security Failures at Arizona Managed Care Organizations appeared first on HIPAA Journal.

DOJ Indicts Two Iranian Hackers for Role in SamSam Ransomware Attacks

Posted by HIPAA Journal

The U.S. Department of Justice has announced significant progress has been made in the investigation of the threat actors behind the SamSam ransomware attacks that have plagued the healthcare industry over the past couple of years.

The DOJ, assisted the Royal Canadian Mounted Police, Calgary Police Service, and the UK’s National Crime Agency and West Yorkshire Police, have identified two Iranians who are believed to be behind the SamSam ransomware attacks.

Both individuals – Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri – have been operating out of Iran since 2016 and have been indicted on four charges:

  • Conspiracy to commit fraud and related computer activity
  • Conspiracy to commit wire fraud
  • Intentional damage to a protected computer
  • Transmitting a demand in relation to damaging a protected computer

The DOJ reports that this is the first ever U.S. indictment against criminals over a for-profit ransomware, hacking, and extortion scheme.

In contrast to many threat actors who use ransomware for extortion, the SamSam ransomware group conducts targeted, manual attacks on organizations. Most ransomware gangs use spam email and other mass distribution techniques to infect as many individuals as possible.

The SamSam ransomware group exploits vulnerabilities and conducts brute force RDP attacks to gain access to systems, then investigates networks and moves laterally before manually deploying ransomware on as many computers as possible.

This method of attack allows the threat actors to inflict maximum damage. With a large percentage of an organization’s computers and systems taken out of action, the gang can issue large ransom demands. The ransoms demanded are typically in the range of $5,000 to $50,000, with the amount based on the number of devices that have been encrypted.

In the two years that the gang has been deploying SamSam ransomware, approximately $6,000,000 in ransom payments have been collected from around 200 victims. Many victims chose not to pay the ransom demands but still incurred significant costs mitigating the attacks. The DOJ estimates that in addition to the ransom payments, additional losses from downtime due to the attacks has exceed $30 million.

The gang’s list of victims is long and includes the cities of Newark, New Jersey and Atlanta, the Colorado Department of Transportation, and the Port of San Diego. Healthcare industry victims include Hancock Health, Adams Memorial Hospital, Kansas Heart Hospital, Allied Physicians of Michiana, Cass Regional Medical Center, Nebraska Orthopedic Hospital, LabCorp of America, Allscripts, and MedStar Health.

Research by Sophos indicates 26% of attacks were on the healthcare organizations, 13% were on government agencies, 11% were on educational institutions, and 50% were on private companies. The attacks have primarily been conducted on organizations in the United States, with other victims spread across Canada, the UK, and the Middle East.

The DOJ said the SamSam ransomware gang “engaged in an extreme form of 21st-century digital blackmail, attacking and extorting vulnerable victims like hospitals and schools, victims they knew would be willing and able to pay.”

The DOJ will continue to work with international law enforcement agencies to gather evidence and bring those responsible to justice.

The DOJ has also taken the opportunity to spread the message that all industry sectors are at risk of being attacked. “This indictment highlight[s] the need for businesses, healthcare institutions, universities, and other entities to emphasize cyber security, increase threat awareness, and harden their computer networks,” wrote the DOJ in a press release announcing the indictment.

The post DOJ Indicts Two Iranian Hackers for Role in SamSam Ransomware Attacks appeared first on HIPAA Journal.

2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach

Posted by HIPAA Journal

A data breach has been reported by AccuDoc Solutions Inc., a provider of healthcare billing services, that resulted in the exposure of the protected health information of 2,650,000 patients of Atrium Health.

Morrisville, NC-based AccuDoc Solutions prepares bills for patients and operates the online payment system used by Atrium Health, a network of 44 hospitals throughout North Carolina, South Carolina and Georgia.

On October 1, 2018, AccuDoc Solutions notified Atrium Health that some of its databases had been compromised. The breach investigation revealed hackers had gained access to AccuDoc Solutions databases between September 22 and September 29, 2018.

An extensive forensic investigation into the attack confirmed that patient information had been compromised, but the information stored in its databases could only be viewed. No PHI was downloaded by the attackers nor distributed via other channels.

AccuDoc Solutions reports that the breach was due to a security vulnerability at a third-party vendor. The business relationship with that vendor has now been terminated. AccuDoc Systems has locked out the hackers and has enhanced its security measures to prevent future attacks.

Atrium Health said the information compromised in the attack was limited to patients’ names, addresses, invoice numbers, account balances, service dates, and health insurance information. Approximately 700,000 Social Security numbers were also compromised; however, no sensitive financial information or medical records were affected.

“We are notifying the patients and guarantors who may have been impacted by this incident. We take cybersecurity very seriously, and we’ve worked very hard to determine exactly what happened, and how to prevent it from happening again,” said a spokesperson for Atrium Health. “The fact that even one record was accessed is one too many. Our patients expect us to keep all of their information private, which is why we took action so quickly.”

Atrium Health is now notifying all affected patients and has offered credit monitoring and identity theft protection services to patients impacted by the breach.

AccuDoc serves approximately 50 other healthcare providers; however only one other client was affected by the breach: Baylor Medical Center in Frisco, TX. Approximately 40,000 Baylor Medical Center patients were affected.

Based on the estimated number of individuals affected, this is the largest healthcare data breach since the 3,466,120-record breach at Newkirk Products Inc., that was reported to OCR in September 2016. It is the eleventh largest healthcare data breach reported since OCR started publishing breach summaries in 2009.

Largest Ever Healthcare Data Breaches

Rank Entity Entity Type Individuals Affected Breach Type Date
1 Anthem Inc. Health Plan 78,800,000 Hacking/IT Incident Feb-15
2 Premera Blue Cross Health Plan 11,000,000 Hacking/IT Incident Mar-15
3 Excellus Health Plan, Inc. Health Plan 10,000,000 Hacking/IT Incident Sep-15
4 Science Applications International Corporation Business Associate 4,900,000 Loss Nov-11
5 University of California, Los Angeles Health Healthcare Provider 4,500,000 Hacking/IT Incident Jul-15
6 Community Health Systems Professional Services Corporation Business Associate 4,500,000 Hacking/IT Incident Aug-14
7 Advocate Health and Hospitals Corporation, dba Advocate Medical Group Healthcare Provider 4,029,530 Theft Aug-13
8 Medical Informatics Engineering Business Associate 3,900,000 Hacking/IT Incident Jul-15
9 Banner Health Healthcare Provider 3,620,000 Hacking/IT Incident Aug-16
10 Newkirk Products, Inc. Business Associate 3,466,120 Hacking/IT Incident Aug-16
11 AccuDoc Solutions Inc. Business Associate 2,650,000 Hacking/IT Incident Nov-18
12 21st Century Oncology Healthcare Provider 2,213,597 Hacking/IT Incident Mar-16

The post 2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach appeared first on HIPAA Journal.

Ransomware Attack Results in Partial Closure of Emergency Rooms at Two Hospitals

Posted by HIPAA Journal

Computer systems used by East Ohio Regional Hospital (EORH) in Martins Ferry, OH, and Ohio Valley Medical Center (OVMC) in Wheeling, WV, were taken out of action over the weekend as a result of a ransomware attack.

The ransomware started encrypting files on the evening of Friday, November 23. While the attackers succeeded in gaining access to certain systems by penetrating the first layer of security, the subsequent layer was not breached, and the protected health information of its patients was not compromised. Even so, the attack resulted in disruption to certain medical services at both hospitals.

Patients walking into the emergency room could still be processed and treated, but the hospitals were unable to accept patients from emergency squads. During the attack the hospitals switched to paper charts to ensure data protection and e-squad patients were diverted to other hospitals.

Several hospital systems were taken offline to protect the integrity of information and IT teams have been working around the clock to eradicate the ransomware, restore files, and bring systems back online. The hospitals chose not to pay the ransom demand and instead restored affected files from backups after rebuilding affected systems.

Initially it was hoped that systems would be restored by Sunday evening; however, e-squad patients were still being diverted to other hospitals on Monday evening while the IT staff restored affected systems. “We’ve made great progress, but we are not there yet,” explained Daniel Dunmyer, CEO of OVMC, “It’s taken hours for significant improvement, but it will take days for finalization.”

Until essential systems are restored, the emergency rooms will remain on yellow diversion and remain partially closed. On yellow diversion, “the EMS can call in to the ER and we can let them know if it’s a case we can taken,” explained Dunmyer. On Tuesday, the software used to read radiology and CT scans and make that information available to ER staff was still being rebuilt. Only when that system is restored will EORH/OVMC go off diversion in the ERs.

The post Ransomware Attack Results in Partial Closure of Emergency Rooms at Two Hospitals appeared first on HIPAA Journal.

NIST Releases Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity

Posted by HIPAA Journal

The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE) has released a draft paper covering the privacy and security risks of telehealth and remote monitoring devices and best practices for securing the telehealth and remote monitoring ecosystem.

Patient monitoring systems have traditionally been deployed within healthcare facilities; however, there has been an increase in the use of remote patient monitoring systems in patients’ homes in recent years. While these systems are straightforward to secure in a controlled environment such as a hospital, the use of these systems in patients’ homes introduces new risks.

Managing the risks and ensuring the remote monitoring systems and devices have an equivalent level of security as in-house systems can be a major challenge.

The purpose of the paper is to create a reference architecture which addresses the security and privacy risks and provides practical steps that can be taken to improve the overall security of the remote patient monitoring environment.

The paper addresses cybersecurity concerns related to the use of the devices in patients’ homes, the use of home networks, and patient-owned devices and identifies cybersecurity measures that can be implemented by healthcare organizations with RPM and video telehealth capabilities.

“The project team will perform a risk assessment on a representative RPM ecosystem in the laboratory environment, apply the NIST Cybersecurity Framework and guidance based on medical device standards, and collaborate with industry and public partners,” explained NCCoE.

NCCoE has evaluated the following functions of the devices:

  • Connectivity of devices and applications deployed on patient-owned devices such as smartphones, tablets, laptops, and desktop computers
  • How applications transmit monitoring data to healthcare providers
  • The ability for patients to interact with their point of contact to initiate care
  • The ability for data to be analyzed by healthcare providers to identify trends and issue alerts to clinicians about issues with patients
  • The ability for data to be shared with electronic medical record systems
  • The ability for patients to initiate videoconference sessions through telehealth applications
  • The ability for application patches and updates to be installed
  • How a healthcare provider can establish a connection with a remote monitoring device to obtain patient telemetry data
  • How a healthcare provider can connect to a remote monitoring device to update the device configuration

The paper does not cover risks specific to third party telehealth platform providers nor does it evaluate device vulnerabilities and defects.

Stakeholders have been invited to comment on the draft paper. Comments will be accepted until December.

The guidance document can be downloaded on this link.

The post NIST Releases Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity appeared first on HIPAA Journal.

53% Of Healthcare Data Breaches Due to Insiders and Negligence

Posted by HIPAA Journal

The healthcare industry has had more than its fair share of hacking incidents, but the biggest threat comes from within. The actions of healthcare providers, health insurers, and their employees cause more breaches than hacks, malware, and ransomware attacks.

Researchers at Michigan State University and Johns Hopkins University analyzed data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) over the past 7 years and found that more than half of breaches were the result on internal negligence.

The research study, which was recently published in the journal JAMA Internal Medicine, is a follow-on from a 2017 study that explored the risk of hospital data breaches and the types of hospitals that were most prone to data breaches. While the previous research cast light on which hospitals were most vulnerable, little information was available on the main causes of the breaches. The latest study addresses that gap in knowledge.

The researchers performed a retrospective analysis of the 1,183 healthcare data breaches reported to OCR between October 21, 2009 and December 31, 2017. Those breaches resulted in the exposure of 164 million healthcare records.

The analysis was limited to breaches of 500 or more records, as OCR does not publish summaries of smaller breaches. The breach reports split data breaches into six categories; hacking/IT incidents, unauthorized access/disclosure incidents, theft, loss, improper disposal, and unknown. 77.6% of breaches were correctly classified and 22.24% were misclassified or the cause was unknown.

The researchers discovered that theft of data by third-parties or unknown individuals was the single leading breach cause, accounting for 32.5% of incidents, with mailing errors in second place (10.5%), followed by theft by current or former employees (9%). Internal/external hacking incidents accounted for around 20% of breaches, although those incidents involved 133.8 million of the 164 million compromised records. 53% of all breaches were found to have originated from inside healthcare organizations.

“One quarter of all the cases were caused by unauthorized access or disclosure – more than twice the amount that were caused by external hackers,” said Xuefeng Liang, associate professor of accounting and information systems at MSU’s Eli Broad College of Business and lead author of the study. “This could be an employee taking PHI home or forwarding to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content.”

An analysis of the location of breached PHI showed 46.1% of breaches involved mobile devices, paper records were involved in 28.7% of breaches and 29.3% of breaches involved network servers.

Typically, the actions taken by healthcare organizations post-breach were the use of encryption software, restricting the use of mobile devices, switching to digital records, improving physical security, strengthening firewalls and other cybersecurity protections, and enhancing monitoring and auditing.

While many breaches involve little risk to patients – the accidental disclosure of a name and address to another patient – the consequences of some breaches can be severe: For patients as well as the breached entity. Anthem Inc’s 78.8 million record breach in 2015 was used as an example. Many breach victims had tax returns filed in their names, resulting in financial losses.

In addition to the considerable cost of mitigating the breach – improving cybersecurity protections; hiring forensic investigators, cybersecurity consultants, and legal advisors; printing and mailing notification letters; providing credit monitoring services for breach victims – Anthem had to cover the cost of defending multiple class action lawsuits, which were ultimately settled for $115 million. Anthem has also recently been fined $16 million by OCR to resolve the HIPAA violations uncovered during its breach investigation. Anthem’s reputation has also been tarnished by the breach, the cost of which is difficult to calculate.

The findings of the study are important. “Healthcare entities must understand the causes of PHI breaches if they aim to effectively manage the trade-off between wider access or higher efficiency and more security,” explained the researchers in the paper.

The post 53% Of Healthcare Data Breaches Due to Insiders and Negligence appeared first on HIPAA Journal.

OIG: Cybersecurity One of Top 10 Management and Performance Challenges Faced by HHS

Posted by HIPAA Journal

The Department of Health and Human Services’ Office of Inspector General (OIG) has published its annual report on the top management and performance challenges faced by the HHS.

The report lists 12 major challenges that the HHS must overcome to ensure the department achieves its aims. Given the scale of the current opioid crisis in the United States and its impact, the prevention and treatment of opioid misuse has topped this year’s list.

The report also draws attention to the importance of cybersecurity protections to mitigate threats to be confidentiality, integrity, and availability of health data. Protecting HHS data, systems, and beneficiaries from cybersecurity threats made 10th spot in this year’s list.

In the report, OIG explained that “data management, use, and security are essential to the effective and efficient operation of HHS’ agencies and programs.” Ensuring the integrity of IT systems and the confidentiality and availability of healthcare data are critically important to the health and well-being of Americans.

The HHS has a $5 billion annual budget for IT; a proportion of which is devoted to cybersecurity to ensure data and IT systems are kept secure. The HHS faces major challenges securing its highly complex systems and must store ever increasing volumes of data securely: Data which are spread across multiple locations and are accessible by many entities and individuals. Further, in recent years there has been a major expansion in the use of IoT technology and networked devices, which introduce many new risks. The HHS must ensure its internal systems are protected and is required to oversee the security of cloud data and ensure providers, contractors, and grantees are adhering to cybersecurity best practices.

OIG explained that the types of data used, stored, and transmitted by the HHS are of high value to cybercriminals and are up to ten times more valuable than credit card numbers. Consequently, the HHS is a major target for hackers.

If the HHS fails to secure its data and systems, not only could patients come to harm, it has potential to hinder Federal initiatives such as the NIH ‘All of Us’ Research program, preventing them from achieving their full potential.

OIG reports that the HHS lacks robust resources to prepare cybersecurity staff to respond to cyberattacks and has not thoroughly tested its incident response and recovery procedures, although significant progress has been made in improving cybersecurity protections.

The HHS budget for 2017 allocated $50 million to meet the HHS’s cybersecurity needs and ensure that sensitive data, and the systems on which the information is stored, are kept secure. Part of that budget has been spent on monitoring tools to ensure security compliance, threat hunting technologies have been deployed in some HHS agencies, and the staff of all agencies is now provided with ongoing cybersecurity awareness training.

Cybersecurity testing is conducted in conjunction with the Department of Homeland Security and there is a continuous dialogue across HHS agencies on the cybersecurity and operational challenges faced by the department. While significant progress has been made, there is still a great deal of work to be done.

OIG explained that the HHS needs to develop a well-designed contingency program for cyber-defenses, in addition to those for natural disasters. HHS must also take a more proactive approach to identify and address current and future vulnerabilities before they are exploited, including addressing vulnerabilities that have previously been discovered by OIG and other agencies. HHS must also focus on its capabilities to respond efficiently to a wide range of cybersecurity threats.

The HHS also needs to assist healthcare organizations address threats, which is best achieved through information sharing. Dissemination of threat information and strategies to mitigate threats is essential to ensure that cyberthreats do not result in widespread disruption in the healthcare sector.

The HHS should therefore continuously seek opportunities to partner with other government agencies, academia, private sector companies, and state governments to share cybersecurity information on emerging risks, threats, and best practices.

The HHS must also engage the healthcare and public health sectors to ensure that threat intelligence is communicated effectively and foundational cybersecurity best practices are made available.

The post OIG: Cybersecurity One of Top 10 Management and Performance Challenges Faced by HHS appeared first on HIPAA Journal.

October 2018 Healthcare Data Breach Report

Posted by HIPAA Journal

Our October 2018 healthcare data breach report shows there has been a month-over-month increase in healthcare data breaches with October seeing more than one healthcare data breach reported per day.

31 healthcare data breaches were reported by HIPAA-covered entities and their business associates in October – 6 incidents more than the previous month. It should be noted that one breach at a business associate was reported to OCR as three separate breaches.

Healthcare Data Breaches (by Month)

The number of breached records in September (134,006) was the lowest total for 6 months, but the downward trend did not continue in October. There was a massive increase in exposed protected health information (PHI) in October. 2,109,730 records were exposed, stolen or impermissibly disclosed – 1,474% more than the previous month. In October, the average breach size was 68,055 records and the median was 4,058 records.

Healthcare Data Breaches (records exposed by month)

Largest Healthcare Data Breaches in October 2018

There were 11 healthcare data breaches of more than 10,000 records reported in October – A 120% increases from the five 10,000+ record breaches in September. The largest healthcare data breach in October resulted in the exposure of 1.24 million records: An unauthorized access/disclosure incident at Employees Retirement System of Texas. A flaw in its ERS Online portal allowed members to view the PHI of other members.

566,217 records were exposed in a breach at Banker’s Life, a division of CNO Financial Group Inc., also an unauthorized access/disclosure incident. Employee credentials were stolen and used to gain access to company websites, resulting in the exposure and potential theft of policyholder and applicant information.

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 Employees Retirement System of Texas Health Plan 1248263 Unauthorized Access/Disclosure
2 CNO Financial Group, Inc. Health Plan 566217 Unauthorized Access/Disclosure
3 Health First, Inc Healthcare Provider 42000 Hacking/IT Incident
4 Jones Eye Center, P.C. Healthcare Provider 39605 Hacking/IT Incident
5 Gold Coast Health Plan Business Associate 37005 Hacking/IT Incident
6 The May Eye Care Center Healthcare Provider 30000 Hacking/IT Incident
7 CJ Elmwood Partners, L.P. Healthcare Provider 22416 Hacking/IT Incident
8 Minnesota Department of Human Services Health Plan 20800 Hacking/IT Incident
9 Catawba Valley Medical Center Healthcare Provider 20000 Hacking/IT Incident
10 National Ambulatory Hernia Institute Healthcare Provider 15974 Hacking/IT Incident

Causes of October 2018 Healthcare Data Breaches

Unauthorized access/disclosure breaches resulted in the highest number of compromised records, but hacking/IT incidents were more common in October.  October saw 16 hacking/IT incidents reported, 11 unauthorized access/disclosure incidents, and four theft incidents. There were no reports of lost PHI/ePHI and no improper disposal incidents.

Causes of October 2018 Healthcare Data Breaches

Healthcare Records Exposed by Breach Cause

Healthcare records Exposed by Breach Cause (October 2018)

Location of Breached Protected Health Information

Phishing is arguably the biggest cyber threat faced by healthcare organizations and October saw many phishing attacks reported by healthcare providers. In October, there were 9 incidents involving PHI exposure via email. There were also 9 network server-related breaches, which included hacks, malware, and ransomware attacks.

October 2018 Healthcare data Breach report - Location of Breached PHI

Data Breaches by Covered-Entity Type

In terms of the number of incidents, healthcare providers were the worst hit by data breaches in October with 20 reported breaches, followed by health plans/health insurers with 7. Four HIPAA business associate breaches were reported, three of which were by the same business associate – HealthFitness. One further breach had some business associate involvement.

In terms of the number of exposed records, health plans/insurers fared worse than other HIPAA-covered entities. 1,848,235 healthcare records were exposed at health plans/insurers, 221,994 healthcare records were exposed in healthcare provider breaches, and 39,501 records exposed by business associates.

October 2018 Healthcare Data Breaches by entity type

Healthcare Data Breaches by State

Texas was worst affected by healthcare data breaches in October. 5 breaches were reported by covered entities/business associates based in Texas. California, Connecticut, Illinois, and Washington each had 3 breaches reported. There were two breaches reported in each of Florida, Iowa, Indiana, and Pennsylvania. Minnesota, Missouri, North Carolina, New Mexico, Oklahoma, and Oregon had one breach apiece.

Penalties for HIPAA Violations in October

After a period of quiet on the HIPAA penalty front, the Department of Health and Human Services’ Office for Civil Rights announced three settlements in September related to filming patients without consent. There were followed up in October with a massive fine for Anthem Inc.

The Anthem Inc., HIPAA violation penalty was expected, and given the scale of the breach (78.8 million records), the penalty was likely to be large. After assessing the extent of HIPAA violations, the scale of the breach, and its impact, OCR fined Anthem $16,000,000. The previous largest ever HIPAA penalty was $5,550,000 (Advocate Health Care Network, 2016)

In October, a multi-state action against the health insurer Aetna was concluded and settlements were reached to resolve the HIPAA violations. The penalties related to the impermissible disclosure of 13,160 plan members’ HIV/AIDS diagnoses via a mailing. Settlements were reached with Connecticut, New Jersey, and the District of Columbia totaling $640,170. Washington was also part of the multi-state action, but the settlement amount has not yet been decided.

The post October 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

Congress Passes CISA Act Which Calls for New Cybersecurity Agency Within DHS

Posted by HIPAA Journal

The U.S. Department of Homeland Security will be forming a new agency solely focused on cybersecurity following the passing of new legislation by Congress.

The Cybersecurity and Infrastructure Security Agency Act of 2018 (CISA Act) amends the Homeland Security Act of 2002 can calls for DHS to form a new Cybersecurity and Infrastructure Security Agency. The CISA Act was unanimously passed by the House of Representatives and just awaits the president’s signature.

The new agency will be formed through the reorganization of the National Protection and Programs Directorate (NPPD) and will have the same status as other DHS agencies such as the U.S. Secret Service.

The NPPD is already responsible for reducing and eliminating threats to U.S. critical physical and cyber infrastructure, with cybersecurity elements covered by the Office of Cybersecurity and Communications and the National Risk Management Center.

NPPD currently coordinates IT security initiatives with other entities, local, state, tribal and territorial governments and the private sector and oversees cybersecurity at federal government civilian agencies.

The new name better reflects the work NPPD does and emphasizes the importance of cybersecurity in securing the nation’s critical infrastructure. The new agency will consolidate information security and physical infrastructure security in a unified agency.

“The cyber threat landscape is constantly evolving, and we need to ensure we’re properly positioned to defend America’s infrastructure from threats digital and physical,” said DHS Secretary Kirstjen M. Nielsen. “It was time to reorganize and operationalize NPPD into the Cybersecurity and Infrastructure Security Agency.”

Having a single agency in charge of the nation’s cybersecurity will help the U.S. government address current security gaps. At present, each federal agency is responsible for its own IT systems and managing cyber risks. Regardless of size and budget, each government entity must ensure cyber risks are managed and reduced to a minimal level. There are also several government agencies that cover various cybersecurity functions, which is inefficient and results in security gaps.

“Elevating the cybersecurity mission within the Department of Homeland Security, streamlining our operations, and giving NPPD a name that reflects what it actually does will help better secure the nation’s critical infrastructure and cyber platforms,” said Christopher Krebs, current undersecretary of the NPPD. “The changes will also improve the Department’s ability to engage with industry and government stakeholders and recruit top cybersecurity talent.”

The post Congress Passes CISA Act Which Calls for New Cybersecurity Agency Within DHS appeared first on HIPAA Journal.