Healthcare Data Privacy

Roger Severino Gives Update on OCR HIPAA Enforcement Priorities

Roger Severino, Director of the HHS’ Office for Civil Rights, has given an update on OCR’s HIPAA enforcement priorities at the OCR/NIST 11th Annual HIPAA Conference in Washington D.C.

Severino confirmed that one of OCR’s top policy initiatives is still enforcing the rights of patients under the HIPAA Privacy Rule and ensuring they are given timely access to their health information at a reasonable cost.

Under HIPAA, patients have the right to view and check their medical records and obtain a copy of their health data, yet there are still healthcare organizations that are making this difficult. OCR has already agreed to settle one case this year with a HIPAA-covered entity that failed to provide a patient with a copy of her health information. OCR had to intervene before those records were provided to the patient. The entity in question, Bayfront Health St Petersburg, paid a financial penalty of $85,000 to resolve the HIPAA violation.

More financial penalties will be issued to covered entities that fail to comply with this important provision of HIPAA. Severino confirmed that Bayfront Health’s financial penalty was the first in a series of penalties for covered entities that are not providing patients with access to their health data within 30 days of the request being received.

OCR has issued guidance to help covered entities comply with this aspect of HIPAA, but now the time has come “for serious enforcement,” explained Severino.

Severino also explained that patients must be allowed to have their health data sent to health apps. The requests should only be denied if the app poses a security risk to the covered entity. Severino confirmed a covered entity is not liable for what happens to PHI after a disclosure to a health app at the patient’s request.

In many cases, patients are not being denied access to their medical records and requests for copies of medical records are being honored, but patients are being charged excessive amounts. In 2016, OCR issued guidance on the amounts that healthcare organizations can charge for providing copies of medical records and further clarification was also issued on the fee structures that can be adopted. Financial penalties for overcharging for copies of medical records can be expected.

The crackdown on patient access issues is part of the HHS Regulatory Sprint to Coordinated Care initiative and fits in with the Trump Administration’s drive to improve transparency of healthcare costs and the reduction of the cost of healthcare in the United States.

A prop is always useful for getting a point across. In this case Severino used a medical boot that he purchased to aid recovery from a torn Achilles tendon. Severino said he was advised by his doctor to purchase the boot and paid his doctor $430 for the treatment aid. He explained that he later looked online and found the exact same boot for sale on Amazon for $70, saying “This boot represents what’s wrong with price transparency.”

OCR is looking at how HIPAA can be updated to address this problem, such as requiring healthcare providers and health plans to provide information about the expected out-of-pocket costs for medical services or equipment before those items or services are provided to patients.

Contractors provide quotes for work in advance and banks provide customers with information on the costs of mortgages before providing the funds, but that doesn’t always happen in healthcare. That is something that needs to change.

Severino also touched on the issue of cybersecurity. Phishing and ransomware attacks cause a high percentage of healthcare data breaches and in many cases the attacks can be prevented by practicing good cybersecurity hygiene.

Ransomware is often installed through the exploitation of vulnerabilities in Remote Desktop Protocol. The failure to address those RDP vulnerabilities has led to several major healthcare ransomware attacks and data breaches.

Phishing attacks have been a major cause of healthcare data breaches for several years. It is not possible to prevent all attacks, but by complying with HIPAA, risk can be significantly reduced. HIPAA calls for covered entities to provide employees with training to help them identify and avoid phishing threats. Severino explained that training is critical, as is conducting phishing simulation exercises to find out how susceptible employees are to phishing.

Other cybersecurity failures that, if addressed, could prevent data breaches include the lack of multi-factor authentication, poor access controls, and the failure to promptly terminate access to systems when employees leave the company.

2019 may have only seen four OCR financial penalties issued to date to resolve HIPAA violations but the year is far from over. Further penalties will be announced this year, including one $2.1 million civil monetary penalty.

Severino did not confirm the reason for the penalty or provide any details, other than saying a final determination has been reached and the penalty will be announced by the department soon.

The post Roger Severino Gives Update on OCR HIPAA Enforcement Priorities appeared first on HIPAA Journal.

Philadelphia Department of Public Health Data Breach Exposed PHI of Hepatitis Patients

The Philadelphia Department of Public Health (PDPH) has discovered sensitive information of patients with hepatitis B and hepatitis C has been exposed over the internet and could be accessed by anyone without the need for authentication. The breach came to light on Friday October 12, 2019 following notification from a reporter from The Philadelphia Inquirer.

The issue was corrected within minutes of PDPH being notified of the breach. An investigation has now been launched to determine the nature, cause, and extent of the breach.

New cases of hepatitis B and hepatitis C must be reported to PDPH by medical providers to enable tracking and monitoring of the disease. Both diseases can be transmitted through contact with bodily fluids of an infected person. New cases are often the result of sharing of needles by intravenous drug users. New cases of both forms of hepatitis are monitored as part of the PDPH opioids initiative.

The data supplied by healthcare providers had been uploaded to a website tool that allows aggregated data to be visualized through charts using Tableau software. Tableau dashboards are created to allow data to be aggregated and easily displayed in an understandable format. The creators of Tableau dashboards must ensure security controls are implemented to prevent backend data from being accessed. If those controls are not applied, raw data can be viewed and downloaded.

According to The Philadelphia Inquirer, the breach could have affected tens of thousands of patients. The newspaper found data on around 23,000 patients who had contracted hepatitis C.

The exposed data included a patient’s name, along with their gender, address, test results, and in some cases, Social Security number. The data covered new cases of Hepatitis B and Hepatitis C reported to PDPH between 2013 and 2018. It is currently unclear for how long the data was accessible via the PDPH website, how many patients have been affected, and how many unauthorized individuals accessed the information during the time it was exposed.


New York Legislation Prohibits First Responders from Selling Patient Data for Marketing Purposes

On October 7, 2019, New York Governor Andrew Cuomo signed new legislation into law – S.4119/A.230 – that prohibits first responders and ambulance service personnel from selling or disclosing patient data to third parties for marketing or fundraising purposes.

The bill was originally introduced by New York Assembly Member Edward Braunstein in 2014 following reports that ambulance and first response service personnel were selling patient data such as names, addresses, phone numbers and medical histories to third parties such as pharmaceutical firms and nursing homes for marketing and fundraising purposes. Prior to the introduction of the new law, these disclosures and the sale of patient information were permitted in New York.

“Patients have a right to privacy and their medical information should never be sold to pharmaceutical companies, insurers, nursing homes, or other businesses,” explained Braunstein.

The legislation follows the June 25, 2019 signing of the Stop Hacks and Improve Electronic Data Security (SHIELD) Act into law, which overhauled state regulations for data privacy and security to better protect the private information of New York residents.

The new law applies to ambulance staff and first responders, but not to healthcare providers, health insurers, and parties acting under appropriate legal authority, such as government health inspectors and law enforcement. Patient information may be disclosed, transferred, or sold to the patient who is the subject of the information or a person authorized to make health care decisions on behalf of the patient.

Ambulance staff and first responders are only permitted to sell, disclose, transfer, exchange, or use patient data for marketing or fundraising purposes if they have obtained written consent from the patient in question prior to the sale or disclosure. The new law does not apply to de-identified patient data.

The new law applies to all individually identifying information which would allow a patient to be identified. Marketing is classed as, but not limited to, “advertising, detailing, marketing, promotion, or any activity that is intended to be or could be used to influence business volume, sales or market share or evaluate the effectiveness of marketing practices or personnel,” and applies to the sale or disclosure of patient data to for-profit, not-for-profit, and governmental entities.

“Nothing is more personal than your health records, and New Yorkers have a right to privacy when it comes to this incredibly sensitive information,” said Governor Cuomo. “This law sets clear guidelines so patient information isn’t sold or used for marketing purposes and most importantly doesn’t end up in the wrong hands.”

“Under no circumstances, when someone is in the middle of a life-threatening crisis, should they have to worry about their information being sold for any reason,” added Senator John Liu.


Pulse Connect, GlobalProtect, Fortigate VPN Vulnerabilities Being Actively Exploited by APT Actors

Vulnerabilities in popular VPN products from Pulse Secure, FortiGuard, and Palo Alto are being actively exploited by advanced persistent threat (APT) actors to gain access to vulnerable VPNs and internal networks.

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and other cybersecurity agencies issued security advisories about multiple vulnerabilities in VPN products over the summer of 2019; however, many organizations have been slow to take action. Weaponized exploits for the vulnerabilities have now been developed and are being used by APT actors and exploit code is freely available online on GitHub and the Metasploit framework.

On October 1, 2019, the UK’s National Cyber Security Centre issued a warning about the vulnerabilities following several attacks on government agencies, the military, businesses, and the education and healthcare sectors. The National Security Agency (NSA) also issued a security advisory about the vulnerabilities along with mitigations on October 7.

The vulnerabilities are present in outdated versions of the Pulse Secure VPN (CVE-2019-11508 and CVE-2019-11538), the Palo Alto GlobalProtect VPN (CVE-2019-1579), and the Fortinet Fortigate VPN (CVE-2018-13379, CVE-2018-13382, CVE-2018-13383).

No mention was made about the APT actors responsible for the attacks, although there have been reports that the Chinese APT group APT5 has been conducting attacks on Pulse Secure and Fortinet VPNs.

The weaponized exploits allow APT actors to retrieve arbitrary files, including those containing authentication credentials. Those credentials can then be used to gain access to vulnerable VPNs, change configurations, remotely execute code, hijack encrypted traffic sessions, and connect to other network infrastructure.

The flaws are serious and require immediate action to prevent exploitation. The NSA security advisory urges all organizations using any of the above products to check to make sure they are running the latest versions of VPN operating systems and to upgrade immediately if they are not.

The NSA advisory also provides information on actions to take to check whether the flaws have already been exploited and steps to take if an attack is discovered. If a threat actor has already exploited one of the vulnerabilities and has obtained credentials, upgrading to the latest version of the OS will not prevent those credentials from being used.

The NSA therefore advises all entities running vulnerable VPN versions to reset credentials after the upgrade and before reconnection to the external network as a precaution, since it may be difficult to identify an historic attack from log files.

User, administrator, and service account credentials should be reset, and VPN server keys and certificates should be immediately revoked and regenerated. If a compromise is suspected, accounts should be reviewed to determine whether the attacker has created any new accounts.

The NSA has also provided recommendations for public-facing VPN deployment and long-term hardening controls.


Dental Practice Fined $10,000 for PHI Disclosures on Yelp

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with Elite Dental Associates over the impermissible disclosure of multiple patients’ protected health information (PHI) when responding to patient reviews on the Yelp review website.

Elite Dental Associates is a Dallas, TX-based privately-owned dental practice that provides general, implant and cosmetic dentistry. On June 5, 2016, OCR received a complaint from an Elite patient about a social media HIPAA violation. The patient claimed the dental practice had responded to a review she left on Yelp and publicly disclosed some of the PHI.

When replying to the patient’s June 4, 2016 post, Elite disclosed the patient’s last name along with details of her health condition, treatment plan, insurance, and cost information.

The investigation confirmed that to be the case, but also found it was not the first time that PHI had been disclosed without authorization on the social media platform when responding to patient reviews. Further impermissible PHI disclosures were found on the Elite review page.

In addition to the impermissible disclosures of PHI, which violated 45 C.F.R. § 164.502(a), OCR determined Elite had not implemented policies and procedures relating to PHI, in particular the release of PHI on social media and other public platforms, in violation of 45 C.F.R. § 164.530(i). Elite was also discovered not to have included the minimum required content in its Notice of Privacy Practices as required by the HIPAA Privacy Rule (45 C.F.R. § 164.520(b)).

OCR agreed to a HIPAA violation fine of $10,000 and a corrective action plan (CAP) to resolve the alleged HIPAA violations and settle the case with no admission of liability. The three potential HIPAA violations could have attracted a substantially higher financial penalty; however, when considering an appropriate financial penalty, OCR took the financial position of the practice, its size, and Elite’s cooperation with the OCR investigation into account.

“Social media is not the place for providers to discuss a patient’s care,” said OCR Director, Roger Severino. “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

This is the 4th OCR HIPAA settlement of 2019. In September, OCR fined Bayfront Health St Petersburg $85,000 for a HIPAA Right of Access failure. In May, two settlements were agreed to resolve multiple HIPAA violations at Medical Informatics Engineering ($100,000) and Touchstone Medical Imaging ($3,000,000).


PHI Potentially Compromised in Cybersecurity Breach at North Florida OB-GYN

Jacksonville, FL-based North Florida OB-GYN has discovered hackers gained access to certain parts of its computer system containing patients’ personal and health information and deployed a virus that encrypted files.

Upon discovery of the breach on July 27, 2019, networked computer systems were shut down and breach response and recovery procedures were initiated. Third-party IT consultants assisted with the investigation and confirmed that parts of its networked computer systems had been subjected to unauthorized access and a virus had been used to encrypt certain files. The investigation revealed its systems had most likely been compromised on or before April 29, 2019.

While system access was confirmed, no evidence of unauthorized data access or theft of personal or medical information was found; however, unauthorized data access and data exfiltration could not be ruled out.

Protected health information potentially compromised in the attack varied from patient to patient and may have included name, demographic information, birth date, driver’s license number, ID card number, Social Security number, health insurance information, employment information, diagnoses, treatment information, and medical images.

Affected individuals have been advised to remain vigilant and review their account statements to check for unauthorized use of their information. It does not appear that affected individuals are being offered credit monitoring and identity theft protection services.

North Florida OB-GYN has been able to recover virtually all files encrypted in the attack. It is unclear whether a ransom demand was issued and paid, or if the files were recovered from backups. North Florida OB-GYN has already taken steps to strengthen security to prevent similar incidents from occurring in the future.

The breach has been reported to the HHS’ Office for Civil Rights and appropriate state authorities. The breach has yet to appear on the OCR breach portal, so it is currently unclear how many patients have been affected. This post will be updated as and when further information becomes available.

Tomo Drug Testing Discovers Sensitive Information on Drug Testing Subjects Has Been Compromised

Springfield, MO-based Tomo Drug Testing, a provider of drug screening services, has discovered an unauthorized individual has gained access to a database containing the sensitive information of drug screening subjects, including names, Social Security numbers, driver’s license numbers, state identification numbers, and drug test results.

According to a statement released by the company, the database was accessed on April 23, 2019 and May 9, 2019 by an unidentified individual who claimed to have downloaded and removed certain information from the database.

Tomo Drug Testing learned of the breach on April 23, 2019 and launched an investigation into the breach. Forensics experts were called in to determine whether information had been removed or deleted from the database. While it was not possible to determine whether the database had been copied and stolen, certain items were found to have been removed or deleted from the database.

The database appeared to have been accessed using compromised credentials. Upon discovery of the breach, the password and privileges on the account used to access the database were changed. All data has now been migrated to a more secure system and the previous system has now been decommissioned. Tomo Drug Testing is continuing to implement additional security controls to prevent further incidents from occurring in the future.

Determining who was affected and the types of information in the database was a lengthy process. It took until July 1, 2019 to identify all individuals impacted by the breach and obtain up-to-date contact information. A substitute breach notice has been issued to media outlets as it was not possible to find contact information for all individuals affected.

Notification letters have now been sent and affected individuals have been offered complimentary credit monitoring and identity theft protection services as a precaution. It is currently unclear how many individuals have been impacted.


Sen. Rand Paul Introduces National Patient Identifier Repeal Act

Sen. Rand Paul, M.D., (R-Kentucky) has introduced a new bill that attempts to have the national patient identifier provision of HIPAA permanently removed due to privacy concerns over the implementation of such a system.

Today, HIPAA is best known for its healthcare data privacy and security regulations, but the national patient identifier system was proposed in the original HIPAA legislation of 1996 as a measure to facilitate data sharing and help reduce wastage in healthcare.

The provision called for the HHS to “adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and healthcare provider for use in the health care system.” However, in 1998, former Congressman Ron Paul (R-Texas), Sen. Rand Paul’s father, introduced a proposal which called for a ban on funding the development and implementation of such a system. The ban was introduced into the Congressional budget for 1999 and has been written into all Congressional budgets ever since.

This year there was hope that the ban would finally be removed following a June amendment to the House of Representatives’ appropriations bill for fiscal year 2020. The amendment received strong bipartisan support and it was hoped that the Senate would follow the House’s lead and have the ban finally lifted. However, on September 18, 2019, the Senate appropriations subcommittee’s proposed budget bill for fiscal year 2020 included the same language as previous years and, as it stands, the ban looks set to remain in place for at least another year.

Sen. Rand Paul’s National Patient Identifier Repeal Act seeks to repeal the HIPAA provision, which Sen. Paul believes will place the privacy of Americans at risk. He considers the provision to be dangerous, as it would allow a government-issued ID number to be linked with the private medical histories of every man, woman, and child in America.

It is for the very same reason that dozens of healthcare industry stakeholder groups want the national patient identifier introduced, as without such an identifier, it is difficult to accurately match medical records with the correct patient. Those seeking to have the ban lifted believe it will improve the accuracy of health information exchange and improve security and patient safety.

Sen. Paul disagrees, as he believes the potential privacy risks are too great. “As a physician, I know firsthand how the doctor-patient relationship relies on trust and privacy, which will be thrown into jeopardy by a national patient ID,” explained Sen. Paul. “Considering how unfortunately familiar our world has become with devastating security breaches and the dangers of the growing surveillance state, it is simply unacceptable for government to centralize some of Americans’ most personal information.”

Industry associations such as the College of Healthcare Information Management Executives (CHIME) have stepped up efforts to have the ban lifted due to the difficulties matching medical records with patients.

CHIME CEO, Russ Branzell explained that Congress has already approved a healthcare identifier for Medicare beneficiaries, but a national identifier is also required. “The patient identification conversation is one about saving lives and unlocking the potential for technology to revolutionize healthcare while cutting costs.” He has called Sen. Paul’s views on the national patient identifier “antiquated and from some bygone era.”

While many industry associations share Branzell’s view, Sen. Paul’s bill has received support from certain privacy advocacy groups, including the Citizen’s Council for Health Freedom. Advocates of the removal of the HIPAA provision believe the centralization of patient information would greatly increase the risk of security breaches and could allow hackers to steal individuals’ lifelong healthcare records. They also argue that such a system would allow unprecedented tracking of Americans through their healthcare records.


Senator Demands Answers Over Exposure of Medical Images in Unsecured PACS

Sen. Mark Warner (D-Virginia) has written to TridentUSA demanding answers about a breach of sensitive medical images at one of its affiliates, MobileXUSA.

Sen. Warner is the co-founder of the Senate Cybersecurity Caucus, which was set up as a bipartisan educational resource to help the Senate engage more effectively on cybersecurity policy issues. As part of the SCC’s efforts to improve cybersecurity in healthcare, in June Sen. Warner asked NIST to develop a secure file sharing framework, and in February he wrote to healthcare stakeholder groups requesting they share best practices and the methods they used to reduce cybersecurity risk and improve healthcare data security.

The latest letter was sent a few days after ProPublica published a report of an investigation into unsecured Picture Archiving and Communication Systems (PACS). PACS are used by hospitals and other healthcare organizations for viewing, storing, processing, and transmitting medical images such as MRIs, CT scans, and X-rays. The report revealed more than 303 medical images of approximately 5 million Americans had been left exposed on the Internet due to PACS security failures. Those medical images were stored on 187 U.S. servers, including those used by MobileXUSA.

In the letter, Sen. Warner said “It appears that the information held by MobileXUSA was made accessible due to sloppy cybersecurity practices – no software vulnerabilities were involved, and no explicit hacking was required [to access the images].”

Sen. Warner said HIPAA requires security controls to be applied to keep sensitive data protected, including medical images stored in PACS, and that both TridentUSA and MobileXUSA have a duty under HIPAA to ensure their PACS are not publicly accessible and that proper controls are applied to prevent unauthorized access and data theft.

By October 9, 2019, Sen. Warner requires answers to questions about the cybersecurity practices at both companies to determine how medical images in the PACS were exposed and why the lack of security protections was not detected internally.

Specifically, Sen. Warner wants to know about the audit and monitoring tools employed to analyze their HIPAA-mandated audit trails, whether systems that access the PACS and DICOM images comply with current standards and use access management controls, what identity and access management controls are applied for IP addresses and port filters, whether a VPN or SSL is required to communicate with the PACS, the frequency of vulnerability scans and internal HIPAA compliance audits, what server encryption processes are in use, and whether the companies have an internal security team or if security is outsourced.

PACS and the DICOM image format have been designed to facilitate the sharing of medical images within an organization and with authorized third parties, but it is the responsibility of each organization to ensure that those systems are secured to protect patient privacy.

Healthcare organizations can face many challenges securing their PACS without negatively impacting workflows. To help healthcare organizations secure their systems, NCCoE has recently released new NIST guidance for healthcare providers to help them secure the PACS ecosystem.


Senate Fails to Remove Ban on Funding of National Patient Identifier

The Department of Health and Human Services (HHS) is prohibited from using any of its budget to fund the development and implementation of a national patient identifier, but there was hope that the ban would finally be lifted this year.

The House of Representatives added an amendment to its Departments of Labor, Health, and Human Services, and Education, and Related Agencies Act of 2020 that removed the ban, which would allow the HHS to follow through on this requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

It now looks likely that the ban will remain in place for at least another year as the Senate Appropriations Subcommittee’s draft 2020 fiscal budget bill, released last Wednesday, has retained the text banning the HHS from acting on this HIPAA requirement.

The ban has been in place since 1999 and was introduced because of concerns over patient privacy. The ban has been written into the Congressional budget every year since and the proposed 2020 fiscal budget bill is no different.

The proposed fiscal budget bill includes the text, “None of the funds made available in this act may be used to promulgate or adopt any final standard under section 1173(b) of the Social Security Act providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual’s capacity as an employer or a health care provider), until legislation is enacted specifically approving the standard.”

The purpose of the national patient identifier is to make it easier for patients to be efficiently matched with their health records. Regardless of where a patient receives treatment, their health data will be tied to them through their unique national patient identifier code. The new identifier would help to ensure that patient information could flow freely between different healthcare organizations and it is seen by many healthcare industry stakeholders to be essential for full interoperability. A national patient identifier could help to improve patient privacy, patient safety, and eliminate considerable waste and misspending in healthcare.

For several years, industry associations such as the College of Healthcare Information Management Executives (CHIME), the American Health Information Management Association (AHIMA), and the Health Innovation Alliance (HIA) have been calling for the ban to be lifted.

HIA Executive Director Joel White has called the ban ‘antiquated’ and said studies have suggested that patients are matched with their records as little as 50% of the time. A national patient identifier would instantly solve that problem.

Efforts to have the ban removed have stepped up in recent years, and this year 56 healthcare stakeholder groups urged the Senate to remove the ban. Significant progress was made this year when the amendment received strong bipartisan support in the House of Representatives.

Convincing the Senate to lift the ban is proving more difficult. As long as privacy concerns remain, the ban is unlikely to be lifted. One of the main issues is a single identifier would be used to tie medical records to an individual from birth until death, and that could allow unprecedented tracking of Americans through their health records. It could also potentially facilitate the sharing, use, and analysis of patient data without patient consent.

While the draft fiscal budget bill has not had the ban removed, it is possible that an amendment could be made at a later date. AHIMA and CHIME leaders remain hopeful that the Senate will follow the House’s lead and have the ban lifted this year.
