Healthcare Data Privacy

Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules

A recent study conducted by the consultancy firm CynergisTek has revealed healthcare organizations are not in conformance with NIST Cybersecurity Framework (CSF) controls and the HIPAA Privacy and Security Rules.

For the study, CynergisTek analyzed the results of assessments at almost 600 healthcare organizations against NIST CSF and the HIPAA Privacy and Security Rules.

The NIST CSF is a voluntary framework, but the standards and best practices help organizations manage cyber risks. Healthcare organizations that are not in conformance with CSF controls face a higher risk of experiencing a cyberattack or data breach. On average, healthcare organizations were only in conformance with 47% of NIST CSF controls. Conformance has only increased by 2% in the past year.

Assisted living organizations had the highest level of conformance with NIST CSF (95%), followed by payers (86%), and accountable care organizations (73%). Business associates of HIPAA covered entities only had an average conformance level of 48%. Physician groups had the lowest level of conformance (36%).

Out of the five core functions of the NIST CSF – Identify, detect, protect, respond, and recover – conformance was lowest for detect.

Even though conformance with the HIPAA Security Rule has been mandatory for the past 14 years, many healthcare organizations were found to be falling short. On average, healthcare organizations were found to be in conformance with 72% of HIPAA Security Rule requirements, which was 2% lower than last year. Critical access hospitals fared the worst with an average of 67% conformance.

Even when organizations were complying with HIPAA Rules, significant security gaps were identified, which clearly demonstrated compliance does not necessarily equate to security.

Compliance with the requirements of the HIPAA Privacy Rule was better, but there is still significant room for improvement. On average, healthcare organizations were complying with 77% of HIPAA Privacy Rule provisions. Many organizations had missing policies and procedures and improper postings. More than 60% of assessments revealed gaps in the maintenance of written policies and procedures related to the use and release of protected health information.

Conformance with the HIPAA Privacy Rule increased year over year for payers and physician groups, but declined for hospitals and health systems, falling from 94% in 2017 to 72% in 2018. CynergisTek explained this fall as most likely being due to higher numbers of assessments being performed on hospitals and health systems in 2018.

CynergisTek also found that insider breaches continue to be a major challenge for healthcare organizations. Insiders were responsible for 28% of healthcare data breaches in 2018 and, on average, those breaches took 255 days to detect. 74% of cases involved employees accessing the health records of household members, 10% involved accessing the records of VIPs that were treated at the hospital. 8% of cases involved accessing the health records of co-workers and 8% involved accessing neighbors’ health records.

Business associates were found to be a major security risk. They were involved in 20% of healthcare data breaches in 2018. CynergisTek found that in many cases, healthcare organizations were not proactively assessing their vendors, even those that are medium to high risk. The most common business associate failures were related to risk assessments, governance, and access management.

The post Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules appeared first on HIPAA Journal.

March 2019 Healthcare Data Breach Report

In March 2019, healthcare data breaches continued to be reported at a rate of almost one a day. 30 healthcare data breaches were reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and their business associates. The March total is 11% higher than the average of the past 60 months.

HEalthcare data breaches by month

The number of reported breaches fell by 6.67% month over month and there was a 58% decrease in the number of breached healthcare records. March saw the healthcare records of 883,759 individuals exposed, impermissibly disclosed, or stolen as a result of healthcare data breaches.

healthcare records exposed by month

Causes of March 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights groups together hacking and other IT incidents such as malware and ransomware attacks. This category dominated the breach reports in March with 19 incidents reported. Hacking/IT incidents accounted for 83.69% of all compromised records (739,635 records).

There were 8 unauthorized access/disclosure incidents reported in March. 81,904 healthcare records were impermissibly accessed or disclosed. There were also four theft incidents reported, which involved a total of 23,960 records.

The biggest data breach was reported by Navicent Health – A phishing attack in which the records of 278,016 patients were potentially accessed and copied by the attackers. A similarly sized data breach was reported by ZOLL Services, which impacted 277,319 individuals. The ZOLL Services breach occurred at one of its business associates. It’s email archiving company accidentally removed protections in its network server. It is unclear whether those records were accessed by unauthorized individuals during the time the information was accessible.

Causes of March 2019 healthcare data breaches

Largest Healthcare Data Breaches Reported in March 2019

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
1 Navicent Health, Inc. Healthcare Provider 278,016 Hacking/IT Incident Email
2 ZOLL Services LLC Healthcare Provider 277,319 Hacking/IT Incident Network Server
3 LCP Transportation, Inc Business Associate 54,528 Unauthorized Access/Disclosure Email
4 Superior Dental Care Alliance Business Associate 38,260 Hacking/IT Incident Email
5 Superior Dental Care Health Plan 38,260 Hacking/IT Incident Email
6 St. Francis Physician Services Healthcare Provider 32,178 Hacking/IT Incident Network Server
7 Palmetto Health Healthcare Provider 23,811 Hacking/IT Incident Email
8 Gulfport Anesthesia Services, PA Healthcare Provider 20,000 Theft Other
9 Women’s Health USA, Inc. Business Associate 17,531 Hacking/IT Incident Desktop Computer, Email
10 Verity Medical Foundation Healthcare Provider 14,894 Hacking/IT Incident Email


Location of Breached Protected Health Information

Email incidents dominated the March 2019 healthcare data breach reports with 12 incidents reported that involved ePHI stored in emails and/or email attachments. The vast majority of those email breaches were phishing attacks. There were 7 hacking/IT incidents involving network servers – A combination of ransomware attacks, hacks, and the accidental deactivation of security solutions.

causes of march 2019 healthcare data breaches

March 2019 Healthcare Data Breaches by Covered Entity

Healthcare providers reported the most healthcare data breaches in March with 21 reported incidents. 4 breaches were reported by health plans and there were 5 data breaches reported by HIPAA business associates.  A further three breaches had some business associate involvement.

March 2019 healthcare data breaches by covered entity type

Healthcare Data Breaches by State

Healthcare organizations/business associates based in 18 state reported data breaches in March 2019. Three data breaches were reported in each of California, Ohio, and Pennsylvania. Two breaches were reported in each of Arizona, Idaho, Maryland, Massachusetts, Minnesota, Oregon, and South Carolina. One breach was reported in each of Arizona, Connecticut, Florida, Georgia, Indiana, Mississippi, New York, and Oklahoma.

HIPAA Enforcement in March 2019

The HHS’ Office for Civil Rights did not agree any fines or settlements in March 2019; however, the Texas Department of Aging and Disability Services has agreed to a financial penalty over a 2015 data breach.

Texas approved a settlement of $1.6 million to resolve alleged HIPAA violations discovered during the investigation of an 8-year data breach that was reported in June 2015. OCR has yet to confirm the settlement publicly.

There were no HIPAA-related financial penalties agreed with state attorneys general in March 2019.

The post March 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

OCR Issues Warning on Advanced Persistent Threats and Zero-Day Exploits

The HHS’ Office for Civil Rights has raised awareness of the risk of advanced persistent threats and zero-day exploits in its spring cybersecurity newsletter.

Healthcare organizations are attractive targets for hackers due to quantity of sensitive data they store. Individual’s protected health information is highly valuable as it can be used for many different purposes, including identity theft, tax fraud, and gaining access to medical services. Sensitive information about medical conditions can also be used to blackmail individuals.

Healthcare organizations also store research data, genetic data, and data from experimental treatments, all of which are of great value cybercriminals. The information can be used by foreign governments to drive innovation.

There are many techniques that hackers use to break through defenses and silently gain access to networks, two of the most serious threats being advanced persistent threats and zero-day exploits.

An advanced persistent threat (APT) is a term used to refer to repeated cyberattacks that attempt to exploit vulnerabilities to gain access to information systems. These attacks are often sophisticated, but even relatively simple attacks are dangerous due to their persistence.

The aim of the attacks is to stealthily gain access to information systems and steal information over a long period of time. “Advanced” comes from the techniques used to access networks and remain undetected, such as the use of malware. “Persistent” refers to the length of time that systems are accessed and information is stolen. Several APT groups have succeeded in gaining access to healthcare IT systems in the United States and have used that access to steal sensitive patient information and propriety healthcare data.

Zero-day exploits – or zero-day attacks – involve the use of previously unknown vulnerabilities to attack organizations. By their very nature, these types of attacks can be difficult to prevent. Since the vulnerabilities are only known to hackers, no patches exist to correct the flaws.

Oftentimes, vulnerabilities are discovered as a result of them being exploited. Patches are promptly released to correct the flaws, but hackers will continue to take advantage of the vulnerabilities until systems are patched. It is therefore essential to apply patches promptly and ensure that all operating systems and software are kept up to date.

Once a zero-day vulnerability is publicly disclosed it doesn’t take long for an exploit to be developed. Oftentimes, exploits for recently discovered vulnerabilities are developed and used in attacks within days of a patch being released.

If patches cannot be applied promptly, such as if extensive testing is required, it is important to implement workarounds or other security controls to prevent the vulnerabilities from being exploited. The use of encryption and access controls can help to ensure that even if access to a network is gained through the exploitation of a vulnerability, damage is minimized.

OCR has warned of the danger of combination attacks involving APTs and zero-day exploits, such as the use of the NSA’s EternalBlue exploit. Within days of the exploit being made available online, it was incorporated into WannaCry ransomware which infected hundreds of thousands of computers around the world. A patch for the vulnerability that EternalBlue exploited was released by Microsoft 2 months before the WannaCry attacks. Organizations that patched promptly were protected against the exploit and WannaCry.

Healthcare organizations and their business associates can Improve their defenses against zero-day exploits and APTs by implementing measures outlined in the HIPAA Security Rule. OCR has draw attention to the following requirements of the Security Rule which can help prevent and mitigate zero-day exploits and APTs:

The post OCR Issues Warning on Advanced Persistent Threats and Zero-Day Exploits appeared first on HIPAA Journal.

Amazon Launches New System for De-identifying Medical Images

Amazon has announced that it has developed a new system that allows identifying protected health information contained in medical images to be automatically removed to prevent patients from being identified from the images.

Medical images often have patients’ protected health information stored as text within the image, including the patient’s name, date of birth, age, and other metrics. Prior to the images being used for research, authorization must be obtained from the patient or all identifying data must be permanently removed.  Removing PHI from images requires a manual check and alteration of the image to redact the PHI and that can be an expensive and time-consuming process, especially when large number of images must be de-identified.

The new system uses Amazon’s Rekognition machine-learning service, which can detect and extract text from images. The text is then fed through Amazon Comprehend Medical to identify any PHI. In combination with Python code it is possible to quickly redact any PHI in the images. The system works on PNG, JPEG, and DICOM images.

A confidence score is provided by the service which indicates the level of confidence in the accuracy of the detected entity, which can form the basis of reviews to make sure that information has been correctly identified. The desired confidence level – from 0.00 to 1.00 – can be set by the user. A confidence level of 0.00 will see all text identified by the service be redacted.

Amazon says the system allows healthcare organizations to de-identify large numbers of images quickly and inexpensively. Amazon notes that the system can be used to batch process thousands or millions of images. Also, once an image has been processed and the location of PHI has been identified, it is possible to associate a Lambda function to automatically redact PHI from any new images when they are uploaded to an Amazon S3 bucket.

The post Amazon Launches New System for De-identifying Medical Images appeared first on HIPAA Journal.

Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations

A lawsuit has been filed against Sharp HealthCare and Sharp Grossmont Hospital which alleges the hospital secretly recorded video footage of female patients undressing and having gynaecological examinations performed.

According to the lawsuit, the hospital installed video cameras in three operating rooms as part of an internal investigation into the theft of the anaesthesia drug, propofol, from drug carts. The cameras were actively recording between July 17, 2012 and June 30, 2013 at its facility on Grossmont Center Drive in El Cajon, San Diego.

During the time that the cameras were recording 1,800 patients were filmed undergoing procedures such as hysterectomies, Caesarean births, dilation and curettage for miscarriages, and other surgical procedures. The motion-activated cameras had been installed on drug carts and continued to record even after motion had stopped.

A spokesperson for Sharp Grossmont Hospital confirmed that three cameras had been installed to ensure patient safety by determining the cause of missing drugs from the carts.

The lawsuit states that, “At times, defendants’ patients had their most sensitive genital areas visible.” The position of the laptop cameras was such that patients’ faces could be seen in the recordings and, as such, patients could be identified from the recordings.

The lawsuit alleges the video recordings could be accessed by multiple individuals including medical and non-medical staff and strangers via desktop computers. Controls had not been implemented to log which users had gained access to the video recordings or why the videos had been viewed.

The plaintiffs allege that many of the computers on which the videos were stored have since been replaced or refreshed and that Sharp has destroyed many of the videos; however, Sharp could not confirm whether those files were securely erased and if they could potentially be recovered.

The lawsuit was originally filed in 2016 but was denied class certification. The case has now been re-filed. 81 women who received surgical procedures in the operating rooms during the period in which the cameras were active have been included in the lawsuit and hundreds more women are expected to join.

The plaintiffs allege their privacy was violated as a result of the unlawful recording of video footage, there was a breach of fiduciary duty, negligent infliction of emotional distress, and that the failure to secure the video footage and ensure it was permanently destroyed amounts to gross negligence.

As a result of the actions of Sharp, “Plaintiffs suffered harm including, but not limited to, suffering, anguish, fright, horror, nervousness, grief, anxiety, worry, shock, humiliation, embarrassment, shame, mortification, hurt feelings, disappointment, depression and feelings of powerlessness,” states the lawsuit.

The plaintiffs are seeking a jury trial.

The post Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations appeared first on HIPAA Journal.

Health Apps Share User Data but Lack Transparency About the Practice

Mobile health apps are commonly used to track health metrics and promote healthier lifestyles, and as such, they record a range of sensitive health information. What consumers may be unaware of is how that data is used and with whom the information is shared.

Information entered into an app is commonly shared with multiple third parties and the data is often monetized, but consumers are left in the dark about the practice.

A study of data sharing practices by medicines-related apps, published in the BMJ, revealed that out of 24 apps that were studied, 19 (79%) shared user data with third parties.

The types of apps that were assessed pertained to dispensing, administration, prescribing or use of medicines. Each app was subjected to simulated real world use with four dummy scripts.

The researchers found user data was shared with 55 different entities, from 46 parent companies, which either received or processed the data. Those entities included app developers, parent companies, and third-party service providers. 67% of the third parties provided services related to the collection or analysis of data, including analytics and advertising, and 33% provided infrastructure related services.

71% of apps transmitted user data outside of the app, including information such as the name of the device, the operating system, email address, and browsing behavior. Some of the apps transmitted sensitive information such as the user’s drug list and location.

While some of the data that was shared was not particularly sensitive, such as the Android ID or device name, the information could be aggregated with other information that could allow a user to be identified. Several companies within the network had the ability to aggregate and re-identify user data.

104 transmissions were detected in the study, 94% of which were encrypted and 6% were sent in cleartext. 13% of tested aps leaked at least some user data in cleartext.

A network analysis was also performed which revealed that first and third parties received a median of three unique transmissions of user data and third parties were discovered to advertise the ability to share user data with 216 fourth parties.

Many of the apps also requested permissions which the researchers rated as dangerous. On average, the apps requested four ‘dangerous’ permissions, including permissions to read and write to device storage (79%), view Wi-Fi connections (46%), read accounts listed on the device (29%), access phone status data, including network information, phone number, and when the user received a phone call (29%), and the location of the user (25%).

While the apps were legitimate and data sharing is legal, the researchers noted that there was a lack of transparency about the use of user data. “The lack of transparency, inadequate efforts to secure users’ consent, and dominance of companies who use these data for the purposes of marketing, suggests that this practice is not for the benefit of the consumer.”

The researchers also issued a warning about medicine related apps, saying “Clinicians should be conscious about the choices they make in relation to their app use and, when recommending apps to consumers, explain the potential for loss of personal privacy as part of informed consent. Privacy regulators should consider that loss of privacy is not a fair cost for the use of digital health services.”

The post Health Apps Share User Data but Lack Transparency About the Practice appeared first on HIPAA Journal.

Concerns Raised About the Sharing of Health Data with Non-HIPAA Covered Entities via Apps and Consumer Devices

Earlier this month, the eHealth Initiative Foundation and Manatt Health issued a brief that calls for the introduction of a values framework to better protect health information collected, stored, and used by organizations that are not required by law to comply with Health Insurance Portability and Accountability Act (HIPAA) Rules.

Health information is increasingly being collected by a wide range of apps and consumer devices. In many cases, the types of data collected by these apps and devices are the same as those collected and used by healthcare organizations. While healthcare organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of health information and uses and disclosures of that information are restricted, the same rules do not cover the data if the information is collected by other entities.

It doesn’t matter what type of organization stores or uses the data. If that information is exposed it can cause considerable harm, yet this is currently something of a gray area that current regulations do not cover properly.

At the time when HIPAA and the subsequent Privacy and Security Rules were enacted, the extent to which health information would be collected and used by apps and consumer devices could not have been known. Now, new rules are required to ensure that health information is not exposed and remains private and confidential when collected by non-HIPAA covered entities.

Laws have been introduced that do extend to health data collected by apps and consumer devices, including the California Consumer Privacy Act (CCPA), but these laws only apply at the state level and protections for consumers can vary greatly from state to state.

HIPAA was updated by the HITECH Act of 2009, which does cover electronic medical records and health IT, but does not extend to apps and consumer devices. GDPR covers consumer data collected by apps and consumer devices, but only for companies doing business with EU residents.

The Brief, entitled, Risky Business? Sharing Data with Entities Not Covered by HIPAA explores the problem, the extent of data now being shared, and aims to clear up some of the confusion about when HIPAA applies to apps and consumer devices and when it does not and explores other federal guidance and regulations that has been issued by the FDA, FTC, and CMS covering mobile apps and consumer devices.

HIPAA does apply to business associates of HIPAA covered entities that provide apps and devices on behalf of the covered entity. However, if the app or device is not provided by a vendor acting as a business associate of a HIPAA covered entity, HIPAA Rules do not apply. Many healthcare organizations struggle to make the determination about whether a vendor is a business associate and if devices and apps are offered on behalf of the covered entity. The brief attempts to explain the often-complex process.

One area of particular concern is the growing number of people who are using genealogy services and are supplying companies with their DNA. Individuals are voluntarily providing this information, yet many are unaware of the implications of doing so and are unaware of the lucrative DNA market and the potential sale of their DNA profiles.

“Privacy and security in healthcare are at a critical juncture, with rapidly changing technology and laws that are struggling to keep pace,” explained Jennifer Covich Bordenick, Chief Executive Officer, eHealth Initiative Foundation. “Even as new laws like CCPA and GDPR emerge, many gray areas for the use and protection of consumer data need to be resolved. We hope the insights from papers like this help industry and lawmakers to better understand and address the world’s changing privacy challenges.”

The post Concerns Raised About the Sharing of Health Data with Non-HIPAA Covered Entities via Apps and Consumer Devices appeared first on HIPAA Journal.

$1.6 Million Settlement Agreed with Texas Department of Aging and Disability Services Over 2015 Data Breach

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with the Texas Department of Aging and Disability Services (DADS) to resolve HIPAA violations discovered during the investigation of a 2015 data breach that exposed the protected health information of 6,617 Medicaid recipients.

The breach was caused by an error in a web application which made ePHI accessible over the internet for around 8 years. DADS submitted a breach report to OCR on June 11, 2015.

OCR launched an investigation into the breach to determine whether there had been any violation of HIPAA Rules. On July 2015, OCR notified DADS that the investigation had revealed there had been multiple violations of HIPAA Rules.

DADS was deemed to have violated the risk analysis provision of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – by failing to conduct a comprehensive, organization-wide risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI.

There had also been a failure to implement appropriate technical policies and procedures for systems containing ePHI to only allow authorized individuals to access those systems, in violation of 45 C.F.R. § 164.308(a)(4) and 45 C.F.R. § 164.312(a)(1).

Appropriate hardware, software, and procedural mechanisms to record and examine information system activity had not been implemented, which contributed to the duration of exposure of ePHI – A violation of 5 C.F.R. § 164.312(b).

As a result of these violations, there was an impermissible disclosure of ePHI, in violation of 45 C.F.R. § 164.502(a).

The severity of the violations warranted a financial penalty and corrective action plan. Both were presented to the State of Texas and DADS was given the opportunity to implement the measures outlined in the CAP to address the vulnerabilities to ePHI.

The functions and resources that were involved in the breach have since been transferred to the Health and Human Services Commission (HHSC), which will ensure the CAP is implemented.

The State of Texas presented a counter proposal for a settlement agreement to OCR which will see the deduction of $1,600,000 from sums owed to HHSC from the CMS. The settlement releases HHSC from any further actions related to the breach and HHSC has agreed not to contest the settlement or CAP.

The settlement has yet to be announced by OCR, but it has been approved by the 86th Legislature of the State of Texas. This will be the first 2019 HIPAA settlement between OCR and a HIPAA covered entity.

The post $1.6 Million Settlement Agreed with Texas Department of Aging and Disability Services Over 2015 Data Breach appeared first on HIPAA Journal.

D.C. Attorney General Proposes Tougher Breach Notification Laws

Washington D.C. Attorney General Karl. A. Racine is looking to strengthen data breach notification laws to provide greater protection for D.C. residents when their personal information is exposed in a data breach.

On March 21, 2019, Attorney General Racine introduced the Security Breach Protection Amendment Act, which expands the definition of personal information that warrants notifications to be sent to consumers in the event of a data breach.

Currently laws in the District of Columbia require breach notifications to be sent if there has been a breach of Social Security numbers, driver’s license numbers, or financial information such as credit and debit card numbers.

If passed, the Security Breach Protection Amendment Act will expand the definition of personal information to include taxpayer ID numbers, genetic information including DNA profiles, biometric information, passport numbers, military Identification data, and health insurance information.

Attorney General Racine said one of the main reasons why the update was required was to better protect state residents from breaches similar to the one experienced by Equifax. That breach affected 143 million individuals globally and 350,000 D.C. residents.

Additionally, the Security Breach Protection Amendment Act requires companies that collect, own, license, handle, or otherwise possess the ‘personal information’ of District residents to implement safeguards to ensure personal information remains private and confidential.

The Security Breach Protection Amendment Act also requires companies to explain to consumers the types of information that have been breached and the steps consumers can take to protect their identities, including the right to place a security freeze on their accounts at no cost.

In the event of a breach of Social Security numbers, companies would be required to offer a minimum of two years membership to identity theft protection services free of charge. The D.C. attorney general would also need to be notified about a breach of personal information, although the timescale for doing so is not stated in the bill.

Violations of the Security Breach Protection Amendment Act would be considered a violation of the D.C. Consumer Protection Procedures Act and could attract a significant financial penalty.

This is not the first time that Attorney General Racine has sought to increase protections for consumers in the event of a data breach. A similar bill was introduced in 2017 but it failed to be passed by the D.C Council.

The Security Breach Protection Amendment Act must first be approved by the Mayor and D.C. Council, then it will be passed to Congress which will have 30 days to complete its review.

The update follows similar amendments that have been proposed in several states and territories over the past few months. While the updates are good news for Americans whose sensitive information is exposed, the current patchwork of state laws can be complicated for businesses, especially those that operate in multiple states.

What is needed is a federal breach notification law that standardizes data breach notification requirements and uses a common definition for ‘personal information’. Such a bill has been proposed in the House and Senate on three occasions in the past three years, but each time it has failed to be passed and signed into law.

The post D.C. Attorney General Proposes Tougher Breach Notification Laws appeared first on HIPAA Journal.