Healthcare Data Privacy

Senator Wicker Introduces U.S. Consumer Data Privacy Act of 2019

Senator Roger Wicker (R-Miss), Chair of the Commerce Committee, has released a draft copy of the United States Consumer Data Privacy Act of 2019 (CDAP), a federal data privacy bill that is intended to replace the patchwork of state privacy laws in the United States. CDAP will ensure that all U.S. citizens receive the same rights and privacy protections regardless of where they live. If the bill becomes law it will override state privacy laws, including the California Consumer Privacy Act (CCPA) that is due to take effect on January 1, 2020.

CCPA gives California residents new privacy rights and has been likened to the General Data Protection Regulation in the EU, albeit with fewer security requirements for companies. Similar to GDPR, CCPA allows consumers to see what data is held on them by a company and find out with whom their data has been shared. It also includes a private cause of action, so consumers are permitted to sue companies that are in breach of the CCPA. CCPA will, however, only apply to certain companies – Those with revenues in excess of $25 million as well as any company, any company that holds the data of 50,000 or more individuals, and companies that collect more than half of their revenues from the sale of personal data.

Sen. Wicker’s CDAP goes further than CCPA as it will apply to a much broader range of companies. It also goes into greater detail on the protections that must be in place to protect consumers. Under CDAP, companies would be required to publish clear privacy policies covering the collection, use, and sharing of personal data, including details of the purpose for which data is being collected, the data retention period, and they would also need to include a description of the company’s security practices.

CDAP allows consumers to see what data is held on them by a company and find out with whom their data has been shared. Companies would be required to provide access to the data free of charge up to two times a year and honor requests within 45 days.

Consent to collect personal data would also need to be obtained from consumers by an affirmative action before data could be used for any other purpose than those detailed in a company’s privacy practices, and also before any personal data could be sold on. Sen. Wicker’s CDAP does not include a private cause of action, so consumers would not be permitted to take legal action for violations of COPR.

Similar to HIPAA, CDAP also includes a ‘minimum necessary’ provision, which requires companies to restrict the collection of data to the minimum necessary amount to achieve the purpose for which information is being collected. CDAP would also require companies to implement security measures to protect personal data, adopt security best practices, and practice data minimization. Similar to GDPR, companies would be required to designate privacy and security officers to coordinate compliance and develop and implement privacy policies and practices. Sen. Wicker says CDPA is “better, stronger, and clearer” than CCPA.

Sen. Wicker’s CDAP is one of two national privacy laws that have been introduced recently. The other bill – the Consumer Online Privacy Rights Act (COPRA) – was introduced by Sen. Maria Cantwell (D-Wash). COPRA also gives consumers rights over their personal data and introduces GDPR-style protections.

While Sen. Wicker’s bill aligns with Cantwell’s, COPRA does not pre-empt state laws. The Republican camp is keen to introduce new legislation to replace the current patchwork of state privacy laws, but the Democrats don’t want to replace state laws, which may provide greater protections for consumers.

Sen. Wicker’s CDAP and Sen. Cantwell’s COPRA were discussed during a Senate Commerce Committee hearing on Wednesday, December 4, 2019. While both Sens. agreed that a bipartisan privacy bill is required and that it should be enforced by the FTC, agreement has not been reached on the content of the bill, including whether there should be a private cause of action and if the federal privacy law should supersede state privacy laws such as CCPA and the New York Privacy Act.

The post Senator Wicker Introduces U.S. Consumer Data Privacy Act of 2019 appeared first on HIPAA Journal.

Healthcare Threat Detections Up 45% in Q3 and 60% Higher Than 2018

Cyberattacks on healthcare organizations have increased in frequency and severity in the past year, according to recently published research from Malwarebytes.

In its latest report – Cybercrime Tactics and Techniques: The 2019 State of Healthcare – Malwarebytes offers insights into the main threats that have plagued the healthcare industry over the past year and explains how hackers are penetrating the defenses of healthcare organizations to gain access to sensitive healthcare data.

Cyberattacks on healthcare organizations can have severe consequences. As we have seen on several occasions this year, attacks can cause severe disruption to day to day operations at hospitals often resulting in delays in healthcare provision. In at least two cases, cyberattacks have resulted in healthcare organizations permanently closing their doors and a recent study has shown that cyberattacks contribute to an increase in heart attack mortality rates. Even though the attacks can cause considerable harm to patients, attacks are increasing in frequency and severity.

Malwarebytes data shows the healthcare industry was the seventh most targeted industry sector from October 2018 to September 2019, but if the current attack trends continue, it is likely to be placed even higher next year.

Healthcare organizations are an attractive target for cybercriminals as they store a large volume of valuable data in EHRs which is combined, in many cases, with the lack of a sophisticated security model. Healthcare organizations also have a large attack surface to defend, with large numbers of endpoints and other vulnerable networked devices. Given the relatively poor defenses and high value of healthcare data on the black market it is no surprise that the industry is so heavily targeted.

Detection of threats on healthcare endpoints were up 45% in Q3, 2019, increasing from 14,000 detections in Q2 to 20,000 in Q3. Threat detections are also up 60% in the first three quarters of 2019 compared to all of 2018.

Many of the detections in 2019 were Trojans, notably Emotet in early 2019 followed by TrickBot in Q3. TrickBot is currently the biggest malware threat in the healthcare industry. Overall, Trojan detections were up 82% in Q3 from Q2, 2019. These Trojans give attackers access to sensitive data but also download secondary malware payloads such as Ryuk ransomware. Once data has been stolen, ransomware is often deployed.

Trojan attacks tend to be concentrated on industry sectors with large numbers of endpoints and less sophisticated security models, such as education, the government, and healthcare.  Trojans are primarily spread through phishing and social engineering attacks, exploits of vulnerabilities on unpatched systems, and as a result of system misconfigurations. Trojans are by far the biggest threat, but there have also been increases in detections of hijackers, which are up  98% in Q3, riskware detections increased by 85%, adware detections were up 34%, and ransomware detections increased by 15%.

Malwarebytes identified three key attack vectors that have been exploited in the majority of attacks on the healthcare industry in the past year: Phishing, negligence, and third-party supplier vulnerabilities.

Due to the high volume of email communications between healthcare organizations, doctors, and other healthcare staff, email is one of the main attack vectors and phishing attacks are rife. Email accounts also contain a considerable amount of sensitive data, all of which can be accessed following a response to a phishing email. These attacks are easy to perform as they require no code or hacking skills. Preventing phishing attacks is one of the key challenges faced by healthcare organizations.

The continued use of legacy systems, that are often unsupported, is also making attacks far too easy. Unfortunately, upgrading those systems is difficult and expensive and some machines and devices cannot be upgraded. The problem is likely to get worse with support for Windows 7 coming to an end in January 2020. The sow rate of patching is why Malwarebytes is still detecting WannaCry ransomware infections in the healthcare industry. Many organizations have still not patched the SMB vulnerability that WannaCry exploits, even though a patch was released in March 2017.

Negligence is also a key problem, often caused by the failure to prioritize cybersecurity at all levels of the organization and provide appropriate cybersecurity training to employees. Malwarebytes notes that investment in cybersecurity is increasing, but it often doesn’t extend to brining in new IT staff and providing security awareness training.

As long as unsupported legacy systems remain unpatched and IT departments lack the appropriate resources to address vulnerabilities and provide end user cybersecurity training, cyberattacks will continue and the healthcare industry will continue to experience high numbers of data breaches.

The situation could also get a lot worse before it gets better. Malwarebytes warns that new innovations such as cloud-based biometrics, genetic research, advances in prosthetics, and a proliferation in the use of IoT devices for collecting healthcare information will broaden the attack surface even further. That will make it even harder for healthcare organizations to prevent cyberattacks. It is essential for these new technologies to have security baked into the design and implementation or vulnerabilities will be found and exploited.

The post Healthcare Threat Detections Up 45% in Q3 and 60% Higher Than 2018 appeared first on HIPAA Journal.

Consumer Online Privacy Rights Act Offers CCPA-Style Privacy Protections for All U.S. Citizens

A federal law giving U.S. citizens new rights over their personal data has been introduced by U.S. Sen. Maria Cantwell (D-Washington). The Consumer Online Privacy Rights Act (COPRA) proposes California Consumer Privacy Act (CCPA) style protections at a national level to better protect the privacy of consumers and give them greater control over how their personal data is used.

CCPA will take effect on January 1, 2020, but only applies to California residents. While there are laws in most states covering privacy and data security, there is no federal law covering all states. If such a law is introduced, it would make the rights of all U.S. citizens crystal clear and all Americans would have the same rights over how their personal data is used, irrespective of where they live.

The bill, co-sponsored by Sens, Amy Klobuchar (D-Minnesota.), Ed Markey (D-Massachusetts), and Brian Schatz (D-Hawaii), is not the first of its type to be introduced. Several other bills have been introduced but they have failed to receive the required support.

This bill may gather more support than others as it does not place an undue burden on small businesses, who are largely exempt. COPRA will apply to businesses, not-for-profits, certain financial institutions, and other entities covered by the Federal Trade Commission Act, but compliance with COPRA will not be mandatory for businesses with revenues of less than $25 million per year. COPRA will also not apply to entities that generate less than 50% of their revenue from transferring covered consumer data for valuable consideration.

At the heart of the bill is the requirement for consent to be obtained from U.S. citizens before their personal data is collected, processed, or used. Similar to the EU’s General Data Protection Regulation (GDPR), affirmative consent will be required. That means consent must be provided by an affirmative act that confirms consent to a specific act or practice. An individual must be told, in clear, precise, and easy-to-understand language that consent is required and what the individual is consenting to.

The law introduces a duty of loyalty, which prohibits deceptive data practices and harmful data practices, which includes those that may cause financial, reputational, or physical injury.

COPRA gives U.S. citizens the right to access the personal data stored on them by a covered entity. A copy of that information must be provided, on request, along with details of the entities to whom that data has been disclosed and the reason why data transfer occurred.

Covered entities will be required to publish a privacy policy, written in easy-to-understand language, that describes how an individual’s data will be used, to whom that data will be made available, for how long the information will be retained, and the covered entity’s data security and data minimization policies. To ensure all consumers understand how data will be used, COPRA requires privacy policies to be made available in all languages in which the covered entity provides the product or services. Consumers must also be told how they can exercise the rights they are afforded by COPRA.

COPRA also includes a Right to Delete. U.S. citizens can request that all personal data held by a covered entity is deleted and for all processing to stop and to opt out of data sharing.

COPRA will be enforced by the Federal Trade Commission (FTC). The proposed penalties for noncompliance range from $100 to $1,000 per violation per day, along with the cost of attorneys’ fees and equitable relief. Those financial penalties will be deposited in a fund that will be used for education efforts and for redress and compensation for individuals affected by any privacy violations.

The post Consumer Online Privacy Rights Act Offers CCPA-Style Privacy Protections for All U.S. Citizens appeared first on HIPAA Journal.

October 2019 Healthcare Data Breach Report

There was a 44.44% month-over-month increase in healthcare data breaches in October. 52 breaches were reported to the HHS’ Office for Civil Rights in October. 661,830 healthcare records were reported as exposed, impermissibly disclosed, or stolen in those breaches.

This month takes the total number of breached healthcare records in 2019 past the 38 million mark. That equates to 11.64% of the population of the United States.

Largest Healthcare Data Breaches in October 2019

Breached Entity Entity Type Individuals Affected Type of Breach
Betty Jean Kerr People’s Health Centers Healthcare Provider 152,000 Hacking/IT Incident
Kalispell Regional Healthcare Healthcare Provider 140,209 Hacking/IT Incident
The Methodist Hospitals, Inc. Healthcare Provider 68,039 Hacking/IT Incident
Children’s Minnesota Healthcare Provider 37,942 Unauthorized Access/Disclosure
Tots & Teens Pediatrics Healthcare Provider 31,787 Hacking/IT Incident
University of Alabama at Birmingham Healthcare Provider 19,557 Hacking/IT Incident
Prisma Health – Midlands Healthcare Provider 19,060 Hacking/IT Incident
South Texas Dermatopathology Laboratory Healthcare Provider 15,982 Hacking/IT Incident
Central Valley Regional Center Business Associate 15,975 Hacking/IT Incident
Texas Health Harris Methodist Hospital Fort Worth Healthcare Provider 14,881* Unauthorized Access/Disclosure

The largest healthcare data breach in October was reported by Betty Jean Kerr People’s Health Centers and was the result of a ransomware attack. At the time of issuing notifications, files that were encrypted in the attack remained locked. The decision was taken not to pay the ransom demand, but it was not possible to restore files from backups. Those files contained the health information of 152,000 patients.

The Kalispell Regional Healthcare data breach was due to a May 2019 phishing attack. An initial investigation did not uncover the extent of the breach. The forensic investigation revealed in August that the health information of up to 140,209 patients may have been accessed.

The Methodist Hospitals, Inc. data breach was also the result of a phishing attack. The incident was reported in October, but the initial email account compromise occurred in March 2019. Two accounts were breached for a total of four months.

South Texas Dermatopathology Laboratory is the last healthcare organization to report that its patients have been impacted by the data breach at the collection agency, AMCA. Its 15,982 records take the total number of individuals impacted by the AMCA breach to 26,059,725.

*Also of note is the data breach at Texas Health Resources. The breach makes the top 10 list of the most healthcare records exposed, but the breach was more far reaching than the table above shows. The Texas Health data breach involved a total of 82,577 records, but the breach was reported to the HHS’ Office for Civil Rights as 15 separate breaches, with one breach report submitted for each of its affected facilities. Had the incident been reported as a single incident, the month’s total would stand at 38 breaches – two more than September.

Causes of October 2019 Healthcare Data Breaches

There were 18 hacking/IT incidents reported in October involving 501,847 healthcare records. The average breach size was 27,880 records and the median breach size was 9,413 records.

There were 28 reported unauthorized access/disclosure incidents involving a total of 134,775 records. The mean breach size was 4,813 records and the median breach size was 2,135 records. Those incidents include the 15 separate breach reports from Texas Health Resources.

There were 5 loss/theft incidents involving 13,454 records. The mean breach size was 2,350 records and the median breach size was 2,752 records. One improper disposal incident was reported involving 11,754 records.

Location of Breached Health Information

Phishing continues to cause problems for healthcare organizations. Not only are healthcare providers struggling to block phishing attacks, they are also not detected quickly when they do occur. Several phishing attacks have been reported that have taken weeks to discover.

Multi-factor authentication can help to reduce the risk of stolen credentials being used by cybercriminals to access corporate email accounts, yet many healthcare organizations only implement this important security measure after a phishing attack has occurred.

This high number of “other” breaches is due to the mailing error at Texas Health, which accounts for 15 of the 19 incidents in the other category.

The majority of the network server breaches were due to ransomware attacks, which include the largest healthcare data breach of the month. That breach highlights just how important it is to ensure that a viable backup copy of all data is created, that the backup is tested to make sure data recovery is possible, and that at least one backup copy is stored on a non-networked device that is not exposed to the internet.

October 2019 Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by data breaches in October with 45 reported incidents. Three breaches were reported by health plans, and four breaches were reported by business associates of HIPAA-covered entities. A further four breaches also had some business associate involvement but were reported by the covered entity.

October 2019 Healthcare Data Breaches by State

October saw healthcare organizations and business associates in 24 states report data breaches. With 15 breach reports coming from Texas Health, Texas was unsurprisingly the worst affected state with 17 incidents.

There were 4 breaches reported by entities based in Ohio, three breaches reported in California, and two breaches reported in each of Arkansas, Florida, Louisiana, Maryland, New Mexico, South Carolina, and Virginia. A single breach was reported in each of Alabama, Arizona, Georgia, Illinois, Indiana, Kentucky, Minnesota, Missouri, Mississippi, Montana, New York, Oregon, South Dakota, and Washington.

HIPAA Enforcement Actions in October 2019

A further two financial penalties for HIPAA violations were announced by the HHS’ Office for Civil Rights in October – One settlement and one civil monetary penalty.

OCR launched an investigation of Elite Dental Associates following a complaint from a patient who had some of her PHI publicly disclosed in response to a Yelp review. OCR found she was not the only patient to have had PHI disclosed in that manner. OCR also determined that the practice’s notice of privacy practices did not include sufficient information and was therefore not compliant with the HIPAA Privacy Rule. Elite Dental Associates agreed to settle its HIPAA violation case with OCR for $10,000.

OCR launched an investigation of Jackson Health System following the disclosure of PHI in the media. A photograph of an operating room display had been published which contained the health information of two individuals, including a well-known NFL star. The OCR investigation uncovered multiple Privacy Rule, Security Rule, and Breach Notification Rule violations spanning several years. OCR imposed a civil monetary penalty of $2,154,000 on Jackson Health System.

The post October 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

IT Firm Ransomware Attack Prevents Nursing Homes and Acute Care Facilities from Accessing Medical Records

Virtual Care Provider Inc. (VCP), a Wisconsin-based provider of internet and email services, data storage, cybersecurity, and other IT services has experienced a ransomware attack that has resulted in the encryption of medical records and other data the firm hosts for its clients. Its clients include 110 nursing home operators and acute care facilities throughout the United States. Those entities have been prevented from accessing critical patient data, including medical records. The company provides support for 80,000 computers, in around 2,400 facilities in 45 states.

The attack involved Ryuk ransomware, a ransomware strain that has been used to attack many healthcare organizations and managed IT service providers in the United States in recent months. The ransomware is typically deployed as a secondary payload following an initial Trojan download. The attacks often involve extensive encryption and cause major disruption and huge ransom demands are often issued. This attack is no different. A ransom demand of $14 million has reportedly been issued, which the company has said it cannot afford to pay.

According to Brian Krebs of KrebsonSecurity, who spoke to VCP owner and CEO Karen Christianson, the attack has affected virtually all of the company’s core offerings, including internet access, email, stored patient records, clients’ phone systems, billing, as well as the VCP payroll system.

The attack has meant acute care facilities and nursing homes cannot view or update patient records and order essential drugs to ensure they are delivered in time. Several small facilities are unable to bill for Medicaid, which will force them to close their doors if systems are not restored before December 5th in time for claims to be submitted. VCP has prioritized restoring its Citrix-based virtual private networking platform to allow clients to access patients’ medical records.

The attack commenced on November 17, 2019 and VCP is still struggling to restore access to client data and cannot process payroll for almost 150 employees. Christianson is concerned that the attack could potentially result in the untimely demise of some patients and may force her to permanently close her business.

KrebsonSecurity reports that the initial attack may date back to September 2018 and likely started with a TrickBot or Emotet infection, with Ryuk deployed as a secondary payload.

The post IT Firm Ransomware Attack Prevents Nursing Homes and Acute Care Facilities from Accessing Medical Records appeared first on HIPAA Journal.

GAO and VA OIG Identify Privacy and Security Failures at the Department of Veterans Affairs

Privacy and security failures at the U.S. Department of Veteran Affairs (VA) have recently been identified by government watchdog agencies. Two reviews were conducted by the VA Office of Inspector General (VA OIG) and the Government Accountability Office (GAO).

GAO assessed the security controls at the VA to determine whether they met the requirements of the National Institute of Science and Technology (NIST) Cybersecurity Framework. GAO determined that the VA had failed to meet all requirements of NIST Cybersecurity Framework and was deficient in five areas: Security management, access control, configuration management, contingency planning, and segregation of duties. The VA had reported that it had only met 6 of the 10 cybersecurity performance targets set by the Trump administration and had not yet met the targets for software asset management, hardware asset management, authorization management, and automated access management. The security failures identified by GAO were similar to those at 18 other government agencies.

As with the other government agencies, modernizing and securing information systems has been a major challenge. Security practices have been implemented, but those practices have not been implemented consistently across the entire agency and many vulnerabilities remain unaddressed. The VA was found not to have consistently mitigated vulnerabilities, has not fully established a cybersecurity risk management program, was not identifying critical cybersecurity staffing needs, and was not effectively managing IT supply chain risks.

In 2016, GAO had recommended 74 actions that the VA needed to take to improve its cybersecurity program and address deficiencies. As of October 2019, only 42 of those recommendations had been addressed. The latest review also added a further 4 recommendations for its cybersecurity risk management program, along with one additional recommendation to accurately identify IT/cybersecurity workforce positions. The VA concurred with the GAO recommendations and will implement the additional recommendations as soon as possible.

Another report was recently published by VA OIG following a review of the Veterans Benefits Administration’s (VBA) Records Management Center (RMC). The review was conducted to determine whether staff were disclosing third-party, sensitive personally identifiable information (PII).

Many records held by VBA contain the PII of other individuals. Staff at RMC were previously required to redact third-party PII when processing Privacy Act requests, and only provide information on the person making the request. A change to the VA privacy policy in 2016 meant that third-party PII stopped being redacted, which resulted in the disclosure of a considerable amount of third-party PII when processing the Privacy Act requests.

The decision to stop redacting third-party PII has meant that requests can be processed much faster, but it has also placed many individuals at risk of identity theft. Since those individuals are unaware that their PII is being disclosed, they would not know to take steps to reduce risk.

A sample of 30 Privacy Act responses out of a total of 65,600 requests processed between April 1, 2018 and September 30, 2018 were reviewed. 18 of those 30 requests contained the names and Social Security numbers of unrelated third parties. In some cases, the requests included the PII of more than 100 third parties, including the PII of physicians and other people involved the care of a veteran.

From the data of the privacy policy change n 2016 to May 2019, approximately 379,000 requests had been processed. The 30-request sample was found to contain the names and Social Security numbers of 1,027 unrelated third parties. Assuming the 30 responses were representative of the total, the PII of millions of third parties may have been disclosed. Further, the discs on which the information was saved were not encrypted or protected with passwords. The policies covering the mailing of discs had not been updated following the privacy policy changes in 2016.

According to the VA OIG report, after privacy concerns were raised, VBA agreed that a further update to its privacy policy was required and from no later than October 1, 2019 the redaction of third-party PII will resume.

The post GAO and VA OIG Identify Privacy and Security Failures at the Department of Veterans Affairs appeared first on HIPAA Journal.

Smartwatch Data Act Introduced to Improve Privacy Protections for Consumer Health Data

The Stop Marketing And Revealing The Wearables And Trackers Consumer Health (Smartwatch) Data Act, has been introduced by Sens. Bill Cassidy, M.D., (R-Louisiana) and Jacky Rosen, (D-Nevada). The new legislation will ensure that health data collected through fitness trackers, smartwatches, and health apps cannot be sold or shared without consumer consent.

The Health Insurance Portability and Accountability Act (HIPAA) applies to health data collected, received, stored, maintained, or transmitted by HIPAA-covered entities and their business associates. Some of the same information is collected, stored, and transmitted by fitness trackers, wearable devices, and health apps. That information can be used, shared, or sold, without consent. Consumers have no control over who can access their health data. The new legislation aims to address that privacy gap.

The bill prohibits the transfer, sale, sharing, or access to any non-anonymized consumer health information or other individually identifiable health information that is collected, recorded, or derived from personal consumer devices to domestic information brokers, other domestic entities, or entities based outside the United States unless consent has been obtained from the consumer.

Consumer devices are defined as “equipment, application software, or mechanism that has the primary function or capability to collect, store, or transmit consumer health information.”

The Smartwatch Data Act applies to information about the health status of an individual, personal biometric information, and kinesthetic information collected directly through sensors or inputted manually into apps by consumers. The Smartwatch Data Act would treat all health data collected through apps, wearable devices, and trackers as protected health information.

There have been calls for HIPAA to be extended to cover app developers and wearable device manufacturers that collect, store, maintain, process, or transmit consumer health information. The Smartwatch Data Act does not extend HIPAA to cover these companies, instead the legislation applies to the data itself. The bill proposes the HHS’ Office for Civil Rights, the main enforcer of compliance with HIPAA, would also be responsible for enforcing compliance with the Smartwatch Data Act. The penalties for noncompliance with the Smartwatch Data Act would be the same as the penalties for HIPAA violations.

“The introduction of technology to our healthcare system in the form of apps and wearable health devices has brought up a number of important questions regarding data collection and privacy,” said Sen. Rosen “This commonsense, bipartisan legislation will extend existing health care privacy protections to personal health data collected by apps and wearables, preventing this data from being sold or used commercially without the consumer’s consent.”

The legislation was introduced following the news that Google has partnered with Ascension, the second largest healthcare provider in the United States, and has been given access to the health information of 50 million Americans. That partnership has raised a number of questions about the privacy of health information.

The Ascension data passed to Google is covered by HIPAA, but currently fitness tracker data is not. Google intends to acquire fitness tracker manufacturer Fitbit in 2020 and concern has been raised about how Google will use personal health data collected through Fitbit devices. The Smartwatch Data Act would help to ensure that consumers are given a say in how their health data is used.

The post Smartwatch Data Act Introduced to Improve Privacy Protections for Consumer Health Data appeared first on HIPAA Journal.

House Committee Leaders Demand Answers from Google and Ascension on Project Nightingale Partnership

Leaders of the House Committee on Energy and Commerce are seeking answers from Google and Ascension on Project Nightingale. The Department of Health and Human Services’ Office for Civil Rights has also confirmed that an investigation has been launched to determine if HIPAA Rules have been followed.

The collaboration between Google and Ascension was revealed to the public last week. The Wall Street Journal reported that Ascension was transferring millions of patient health records to Google as part of an initiative called Project Nightingale.

A whistleblower at Google had contacted the WSJ to raise concerns about patient privacy. A variety of internal documents were shared with reporters on the extent of the partnership and the number of Google employees who had access to Ascension patients’ data. Under the partnership, the records of approximately 50 million patients will be provided to Google, 10 million of which have already been transferred.

According to the WSJ report, 150 Google employees are involved with the project and have access to patient data. The whistleblower stated that those individuals are able to access and download sensitive patient information and that patients had not been informed about the transfer of their data in advance. Understandably, the partnership has raised concerns about patient privacy.

Both Google and Ascension released statements about the partnership after the WSJ story was published, confirming that Google was acting as a business associate of Ascension, had signed a business associate agreement, and that it was in full compliance with HIPAA regulations. Under the terms of the BAA, which has not been made public, Google is permitted access to patient data in order to perform services on behalf of Ascension for the purpose of treatment, payment, and healthcare operations.

Google will be analyzing patient data and using its artificial intelligence and machine learning systems to develop tools to assist with the development of patient treatment plans. Google will also be helping Ascension modernize its infrastructure, electronic health record system, and improve collaboration and communication. Google has confirmed in a blog post that it is only permitted to use patient data for purposes outlined in the BAA and has stated that it will not be combining patient data with any consumer data it holds and that patient data will not be used for advertising purposes.

Democratic leaders of the House Committee on Energy and Commerce wrote to Google and Ascension on November 18, 2019 requesting further information on the partnership. The inquiry is being led by House Energy Committee Chairman, Frank Pallone Jr. (D-New Jersey). The letters have also been signed by Chairwoman of the Subcommittee on Health, Anna Eshoo (D-California), Subcommittee on Consumer Protection and Commerce Chair, Jan Schakowsky (D-Illinois), and Subcommittee on Oversight and Investigations Chair, Diana DeGette (D-Colorado).

In the letters, the Committee leaders have requested information on the “disturbing initiative” known as Project Nightingale.

“While we appreciate your efforts to provide the public with further information about Project Nightingale, this initiative raises serious privacy concerns. For example, longstanding questions related to Google’s commitment to protecting the privacy of its own users’ data raise serious concerns about whether Google can be a good steward of patients’ protected health information.”

Ascension’s decision not to inform patients prior to the transfer of protected health information has also raised privacy concerns, as has the number of Google employees given access to the data. Further, employees of Google’s parent company Alphabet also have access to Ascension data.

The Committee leaders have requested a briefing by no later than December 6, 2019 about the types of data being used, including the data being fed into its artificial intelligence tools, and the extent to which Google and Alphabet employees have access to the data. The Committee leaders also want to know what steps have been taken to protect patient information and the extent to which patients have been informed.

The Department of Health and Human Services’ Office for Civil Rights has also confirmed that it has launched an investigation into the partnership. Its investigation is primarily focused on how data is being transferred, the protections put in place to safeguard the confidentiality, integrity, and availability of protected health information, and whether HIPAA Rules are being followed. Google has stated it will be cooperating fully with the OCR investigation.

The post House Committee Leaders Demand Answers from Google and Ascension on Project Nightingale Partnership appeared first on HIPAA Journal.

Update Issued on Unsecured PACS as Exposed Medical Image Total Rises to 1.19 Billion

It has been 60 days since Greenbone Networks uncovered the extent to which medical images in Picture Archiving and Communication Systems (PACS) servers are being exposed online. In an updated report, the German vulnerability analysis and management platform provider has revealed the problem is getting worse, not better.

Picture Archiving and Communication Systems (PACS) servers are extensively used by healthcare providers for archiving medical images and sharing those images with physicians for review, yet many healthcare providers are not ensuring their PACS servers have appropriate security. Consequently, medical images (X-Ray, MRI, CT Scans), along with personally identifiable patient information, is being exposed over the Internet. Anyone who knows where to look and how to search for the files can find them, view them and, in many cases, download the images without any authentication required. The images are not accessible due to software vulnerabilities. Data access is possible because of the misconfiguration of infrastructure and PACS servers.

Between July and September 2019, Greenbone Networks conducted an analysis to identify unsecured PACS servers around the globe. The study shed light on the scale of the problem. In the United States, 13.7 million data sets were found on unsecured PACS servers, which included 303.1 million medical images of which 45.8 million were accessible. The discovery was widely reported in the media at the time, and now further information on the scale of the problem has been released.

On Monday, November 18, Greenbone Networks issued an updated report that shows globally, 1.19 billion medical images have now been identified, increasing the previous total of 737 million by 60%. The results of 35 million medical examinations are online, up from 24 million.

In the United States, the researchers found 21.8 million medical examinations and 786 million medical images. 114.5 of those images were accessible and there are 15 systems that allow unprotected Web/FTP access and directory listing. In one PACS alone, the researchers found 1.2 million examinations and 61 million medical images. The researchers had full access to the data, which included the images and associated personally identifiable information. Greenbone Networks has confirmed that in the 24 hours prior to publication of its latest report, data access was still possible. “For most of the systems we scrutinized, we had – and still have – continued access to the personal health information,” explained Greenbone Networks CMS, Dirk Schrader.

Exposed Medical Images on PACS Servers. Source: Greenbone Networks

Earlier in November, Sen. Mark. R. Warner wrote to HHS’ Office for Civil Rights Director, Roger Severino, expressing concern over the apparent lack of action from OCR over the exposed files. Far from the situation improving following the announcement about the exposed data, it appears that very little is being done to secure the PACS servers and stop further data exposure.

The types of information in the images, which is classed as Protected Health Information (PHI) under HIPAA, includes names, dates of birth, examination dates, scope of the investigations, imaging procedures performed, attending physicians’ names, location of scan, number of images and, for 75% of the images, Social Security numbers.

The exposure of this data places patients at risk of identity theft and fraud, although there are other risks. Previously, security researchers have shown that flaws in the DICOM image format allows the insertion of malicious code. Images could therefore be downloaded, have malicious code inserted, and be uploaded back to the PACS. This could all be down without the knowledge of the data owner. For the purpose of the study, Greenbone Networks only investigated reading access, not image manipulation and upload.

Images were accessed and viewed using the RadiAnt DICOM Viewer. Instructions on configuration to view images using the RadiAnt DICOM Viewer are freely available online, as is the viewer and the list of IPs where the images are stored.

Greenbone Networks estimates that the exposed medical images and PHI has a value in excess of $1 billion dollars. The data could be used for a variety of nefarious purposes including identity theft, social engineering and phishing, and blackmail.

The exposure of the data is in violation of the Health Insurance Portability and Accountability Act (HIPAA), the EU’ s General Data Protection Regulation (GDPR), and many other data privacy and security laws. The data relates to more individuals in more than 52 countries.

The post Update Issued on Unsecured PACS as Exposed Medical Image Total Rises to 1.19 Billion appeared first on HIPAA Journal.