Healthcare Data Privacy

August 2021 Healthcare Data Breach Report

Posted September 21, 2021 by HIPAA Journal

There was a 44% month-over-month decrease in the number of reported healthcare data breaches in August 2021. 38 healthcare data breaches of 500 or more records were reported by healthcare providers, health plans, and their business associates in August. August’s reported data breaches takes the total number of healthcare data breaches in the past 12 months to 707 (Sep 2020 to August 2021), with 440 of those data breaches reported in 2021.

While there was a marked fall in the number of reported breaches, 5,120,289 healthcare records were breached across those 38 incidents, which is well above the 12-month average of 3.94 million breached records a month. The high total was largely due to two major ransomware attacks on St. Joseph’s/Candler Health System and University Medical Center Southern Nevada, which involved 2.8 million healthcare records combined.

Largest Healthcare Data Breaches Reported in August 2021

Ransomware gangs continued to target the healthcare industry in August. The attacks can cause disruption to care and can put patient safety at risk. Some of the attacks reported in August have resulted in appointments being postponed and have seen patients redirected to alternative facilities out of safety concerns.

It is now the norm for hackers to exfiltrate sensitive data prior to the use of ransomware and then demand payment for the keys to decrypt data and to prevent stolen data from being published or sold. While some major ransomware operations such as Sodinokibi/REvil and DarkSide appear to have been shutdown, several other operations have taken their place. The Vice Society and Hive ransomware gangs have been targeting the healthcare sector, and this month the Health Sector Cybersecurity Coordination Center (HC3) issued a warning to the health and public health sector about an increased risk of BlackMatter ransomware attacks. Fortunately, this month, past victims of Sodinokibi/REvil ransomware have been given the opportunity to recover encrypted data for free. Bitdefender released a free Sodinokibi/REvil decryptor last week.

In August there were three major ransomware attacks reported by healthcare providers that involved huge amounts of patient data. DuPage Medical Group suffered a ransomware attack in which the protected health information (PHI) of 655,384 patients may have been compromised, while the attack on University Medical Center Southern Nevada affected 1.3 million patients and the St. Joseph’s/Candler Health System attack involved the PHI of 1.4 million patients. Class action lawsuits have already been filed against DuPage Medical Group and St. Joseph’s/Candler Health System on behalf of patients affected by those attacks.

Listed below are the 20 data breaches reported in August that involved the PHI of 10,000 or more individuals. The majority of these data breaches involved ransomware or data stored in compromised email accounts.

Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach	Cause
St. Joseph’s/Candler Health System, Inc.	Healthcare Provider	1,400,000	Hacking/IT Incident	Ransomware attack
University Medical Center Southern Nevada	Healthcare Provider	1,300,000	Hacking/IT Incident	Ransomware attack
DuPage Medical Group, Ltd.	Healthcare Provider	655,384	Hacking/IT Incident	Ransomware attack
UNM Health	Healthcare Provider	637,252	Hacking/IT Incident	Unspecified hacking incident
Denton County, Texas	Healthcare Provider	326,417	Unauthorized Access/Disclosure	Online exposure of COVID-19 vaccination data
Metro Infectious Disease Consultants	Healthcare Provider	171,740	Hacking/IT Incident	Email accounts compromised
LifeLong Medical Care	Healthcare Provider	115,448	Hacking/IT Incident	Ransomware attack (Netgain Technologies)
CareATC, Inc.	Healthcare Provider	98,774	Hacking/IT Incident	Email accounts compromised
San Andreas Regional Center	Business Associate	57,244	Hacking/IT Incident	Ransomware attack
CarePointe ENT	Healthcare Provider	48,742	Hacking/IT Incident	Ransomware attack
South Florida Community Care Network LLC d/b/a Community Care Plan	Health Plan	48,344	Unauthorized Access/Disclosure	PHI emailed to a personal email account
Electromed	Healthcare Provider	47,200	Hacking/IT Incident	Unspecified hacking incident
Queen Creek Medical Center d/b/a Desert Wells Family Medicine	Healthcare Provider	35,000	Hacking/IT Incident	Ransomware attack
The Wedge Medical Center	Healthcare Provider	29,000	Hacking/IT Incident	Unspecified hacking incident
Gregory P. Vannucci DDS	Healthcare Provider	26,144	Hacking/IT Incident	Unspecified hacking incident
Texoma Community Center	Healthcare Provider	24,030	Hacking/IT Incident	Email accounts compromised
Family Medical Center of Michigan	Healthcare Provider	21,988	Hacking/IT Incident	Ransomware attack
Central Utah Clinic, P.C. dba Revere Health	Healthcare Provider	12,433	Hacking/IT Incident	Email accounts compromised (Phishing)
Hospice of the Piedmont	Healthcare Provider	10,682	Hacking/IT Incident	Email accounts compromised
Long Island Jewish Forest Hills Hospital	Healthcare Provider	10,333	Unauthorized Access/Disclosure	Unauthorized medical record access by employee

Causes of August 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in August, accounting for 81.6% of the month’s data breaches and 92.3% of breached healthcare records. There were 31 security breaches classed as hacking/IT incidents involving 4,727,350 healthcare records. The mean breach size was 152,495 records and the median breach size was 12,433 records. The majority of these incidents involved ransomware, malware, or compromised email accounts.

There were 7 incidents classed as unauthorized access/disclosure incidents. Those incidents involved 392,939 healthcare records. The mean breach size was 56,134 records and the median breach size was 4,117 records. There were no reported breaches involving lost or stolen devices or paper records and no reported improper disposal incidents.

Healthcare Data Breaches by State

August’s 38 healthcare data breaches were reported by entities in 24 U.S. states. Texas was the worst affected state with 4 reported breaches, followed by Arizona and Illinois with three reported breaches each.

State	Number of Reported Data Breaches
Texas	4
Arizona & Illinois	3
California, Georgia, Michigan, Minnesota, New Hampshire, Oklahoma, & Virginia	2
Alabama, Delaware, Florida, Iowa, Indiana, Massachusetts, Nevada, New Mexico, New York, Pennsylvania, Tennessee, Utah, West Virginia, & Wisconsin	1

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type with 30 data breaches reported, 4 of which occurred at business associates but were reported by the healthcare provider. 4 data breaches were reported by health plans, and business associates self-reported 4 breaches.

HIPAA Enforcement Activity in August 2021

The HHS’ Office for Civil Rights (OCR) did not announce any new HIPAA penalties in August and there were no HIPAA enforcement actions announced by state attorneys general. So far in 2021 there have been 8 financial penalties imposed on HIPAA-covered entities and business associates by OCR, and one multi-state action by state attorneys general.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on September 20, 2021

The post August 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

FTC Tells Developers of Health Apps and Wearable Devices to Notify Individuals About Data Breaches

Posted September 16, 2021 by HIPAA Journal

Developers of health apps and wearable devices such as fitness trackers that collect health data have been warned by the Federal Trade Commission (FTC) that they are required to comply with the FTC Health Breach Notification Rule and must notify consumers about data breaches.

The FTC Health Breach Notification Rule was introduced in 2009 as part of the American Recovery and Reinvestment Act of 2009, and requires individuals to be notified if there is a breach of their health data. The Health Breach Notification Rule applies to vendors of personal health records and associated companies, but in a policy statement issued on September 16, 2021, the FTC said health apps and other connected devices that collect or use the health information of U.S. consumers are also covered by Rule. The policy statement was approved during an open meeting on Wednesday by a vote of 3-2.

The FTC Health Breach Notification Rule applies to health apps and wearable devices that collect health information from a consumer and can draw information from multiple sources, such as through an API that allows synching with a device such as a fitness tracker. Compliance will be enforced by the FTC, which has the authority to impose financial penalties. Those penalties can be as high as $43,792 for each day that notifications have not been issued.

Health apps can collect a wide range of sensitive personal and health data, either by directly recording the information through paired sensors, or by individuals entering the data into the apps manually. Health apps have been growing in popularity and usage has increased during the pandemic. Given the wide range of sensitive data stored by the apps, they are an attractive target for cybercriminals.

“As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever,” said the FTC in the policy statement.

A lot of the data collected by health apps would be considered protected health information if collected by a healthcare provider, which would mean the information would be subject to the restrictions on uses and disclosures stipulated by the HIPAA Privacy Rule. Safeguards would need to be implemented to secure the data, in accordance with the HIPAA Security Rule, and a breach of health data would require notifications per the HIPAA Breach Notification Rule. However, unless a health app is developed for use by a HIPAA-covered entity, it falls outside of HIPAA protections.

Health apps often have security features to protect the privacy of users, but they are often limited. There have been calls for HIPAA to be extended to cover health app developers to improve privacy protections for users, or to implement new legislation covering these apps that requires certain standards of privacy and security to be adopted.

The FTC policy statement will at least help to ensure that users of health apps and wearable devices will be notified should a data breach occur, which will allow them to take steps to protect their identities and prevent fraud.

“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” said FTC Chair Lina M. Khan. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”

The post FTC Tells Developers of Health Apps and Wearable Devices to Notify Individuals About Data Breaches appeared first on HIPAA Journal.

Walgreens Covid-19 Test Registration System Has Been Exposing Patient Data

Posted September 16, 2021 by HIPAA Journal

The personal data of individuals who took a COVID-19 test at a Walgreens pharmacy has been exposed over the Internet due to vulnerabilities in its COVID-19 test registration system.

It is currently unclear how many individuals have been affected, although they could well number in the millions given the number of COVID-19 tests Walgreens has performed since April 2020. It is unclear when the vulnerabilities were introduced on the website, but they date back to at least March 2021 when they were discovered by Interstitial Technology PBC consultant Alejandro Ruiz. He identified a security error when a member of his family had a COVID-19 test performed at Walgreens. Ruiz contacted Walgreens to alert them to the data exposure, but claimed the company was not responsive.

Ruiz spoke to Recode about the issue, which had the security flaws confirmed by two security experts. Recorde reported the issue to Walgreens, and the company said, “We regularly review and incorporate additional security enhancements when deemed either necessary or appropriate.” However, as of September 13, 2021 the vulnerabilities had not been addressed.

Recode reports that using the Wayback Machine, which contains an archive of the Internet, it was possible to see blank test confirmations dating back to July 2020, indicating the vulnerabilities have been present since at least then.

According to the security researchers, the vulnerabilities were the result of basic errors in the Walgreens’ Covid-19 test appointment registration system. When a patient completes an online form, they are assigned with a 32-digit ID number and an appointment request form is created which has the unique 32-digit ID number in the URL. Anyone who has that URL is able to access the form. There is no need to authenticate to view the page.

The pages only contain a patient’s name, type of test, appointment time and location in the visible portion, but through the developer tools panel of a web browser it is possible to access other data, including date of birth, address, email address, phone number, and gender identity. Since the OrderID and the name of the lab that performed the test is also included in the data, it would be possible to access the test result, at least at one of Walgreens’ lab partners’ test result portals.

An active page could be viewed by an unauthorized individual if using a computer of someone who had booked a test via their Internet history. An employer, for instance, could view the information if the page was accessed on a work computer. The data would also be accessible to the third-party ad trackers present on the Walgreens appointment confirmation pages. Researchers note that the confirmation pages have ad trackers from Adobe, Dotomi, Facebook, Akami, Google, Monetate, and InMoment, all of which could potentially access private information.

The URLs of all confirmation pages are the same aside from the unique 32-digit code contained in a “query string”. The researchers said there are likely millions of active appointment confirmation pages since Walgreens has been conducting COVID-19 tests at around 6,000 sites across the United States for almost 18 months.

The researchers suggested a hacker could create a bot to generate 32-digit identification numbers, add them to URLs, and then identify active pages. Considering the number of digits in the URL that would be a lengthy task, but it is not beyond the realm of possibility.

“Any company that made such basic errors in an app that handles health care data is one that does not take security seriously,” said Ruiz to Recode. “It’s just another example of a large company that prioritizes its profits over our privacy.”

The post Walgreens Covid-19 Test Registration System Has Been Exposing Patient Data appeared first on HIPAA Journal.

NCCoE Releases Final Cybersecurity Practice Guide on Mobile Application Single Sign-On for First Responders

Posted September 8, 2021 by HIPAA Journal

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has recently released the final version of the NIST Cybersecurity Practice Guide SP 1800-13, Mobile Application Single Sign-On: Improving Authentication for Public Safety First Responders.

Public safety and first responder (PSFR) personnel require on-demand access to public safety data in order to provide proper support and emergency care. In order to access the necessary data, PSFR personnel are heavily reliant on mobile platforms. Through these platforms, PSFR personnel can access the personal and protected health information of patients and sensitive law enforcement information; however, in order to keep sensitive information secure and to prevent unauthorized access, strong authentication mechanisms are required.

Those authentication mechanisms are needed to keep data secure and to protect privacy, but they have potential to hinder PSFR personnel and get in the way of them providing emergency services. While authentication may only take a matter of seconds, any delay in providing emergency services can have grave consequences and may even be a matter of life and death.

The Cybersecurity Practice Guide was developed in collaboration with NIST’S Public Safety Communications Research lab and industry stakeholders and aims to help resolve authentication issues to ensure sensitive data remains private and confidential and PSFR personnel can rapidly gain access to the data they need via mobile devices and associated applications.

The guide includes a detailed example solution with capabilities to address risk with appropriate security controls, along with a demonstration of the approach using commercially available products. Instructions are also included for implementers and security engineers to help them integrate the solution into their organization’s enterprise and configure it in a way to achieve security goals with minimal impact on operational efficiency and expense.

“This practice guide describes a reference design for multifactor authentication and mobile single sign-on for native and web applications while improving interoperability among mobile platforms, applications, and identity providers, regardless of the application development platform used in their construction,” explained NCCoE.

The NIST Cybersecurity Practice Guide can be found on this link.

The post NCCoE Releases Final Cybersecurity Practice Guide on Mobile Application Single Sign-On for First Responders appeared first on HIPAA Journal.

NCCoE Releases Final Cybersecurity Practice Guide on Mobile Application Single Sign-On for First Responders

Posted September 8, 2021 by HIPAA Journal

The NIST Cybersecurity Practice Guide can be found on this link.

The post NCCoE Releases Final Cybersecurity Practice Guide on Mobile Application Single Sign-On for First Responders appeared first on HIPAA Journal.

July 2021 Healthcare Data Breach Report

Posted August 23, 2021 by HIPAA Journal

High numbers of healthcare data breaches continued to be reported by HIPAA-covered entities and their business associates. In July, there were 70 reported data breaches of 500 or more records, making it the fifth consecutive month where data breaches have been reported at a rate of 2 or more per day.

The number of breaches was slightly lower than June, but the number of records exposed or compromised in those breaches jumped sharply, increasing by 331.5% month-over-month to 5,570,662 records.

Over the past 12 months, from the start of August 2020 to the end of July 2021, there have been 706 reported healthcare data breaches of 500 or more records and the healthcare data of 44,369,781 individuals has been exposed or compromised. That’s an average of 58.8 data breaches and around 3.70 million records per month!

Largest Healthcare Data Breaches in July 2021

Two healthcare data breaches stand out due to the sheer number of healthcare records that were exposed – and potentially stolen. The largest healthcare data breach to be reported in July was a hacking/IT incident reported by the Wisconsin healthcare provider Forefront Dermatology. The exact nature of the attack was not disclosed so it is unclear if ransomware was used. Hackers gained access to parts of its network that contained the protected health information of 2.4 million individuals. The second largest data breach was reported by Practicefirst, a New York business associate of multiple HIPAA-covered entities. Ransomware was used in the attack and the healthcare data of 1.2 million individuals was potentially exfiltrated.

Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach	Breach Cause	Business Associate Present
Forefront Dermatology, S.C.	Healthcare Provider	2,413,553	Hacking/IT Incident	Unspecified hacking incident	Yes
Professional Business Systems, Inc., d/b/a Practicefirst Medical Management Solutions/PBS Medcode Corp	Business Associate	1,210,688	Hacking/IT Incident	Ransomware attack	Yes
UF Health Central Florida	Healthcare Provider	700,981	Hacking/IT Incident	Ransomware attack	No
Orlando Family Physicians, LLC	Healthcare Provider	447,426	Hacking/IT Incident	Phishing attack	No
HealthReach Community Health Centers	Healthcare Provider	122,340	Improper Disposal	Improper disposal of electronic medical records	No
Guidehouse	Business Associate	84,220	Hacking/IT Incident	Ransomware attack (Accellion FTA)	Yes
Advocate Aurora Health	Healthcare Provider	68,707	Hacking/IT Incident	Ransomware attack (Elekta)	Yes
McLaren Health Care Corporation	Healthcare Provider	64,600	Hacking/IT Incident	Ransomware attack (Elekta)	Yes
Coastal Family Health Center, Inc	Healthcare Provider	62,342	Hacking/IT Incident	Ransomware attack	No
Florida Heart Associates	Healthcare Provider	45,148	Hacking/IT Incident	Ransomware attack	No
A2Z Diagnostics, LLC	Healthcare Provider	35,587	Hacking/IT Incident	Phishing attack	No
University of Maryland, Baltimore	Business Associate	30,468	Hacking/IT Incident	Unspecified hacking incident	Yes
Florida Blue	Health Plan	30,063	Hacking/IT Incident	Brute force attack (Member portal)	No
Intermountain Healthcare	Healthcare Provider	28,628	Hacking/IT Incident	Ransomware attack (Elekta)	Yes

Causes of July 2021 Healthcare Data Breaches

As the table above shows, ransomware continues to be extensively used in cyberattacks on healthcare organizations and their business associates. Those attacks can easily result in the theft of large amounts of healthcare data. The majority of ransomware gangs (and their RaaS affiliates) are now exfiltrating sensitive data prior to using ransomware to encrypt files. Victims are required to pay to prevent the publication or sale of the stolen data as well as a payment to obtain the keys to decrypt files.

To help combat this rise in double extortion ransomware attacks, new guidance has been released by the Cybersecurity and Infrastructure Security Agency. The National Institute of Standards and Technology (NIST) has also updated its cybersecurity guidance on building resilient computer networks, with the emphasis now shifting away from perimeter defenses to assuming attackers have already gained access to the network. Mechanisms therefore need to be implemented to reduce the harm that can be caused.

Hacking/IT incidents, of which ransomware accounts for a many, dominate the month’s breach reports. There were 52 reported hacking/IT incidents in which the protected health information of 5,393,331 individuals was potentially compromised. That’s 96.82% of all records breached in July. The mean breach size was 103,718 records and the median breach size was 4,185 records.

There were 13 reported unauthorized access/disclosure incidents, which include misdirected emails, mailing errors, and snooping by healthcare employees. 52,676 healthcare records were impermissibly viewed or disclosed to unauthorized individuals across those incidents. The mean breach size was 4,052 records and the median breach size was 1,038 records. There were two theft incidents reported involving a total of 2,275 records and one improper disposal incident involving 122,340 electronic health records.

The vast majority of incidents involved the hacking of network servers; however, email accounts continue to be compromised at high rates. 21 breaches involved protected health information stored in email accounts. The majority of the email incidents involved the theft of employee credentials in phishing attacks.

Data Breaches by Covered Entity Type

Healthcare providers reported 47 data breaches in July, with 11 breaches reported by business associates and 10 breaches reported by health plans; however, the reporting entity is not the best gauge of where these breaches occurred. In many cases, the breach was experienced at a business associate, but was reported by the covered entity.

When this is taken into account, the figures show that healthcare provider and business associate data breaches are on a par, with 30 breaches each for July 2021, as shown in the pie chart below.

July 2021 Healthcare Data Breaches by State

July saw healthcare data breaches reported by HIPAA-covered entities and business associates based in 32 states and the District of Columbia.

State	Number of Reported Healthcare Data Breaches
Florida	6
California, New York & Texas	5
Illinois & North Carolina	4
Connecticut, Minnesota, Nebraska & New Jersey	3
Mississippi, Oklahoma, Washington & Wisconsin	2
Alabama, Georgia, Iowa, Indiana, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Montana, Ohio, Pennsylvania, South Carolina, Utah, Virginia, West Virginia & the District of Columbia	1

HIPAA Enforcement Activity in July 2021

The HHS’ Office for Civil Rights (OCR), the primary enforcer of HIPAA compliance, did not announce any new enforcement actions against HIPAA-covered entities or business associates in July, nor were there any enforcement actions announced by state Attorneys General.

The OCR year-to-date total still stands at 8 financial penalties totaling $5,570,100, with just the one financial penalty imposed by state attorneys general – A multi-state action that saw American Medical Collection Agency (AMCA) fined $21 million.

Data for this report came from the HHS’ Office for Civil Rights breach portal.

The post July 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Future of HIPAA: Reflections at the 25th Anniversary of HIPAA

Posted August 21, 2021 by HIPAA Journal

The Health Insurance Portability and Accountability Act is now 25 years old. How effective has this healthcare law been and what is the future of HIPAA?

It is now exactly 25 years to the day since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton. On August 21, 1996, when President Clinton added his signature to the legislation, few people would have realized how HIPAA would evolve and grow into the comprehensive national health privacy law that it is today.

It is difficult to argue that HIPAA has not been an overall success, but the legislation has attracted a fair amount of criticism over the years, especially initially due to the considerable administrative burden it placed on healthcare organizations. On balance, the improvements to healthcare that have come from compliance with HIPAA more than outweigh the negatives.

The biggest successes are the improvements to patient privacy and data security, the rights given to patients with respect to their healthcare data, greater efficiency in the healthcare system, and changes that have helped to reduce waste and healthcare fraud. The improvements have generally been made for relatively little cost.

HIPAA certainly has its strengths, but there are also limitations that have become increasingly apparent in recent years and even now, 25 years after the legislation was first introduced, there is still confusion about what compliance entails.

In this article we will explore the strengths and limitations of HIPAA, assess how effective HIPAA has been, and will explore the future of HIPAA and what can be expected in terms of updates to the legislation. First, however, it is useful to provide a brief recap of the history of HIPAA and how the legislation has evolved over the years.

A Brief History of HIPAA

HIPAA was initially introduced to improve the portability of health insurance coverage for employees between jobs, to combat waste, fraud and abuse in health insurance and healthcare delivery, to promote the use of medical savings accounts by introducing tax breaks, and to simplify the administration of health insurance. The legislation was later augmented with new Rules covering the privacy and security of healthcare data.

Initially, HIPAA only applied to a limited number of entities in the healthcare industry – healthcare providers, health plans, and healthcare clearinghouses, and only those that transmit healthcare data in electronic form for certain transactions for which the HHS maintains standards. The Health Information Technology for Economic and Clinical Health (HITECH) Act expanded the scope of HIPAA to cover business associates of HIPAA covered entities – third-party firms that require access to protected health information (PHI) to provide services or products to covered entities.

Important updates to HIPAA are detailed below:

HIPAA Signed into Law by President Bill Clinton – August 1996
Effective Date of the HIPAA Privacy Rule – April 2003
Effective Date of the HIPAA Security Rule – April 2005
Effective Date of the HIPAA Enforcement Rule – March 2006
Effective date of HITECH and the Breach Notification Rule – September 2009
Effective Date of the Final Omnibus Rule – March 2013

HIPAA’s Strengths and Weaknesses

There are many positives that have come from HIPAA, the best known of which are improving privacy protections for patients and improving the security of healthcare data. HIPAA limits the uses and disclosures of patient data to those related to treatment, payment, or healthcare operations and all covered entities and business associates must implement appropriate administrative, physical, and technical safeguards to ensure patient data are appropriately protected from internal and external threats.

Importantly, HIPAA gave individuals new rights with respect to their healthcare data. Prior to the introduction of the HIPAA Privacy Rule, patients were not even permitted to see their medical files. HIPAA gave individuals the right to obtain and inspect a copy of their healthcare data and request errors be corrected. HIPAA made sure patients are informed about how their healthcare data will be used and disclosed, gave patients the right to further limit disclosures of their health data, and also allowed them to view an “accounting of disclosures” to see who has been provided with their healthcare data.

HIPAA has improved the portability of health insurance for employees between jobs and has helped to prevent discrimination against people with pre-existing conditions when receiving health insurance coverage. Efficiency in healthcare has been improved by standardizing transactions through the use of standard code sets and has helped to significantly reduce waste and fraud in healthcare.

However, it has not all been plain sailing. One of the initial requirements of HIPAA was to create a national patient identifier system, but 25 years on and that requirement has still failed to be implemented. Without a national patient identifier system, it can be difficult identifying patients which can result in medical record mismatching. One ONC study in 2014 suggested between 50% and 60% of records are mismatched when shared between different healthcare providers.

Another weakness of HIPAA is its coverage of healthcare data, which is limited to healthcare data collected, held, processed, stored, or transmitted by HIPAA-covered entities and business associates. If a non-HIPAA-covered entity or non-business associate collects the exact same data, HIPAA protections do not apply.

The HIPAA Rules are not clear in places due to the flexibility built into the legislation, so there is potential for misinterpretation of the requirements and there is still confusion among some HIPAA covered entities and business associates when it comes to compliance.

One criticism often made by patients is the lack of a private cause of action. It is not possible to sue for a HIPAA violation, even if the HIPAA Rules have clearly been violated and harm has been suffered. Legal action can only be taken under state laws.

Has HIPAA Been Effective?

In the early years following the introduction of the HIPAA Privacy and Security Rules, questions were asked about how effective the legislation has been. HIPAA certainly looked good on paper but was less effective in practice and noncompliance was widespread. Even the introduction of the HIPAA Enforcement Rule in 2006, which gave the HHS’ Office for Civil Rights the authority to impose financial penalties and sanctions for noncompliance, failed to have a major effect at spurring covered entities into compliance. Enforcement was also very slow at first. It took until 2008 for the first enforcement action to result in a financial penalty, then there was only one financial penalty in 2009 and just two in 2010.

The first phase of HIPAA compliance audits conducted in 2011/2012 highlighted just how many covered entities had ineffective HIPAA compliance programs. The audits uncovered many violations of both the HIPAA Privacy and Security Rules. Even those violations, some of which were serious, did not result in any financial penalties. Some of the fiercest criticism of HIPAA in the early years was it was all bark and no bite.

The introduction of the HITECH Act was a major turning point in the history of HIPAA. Prior to the HITECH Act, business associates were not covered to a large extent by HIPAA, even though they were frequently provided with PHI. The HITECH Act made the HIPAA Rules directly applicable to business associates, which could then be fined directly if they did not also comply with the HIPAA Rules. Business associates include a huge range of third-party companies such as accountants, attorneys, billing companies, collection agencies, consultants, data analysts, and IT firms, so the HITECH Act, and subsequent Omnibus Rule, addressed that major gap.

The introduction of the HITECH Act also saw the penalties for noncompliance significantly increased and OCR also increased its HIPAA enforcement activities. With major fines issued for HIPAA violations, HIPAA compliance became a major focus for HIPAA-covered entities and business associates.

Enforcement of compliance has been critical to the success of HIPAA and while there are still many cases each year of noncompliance, on the whole the requirements of HIPAA have been largely implemented and the benefits of HIPAA are being realized.

Issues with Patient Access to PHI

Since the 2000 HIPAA Privacy Rule was introduced, patients have been given the right to obtain a copy of their own healthcare data, or to have that data sent to their nominated representative. The HITECH Act updated that right and helped individuals obtain a copy of their health data in electronic form, due to the increasing use of electronic health record systems.

While healthcare organizations have implemented policies that allow patients to exercise their access rights, many patients have experienced problems obtaining a copy of their healthcare data. They have either been refused access, requests have been delayed, and patients have been charged excessive fees for exercising their access rights – HIPAA only permits covered entities to charge a reasonable, cost-based fee for providing records.

One of the requirements of the 21st Century Cures Act, introduced in 2016, was to call on the Government Accountability Office to report on the barriers to patient medical record access and following assessments the HHS’ Office for Civil Rights launched a new HIPAA enforcement initiative targeting violations of the HIPAA Right of Access of the HIPAA Privacy Rule in the fall of 2019. That enforcement initiative is still active and, up until the end of July 2021, OCR has imposed 19 financial penalties on healthcare providers found to have been in violation of the HIPAA Right of Access.

Prior to the OCR enforcement initiative, only one financial penalty had been imposed for violations of this important right and that was the $4,300,000 financial penalty imposed on Cignet Health of Prince George’s County in 2011 for denying 741 patients access to their medical records.

HIPAA has Improved Healthcare Data Security

Prior to the introduction of the HIPAA Security Rule, healthcare organizations only had to comply with state laws covering data security. The Security Rule set new minimum standards for data security to ensure the confidentiality, integrity, and availability of electronic PHI. The Security Rule requires risk analyses to be conducted and risks reduced to a reasonable and acceptable level. Access controls are required to prevent unauthorized access to healthcare data, logs must be maintained and checked to identify unauthorized access, backups of data must be made, measures must be implemented to protect against reasonably anticipated, impermissible uses or disclosures, and staff must be provided with security awareness training.

Data security has improved, but data breaches are now occurring at records levels. For the past 5 months, data breaches have been reported by healthcare organizations and business associates at a rate of over 2 per day, but without the Security Rule requirements, far more breaches would be likely to occur.

The HIPAA Security Rule does have weaknesses. To remain relevant the HIPAA Security Rule had to be technology agnostic, so specific measures for security are generally not stipulated. It is left to the discretion of each entity to determine what constitutes “reasonable” protections. If the Security Rule was more specific with regard to required security protections, many more data breaches could be prevented.

The Security Rule also only applies to HIPAA covered entities and business associates, not to any other entity. It therefore has limited reach, and does not cover health data collected by health apps, or the huge volumes of data collected and sold by data brokers. There is therefore considerable scope for improvement to better protect all health data.

The HIPAA Security Rule also calls for security awareness training for staff but does not stipulate how frequently it should be provided. With the threat landscape constantly changing, regular training must be provided to the workforce to ensure employees are kept aware of the latest threats and are taught how to avoid them. Many covered entities and business associates are compliant with this requirement yet fail to provide training regularly enough to prevent cyberattacks and the associated privacy violations.

How Has HIPAA Fared with Changing Technology?

No legislative act will be able to maintain pace with the pace at which technology has evolved, especially one covering the healthcare industry. This is why HIPAA provided a framework rather than specifics and incorporated flexibility to accommodate for changes to healthcare technology and evolving privacy and security best practices.

Updates have been made over the years which have amended HIPAA to maintain relevance, such as the 2008 Genetic Information Non-discrimination Act (GINA) which restricts the use of individuals’ genetic data by health insurers and employers and the American Recovery and Reinvestment Act, of which the HITECH Act was part, which strengthened HIPAA in relation to the adoption of EHRs.

However, many new technologies have emerged over the years that are not covered by HIPAA. Personal electronic devices are extensively used which can collect huge amounts of personal and health data, such as fitness trackers and other wearable devices and smartphones have made it much easier for individuals to obtain, use, and share healthcare data.

Many of these devices collect data that would fall under the category of PHI if created or collected by a HIPAA-covered entity but are not within the scope of HIPAA, even though the same data are often collected by those devices. The extent to which these devices are now being used, and the sheer volume of digital health and wellness data being generated outside the healthcare system by individuals, is a growing cause of concern. Without the protections of HIPAA, healthcare data may not be properly protected and could be shared extensively or sold on with ease.

The HIPAA Privacy Rule does not adequately cover the collection of healthcare data, as it only covers uses and disclosures by certain entities. It does not apply to health data itself, and this could be argued is one of the biggest failures of HIPAA. The same is true of the HIPAA Security Rule, which also has a restrictive scope and only calls for administrative, physical, and technical safeguards for the healthcare data held, received, or transmitted by HIPAA-covered entities and their business associates.

Healthcare data is extremely valuable, and not only to bad actors such as cybercriminals. Cybercriminals can use healthcare data for fraud and identity theft, but it also has tremendous value to a wide range of businesses. Healthcare and wellness data can be used by insurers to gauge risk – which can affect insurance premiums. Employers can use health data to make decisions about potential new hires, and all manner of other businesses can use the data to make decisions about individuals that could have significant consequences for the data subjects.

The question about whether HIPAA should be updated to cover all healthcare data has yet to be fully answered. Many attempts have been made to introduce legislation to cover all healthcare data, but each has failed to make it through the Senate.

The scope of HIPAA could be expanded to include individually identifiable health information collected, used, transmitted, or maintained by non-HIPAA covered entities and non-business associates. Alternatively, new separate legislation is required to cover healthcare data not currently regulated by HIPAA. The solution could well be to leave HIPAA as it is and to instead introduce a national privacy law akin to the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

HIPAA Training and Education Need to Improve

HIPAA is not perfect and there are still significant gaps in the legislation, something that the coronavirus pandemic has highlighted. HIPAA doesn’t extend to the army of contact tracers and the data they collect, nor does it adequately cover exposure notification apps and may disclosures of COVID-19 related data. This is an area, like personal health apps, that needs to be addressed as there is considerable potential for privacy violations.

Vaccination programs have highlighted several areas where education needs to be improved. There have been many cases of HIPAA being cited as a reason not to disclose or share vaccination data, when HIPAA does not place restrictions on disclosures of vaccination information by individuals to employers or others.

Training remains a key issue with HIPAA and is often a much bigger weakness than technology or the HIPAA text itself. It is often uninformed people, and not healthcare technology and privacy and security controls, that are the reason for security breaches and privacy violations. While updates to HIPAA are needed, improvements need to be made to training programs to ensure all individuals with access to PHI or systems containing PHI are aware of their responsibilities and are trained how to be HIPAA-compliant employees.

Training needs to be appropriate to the role of each individual and training needs to be reinforced. Regular training sessions need to be provided to the workforce to make sure that the requirements of HIPAA are fully understood and are not forgotten over time. At many covered entities and business associates, employee training on HIPAA is not provided frequently enough.

Proposed Updates to the HIPAA Privacy Rule

Ahead of the 25-year anniversary of the HIPAA Privacy Rule, a significant update was proposed by the HHS. The proposed update published by the HHS in 2020 is intended to address several aspects of the Privacy Rule that are hampering care coordination and adding an unnecessary administrative burden on healthcare providers.

One of the main reasons for the update, according to then HHS Secretary Alex Azar, was to “break down barriers that have stood in the way of common sense care coordination and value-based arrangements for far too long.” The proposed update will improve care coordination and case management for patients, allow families and caregivers to become more involved in the provision of care to individuals, improve patients’ access to their health data, and will introduce new flexibilities covering disclosures of PHI in emergency and threatening situations, while also reducing the administrative burden on healthcare organizations. These updates have been long overdue but there has been criticism that the updates do not go far enough, and that some of the suggested updates are ill-advised.

One of the aspects addressed in the update will make it easier for patients to obtain a copy of their electronic healthcare data, but there are potential privacy and security risks with the change. Patients will be given the “right to direct the transmission of certain protected health information in an electronic format to a third party.” This right will help patients share their healthcare data with research organizations, but there are concerns that this change could have a negative impact on patients. Patients could request their health data be sent to anyone they choose, when the transmission of data to an entity not covered by the protections of HIPAA carries a security risk. The new right will certainly give patients much greater access and control over their personal data, but potentially it increases the risks that PHI may fall into the hands of bad actors.

The Future of HIPAA

HIPAA has been a great success, but it is far from perfect. There are still areas that require tweaking to improve usability and remove some of the administrative burden placed on HIPAA-covered entities. Proposed updates to the HIPAA Privacy Rule go some way to addressing some of the issues, but for many, the new HIPAA regulations that have been proposed do not go nearly far enough and some of the proposed changes have potential to cause privacy issues.

Overall, for legislation that is 25 years old, HIPAA has, with its various amendments, survived the test of time and is even more relevant and useful now than it was when it was first signed into law in 1996. HIPAA should be viewed as a work in progress though, and as far as the Future of HIPAA is concerned, there are likely to need to be further updates to ensure it remains relevant and effective.

Future of HIPAA FAQs

Does HIPAA cover all healthcare data?

HIPAA covers identifiable healthcare data, which is any healthcare data created, collected, transmitted, or maintained by a HIPAA-covered entity or business associate for treatment, payment for healthcare, or healthcare operations relating to the past, present, or future health status of an individual. Health data is not covered by HIPAA if it is created, stored, or transmitted by a non-HIPAA-covered entity or non-business associate.

Who does HIPAA apply to?

HIPAA applies to HIPAA-covered entities and their business associates. HIPAA-covered entities are healthcare providers, health plans, and healthcare clearinghouses that conduct electronic transactions involving PHI for which the HHS has developed standards. Business associates are vendors that provide products or services to HIPAA-covered entities that requires contact with PHI. HIPAA does not apply to other entities such as reporters, senators, individuals, and most employers.

Are there privacy risks associated with health apps?

Health apps, fitness trackers, and other wearable devices are not generally covered by HIPAA, nor are the data they collect or transmit. Without the protection of HIPAA, health app developers may use, disclose, or sell health data collected through the apps, and the security measures implemented may not meet HIPAA standards. There may be privacy and security risks associated with the use of these apps and devices.

Does HIPAA prevent disclosures of COVID-19 vaccination information?

Many people hide behind HIPAA and use the regulation as an excuse not to answer questions. One of the most notable recent examples, of which there are many, came from Marjorie Taylor Greene when asked about her vaccination status and cited HIPAA as the reason she could not disclose the information. HIPAA does not prevent such discloses. It only places restrictions on uses and disclosures by healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities.

How often does HIPAA training need to be provided?

HIPAA training must be provided to all healthcare employees within a reasonable period of time after the person joins the covered entity’s workforce, as well as when functions are affected by a material change in policies or procedures and following any updates to the HIPAA Rules. HIPAA refresher training should also be provided at least annually, and no later than every two years. Annual training is the best practice.

The post Future of HIPAA: Reflections at the 25th Anniversary of HIPAA appeared first on HIPAA Journal.

Scripps Health Ransomware Attack Expected to Cost $106.8 Million

Posted August 18, 2021 by HIPAA Journal

Ransomware attacks on hospitals can cause huge financial losses, as the Ryuk ransomware attack on Universal Health Services showed. UHS is one of the largest healthcare providers in the United States, and operates 26 acute care hospitals, 330 behavioral health facilities, and 41 outpatient facilities. UHS said in March 2021 that the September 2020 ransomware attack resulted in $67 million in pre-tax losses due the cost of remediation, loss of acute care services, and other expenses incurred due to the attack.

While the losses suffered by UHS were significant, the ransomware attack on Scripps Health has proven to be far more expensive. Scripps Health is a California-based nonprofit operator of 5 hospitals and 19 outpatient facilities in the state. In the May 2021 ransomware attack, Scripps Health lost access to information systems at two of its hospitals, staff couldn’t access the electronic medical record system, and its offsite backup servers were also affected.

Without access to critical IT systems, Scripps Health was forced to re-route stroke and heart attack patients from four of its main hospitals in Encinitas, La Jolla, San Diego and Chula Vista, and trauma patients could not be accepted at Scripps Mercy Hospital San Diego in Hillcrest and Scripps Memorial Hospital La Jolla. Scripps Health said it took 4 weeks to recover from the attack.

Losses sustained as a result of the attack are expected to reach $106.8 million, with the majority of that figure – $91.6 million – due to lost revenue during the 4-week recovery period. $21.1 million had to be spent on response and recovery, and Scripps Health was only able to recover $5.9 million from its cyber insurance policy.

The costs are likely to increase further still. The protected health information of 147,267 patients was compromised in the attack, and several class action lawsuits have been filed against Scripps Health over the theft of patient data. The expected losses do not include litigation costs.

The post Scripps Health Ransomware Attack Expected to Cost $106.8 Million appeared first on HIPAA Journal.

NCSC Password Recommendations

Posted August 10, 2021 by HIPAA Journal

The UK’s NCSC password recommendations have been updated and a new strategy is being promoted that meets password strength requirements but improves usability.

There are multiple schools of thought when it comes to the creation of passwords, but all are based on the premise that passwords need to be sufficiently complex to ensure they cannot be easily guessed, not only by humans, but also the algorithms used by hackers in their brute force attacks.

Each year lists of the worst passwords are published that are compiled from credentials exposed in data breaches. These worst password lists clearly demonstrate that some people are very poor at choosing passwords. Passwords such as “password,” “12345678,” and “qwertyuiop” all feature highly in the lists. Due to the risk of end users creating these weak passwords, many organizations now have minimum requirements for password complexity, but that does not always mean that strong passwords will be set.

The Problem with Password Complexity Requirements

The minimum requirements for password complexity are typically to have at least one lower- and upper-case letter, a number, and often a special character. Incorporating these elements makes passwords much harder to guess – in theory at least. In practice, individuals get around these requirements by setting passwords such as “Passw0rd!” or “Qwertyuiop1!” that meet complexity requirements but are still incredibly weak and extremely vulnerable to brute force attacks.

From a security perspective, all accounts should have a unique password which must never be used to protect multiple accounts. Passwords should ideally consist of random letters, numbers, and characters and be sufficiently long – 8 characters as an absolute minimum. The problem is that while these random complex passwords are strong and will be resistant to brute force attacks, they are also virtually impossible for most people to remember, especially considering the average person has around one hundred passwords.

The National Institute of Standards and Technology (NIST) highlighted this problem in its latest password guidance (SP 800-63B), and recommends the use of passphrases rather than passwords, as the length of a passphrase of, say 16 characters, adds the required complexity while being human-friendly.

Now, the National Cyber Security Center (NSCS), part of the UK Government Communications Headquarters (GCHQ) has suggested a new approach for creating passwords that combines security with usability.

NCSC Password Recommendations are to Use Three Random Words

The solution proposed by NSCS is contrary to the arbitrary complexity password requirements that are often recommended. Complex passwords consisting of lower- and upper-case letters, numbers, and special characters are often far from complex may give a false sense of security. The reason is the character combinations selected by end users are usually far from random. There are tricks that many people use to make passwords easy to remember and meet password complexity requirements, and those tricks are known to hackers. For example, replacing a 1 with an exclamation mark, an E with a 3, a 5 with an S, or an O with a zero.

There are also combinations of letters and numbers that are more common than others, and those more common combinations are incorporated into hackers’ password guessing tools. “Counterintuitively, the enforcement of these complexity requirements results in the creation of more predictable passwords,” explained NSCS in a recent blog post. “Security that’s not usable doesn’t work.”

The NCSC password recommendations add enough complexity while still making passwords easy to remember. They are to use three random words to make up a password. The use of three random words means passwords will be relatively long, sufficiently complex, but easy to remember.

The three random word approach to passwords works in several different ways:

Length – Passwords will generally be longer
Impact – The strategy is quick and easy to explain
Novelty – Encourages use of words not previously considered
Usability – It is easy to think of three words and remember them

“Traditional password advice telling us to remember multiple complex passwords is simply daft,” said NCSC’s technical director, Dr Ian Levy. “By following this advice, people will be much less vulnerable to cybercriminals and I’d encourage people to think about the passwords they use on their important accounts, and consider a password manager.”

The latter advice is important, as the strategy of using three random words does not work when unique passwords need to be created for 100 difficult online accounts. “Adopting three random words is not a panacea that solves the issue of remembering a lot of passwords in a single stroke, and we expect it to be used alongside secure storage,” said NCSC.

The aim of the latest NCSC password recommendations is not to solve the password problem completely, but simply to increase password diversity – that is, “reducing the number of passwords that are discoverable by cheap and efficient search algorithms, forcing an attacker to run multiple search algorithms (or use inefficient algorithms) to recover a useful number of passwords.”

The Best Password Strategy

The best password strategy based on the NCSC password recommendations is to create password of three random words, but also to use a password manager. A password manager allows users to generate truly random strings of numbers, letters, and characters that are incredibly complex, but importantly users never have to remember them. Those passwords are stored in encrypted form in a secure password vault and will be autofilled when a user needs them. There is never the need to remember them or type them in. These solutions are very secure, and many operate under the zero-knowledge model, where even the password manager developer does not have access to users’ password vaults.

All that is required is for a user to set a secure, master password for their password vault and set up 2-factor authentication. The strategy of using three random words would work well for the master password that provides access to user’ vault of truly random, long complex passwords.

Password manager solutions are usually low cost or even free. For example, Bitwarden provides a secure, open-source password manager solution under a free tier with the individual premium package only costing $10 per year, yet even with the low cost of these solutions, uptake is still low.

If businesses and individuals make the change and start using a password manager and implement the latest NCSC password recommendations, password security and usability will be substantially improved.

The post NCSC Password Recommendations appeared first on HIPAA Journal.