Healthcare Data Privacy

NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS) Ecosystem

Posted December 22, 2020 by HIPAA Journal

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has released final guidance for healthcare delivery organizations on securing the Picture Archiving and Communication System (PACS) ecosystem.

PACS is a medical imaging technology that is used to securely store and digitally transmit medical images such as MRIs, CT scans, and X-rays and associated clinical reports and is ubiquitous in healthcare. These systems eliminate the need to store, send, and receive medical images manually, and assist healthcare delivery organizations by allowing the images to be securely and cheaply stored offsite in the cloud. PACS allows medical images to be easily retrieved using PACS software from any location.

PACS is a system that by design cannot operate in isolation. In healthcare delivery organizations, PACS is usually integrated into highly complex environments and interfaces with many interconnected systems. The complexity of those environments means securing the PACS ecosystem can be a major challenge and it is easy for cybersecurity risks to be introduced that could easily compromise the confidentiality, integrity, and availability of the PACS ecosystem, protected health information (PHI), and any systems to which PACS connects.

In September 2019, a ProPublica report found 187 unprotected servers that were used to store and retrieve medical images. Those servers stored the medical images and associated PHI of more than 5 million patients in the United States. In some cases, the images could be accessed using a standard web browser and viewed using free-to-download software.

This year, the analyst team at CyberAngel scanned approximately 4.3 billion IP addresses worldwide and found 2,140 unprotected servers across 67 countries. Those servers were found to contain more than 45 million medical images. The images had up to 200 lines of metadata that included personally identifiable information and protected health information. According to the CyberAngel “Full Body Exposure” report, those images could be accessed via the Internet with a standard web browser. In some instances, login portals were present, but accepted blank username and password fields.

NIST released draft guidance on securing the PACS ecosystem shortly after the ProPublica report was published to help healthcare delivery organizations identify cybersecurity risks associated with PACS and implement stronger security controls while minimizing the impact and availability to PACS and other components.

The final version of the guidance includes a comprehensive set of cybersecurity standards and best practices to adopt to improve the security of the PACS ecosystem, with the guidance covering asset management, access control, user identification and authentication, data security, security continuous monitoring, and response planning, recovery, and restoration.

“The final practice guide, which in addition to incorporating feedback from the public and other stakeholders, builds on the draft guide by adding remote storage capabilities into the PACS architecture. This effort offers a more comprehensive security solution that more closely mirrors real-world HDO networking environments,” explained NIST.

This practice guide can be used by HIPAA covered entities and their business associates to implement current cybersecurity standards and best practices to reduce their cybersecurity risk, while maintaining the performance and usability of PACS

NIST Cybersecurity Special Publication 1800-24, Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector is available on this link.

The guidance was developed by NIST/NCCoE in collaboration with Cisco, Clearwater Compliance, DigiCert, Forescout, Hyland, Microsoft, Philips, Symantec, TDI Technologies, Tempered Networks, Tripwire, Virtua Labs, and Zingbox.

The post NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS) Ecosystem appeared first on HIPAA Journal.

OCR Issues Guidance on Disclosures of PHI to Health Information Exchanges under HIPAA

Posted December 21, 2020 by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has published new guidance on the Health Insurance Portability and Accountability Act (HIPAA) Rules covering disclosures of protected health information (PHI) to health information exchanges (HIEs) for the public health activities of a public health authority (PHA).

An HIE is an organization that enables the sharing of electronic PHI (ePHI) between more than two unaffiliated entities such as healthcare providers, health plans, and their business associates. HIEs’ share ePHI for treatment, payment, or healthcare operations, for public health reporting to PHAs, and for providing other functions and services such as patient record location and data aggregation and analysis.

HIPAA supports the use of HIEs and the sharing of health data to improve public health, which has been especially important during the COVID-19 public health emergency. The HIPAA Privacy Rule permits HIPAA-covered entities and their business associates to disclose protected health information to an HIE for reporting to a PHA that is engaged in public health, without requiring prior individual authorization.

Such disclosures are permitted under the following circumstances:

When disclosures are required by federal, state, local, or other laws that are enforceable in court
When the HIE is acting under a grant of authority or contract with a PHA for a public health activity
When the HIE is a business associate of the covered entity or another business associate, and wishes to provide ePHI to a PHA for public health purposes*

*The HIPAA Privacy Rule only permits an HIE which is a business associate of the covered entity or another business associate to disclose ePHI to a PHA for public health purposes if it is expressly stated that they can do so in the business associate agreement (BAA) with the covered entity. However, earlier this year in response to the COVID-19 public health emergency, OCR issued a notice of enforcement discretion stating no action will be taken against a business associate for good faith disclosures of ePHI to a PHA for public health purposes if they are not expressly permitted to disclose ePHI to a PHA in their BAA. In such cases, the business associate must inform the covered entity within 10 calendar days of the disclosure. The notice of enforcement discretion is only valid for the duration of the COVID-19 public health emergency. When the Secretary of the HHS declares the COVID-19 public health emergency over, such disclosures will no longer be permitted unless expressly permitted in the BAA.

Disclosures of ePHI by an HIE to a PHA should be limited to the minimum necessary information to achieve the purpose for the disclosure. A covered entity can rely on a PHA’s request to disclose a summary record to the PHA or HIE as being the minimum necessary PHI to achieve the public health purpose of the disclosure.

A covered entity is permitted by the HIPAA Privacy Rule to disclose ePHI to a PHA through an HIE, even if a direct request for the PHI is not received from the PHA, provided the covered entity knows that the PHA is using the HIE to collect such information, or that the HIE is acting on behalf of the PHA.

While the above disclosures of ePHI for public health purposes do not require authorizations to be obtained from the individuals whose PHI is being disclosed, those individuals must be notified about such disclosures. That can be achieved by stating disclosures of ePHI will occur for public health purposes in the organization’s Notice of Privacy Practices.

You can view the OCR guidance, which includes several examples related to COVID-19, on the HHS website, which can be accessed on this link (PDF).

The post OCR Issues Guidance on Disclosures of PHI to Health Information Exchanges under HIPAA appeared first on HIPAA Journal.

OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules

Posted December 18, 2020 by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has published its 2016-2017 HIPAA Audits Industry Report, highlighting areas where HIPAA-covered entities and their business associates are complying or failing to comply with the requirements of the Health Insurance Portability and Accountability Act.

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the HHS to conduct periodic audits of HIPAA covered entities and business associates to assess compliance with the HIPAA Rules. Between 2016 and 2017, the HHS conducted its second phase of compliance audits on 166 covered entities and 41 business associates to assess compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules.

The 2016/2017 HIPAA compliance audits were conducted on a geographically representative, broad cross-section of covered entities and business associates and consisted of desk audits – remote reviews of HIPAA documentation – rather than on-site audits. All entities have since been notified of the findings of their individual audits.

The 2016-2017 HIPAA Audits Industry Report details the overall findings of the audits, including key aspects of HIPAA compliance that are proving problematic for covered entities and business associates.

In the report, OCR gives each audited entity a rating based on their level of compliance with each specific provision of the HIPAA Rules under assessment. A rating of 1 indicates the covered entity or business associate was fully compliant with the goals and objectives of the selected standards and implementation specifications. A rating of 2 means the entity substantially met the criteria and maintained adequate policies and procedures and could supply documentation or other evidence of compliance.

A rating of 3 means the entity minimally addressed the audited requirements and had made some attempt to comply, although had failed to comply fully or had misunderstood the HIPAA requirements. A rating of 4 means the entity made negligible efforts to comply, such as supplying policies and procedures for review that were copied directly from an association template or providing poor or generic documentation as evidence of training. A rating of 5 means OCR was not provided with evidence of a serious attempt to comply with the HIPAA Rules.

The table below summarizes the audit results on key provisions of the HIPAA Rules. The blue and red figures indicate the most common rating in each category, with blue corresponding to mostly ratings of 1 or 2 (compliant) and red indicating implementation was inadequate, negligible, or absent.

The table clearly shows that most audited entities largely failed to successfully implement the HIPAA Rules requirements.

Most covered entities complied with the requirement of the Breach Notification Rule to send timely notifications in the event of a data breach. HIPAA requires those notifications to be sent within 60 days of the discovery of a data breach; however, most covered entities failed to include all the required information in their breach notifications.The audits revealed widespread compliance with the requirement to create and prominently post a Notice of Privacy Practices on their website. The Notice of Privacy Practices gives a clear, user friendly explanation of individuals’ rights with respect to their personal health information and details the organization’s privacy practices. However, most audited entities failed to include all the required content in their Notice of Privacy Practices.

The individual right of access is an important provision of the HIPAA Privacy Rule. Individuals have the right to obtain and inspect their health information. Most covered entities failed to properly implement the requirements of the HIPAA Right of Access, which includes providing access to or a copy of the PHI held within 30 days of receiving a request and only charging a reasonable cost-based fee for access.

The first phase of HIPAA compliance audits conducted by OCR in 2012 revealed widespread noncompliance with the requirement to conduct a comprehensive, organization-wide risk analysis to identify vulnerabilities and risks to the confidentiality, integrity, and availability of protected health information. In its enforcement activities over the past 11 years, a risk analysis failure is the most commonly cited HIPAA violation.

HIPAA covered entities are still failing in this important provision of the HIPAA Security Rule, with the latest round of audits revealing most audited entities failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.

“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

You can view the full 2016-2017 HIPAA Audits Industry Report on this link: https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf.

The post OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules appeared first on HIPAA Journal.

Serious Vulnerabilities Identified in Medtronic MyCareLink Smart Patient Readers

Posted December 14, 2020 by HIPAA Journal

Three serious vulnerabilities have been identified in Medtronic MyCareLink (MCL) Smart Patient Readers, which could potentially be exploited to gain access to and modify patient data from the paired implanted cardiac device. Exploitation of the vulnerabilities together could permit remote code execution on the MCL Smart Patient Reader, allowing an attacker to take control of a paired cardiac device. In order to exploit the vulnerabilities, an attacker would need to be within Bluetooth signal proximity to the vulnerable product.

The flaws are present in all versions of the MCL Smart Model 25000 Patient Reader. The first vulnerability, tracked as CVE-2020-25183, is an authentication protocol vulnerability. The method used to authenticate the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app can be bypassed. An attacker using another mobile device or malicious app on the patient’s smartphone could authenticate to the patient’s MCL Smart Patient Reader, tricking it into believing it is communicating with the patient’s smartphone app. The vulnerability has been assigned a CVSS v3 base score of 8.0 out of 10.

A heap-based buffer overflow event can be triggered in the MCL Smart Patient Reader software stack by an authenticated attacker running a debug command. Once triggered, an attacker could then remotely execute code on the vulnerable MCL Smart Patient Reader, potentially allowing the attacker to take control of the device. The vulnerability is tracked as CVE-2020-27252 and has been assigned a CVSS v3 base score of 8.8 out of 10.

MCL Smart Patient Readers are also vulnerable to a race condition in the software update system, which could be exploited to upload and execute unsigned firmware on the Patient Reader. This vulnerability could also allow remote execution of arbitrary code on the MCL Smart Patient Reader and could give an attacker control of the device. The flaw is tracked as CVE-2020-27252 and has been assigned a CVSS v3 base score of 8.8 out of 10.

The vulnerabilities were identified by researchers at the Israeli firm Sternum, with UC Santa Barbara, University of Florida, and University of Michigan researchers independently identifying the improper authentication vulnerability.

The flaws were reported to Medtronic which has now released a firmware update to fix the vulnerabilities. The firmware update can be applied by updating the MyCareLink Smartapp via the associated mobile application store. Updating to mobile application version v5.2 will ensure the update is applied on the next use; however, in order for the patch to work, the user’s smartphone must be running iOS 10 or above or Android 6.0 or above.

Users have also been advised to maintain strong physical control over their home monitors and to restrict use of the home monitors to private environments. Patients should only use home monitors that have been obtained directly from their healthcare provider or a Medtronic representative.

Medtronic has also taken steps to improve security, including implementing Sternum’s enhanced integrity validation (EIV) technology which provides early detection and real-time mitigation of known vulnerability exploitation attempts, and Sternum’s advanced detection system technology, which enables device-level logging and monitoring of all device activity and behavior.

The post Serious Vulnerabilities Identified in Medtronic MyCareLink Smart Patient Readers appeared first on HIPAA Journal.

HIPAA Privacy Rule Changes Proposed to Improve Care Coordination and Patient Rights

Posted December 10, 2020 by HIPAA Journal

The Department of Health and Human Services has issued a notice of proposed rulemaking detailing multiple HIPAA Privacy Rule changes that are intended to remove regulatory burdens, improve care coordination, and give patients better access to their protected health information (PHI).

OCR issued a request for public input on potential HIPAA Privacy Rule changes in December 2018 under the HHS’ Regulatory Sprint to Coordinated Care. The regulatory sprint was intended to accelerate transformation of the healthcare system and remove some of the barriers that have hampered the coordination of care, were making it difficult for healthcare providers to share patient information and placed an unnecessary burden on patients and their families who were trying to get their health information exchanged. In response to the request for information, the HHS received around 1,300 comments spanning 4,000 pages. The HHS has had to strike a balance between providing more flexibility to allow health information to be shared easily and ensuring the privacy and security of healthcare data.

“Our proposed changes to the HIPAA Privacy Rule will break down barriers that have stood in the way of commonsense care coordination and value-based arrangements for far too long,” said HHS Secretary Alex Azar. “As part of our broader efforts to reform regulations that impede care coordination, these proposed reforms will reduce burdens on providers and empower patients and their families to secure better health.”

HIPAA was initially signed into law in 1996 and the Privacy Rule took effect in 2003, prior to widespread adoption of electronic medical records and before many online and mobile services were available. The proposed updates are intended to remove some of the barriers to digital health, with definitions added for terms such as electronic health records and personal health applications.

Strengthening Patients’ Rights to their Own Healthcare Data

The HIPAA Privacy Rule gave patients the right to access their own healthcare data. The proposed changes will see those rights strengthened with regard to electronic protected health information (ePHI) and inspecting PHI in person. Individuals will be permitted to take notes and use personal resources to view and capture images of their own PHI, such as taking photographs of their own medical records and medical images. The time frame for providing patients with access to their own PHI has been shortened from 30 days to 15 days from the date of request and the identity verification burden on individuals has been eased.

Disclosures to Telecommunication Relay Services (TRS), which are used by the deaf and hard of hearing, are expressly permitted and TRS providers have been excluded from the definition of business associate.

The HHS has specified when ePHI must be provided to individuals at no cost – such as when ePHI is provided through online patient portals – and the permissible fee structure has been amended for responding to requests to direct healthcare records to a third party.

The HHS has also created a pathway for individuals to direct the sharing of ePHI in an EHR among covered health care providers and health plans. Covered entities will also be required to publish estimated fee structures on their websites for providing access to PHI and copies of PHI, as well as provide individuals with itemized bills for completed requests.

Improving Coordination of Care and Reducing the Administrative Burden

Several changes have been proposed to improve information sharing for care coordination and case management for individuals, which will make it easier for hospitals and physician practices to share patient information with other healthcare providers and social service and caregiving agencies.

If patients give their authorization for their healthcare provider or doctor to see their medical records from another healthcare provider, it will be the healthcare provider or doctor’s office that will be responsible for getting that information rather than the patient.

The privacy standard that permitted covered entities to make disclosures based on their professional judgement has been changed to permit uses and disclosures based on a covered entity’s good faith belief that a use or disclosure is in the best interests of the patient, which is more permissive.

Changes have also been proposed to remove the administrative burden on healthcare providers, such as long-awaited removal of the requirement to have patients sign a notice of privacy practices, instead they will only need to be provided with a notice of privacy practices. This change alone is expected to save the healthcare industry an estimated $3.2 billion over five years.

Changes have been proposed to improve the sharing of healthcare data in crises and emergencies. Currently, the HIPAA Privacy Rule permits covered entities to disclose patient health information to avert a serious and imminent threat to health or patient safety. The wording has been changed to avert threats when harm is ‘serious and reasonably foreseeable’. The change would make it easier for healthcare providers to share information when individuals have stated they are contemplating suicide, for instance, and would improve care coordination in emergencies such as the opioid and COVID-19 public health emergencies.

Commonsense, Bipartisan HIPAA Privacy Rules Changes

“Today’s announcement is a continuation of our ongoing work under my Regulatory Sprint to Coordinated Care to eliminate unnecessary regulatory barriers blocking patients from getting better care,” said HHS Deputy Secretary Eric Hargan. “These proposed changes reduce burden on providers and support new ways for them to innovate and coordinate care on behalf of patients, while ensuring that we uphold HIPAA’s promise of privacy and security.”

The HHS is accepting comments from all healthcare industry stakeholders, including patients and their families, healthcare providers, health plans, business associates, health IT vendors and government entities. Comments must be submitted within 60 days of the publication of the notice of proposed rulemaking in the Federal Register.

With President-Elect Biden due to take office in January, it is likely there will be significant amendments to the proposed HIPAA Privacy Rule changes; however, many of the updates have been proposed to address issues that have been proving problematic for hospitals, doctors, and patients for many years and are non-partisan, commonsense changes. HHS officials hope the incoming administration will understand the need for these HIPAA Privacy Rule changes and will provide the support to ensure they are implemented.

You can view the proposed 2020 HIPAA Privacy Rule changes on this link (PDF).

The post HIPAA Privacy Rule Changes Proposed to Improve Care Coordination and Patient Rights appeared first on HIPAA Journal.

Xavier Becerra Named Secretary of the Department of Health and Human Services

Posted December 7, 2020 by HIPAA Journal

President-elect Joe Biden has named California Attorney General Xavier Becerra as Secretary of the Department of Health and Human Services. While the decision has been made according to The New York Times, the appointment has yet to be announced by his transition team.

Biden is committed to building the most diverse administration in history and while progress has been made so far, Biden has faced criticism over the number of Latinos appointed to date. If the appointment of Becerra is confirmed by the senate, he will become the first ever Latino Secretary of the Department of Health and Human Services. The news of his selection has drawn praise from the Congressional Hispanic Caucus.

Becerra has a long record of supporting the Affordable Care Act and helped steer the legislation through Congress in 2009 and 2010. The former Los Angeles area congressman also led the coalition of Democratic states that defended the Affordable Care Act and resisted attempts by the Trump Administration to overturn it. Becerra will be responsible for expanding the Affordable Care Act and is likely to quickly rollback changes made by the Trump administration.

Becerra has worked with the Louisiana Attorney General to increase the availability of the drug Remdesivir in the state and with many Republican Attorneys General in legal actions against opioid manufacturers. His successes working with Republicans was one of factors that helped secure the position of Secretary of the HHS. Becerra will have the immediate task of overseeing the HHS response to the coronavirus pandemic, including the mass vaccination program due to be rolled out across the United States in early 2021.

Biden has nominated Dr. Rochelle Walensky to lead the Centers for Disease Control and Prevention. Walensky is a leading infectious disease specialist at Massachusetts General Hospital, with extensive career experience combatting HIV/AIDS. Dr. Anthony Fauci, current director of the National Institute of Allergy and Infectious Diseases and chief medical advisor on COVID-19 will remain in those two positions.

Biden has named Jeff Zients, former economic advisor to President Barack Obama, as the White House coronavirus coordinator and co-chair of the coronavirus task force, Vivek Murthy, is expected to return to the position of Surgeon General that he held under the Obama administration.

Other nominations include Yale School of Medicine professor Dr. Marcella Nunez-Smith as COVID-19 Equity Task Force chair and deputy campaign manager Natalie Quillian as deputy coordinator of the COVID-19 Response. The remaining members of the health care team are expected to be announced in the next few days.

The post Xavier Becerra Named Secretary of the Department of Health and Human Services appeared first on HIPAA Journal.

AMA Issues Guidance to Help Healthcare Organizations Mitigate COVID-19 Cyber Risks

Posted December 4, 2020 by HIPAA Journal

The American Medical Association has warned hospitals, health systems, and medical practices about the increase in cyber risks targeting the healthcare sector and has provided recommendations on the steps that can be taken to ensure threats are mitigated and network security is improved.

Laura Hoffman, AMA assistant director of federal affairs, explained the current threats in a recent AMA COVID-19 Update and announced a new resource has been developed by the AMA and American Hospital Association (AHA) on technology considerations for healthcare organizations for the remainder of 2020 to improve network security and bolster patient privacy efforts.

The COVID-19 pandemic has created many new challenges for healthcare organizations which are having to treat increased numbers of patients while working in ways that may be unfamiliar. The pandemic has seen a major expansion of telehealth services, with many patients now receiving care virtually using new technology platforms.

These new technologies and platforms have introduced vulnerabilities and broadened the attack surface and cybercriminals have taken advantage and have stepped up attacks on the healthcare sector. At the start of the pandemic there was an increase in phishing attacks on the industry. Virtual Private Networks have been used to support remote working, telehealth, and remote monitoring of medical devices, which has increased the attack surface. Several vulnerabilities have been identified in these solutions which have been exploited by threat actors to gain access to healthcare networks.

There has also been a major increase in ransomware attacks on the healthcare sector. The operators of Ryuk ransomware have been targeting the healthcare industry and have stepped up their attacks in recent weeks. These attacks prevent access to protected health information and disable mission critical systems, causing delays to patient care and placing patient safety at risk. The AMA has also observed an increase in insider threats during the pandemic. Insiders have identified security vulnerabilities and have taken advantage and exploited those vulnerabilities for financial gain.

“As practices reopen, and hospitals around the country prepare for a second wave of COVID-19 infections coinciding with cold and flu season, our organizations are providing this update on steps physicians should take to prepare for the coming months,” explained AMA/AHA in the new guidance document – Technology Considerations for the Rest of 2020.

The AMA recommends healthcare providers should request routine updates from their health information technology vendors or security professionals. The guidance document lists a series of questions that should be asked of those providers to ensure that vulnerabilities are identified and addressed. The questions cover network security, the use of legacy devices and software that is no longer supported, access rights to systems given to third parties and vendors during the pandemic, and the location of all protected health information.

In addition to addressing cybersecurity risks, healthcare providers should get prepared for when the Public Health Emergency comes to an end. During the pandemic, the HHS’ Office for Civil Rights announced it would be exercising enforcement discretion with respect to the good faith use of technology to support telehealth. When the Public Health Emergency ends, healthcare providers will be required to comply fully with HIPAA once again.

The telehealth platforms that have been used during the pandemic may no longer be suitable for use, and if use can continue, business associate agreements will need to be entered into with technology vendors. It is also necessary to conduct security risk assessments on telehealth platforms to identify risks and vulnerabilities to protected health information associated, if they have not already been conducted.

The AMA is encouraging physicians and hospitals to start having discussions with their telemedicine vendors and to take steps to conduct or implement a security risk analysis, so they are prepared for when the Public Health Emergency ends.

In the guidance, the AMA/AHA also suggest asking telemedicine vendors about their privacy practices, intended data use and security protocols. “Many physicians do not realize that a telemedicine platform or application may be low-cost or free because the vendor’s business model is based on aggregating and selling patients’ data. If possible, consult with your legal team to clarify how video, audio, and other data are being captured and stored by the vendor and who has access. You can also ask whether the vendor will share results of third-party security audits, including SOC 2 or HITRUST, in addition to the results of their penetration testing.”

It is also advisable to enable all available privacy and security tools when using telemedicine platforms, including end-to-end encryption to prevent third-parties from intercepting communications between providers and patients. Providers should also be open with patients about the potential privacy risks associated with the use of telemedicine platforms and make sure they are aware of any risks involved with virtual care.

The post AMA Issues Guidance to Help Healthcare Organizations Mitigate COVID-19 Cyber Risks appeared first on HIPAA Journal.

Vendor Access and HIPAA Compliance: Are you Secured?

Posted November 17, 2020 by HIPAA Journal

It can be hard to remember a time before the Health Insurance Portability and Accountability Act, known as HIPAA, was enacted in 1996. These were the days that paper files were still stored in cabinets and sensitive information was generally delivered by hand, or if you were really sophisticated, it was sent via a fax machine.

Fast forward almost 25 years later and unsurprisingly, the world in the healthcare industry looks completely different, except some do still use fax machines. Nothing surprising here, but everything is now stored on computers and transmitted over the internet, which has led to obvious increases in terms of efficiency, but, with this comes risk. We’ve seen an increase in serious data breaches tied to healthcare entities that are exposing highly sensitive personal health information. And not just any type of data breach, these are the ones that are tied to third-party and vendor access, which are known to be more costly in terms of fines and reputational damage.

A hacker can quickly access hundreds of patient files and cause widespread damage, including a release of private information, deletion of crucial health reports, large-scale identify theft, and the increasingly popular route of ransomware.

Gone are the days where healthcare companies only had to deal with issues related to patient care because they now find themselves grappling with complicated cybersecurity issues far outside the medical space.

Considering the risks of HIPAA noncompliance, healthcare companies generally benefit from hiring third-party vendors that specifically handle HIPAA regulatory compliance. To fully protect patients, these vendors should have clear policies that restrict access, remain transparent and auditable, and maintain the most updated data security measures.

How to Restrict Vendor Access

Who has access to the patients’ information, how are they accessing the information, and how much access do they have (or should they have)? These are crucial questions for any technology vendor.

First, each member of the IT team should have only the level of access required to ensure both HIPAA compliance and data security, including restrictions on time, scope, and job function. Each vendor rep should use a unique username and password to log into the system and go through multi-level authentication that’s attached to their identities. On top of that, an automatic logoff upon a short period of inactivity can prevent unauthorized access under another’s credentials.

Why Auditable Reports are Necessary

An automatic audit system permits healthcare companies to screen for unauthorized access and to trace the source of the data breach. An effective audit system maintains detailed login information of every support connection system and delivers a complete history of every login, including time, place, personnel and scope of access to the patients’ records, and other sensitive information.

These reports are not only necessary for internal security purposes, but are integral for proving HIPAA compliance in relation to allowing vendors on your network.

The Importance of Data Integrity and Security

The weak link in data security generally occurs at the points of access and transmission. However, regular updates to security settings protect data from corruption and prevent a breach of data during transmission. To protect the data’s integrity and security, recommendations include customer control of configurable encryption, advanced transmission standards (AES) in 128-, 192-, and 256-bit modes, and data encryption standards (DES) of Triple DES10.

Be Sure, Be Secure

Ultimately, the healthcare business bears the burden if patient information is compromised. A third-party IT security vendor should, therefore, have the knowledge and experience to meet the highest standards for HIPAA compliance. If you’re worried about your vendors not having your compliance in mind, it is of the utmost importance to ensure you are vetting them before onboarding them, as well as checking in on them and doing an “audit” of some sort to make sure you have a ledger of all vendors.

Remote access to a healthcare facility’s networks and systems is an often overlooked area that can represent significant potential exposure for HIPAA breaches. Know your vendors, why they’re connecting, and ensure compliance.

Author: Ellen Neveux, SecureLink

SecureLink provides a remote-access platform that reduces the risks associated with providing remote access to internal networks to vendors and clients

The post Vendor Access and HIPAA Compliance: Are you Secured? appeared first on HIPAA Journal.

September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised

Posted October 22, 2020 by HIPAA Journal

September has been a bad month for data breaches. 95 data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in September – A 156.75% increase compared to August 2020.

Not only did September see a massive increase in reported data breaches, the number of records exposed also increased significantly. 9,710,520 healthcare records were exposed in those breaches – 348.07% more than August – with 18 entities suffering breaches of more than 100,000 records. The mean breach size was 102,216 records and the median breach size was 16,038 records.

Causes of September 2020 Healthcare Data Breaches

The massive increase in reported data breaches is due to the ransomware attack on the cloud software company Blackbaud. In May 2020, Blackbaud suffered a ransomware attack in which hackers gained access to servers housing some of its customers’ fundraising databases. Those customers included many higher education and third sector organizations, and a significant number of healthcare providers.

Blackbaud was able to contain the breach; however, prior to the deployment of the ransomware, the attackers exfiltrated some customer data. The breach was initially thought to only include limited data about donors and prospective donors, but further investigations revealed Social Security numbers and financial information were also exfiltrated by the hackers.

Blackbaud negotiated a ransom payment and paid to prevent the publication or sale of the stolen data. Blackbaud has reported it has received assurances that all stolen data were deleted. Blackbaud has engaged a company to monitor dark web sites but no data appears to have been offered for sale.

Blackbaud announced the ransomware attack in July 2020 and notified all affected customers. HIPAA-covered entities affected by the breach started to report the data breach in August, with most reporting in September.

It is currently unclear exactly how many U.S. healthcare organizations were affected by the breach and the final total may never be known. Databreaches.net has been tracking the Blackbaud breach reports and, at last count, at least 80 healthcare organizations are known to have been affected. The records of more than 10 million patients are thought to have been compromised as a result of the ransomware attack.

Unsurprisingly, given the numbers of healthcare providers affected by the Blackbaud breach, hacking/IT incidents dominated the breach reports. 83 breaches were attributed to hacking/IT incidents and 9,662,820 records were exposed in those breaches – 99.50% of all records reported as breached in September. The mean breach size was 116,420 records and the median breach size was 27,410 records.

There were 7 unauthorized access/disclosure incidents reported in September involving a total of 34,995 records. The mean breach size was 4,942 records and the median breach size was 1,818 records. There were 4 loss/theft incidents reported involving 12,029 records, with a mean breach size of 3,007 records and a median size of 2,978 records. There was 1 improper disposal incident reported involving 1,076 records.

Most of the compromised records were stored on network servers, although there were a sizable number of breaches involving PHI stored in email accounts.

Largest Healthcare Data Breaches Reported in September 2020

Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach	Breach Cause
Trinity Health	Business Associate	3,320,726	Hacking/IT Incident	Blackbaud Ransomware Attack
Inova Health System	Healthcare Provider	1,045,270	Hacking/IT Incident	Blackbaud Ransomware Attack
NorthShore University HealthSystem	Healthcare Provider	348,746	Hacking/IT Incident	Blackbaud Ransomware Attack
SCL Health – Colorado (affiliated covered entity)	Healthcare Provider	343,493	Hacking/IT Incident	Blackbaud Ransomware Attack
Nuvance Health (on behalf of its covered entities)	Healthcare Provider	314,829	Hacking/IT Incident	Blackbaud Ransomware Attack
The Baton Rouge Clinic, A Medical Corporation	Healthcare Provider	308,169	Hacking/IT Incident	Ransomware Attack
Virginia Mason Medical Center	Healthcare Provider	244,761	Hacking/IT Incident	Blackbaud Ransomware Attack
University of Tennessee Medical Center	Healthcare Provider	234,954	Hacking/IT Incident	Blackbaud Ransomware Attack
Legacy Community Health Services, Inc.	Healthcare Provider	228,009	Hacking/IT Incident	Phishing Attack
Allina Health	Healthcare Provider	199,389	Hacking/IT Incident	Blackbaud Ransomware Attack
University of Missouri Health Care	Healthcare Provider	189,736	Hacking/IT Incident	Phishing Attack
The Christ Hospital Health Network	Healthcare Provider	183,265	Hacking/IT Incident	Blackbaud Ransomware Attack
Stony Brook University Hospital	Healthcare Provider	175,803	Hacking/IT Incident	Blackbaud Ransomware Attack
Atrium Health	Healthcare Provider	165,000	Hacking/IT Incident	Blackbaud Ransomware Attack
University of Kentucky HealthCare	Healthcare Provider	163,774	Hacking/IT Incident	Blackbaud Ransomware Attack
Children’s Minnesota	Healthcare Provider	160,268	Hacking/IT Incident	Blackbaud Ransomware Attack
Roswell Park Comprehensive Cancer Center	Healthcare Provider	141,669	Hacking/IT Incident	Blackbaud Ransomware Attack
Piedmont Healthcare, Inc.	Healthcare Provider	111,588	Hacking/IT Incident	Blackbaud Ransomware Attack
SCL Health – Montana (affiliated covered entity)	Healthcare Provider	93,642	Hacking/IT Incident	Blackbaud Ransomware Attack
Roper St. Francis Healthcare	Healthcare Provider	92,963	Hacking/IT Incident	Blackbaud Ransomware Attack

September 2020 Data Breaches by Covered Entity Type

88 healthcare providers reported data breaches of 500 or more records in September and 2 breaches were reported by health plans. 5 breaches were reported by business associates of HIPAA-covered entities, but a further 53 breaches involved a business associate, with the breach reported by the covered entity. Virtually all of those 53 breaches were due to the ransomware attack on Blackbaud.

September 2020 Data Breaches by State

Covered entities and business associates in 30 states and the district of Columbia reported data breaches of 500 or more records in September.

New York was the worst affected state with 10 breaches, 6 breaches were reported in each of California, Minnesota, and Pennsylvania, 5 in each of Colorado, South Carolina, and Texas, 4 in Florida, Georgia, Massachusetts, Ohio, and Virginia, 3 in each of Iowa, Kentucky, Louisiana, and Michigan, and 2 in each of Connecticut, Maryland, North Carolina, Tennessee, and Wisconsin.

One breach was reported in each of Alabama, Delaware, Illinois, Indiana, Missouri, New Hampshire, New Jersey, Oklahoma, Washington, and the District of Columbia.

HIPAA Enforcement Activity in September 2020

Prior to September, the HHS’ Office for Civil Rights had only imposed three financial penalties on covered entities and business associates to resolve HIPAA violations, but there was a flurry of announcements about HIPAA settlements in September with 8 financial penalties announced.

The largest settlement was agreed with Premera Blue Cross to resolve HIPAA violations discovered during the investigation of its 2014 data breach that affected 10.4 million of its members. OCR found compliance issues related to risk analyses, risk management, and hardware and software controls. Premera agreed to pay a financial penalty of $6,850,000 to resolve the case. This was the second largest HIPAA fine ever imposed on a covered entity.

CHSPSC LLC, a business associate of Community Health Systems, agreed to pay OCR $2,300,000 to resolve its HIPAA violation case which stemmed from a breach of the PHI of 6 million individuals in 2014. OCR found compliance issues related to risk analyses, information system activity reviews, security incident procedures, and access controls.

Athens Orthopedic Clinic PA agreed to pay a $1,500,000 penalty to resolve its case with OCR which stemmed from the hacking of its systems by TheDarkOverlord hacking group. The PHI of 208,557 patients was compromised in the attack. OCR’s investigation uncovered compliance issues related to risk analyses, risk management, audit controls, HIPAA policies and procedures, business associate agreements, and HIPAA Privacy Rule training for the workforce.

Five of the September settlements resulted from OCR’s HIPAA Right of Access enforcement initiative and were due to the failure to provide patients with timely access to their medical records.

Entity	Settlement
Beth Israel Lahey Health Behavioral Services	$70,000
Housing Works, Inc.	$38,000
All Inclusive Medical Services, Inc.	$15,000
Wise Psychiatry, PC	$10,000
King MD	$3,500

There was one settlement to resolve a multistate investigation by state attorneys general, with Anthem Inc. agreeing to pay a financial penalty of $48.2 million to resolve multiple violations of HIPAA and state laws in relation to its 78.8 million record data breach in 2015, which is on top of the $16 million financial penalty imposed by OCR in October 2018.

The post September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised appeared first on HIPAA Journal.

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information