Healthcare Data Privacy

Largest Healthcare Data Breaches in 2020

Posted by HIPAA Journal

2020 was the worst ever year for healthcare industry data breaches. 616 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights. 28,756,445 healthcare records were exposed, compromised, or impermissibly disclosed in those breaches, which makes 2020 the third worst year in terms of the number of breached healthcare records.

The chart below clearly shows how healthcare industry data breaches have steadily increased over the past decade and the sharp rise in breaches in the past two years.

The Largest Healthcare Data Breaches in 2020

When a breach occurs at a business associate of a HIPAA-covered entity, it is often the covered entity that reports the breach rather than the business associate. In 2020, a massive data breach was experienced by the cloud service provider Blackbaud Inc. Hackers gained access to its systems and stole customer fundraising databases before deploying ransomware. Blackbaud was issued with a ransom demand and a threat that the stolen data would be released publicly if the ransom was not paid. Blackbaud decided to pay the ransom to prevent the exposure of client data. Blackbaud received assurances that the stolen data was permanently deleted and not been further disclosed.

The total victim count from the Blackbaud ransomware attack may never be known, but more than 6 dozen healthcare providers have reported being affected to date and over 8 million healthcare records have potentially been compromised. That breach clearly tops the list of the largest healthcare data breaches in 2020 and ranks as one of the largest healthcare data breaches of all time.

2020’s Largest Healthcare Data Breaches

The individual entities that reported data breaches in 2020 involving more than 300,000 healthcare records are listed below. In some cases, the actual data breach occurred prior to 2020, but was only discovered and reported in 2020.

Trinity Health – 3,320,726 Individuals

At more than 3.3 million records, Trinity Health was the worst affected healthcare victim of the ransomware attack on Blackbaud Inc. The hackers potentially obtained the philanthropy database of the Livonia, Michigan-based Catholic health system, which contained patient and donor information from 2000 to 2020.

MEDNAX Services, Inc. – 1,290,670 Individuals

Sunrise, FL-based MEDNAX Services Inc, a provider of revenue cycle management and other administrative services to its affiliated physician practice groups, suffered a breach of its Office 365 environment in June 2020 after employees responded to phishing emails. The breach was extensive, involving patient and guarantor information such as Social Security numbers, driver’s license numbers, and health insurance and financial information.

Inova Health System – 1,045,270 Individuals

Virginia-based Inova Health System was also a victim of the Blackbaud ransomware attack. The hackers gained access to Blackbaud’s systems on February 7, 2020 and the breach continued until May 20, 2020. Ransomware was deployed on May 14, 2020. Inova’s fundraising database was potentially compromised which contained patient and donor information.

Magellan Health Inc. 1,013,956 Individuals

Arizona-based Magellan Health was the victim of an April 2020 ransomware attack in which the protected health information of patients was potentially compromised. The attack ended with the deployment of ransomware but started with a spear phishing email. Several of its affiliated entities were also affected by the breach.

Dental Care Alliance – 1,004,304 Individuals

Sarasota, FL-based Dental Care Alliance, LLC, a dental support organization with more than 320 affiliated dental practices across 20 states, reported a breach of its systems in December. Few details have been released about the nature of the hacking incident as the investigation is still ongoing. The breach affected many of its affiliated dental practices.

Luxottica of America Inc. – 829,454 Individuals

Luxottica of America Inc., an operator of vision care facilities across the United States and owner of the eyewear brands Ray-Ban, Oakley, and Persol, experienced a cyberattack in August 2020 which saw hackers gain access to its web-based appointment scheduling system which contained the PHI of patients of its eye care partners.

Northern Light Health – 657,392 Individuals

The Maine health system Northern Light Health was also a victim of the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database which contained patient and donor information.

Health Share of Oregon – 654,362 Individuals

In May 2020, the Medicaid coordinated care organization Health Share of Oregon reported the theft of a laptop computer from its non-emergent medical transportation vendor. The laptop was stolen in November 2019 and was not encrypted, which potentially gave the thief access to patents’ contact information, Health Share ID numbers, and Social Security numbers.

Florida Orthopaedic Institute – 640,000 Individuals

Florida Orthopaedic Institute suffered a ransomware attack in April which saw patient information on its servers encrypted. Prior to the use of ransomware, patient data may have been viewed or obtained by the hackers.

Elkhart Emergency Physicians – 550,000 Individuals

Elkhart Emergency Physicians reported a breach in May 2020 involving the improper disposal of patient records by a third-party storage vendor – Central Files Inc. Elkhart Emergency Physicians was the worst affected entity, but several other clients of the vendor were also impacted by the breach. The records had been dumped without being shredded after the storage facility permanently closed.

Aetna ACE – 484,157 Individuals

Aetna reported a data breach in December which occurred at business associate EyeMed, which provides vision benefit services for its members. The breach occurred when an EyeMed employee responded to a phishing email, which allowed the attacker to gain access to email accounts containing PHI. Several EyeMed clients were affected by the breach.

Saint Luke’s Foundation – 360,212 Individuals

Kansas City, MO-based Saint Luke’s Foundation was also a victim of the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database which contained patient and donor information.

NorthShore University Health System – 348,746 Individuals

Evanston, IL-based NorthShore University Health System was also affected by the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database.

SCL Health Colorado – 343,493 Individuals

SCL Health Colorado was also a victim of the Blackbaud ransomware attack. The PHI of patients in its Colorado, Montana and Kansas locations was potentially accessed by the attackers.

AdventHealth – 315,811 Individuals

The Altamonte Springs, FL-based healthcare system AdventHealth was also a victim of the Blackbaud ransomware attack which saw the hackers gain access to its fundraising database.

Nuvance Health – 314,829 Individuals

Nuvance Health was a victim of the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database between February and May.

Magellan Rx Management – 314,704 Individuals

Magellan Rx Management was one of the victims of the ransomware attack on its parent company, Magellan Health, in April. The hackers potentially stole patient data prior to encrypting files.

The Baton Rouge Clinic – 308,169 Individuals

The Baton Rouge Clinic in Louisiana experienced a cyberattack in early July involving ransomware. The attackers potentially viewed or obtained patient data prior to the deployment of ransomware.

The post Largest Healthcare Data Breaches in 2020 appeared first on HIPAA Journal.

NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS) Ecosystem

Posted by HIPAA Journal

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has released final guidance for healthcare delivery organizations on securing the Picture Archiving and Communication System (PACS) ecosystem.

PACS is a medical imaging technology that is used to securely store and digitally transmit medical images such as MRIs, CT scans, and X-rays and associated clinical reports and is ubiquitous in healthcare. These systems eliminate the need to store, send, and receive medical images manually, and assist healthcare delivery organizations by allowing the images to be securely and cheaply stored offsite in the cloud. PACS allows medical images to be easily retrieved using PACS software from any location.

PACS is a system that by design cannot operate in isolation. In healthcare delivery organizations, PACS is usually integrated into highly complex environments and interfaces with many interconnected systems. The complexity of those environments means securing the PACS ecosystem can be a major challenge and it is easy for cybersecurity risks to be introduced that could easily compromise the confidentiality, integrity, and availability of the PACS ecosystem, protected health information (PHI), and any systems to which PACS connects.

In September 2019, a ProPublica report found 187 unprotected servers that were used to store and retrieve medical images. Those servers stored the medical images and associated PHI of more than 5 million patients in the United States. In some cases, the images could be accessed using a standard web browser and viewed using free-to-download software.

This year, the analyst team at CyberAngel scanned approximately 4.3 billion IP addresses worldwide and found 2,140 unprotected servers across 67 countries. Those servers were found to contain more than 45 million medical images. The images had up to 200 lines of metadata that included personally identifiable information and protected health information. According to the CyberAngel “Full Body Exposure” report, those images could be accessed via the Internet with a standard web browser. In some instances, login portals were present, but accepted blank username and password fields.

NIST released draft guidance on securing the PACS ecosystem shortly after the ProPublica report was published to help healthcare delivery organizations identify cybersecurity risks associated with PACS and implement stronger security controls while minimizing the impact and availability to PACS and other components.

The final version of the guidance includes a comprehensive set of cybersecurity standards and best practices to adopt to improve the security of the PACS ecosystem, with the guidance covering asset management, access control, user identification and authentication, data security, security continuous monitoring, and response planning, recovery, and restoration.

“The final practice guide, which in addition to incorporating feedback from the public and other stakeholders, builds on the draft guide by adding remote storage capabilities into the PACS architecture. This effort offers a more comprehensive security solution that more closely mirrors real-world HDO networking environments,” explained NIST.

This practice guide can be used by HIPAA covered entities and their business associates to implement current cybersecurity standards and best practices to reduce their cybersecurity risk, while maintaining the performance and usability of PACS

NIST Cybersecurity Special Publication 1800-24, Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector is available on this link.

The guidance was developed by NIST/NCCoE in collaboration with Cisco, Clearwater Compliance, DigiCert, Forescout, Hyland, Microsoft, Philips, Symantec, TDI Technologies, Tempered Networks, Tripwire, Virtua Labs, and Zingbox.

The post NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS) Ecosystem appeared first on HIPAA Journal.

OCR Issues Guidance on Disclosures of PHI to Health Information Exchanges under HIPAA

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has published new guidance on the Health Insurance Portability and Accountability Act (HIPAA) Rules covering disclosures of protected health information (PHI) to health information exchanges (HIEs) for the public health activities of a public health authority (PHA).

An HIE is an organization that enables the sharing of electronic PHI (ePHI) between more than two unaffiliated entities such as healthcare providers, health plans, and their business associates. HIEs’ share ePHI for treatment, payment, or healthcare operations, for public health reporting to PHAs, and for providing other functions and services such as patient record location and data aggregation and analysis.

HIPAA supports the use of HIEs and the sharing of health data to improve public health, which has been especially important during the COVID-19 public health emergency. The HIPAA Privacy Rule permits HIPAA-covered entities and their business associates to disclose protected health information to an HIE for reporting to a PHA that is engaged in public health, without requiring prior individual authorization.

Such disclosures are permitted under the following circumstances:

  • When disclosures are required by federal, state, local, or other laws that are enforceable in court
  • When the HIE is acting under a grant of authority or contract with a PHA for a public health activity
  • When the HIE is a business associate of the covered entity or another business associate, and wishes to provide ePHI to a PHA for public health purposes*

*The HIPAA Privacy Rule only permits an HIE which is a business associate of the covered entity or another business associate to disclose ePHI to a PHA for public health purposes if it is expressly stated that they can do so in the business associate agreement (BAA) with the covered entity. However, earlier this year in response to the COVID-19 public health emergency, OCR issued a notice of enforcement discretion stating no action will be taken against a business associate for good faith disclosures of ePHI to a PHA for public health purposes if they are not expressly permitted to disclose ePHI to a PHA in their BAA. In such cases, the business associate must inform the covered entity within 10 calendar days of the disclosure. The notice of enforcement discretion is only valid for the duration of the COVID-19 public health emergency. When the Secretary of the HHS declares the COVID-19 public health emergency over, such disclosures will no longer be permitted unless expressly permitted in the BAA.

Disclosures of ePHI by an HIE to a PHA should be limited to the minimum necessary information to achieve the purpose for the disclosure. A covered entity can rely on a PHA’s request to disclose a summary record to the PHA or HIE as being the minimum necessary PHI to achieve the public health purpose of the disclosure.

A covered entity is permitted by the HIPAA Privacy Rule to disclose ePHI to a PHA through an HIE, even if a direct request for the PHI is not received from the PHA, provided the covered entity knows that the PHA is using the HIE to collect such information, or that the HIE is acting on behalf of the PHA.

While the above disclosures of ePHI for public health purposes do not require authorizations to be obtained from the individuals whose PHI is being disclosed, those individuals must be notified about such disclosures. That can be achieved by stating disclosures of ePHI will occur for public health purposes in the organization’s Notice of Privacy Practices.

You can view the OCR guidance, which includes several examples related to COVID-19, on the HHS website, which can be accessed on this link (PDF).

The post OCR Issues Guidance on Disclosures of PHI to Health Information Exchanges under HIPAA appeared first on HIPAA Journal.

OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has published its 2016-2017 HIPAA Audits Industry Report, highlighting areas where HIPAA-covered entities and their business associates are complying or failing to comply with the requirements of the Health Insurance Portability and Accountability Act.

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the HHS to conduct periodic audits of HIPAA covered entities and business associates to assess compliance with the HIPAA Rules. Between 2016 and 2017, the HHS conducted its second phase of compliance audits on 166 covered entities and 41 business associates to assess compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules.

The 2016/2017 HIPAA compliance audits were conducted on a geographically representative, broad cross-section of covered entities and business associates and consisted of desk audits – remote reviews of HIPAA documentation – rather than on-site audits. All entities have since been notified of the findings of their individual audits.

The 2016-2017 HIPAA Audits Industry Report details the overall findings of the audits, including key aspects of HIPAA compliance that are proving problematic for covered entities and business associates.

In the report, OCR gives each audited entity a rating based on their level of compliance with each specific provision of the HIPAA Rules under assessment. A rating of 1 indicates the covered entity or business associate was fully compliant with the goals and objectives of the selected standards and implementation specifications. A rating of 2 means the entity substantially met the criteria and maintained adequate policies and procedures and could supply documentation or other evidence of compliance.

A rating of 3 means the entity minimally addressed the audited requirements and had made some attempt to comply, although had failed to comply fully or had misunderstood the HIPAA requirements. A rating of 4 means the entity made negligible efforts to comply, such as supplying policies and procedures for review that were copied directly from an association template or providing poor or generic documentation as evidence of training.  A rating of 5 means OCR was not provided with evidence of a serious attempt to comply with the HIPAA Rules.

The table below summarizes the audit results on key provisions of the HIPAA Rules. The blue and red figures indicate the most common rating in each category, with blue corresponding to mostly ratings of 1 or 2 (compliant) and red indicating implementation was inadequate, negligible, or absent.

The table clearly shows that most audited entities largely failed to successfully implement the HIPAA Rules requirements.

OCR 2016-2017 HIPAA Audits Industry ReportMost covered entities complied with the requirement of the Breach Notification Rule to send timely notifications in the event of a data breach. HIPAA requires those notifications to be sent within 60 days of the discovery of a data breach; however, most covered entities failed to include all the required information in their breach notifications.The audits revealed widespread compliance with the requirement to create and prominently post a Notice of Privacy Practices on their website. The Notice of Privacy Practices gives a clear, user friendly explanation of individuals’ rights with respect to their personal health information and details the organization’s privacy practices. However, most audited entities failed to include all the required content in their Notice of Privacy Practices.

The individual right of access is an important provision of the HIPAA Privacy Rule. Individuals have the right to obtain and inspect their health information. Most covered entities failed to properly implement the requirements of the HIPAA Right of Access, which includes providing access to or a copy of the PHI held within 30 days of receiving a request and only charging a reasonable cost-based fee for access.

The first phase of HIPAA compliance audits conducted by OCR in 2012 revealed widespread noncompliance with the requirement to conduct a comprehensive, organization-wide risk analysis to identify vulnerabilities and risks to the confidentiality, integrity, and availability of protected health information. In its enforcement activities over the past 11 years, a risk analysis failure is the most commonly cited HIPAA violation.

HIPAA covered entities are still failing in this important provision of the HIPAA Security Rule, with the latest round of audits revealing most audited entities failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.

“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

You can view the full 2016-2017 HIPAA Audits Industry Report on this link: https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf.

The post OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules appeared first on HIPAA Journal.

Serious Vulnerabilities Identified in Medtronic MyCareLink Smart Patient Readers

Posted by HIPAA Journal

Three serious vulnerabilities have been identified in Medtronic MyCareLink (MCL) Smart Patient Readers, which could potentially be exploited to gain access to and modify patient data from the paired implanted cardiac device. Exploitation of the vulnerabilities together could permit remote code execution on the MCL Smart Patient Reader, allowing an attacker to take control of a paired cardiac device. In order to exploit the vulnerabilities, an attacker would need to be within Bluetooth signal proximity to the vulnerable product.

The flaws are present in all versions of the MCL Smart Model 25000 Patient Reader. The first vulnerability, tracked as CVE-2020-25183, is an authentication protocol vulnerability. The method used to authenticate the MCL Smart Patient Reader and the Medtronic MyCareLink Smart mobile app can be bypassed. An attacker using another mobile device or malicious app on the patient’s smartphone could authenticate to the patient’s MCL Smart Patient Reader, tricking it into believing it is communicating with the patient’s smartphone app. The vulnerability has been assigned a CVSS v3 base score of 8.0 out of 10.

A heap-based buffer overflow event can be triggered in the MCL Smart Patient Reader software stack by an authenticated attacker running a debug command. Once triggered, an attacker could then remotely execute code on the vulnerable MCL Smart Patient Reader, potentially allowing the attacker to take control of the device. The vulnerability is tracked as CVE-2020-27252 and has been assigned a CVSS v3 base score of 8.8 out of 10.

MCL Smart Patient Readers are also vulnerable to a race condition in the software update system, which could be exploited to upload and execute unsigned firmware on the Patient Reader. This vulnerability could also allow remote execution of arbitrary code on the MCL Smart Patient Reader and could give an attacker control of the device. The flaw is tracked as CVE-2020-27252 and has been assigned a CVSS v3 base score of 8.8 out of 10.

The vulnerabilities were identified by researchers at the Israeli firm Sternum, with UC Santa Barbara, University of Florida, and University of Michigan researchers independently identifying the improper authentication vulnerability.

The flaws were reported to Medtronic which has now released a firmware update to fix the vulnerabilities. The firmware update can be applied by updating the MyCareLink Smartapp via the associated mobile application store. Updating to mobile application version v5.2 will ensure the update is applied on the next use; however, in order for the patch to work, the user’s smartphone must be running iOS 10 or above or Android 6.0 or above.

Users have also been advised to maintain strong physical control over their home monitors and to restrict use of the home monitors to private environments. Patients should only use home monitors that have been obtained directly from their healthcare provider or a Medtronic representative.

Medtronic has also taken steps to improve security, including implementing Sternum’s enhanced integrity validation (EIV) technology which provides early detection and real-time mitigation of known vulnerability exploitation attempts, and Sternum’s advanced detection system technology, which enables device-level logging and monitoring of all device activity and behavior.

The post Serious Vulnerabilities Identified in Medtronic MyCareLink Smart Patient Readers appeared first on HIPAA Journal.

HIPAA Privacy Rule Changes Proposed to Improve Care Coordination and Patient Rights

Posted by HIPAA Journal

The Department of Health and Human Services has issued a notice of proposed rulemaking detailing multiple HIPAA Privacy Rule changes that are intended to remove regulatory burdens, improve care coordination, and give patients better access to their protected health information (PHI).

OCR issued a request for public input on potential HIPAA Privacy Rule changes in December 2018 under the HHS’ Regulatory Sprint to Coordinated Care. The regulatory sprint was intended to accelerate transformation of the healthcare system and remove some of the barriers that have hampered the coordination of care, were making it difficult for healthcare providers to share patient information and placed an unnecessary burden on patients and their families who were trying to get their health information exchanged. In response to the request for information, the HHS received around 1,300 comments spanning 4,000 pages. The HHS has had to strike a balance between providing more flexibility to allow health information to be shared easily and ensuring the privacy and security of healthcare data.

“Our proposed changes to the HIPAA Privacy Rule will break down barriers that have stood in the way of commonsense care coordination and value-based arrangements for far too long,” said HHS Secretary Alex Azar. “As part of our broader efforts to reform regulations that impede care coordination, these proposed reforms will reduce burdens on providers and empower patients and their families to secure better health.”

HIPAA was initially signed into law in 1996 and the Privacy Rule took effect in 2003, prior to widespread adoption of electronic medical records and before many online and mobile services were available. The proposed updates are intended to remove some of the barriers to digital health, with definitions added for terms such as electronic health records and personal health applications.

Strengthening Patients’ Rights to their Own Healthcare Data

The HIPAA Privacy Rule gave patients the right to access their own healthcare data. The proposed changes will see those rights strengthened with regard to electronic protected health information (ePHI) and inspecting PHI in person. Individuals will be permitted to take notes and use personal resources to view and capture images of their own PHI, such as taking photographs of their own medical records and medical images. The time frame for providing patients with access to their own PHI has been shortened from 30 days to 15 days from the date of request and the identity verification burden on individuals has been eased.

Disclosures to Telecommunication Relay Services (TRS), which are used by the deaf and hard of hearing, are expressly permitted and TRS providers have been excluded from the definition of business associate.

The HHS has specified when ePHI must be provided to individuals at no cost – such as when ePHI is provided through online patient portals – and the permissible fee structure has been amended for responding to requests to direct healthcare records to a third party.

The HHS has also created a pathway for individuals to direct the sharing of ePHI in an EHR among covered health care providers and health plans. Covered entities will also be required to publish estimated fee structures on their websites for providing access to PHI and copies of PHI, as well as provide individuals with itemized bills for completed requests.

Improving Coordination of Care and Reducing the Administrative Burden

Several changes have been proposed to improve information sharing for care coordination and case management for individuals, which will make it easier for hospitals and physician practices to share patient information with other healthcare providers and social service and caregiving agencies.

If patients give their authorization for their healthcare provider or doctor to see their medical records from another healthcare provider, it will be the healthcare provider or doctor’s office that will be responsible for getting that information rather than the patient.

The privacy standard that permitted covered entities to make disclosures based on their professional judgement has been changed to permit uses and disclosures based on a covered entity’s good faith belief that a use or disclosure is in the best interests of the patient, which is more permissive.

Changes have also been proposed to remove the administrative burden on healthcare providers, such as long-awaited removal of the requirement to have patients sign a notice of privacy practices, instead they will only need to be provided with a notice of privacy practices. This change alone is expected to save the healthcare industry an estimated $3.2 billion over five years.

Changes have been proposed to improve the sharing of healthcare data in crises and emergencies. Currently, the HIPAA Privacy Rule permits covered entities to disclose patient health information to avert a serious and imminent threat to health or patient safety. The wording has been changed to avert threats when harm is ‘serious and reasonably foreseeable’. The change would make it easier for healthcare providers to share information when individuals have stated they are contemplating suicide, for instance, and would improve care coordination in emergencies such as the opioid and COVID-19 public health emergencies.

Commonsense, Bipartisan HIPAA Privacy Rules Changes

“Today’s announcement is a continuation of our ongoing work under my Regulatory Sprint to Coordinated Care to eliminate unnecessary regulatory barriers blocking patients from getting better care,” said HHS Deputy Secretary Eric Hargan. “These proposed changes reduce burden on providers and support new ways for them to innovate and coordinate care on behalf of patients, while ensuring that we uphold HIPAA’s promise of privacy and security.”

The HHS is accepting comments from all healthcare industry stakeholders, including patients and their families, healthcare providers, health plans, business associates, health IT vendors and government entities. Comments must be submitted within 60 days of the publication of the notice of proposed rulemaking in the Federal Register.

With President-Elect Biden due to take office in January, it is likely there will be significant amendments to the proposed HIPAA Privacy Rule changes; however, many of the updates have been proposed to address issues that have been proving problematic for hospitals, doctors, and patients for many years and are non-partisan, commonsense changes. HHS officials hope the incoming administration will understand the need for these HIPAA Privacy Rule changes and will provide the support to ensure they are implemented.

You can view the proposed 2020 HIPAA Privacy Rule changes on this link (PDF).

The post HIPAA Privacy Rule Changes Proposed to Improve Care Coordination and Patient Rights appeared first on HIPAA Journal.

Xavier Becerra Named Secretary of the Department of Health and Human Services

Posted by HIPAA Journal

President-elect Joe Biden has named California Attorney General Xavier Becerra as Secretary of the Department of Health and Human Services. While the decision has been made according to The New York Times, the appointment has yet to be announced by his transition team.

Biden is committed to building the most diverse administration in history and while progress has been made so far, Biden has faced criticism over the number of Latinos appointed to date. If the appointment of Becerra is confirmed by the senate, he will become the first ever Latino Secretary of the Department of Health and Human Services. The news of his selection has drawn praise from the Congressional Hispanic Caucus.

Becerra has a long record of supporting the Affordable Care Act and helped steer the legislation through Congress in 2009 and 2010. The former Los Angeles area congressman also led the coalition of Democratic states that defended the Affordable Care Act and resisted attempts by the Trump Administration to overturn it. Becerra will be responsible for expanding the Affordable Care Act and is likely to quickly rollback changes made by the Trump administration.

Becerra has worked with the Louisiana Attorney General to increase the availability of the drug Remdesivir in the state and with many Republican Attorneys General in legal actions against opioid manufacturers. His successes working with Republicans was one of factors that helped secure the position of Secretary of the HHS. Becerra will have the immediate task of overseeing the HHS response to the coronavirus pandemic, including the mass vaccination program due to be rolled out across the United States in early 2021.

Biden has nominated Dr. Rochelle Walensky to lead the Centers for Disease Control and Prevention.  Walensky is a leading infectious disease specialist at Massachusetts General Hospital, with extensive career experience combatting HIV/AIDS. Dr. Anthony Fauci, current director of the National Institute of Allergy and Infectious Diseases and chief medical advisor on COVID-19 will remain in those two positions.

Biden has named Jeff Zients, former economic advisor to President Barack Obama, as the White House coronavirus coordinator and co-chair of the coronavirus task force, Vivek Murthy, is expected to return to the position of Surgeon General that he held under the Obama administration.

Other nominations include Yale School of Medicine professor Dr. Marcella Nunez-Smith as COVID-19 Equity Task Force chair and deputy campaign manager Natalie Quillian as deputy coordinator of the COVID-19 Response. The remaining members of the health care team are expected to be announced in the next few days.

The post Xavier Becerra Named Secretary of the Department of Health and Human Services appeared first on HIPAA Journal.

AMA Issues Guidance to Help Healthcare Organizations Mitigate COVID-19 Cyber Risks

Posted by HIPAA Journal

The American Medical Association has warned hospitals, health systems, and medical practices about the increase in cyber risks targeting the healthcare sector and has provided recommendations on the steps that can be taken to ensure threats are mitigated and network security is improved.

Laura Hoffman, AMA assistant director of federal affairs, explained the current threats in a recent AMA COVID-19 Update and announced a new resource has been developed by the AMA and American Hospital Association (AHA) on technology considerations for healthcare organizations for the remainder of 2020 to improve network security and bolster patient privacy efforts.

The COVID-19 pandemic has created many new challenges for healthcare organizations which are having to treat increased numbers of patients while working in ways that may be unfamiliar. The pandemic has seen a major expansion of telehealth services, with many patients now receiving care virtually using new technology platforms.

These new technologies and platforms have introduced vulnerabilities and broadened the attack surface and cybercriminals have taken advantage and have stepped up attacks on the healthcare sector. At the start of the pandemic there was an increase in phishing attacks on the industry. Virtual Private Networks have been used to support remote working, telehealth, and remote monitoring of medical devices, which has increased the attack surface. Several vulnerabilities have been identified in these solutions which have been exploited by threat actors to gain access to healthcare networks.

There has also been a major increase in ransomware attacks on the healthcare sector. The operators of Ryuk ransomware have been targeting the healthcare industry and have stepped up their attacks in recent weeks. These attacks prevent access to protected health information and disable mission critical systems, causing delays to patient care and placing patient safety at risk. The AMA has also observed an increase in insider threats during the pandemic. Insiders have identified security vulnerabilities and have taken advantage and exploited those vulnerabilities for financial gain.

“As practices reopen, and hospitals around the country prepare for a second wave of COVID-19 infections coinciding with cold and flu season, our organizations are providing this update on steps physicians should take to prepare for the coming months,” explained AMA/AHA in the new guidance document – Technology Considerations for the Rest of 2020.

The AMA recommends healthcare providers should request routine updates from their health information technology vendors or security professionals. The guidance document lists a series of questions that should be asked of those providers to ensure that vulnerabilities are identified and addressed. The questions cover network security, the use of legacy devices and software that is no longer supported, access rights to systems given to third parties and vendors during the pandemic, and the location of all protected health information.

In addition to addressing cybersecurity risks, healthcare providers should get prepared for when the Public Health Emergency comes to an end. During the pandemic, the HHS’ Office for Civil Rights announced it would be exercising enforcement discretion with respect to the good faith use of technology to support telehealth. When the Public Health Emergency ends, healthcare providers will be required to comply fully with HIPAA once again.

The telehealth platforms that have been used during the pandemic may no longer be suitable for use, and if use can continue, business associate agreements will need to be entered into with technology vendors. It is also necessary to conduct security risk assessments on telehealth platforms to identify risks and vulnerabilities to protected health information associated, if they have not already been conducted.

The AMA is encouraging physicians and hospitals to start having discussions with their telemedicine vendors and to take steps to conduct or implement a security risk analysis, so they are prepared for when the Public Health Emergency ends.

In the guidance, the AMA/AHA also suggest asking telemedicine vendors about their privacy practices, intended data use and security protocols. “Many physicians do not realize that a telemedicine platform or application may be low-cost or free because the vendor’s business model is based on aggregating and selling patients’ data. If possible, consult with your legal team to clarify how video, audio, and other data are being captured and stored by the vendor and who has access. You can also ask whether the vendor will share results of third-party security audits, including SOC 2 or HITRUST, in addition to the results of their penetration testing.”

It is also advisable to enable all available privacy and security tools when using telemedicine platforms, including end-to-end encryption to prevent third-parties from intercepting communications between providers and patients. Providers should also be open with patients about the potential privacy risks associated with the use of telemedicine platforms and make sure they are aware of any risks involved with virtual care.

The post AMA Issues Guidance to Help Healthcare Organizations Mitigate COVID-19 Cyber Risks appeared first on HIPAA Journal.

Vendor Access and HIPAA Compliance: Are you Secured?

Posted by HIPAA Journal

It can be hard to remember a time before the Health Insurance Portability and Accountability Act, known as HIPAA, was enacted in 1996. These were the days that paper files were still stored in cabinets and sensitive information was generally delivered by hand, or if you were really sophisticated, it was sent via a fax machine.

Fast forward almost 25 years later and unsurprisingly, the world in the healthcare industry looks completely different, except some do still use fax machines. Nothing surprising here, but everything is now stored on computers and transmitted over the internet, which has led to obvious increases in terms of efficiency, but, with this comes risk. We’ve seen an increase in serious data breaches tied to healthcare entities that are exposing highly sensitive personal health information. And not just any type of data breach, these are the ones that are tied to third-party and vendor access, which are known to be more costly in terms of fines and reputational damage.

A hacker can quickly access hundreds of patient files and cause widespread damage, including a release of private information, deletion of crucial health reports, large-scale identify theft, and the increasingly popular route of ransomware.

Gone are the days where healthcare companies only had to deal with issues related to patient care because they now find themselves grappling with complicated cybersecurity issues far outside the medical space.

Considering the risks of HIPAA noncompliance, healthcare companies generally benefit from hiring third-party vendors that specifically handle HIPAA regulatory compliance. To fully protect patients, these vendors should have clear policies that restrict access, remain transparent and auditable, and maintain the most updated data security measures.

How to Restrict Vendor Access

Who has access to the patients’ information, how are they accessing the information, and how much access do they have (or should they have)? These are crucial questions for any technology vendor.

First, each member of the IT team should have only the level of access required to ensure both HIPAA compliance and data security, including restrictions on time, scope, and job function. Each vendor rep should use a unique username and password to log into the system and go through multi-level authentication that’s attached to their identities. On top of that, an automatic logoff upon a short period of inactivity can prevent unauthorized access under another’s credentials.

Why Auditable Reports are Necessary

An automatic audit system permits healthcare companies to screen for unauthorized access and to trace the source of the data breach. An effective audit system maintains detailed login information of every support connection system and delivers a complete history of every login, including time, place, personnel and scope of access to the patients’ records, and other sensitive information.

These reports are not only necessary for internal security purposes, but are integral for proving HIPAA compliance in relation to allowing vendors on your network.

The Importance of Data Integrity and Security

The weak link in data security generally occurs at the points of access and transmission. However, regular updates to security settings protect data from corruption and prevent a breach of data during transmission. To protect the data’s integrity and security, recommendations include customer control of configurable encryption, advanced transmission standards (AES) in 128-, 192-, and 256-bit modes, and data encryption standards (DES) of Triple DES10.

Be Sure, Be Secure

Ultimately, the healthcare business bears the burden if patient information is compromised. A third-party IT security vendor should, therefore, have the knowledge and experience to meet the highest standards for HIPAA compliance. If you’re worried about your vendors not having your compliance in mind, it is of the utmost importance to ensure you are vetting them before onboarding them, as well as checking in on them and doing an “audit” of some sort to make sure you have a ledger of all vendors.

Remote access to a healthcare facility’s networks and systems is an often overlooked area that can represent significant potential exposure for HIPAA breaches. Know your vendors, why they’re connecting, and ensure compliance.

Author: Ellen Neveux, SecureLink

SecureLink provides a remote-access platform that reduces the risks associated with providing remote access to internal networks to vendors and clients

The post Vendor Access and HIPAA Compliance: Are you Secured? appeared first on HIPAA Journal.