Healthcare Data Privacy

OIG Audit Reveals Widespread Improper Use of Medicare Part D Eligibility Verification Transactions

Posted February 17, 2020 by HIPAA Journal

An audit conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed many pharmacies and other healthcare providers are improperly using Medicare beneficiaries’ data.

OIG conducted the audit at the request of the HHS’ Centers for Medicare and Medicaid Services (CMS) to determine whether there was inappropriate access and use of Medicare recipients’ data by mail-order and retail pharmacies and other healthcare providers, such as doctors’ offices, clinics, long-term care facilities, and hospitals.

CMS was concerned that a mail order pharmacy and other healthcare providers were misusing Medicare Part D Eligibility Verification Transactions (E1 transactions), which should be only be used to verify Medicare recipients’ eligibility for certain coverage benefits.

OIG conducted the audit to determine whether E1 transactions were only being used for their intended purpose. Since E1 transactions contain Medicare beneficiaries’ protected health information (PHI), they could potentially be used for fraud or other malicious or inappropriate purposes.

An E1 transaction consists of two parts – a request and a response. The healthcare provider submits an E1 request that contains an NCPDP provider ID number or NPI, along with basic patient demographic data. The request is forwarded onto the transaction facilitator which matches the E1 request data with the data contained in the CMS Eligibility file. A response is then issued, which contains a beneficiary’s Part D coverage information.

The audit was conducted on one mail-order pharmacy and 29 providers selected by CMS. Out of 30 entities audited, 25 used E1 transactions for a purpose other than billing for prescriptions or to determine drug coverage order when beneficiaries are covered by more than one insurance plan. 98% of those 25 providers’ E1 transactions were not associated with prescriptions.

OIG found providers were obtaining coverage information for beneficiaries without prescriptions, E1 transactions were being used to evaluate marketing leads, some providers had allowed marketing companies to submit E1 transactions for marketing purposes, providers were obtaining information about private insurance coverage for items not covered under Part D, long term care facilities had obtained Part D coverage using batch transactions, and E1 transactions had been submitted by 2 non-pharmacy providers.

E1 transactions are covered transactions under HIPAA, PHI must be protected against unauthorized access while it is being electronically stored or transmitted between covered entities, and the minimum necessary standard applies. The findings suggest HIPAA is being violated and that this could well be a nationwide problem. Based on the findings of the audit and apparent widespread improper access and use of PHI, OIG will be expanding the audits nationwide.

OIG believes these issues have arisen because CMS has not yet fully implemented controls to monitor providers who are submitting high numbers of E1 transactions relative to prescriptions provided; CMS has yet to issue clear guidance that E1 transactions must not be used for marketing purposes; and CMS has not limited non-pharmacy access.

Following the audit, CMS took further steps to monitor for abuse of the eligibility verification system and will be taking appropriate enforcement actions when cases of misuse are discovered. OIG has recommended CMS issue clear guidance on E1 transactions and ensure that only pharmacies and other authorized entities submit E1 transactions.

The post OIG Audit Reveals Widespread Improper Use of Medicare Part D Eligibility Verification Transactions appeared first on HIPAA Journal.

eHI and CDT Collaborate to Develop Consumer Privacy Framework for Health Data not Covered by HIPAA

Posted February 14, 2020 by HIPAA Journal

The eHealth Initiative (eHI) and the Center for Democracy & Technology (CDT) have joined forces to develop a new consumer privacy framework for health data that address current privacy gaps that exist for health data not covered by Health Insurance Portability and Accountability Act Rules.

Personally identifiable health data collected, stored, maintained, processed, or transmitted by HIPAA-covered entities and their business associates is subject to the protections of the HIPAA Privacy and Security Rules. If the same data is collected, stored, maintained, processed, or transmitted by a non-HIPAA covered entity, those protections are not required by law.

Currently health data is collected, stored, and transmitted by health and wellness apps, wearable devices, and informational health websites, but without HIPAA-like protections the privacy of consumer health data is put at risk.

eHI and CDT have received funding for the new initiative, Building a Consumer Privacy Framework for Health Data, from the Robert Wood Johnson Foundation. They have already formed a Steering Committee for Consumer Health Privacy consisting of experts and leaders from healthcare, technology, privacy advocacy groups, and consumer groups. The Steering Committee will discuss the steps required to ensure the privacy of health data not covered by HIPAA privacy laws and will review various approaches to deal with the complexities of protecting non-HIPAA-covered health data.

“Our unique focus is evaluating ‘health-ish’ data that is not protected by HIPAA or other health privacy laws,” explained Jennifer Covich Bordenick, Chief Executive Officer of eHI. “It is critical that we bring a broad and inclusive array of collaborators to the table to work through some of the key concerns.”

The first meeting of the Steering Committee took place in Washington DC on February 11, 2019 and was attended by a diverse group of participants including 23andMe, American College of Physicians, American Hospital Association, American Medical Association, Ascension, Change Healthcare, Electronic Frontier Foundation, Elektra Labs, Fitbit, Future of Privacy Forum, Hispanic Technology and Telecom Partnership, Hogan Lovells, Microsoft, National Partnership for Women & Families, Salesforce, Under Armour, UnitedHealth Group, Waldo Law Offices, Wellmark Blue Cross and Blue Shield, and Yale University.

Further Steering Committee meetings will take place throughout 2020 and smaller workgroups will be formed to work on specific aspects of the privacy framework. eHI and CDT are encouraging privacy experts, consumer groups, and companies that manage wearable, genomic, and social media data to engage with the project.

“Consumers are increasingly skeptical of how their data is being used, with health-related data being especially sensitive,” said Lisa Hayes, Interim Co-Chief Executive Officer of CDT. “Our hope is that this framework is a first step to providing greater privacy rights and protections for consumers who want to take advantage of innovative digital health and wellness services.”

The post eHI and CDT Collaborate to Develop Consumer Privacy Framework for Health Data not Covered by HIPAA appeared first on HIPAA Journal.

2019 Healthcare Data Breach Report

Posted February 13, 2020 by HIPAA Journal

Figures from the Department of Health and Human Services’ Office for Civil Rights breach portal show a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, which represents a 196% increase from 2018.

As the graph below shows, aside from 2015, healthcare data breaches have increased every year since the HHS’ Office for Civil Rights first started publishing breach summaries in October 2009.

37.47% more records were breached in 2019 than 2018, increasing from 13,947,909 records in 2018 to 41,335,889 records in 2019.

Last year saw more data breaches reported than any other year in history and 2019 was the second worst year in terms of the number of breached records. More healthcare records were breached in 2019 than in the six years from 2009 to 2014. In 2019, the healthcare records of 12.55% of the population of the United States were exposed, impermissibly disclosed, or stolen.

Largest Healthcare Data Breaches of 2019

The table below shows the largest healthcare data breaches of 2019, based on the entity that reported the breach.

	Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach	Location of Breached Information
1	Optum360, LLC	Business Associate	11500000	Hacking/IT Incident	Network Server
2	Laboratory Corporation of America Holdings dba LabCorp	Healthcare Provider	10251784	Hacking/IT Incident	Network Server
3	Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc.	Health Plan	2964778	Hacking/IT Incident	Network Server
4	Clinical Pathology Laboratories, Inc.	Healthcare Provider	1733836	Unauthorized Access/Disclosure	Network Server
5	Inmediata Health Group, Corp.	Healthcare Clearing House	1565338	Unauthorized Access/Disclosure	Network Server
6	UW Medicine	Healthcare Provider	973024	Hacking/IT Incident	Network Server
7	Women’s Care Florida, LLC	Healthcare Provider	528188	Hacking/IT Incident	Network Server
8	CareCentrix, Inc.	Healthcare Provider	467621	Hacking/IT Incident	Network Server
9	Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico	Healthcare Provider	439753	Hacking/IT Incident	Network Server
10	BioReference Laboratories Inc.	Healthcare Provider	425749	Hacking/IT Incident	Other
11	Bayamon Medical Center Corp.	Healthcare Provider	422496	Hacking/IT Incident	Network Server
12	Memphis Pathology Laboratory d/b/a American Esoteric Laboratories	Healthcare Provider	409789	Unauthorized Access/Disclosure	Network Server
13	Sunrise Medical Laboratories, Inc.	Healthcare Provider	401901	Hacking/IT Incident	Network Server
14	Columbia Surgical Specialist of Spokane	Healthcare Provider	400000	Hacking/IT Incident	Network Server
15	Sarrell Dental	Healthcare Provider	391472	Hacking/IT Incident	Network Server
16	UConn Health	Healthcare Provider	326629	Hacking/IT Incident	Email
17	Premier Family Medical	Healthcare Provider	320000	Hacking/IT Incident	Network Server
18	Metro Santurce, Inc. d/b/a Hospital Pavia Santurce and Metro Hato Rey, Inc. d/b/a Hospital Pavia Hato Rey	Healthcare Provider	305737	Hacking/IT Incident	Network Server
19	Navicent Health, Inc.	Healthcare Provider	278016	Hacking/IT Incident	Email
20	ZOLL Services LLC	Healthcare Provider	277319	Hacking/IT Incident	Network Server

The above table does not tell the full story. When a business associate experiences a data breach, it is not always reported by the business associate. Sometimes a breach is experienced by a business associate and the covered entities that they work with report the breaches separately, as was the case with American Medical Collection Agency (AMCA), a collection agency used by several HIPAA covered entities.

In 2019, hackers gained access to AMCA systems and stole sensitive client data. The breach was the second largest healthcare data breach ever reported, with only the Anthem Inc. data breach of 2015 having impacted more individuals.

HIPAA Journal tracked the breach reports submitted to OCR by each affected covered entity. At least 24 organizations are known to have had data exposed/stolen as a result of the hack.

Organizations Affected by the 2019 AMCA Data Breach

Healthcare Organization	Confirmed Victim Count
Quest Diagnostics/Optum360	11,500,000
LabCorp	10,251,784
Clinical Pathology Associates	1,733,836
Carecentrix	467,621
BioReference Laboratories/Opko Health	425,749
American Esoteric Laboratories	409,789
Sunrise Medical Laboratories	401,901
Inform Diagnostics	173,617
CBLPath Inc.	141,956
Laboratory Medicine Consultants	140,590
Wisconsin Diagnostic Laboratories	114,985
CompuNet Clinical Laboratories	111,555
Austin Pathology Associates	43,676
Mount Sinai Hospital	33,730
Integrated Regional Laboratories	29,644
Penobscot Community Health Center	13,299
Pathology Solutions	13,270
West Hills Hospital and Medical Center / United WestLabs	10,650
Seacoast Pathology, Inc	8,992
Arizona Dermatopathology	5,903
Laboratory of Dermatology ADX, LLC	4,082
Western Pathology Consultants	4,079
Natera	3,035
South Texas Dermatopathology LLC	15,982
Total Records Breached	26,059,725

Causes of 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights assigns breaches to one of five different categories:

Hacking/IT incidents
Unauthorized access/disclosures
Theft
Loss
Improper disposal

59.41% of healthcare data breaches in 2019 were classified as hacking/IT incidents and involved 87.60% of all breached records. 28.82% of data breaches were classed as unauthorized access/disclosure incidents and involved 11.27% of all records breached in 2019.

10.59% of breaches were classed as loss and theft incidents involving electronic devices containing unencrypted electronic protected health information or physical records. Those incidents accounted for 1.07% of breached records in 2019.

1.18% of breaches and 0.06% of breached records were due to improper disposal of physical records and devices containing electronic protected health information.

Breach Cause	Incidents	Breached Records	Mean Breach Size	Median Breach Size
Hacking/IT Incident	303	36,210,097	119,505	6,000
Unauthorized Access/Disclosure	147	4,657,932	31,687	1,950
Theft	39	367,508	9,423	2,477
Loss	15	74,271	4,951	3,135
Improper Disposal	6	26,081	4,347	4,177

We have not tracked the cause of each breach reported in 2019, but the table below provides an indication of the biggest problem area for healthcare organizations – Securing email systems and blocking phishing attacks. The email incidents include misdirected emails, but the majority of email incidents were phishing and spear phishing attacks.

Healthcare Data Breaches by Covered Entity

77.65% of 2019 data breaches were reported by healthcare providers (369 incidents), 11.57% of breaches were reported by health plans (59 incidents), and 0.39% of data breaches were reported by healthcare clearinghouses (2 incidents).

23.33% of the year’s breaches involved business associates to some extent. 10.39% of data breaches were reported by business associates (53 incidents) and 66 data breaches were reported by a covered entity which stated there was some business associate involvement.

States Worst Affected by Healthcare Data Breaches

Data breaches were reported by HIPAA-covered entities or business associates in 48 states, Washington DC, and Puerto Rico. The worst affected state was Texas with 60 data breaches reported. California was the second most badly hit with 42 reported data breaches.

The only states where no data breaches of 500 or more records were reported were North Dakota and Hawaii.

State	Breaches	State	Breaches	State	Breaches	State	Breaches	State	Breaches
Texas	60	Maryland	14	Arkansas	9	Alabama	4	Mississippi	2
California	42	Washington	14	South Carolina	9	Alaska	4	Montana	2
Illinois	26	Georgia	13	New Jersey	8	Iowa	4	South Dakota	2
New York	25	North Carolina	13	Massachusetts	7	Kentucky	4	Washington DC	2
Ohio	25	Tennessee	11	Puerto Rico	7	Nebraska	4	West Virginia	2
Minnesota	23	Arizona	10	Virginia	7	Oklahoma	4	Delaware	1
Florida	22	Colorado	10	Louisiana	6	Utah	4	Kansas	1
Pennsylvania	19	Connecticut	10	New Mexico	6	Wyoming	3	New Hampshire	1
Missouri	17	Indiana	10	Wisconsin	6	Idaho	2	Rhode Island	1
Michigan	16	Oregon	10	Nevada	5	Maine	2	Vermont	1

HIPAA Enforcement in 2019

The HHS’ Office for Civil Rights continued to enforce compliance with HIPAA at a similar level to the previous three years.

In 2019, there were 10 HIPAA enforcement actions that resulted in financial penalties. 2 civil monetary penalties were imposed and 8 covered entities/business associates agreed settlements with OCR to resolve HIPAA violations.

In total, $12,274,000 was paid to OCR in fines and settlements. The largest financial penalties of the year resulted from investigations of potential HIPAA violations by University of Rochester Medical Center and Touchstone Medical Imaging. Both cases were settled for £3,000,000.

OCR uncovered multiple violations of HIPAA Rules while investigating separate loss/theft incidents reported by University of Rochester Medical Center. OCR discovered risk analysis and risk management failures, a lack of encryption on portable electronic devices, and insufficient device and media controls.

Touchstone Medical Imaging experienced a data breach that resulted in the impermissible disclosure of 307,839 individuals’ PHI due to the exposure of an FTP server over the internet. OCR investigated and determined there had been risk analysis failures, business associate agreements failures, insufficient access rights, a failure to respond to a security incident, and violations of the HIPAA Breach Notification Rule.

Sentara Hospitals agreed to a $2.175 million settlement stemming from a 577-record data breach that was reported to OCR as only affecting 8 individuals. OCR told Sentara Hospitals that the breach notification needed to be updated to include the other individuals affected by the mailing error, but Sentara Hospitals refused. OCR determined a financial penalty was appropriate for the breach notification reporting failure and the lack of a business associate agreement with one of its vendors.

A civil monetary penalty of $2.154 million was imposed on the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS). Following a data breach, OCR investigated and found a compliance program that had been in disarray for several years. The CMP resolved multiple violations of HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

A civil monetary penalty of $1,600,000 was imposed on Texas Department of Aging and Disability Services for multiple violations of HIPAA Rules discovered during the investigation of breach involving an exposed internal application. OCR discovered there had been risk analysis failures, access control failures, and information system activity monitoring failures, which contributed to the impermissible disclosure of 6,617 patients’ ePHI.

Medical Informatics Engineering, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. OCR determined there had been a risk analysis failure and the case was settled for $100,000. MIE also settled a multi-state action with state attorneys general over the same breach and settled that case for $900,000.

The Carroll County, GA ambulance company, West Georgia Ambulance, was investigated over the reported loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR found there had been a risk analysis failure, there was no security awareness training program for staff, and HIPAA Security Rule policies and procedures had not been implemented. The case was settled for $65,000.

There was one financial penalty for a social media HIPAA violation. Elite Dental Associates respondents to patient reviews on Yelp, and in doing so impermissibly disclosed PHI. OCR determined a financial penalty was appropriate and the case was settled for $10,000.

OCR also launched a new HIPAA enforcement initiative in 2019, under which two settlements were reached with covered entities over HIPAA Right of Access failures. Korunda Medical and Bayfront Health St. Petersburg had both failed to respond to patient requests for copies of their health information within a reasonable time frame. Both covered entities settled their HIPAA violation cases with OCR for $85,000.

OCR HIPAA Settlements and Civil Monetary Penalties in 2019

HIPAA Enforcement by State Attorneys General in 2019

State attorneys general can also take action over violations of HIPAA Rules. There were three cases against covered entities and business associates in 2019. As previously mentioned, Medical Informatics Engineering settled a multi-state lawsuit and paid a financial penalty of $900,000.

A second multi-state action was settled by Premera Blue Cross. The lawsuit pertained to a 2015 hacking incident that resulted in the theft of 10.4 million records. The investigation uncovered multiple violations of violations of HIPAA Rules and resulted in a $10 million financial penalty.

The California attorney general also took legal action over a data breach that affected 1,991 California residents. The health insurer Aetna had sent two mailings to its members in which highly sensitive information relating to HIV and Afib diagnoses was visible through the windows of the envelopes. The case was settled for $935,000.

The post 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Patients Want Easy Access to Their Health Data but Better Privacy Protections Preferred

Posted January 28, 2020 by HIPAA Journal

Patients want easy access to their health data and for their health information to be presented in a concise, easy to understand format, according to a new poll conducted by Morning Consult on behalf of America’s Health Insurance Plans (AHIP). However, patients and consumers are well aware of the threat of cyberattacks and data breaches and they do not want their private health information to be compromised. A majority (62%) of patents and consumers said they would be willing to forego easy access to their health data if it meant greater privacy protections were in place to protect their health information.

In November 2019, President Trump signed an Executive Order on Improving Price and Quality Transparency in American Healthcare to Put Patients First. In response, the Department of Health and Human Services, the Department of Labor, and the Department of the Treasury proposed a new Transparency in Coverage Rule. The rule requires “employer-based group health plans and health insurance issuers offering group and individual coverage to disclose price and cost-sharing information to participants, beneficiaries, and enrollees up front.”

With access to that information, patients would be made aware of the costs they need to cover to meet the deductible of their plan or co-pay or co-insurance requirements. It would make it much easier for patients to make cost comparisons.

The cost of medical procedures is a key consideration for patients. 74% of respondents said they were very likely (52%) or somewhat likely (22%) to research how much they would have to pay for a medical procedure or service covered by their health insurance plan, and 68% said they would be very likely or somewhat likely to choose a lower cost medical procedure than one recommended by their doctor. 66% of respondents said they would consider making an appointment with a specialist, as recommended by a doctor, if they knew they would receive the same quality of care at a lower cost.

While easier access to cost information and greater transparency would be welcomed, 3 in 4 individuals who took part in the poll said they would not support a federal regulation that increases transparency if it also meant their insurance premiums would rise.

When it comes to obtaining information on medical procedures, patients want easy to understand information rather than comprehensive information. 82% of adults said that apps and websites that provide information on a medical procedure are more valuable if they provide concise, easy to understand information rather than comprehensive information that is confusing.

The survey also revealed there is strong support for federal legislation akin to HIPAA for technology companies that collect or are provided with health data. 90% of respondents said tech companies should also have to comply with strict standards for privacy and security as is the case with healthcare organizations.

The post Patients Want Easy Access to Their Health Data but Better Privacy Protections Preferred appeared first on HIPAA Journal.

Critical ‘MDHex’ Vulnerabilities Identified in GE Healthcare Patient Monitoring Products

Posted January 24, 2020 by HIPAA Journal

Critical vulnerabilities have been identified in GE Healthcare patient monitoring products by a security researcher at CyberMDX.

Elad Luz, Head of Research at CyberMDX, identified six vulnerabilities, five of which have been rated critical and one high severity. The five critical vulnerabilities have been assigned the maximum CVSS v3 score of 10 out of 10. The other vulnerability has a CVSS v3 score of 8.5 out of 10.

Exploitation of the flaws could render the affected products unusable. Remote attackers could also alter the functionality of vulnerable devices, including changing or disabling alarm settings, and steal protected health information stored on the devices.

CyberMDX initially investigated the CARESCAPE Clinical Information Center (CIC) Pro product, but discovered the flaws affected patient monitors, servers, and telemetry systems. The vulnerabilities have been collectively named MDHex and are tracked under the CVEs: CVE-2020-6961, CVE-2020-6962, CVE-2020-6963, CVE-2020-6964, CVE-2020- 6965, and CVE-2020-6966. GE Healthcare has confirmed that the vulnerabilities could have serious consequences for patients and hundreds of thousands of devices may be affected.

CVE-2020-6961 (CVSS 10.0) is due to unprotected storage of credentials (CWE-256). The flaw could allow an attacker to obtain the SSH private key from configuration files via a SSH connection and remotely execute arbitrary code on vulnerable devices. The same SSH key is shared across all vulnerable products.

CVE-2020-6962 (CVSS 10.0) is an input validation vulnerability (CWE-20) in the configuration utility of the web-based system. If exploited, an attacker could remotely execute arbitrary code.

CVE-2020-6963 (CVSS 10.0) concerns the use of hard-coded Server Message Block (SMB) credentials (CWE-798). An attacker could establish an SMB connection and read or write files on the system. The credentials could be obtained through the password recovery utility of the Windows XP Embedded operating system.

CVE-2020-6964 (CVSS 10.0) is due to missing authentication for critical function (CWE-306) concerning the integrated Kavoom! Keyboard/mouse software. If exploited, an attacker could remotely input keystrokes and alter device settings on all vulnerable devices on the network without authentication.

CVE-2020- 6965 (CVSS 8.5) is due to the failure to restrict the upload of dangerous file types (CWE-434). An attacker could upload arbitrary files through the software update facility.

CVE-2020-6966 (CVSS 10.0) is due to inadequate encryption strength (CWE-326). Weak encryption is used for remote desktop control through VNC software, which cloud lead to remote code execution on vulnerable networked devices. The necessary credentials could also be obtained from publicly available product documentation.

According to a recent ICS-CERT Advisory, the following GE Healthcare products are affected:

ApexPro Telemetry Server, Versions 4.2 and prior
CARESCAPE Telemetry Server, Versions 4.2 and prior
Clinical Information Center (CIC), Versions 4.X and 5.X
CARESCAPE Telemetry Server, Version 4.3
CARESCAPE Central Station (CSCS), Versions 1.X; Versions 2.X
B450, Version 2.X
B650, Version 1.X; Version 2.X
B850, Version 1.X; Version 2.X

GE Healthcare is currently developing patches for the vulnerable products which are expected to be released in Q2, 2020. In the meantime, GE Healthcare has published a series of mitigations to reduce the risk of exploitation of the vulnerabilities.

Healthcare providers should follow standard network security best practices and ensure mission critical (MC) and information exchange (IX) networks have been configured correctly and meet the requirements outlined in the Patient Monitoring Network Configuration Guide, CARESCAPE Network Configuration Guide, and product technical and service manuals.

If connectivity is required outside the MC and/or IX networks, a router/firewall should be used. GE Healthcare recommends blocking all incoming traffic from outside the network at the MC and IX router firewall, except when required for clinical data flows.

The following ports should be blocked for traffic initiated from outside the MC and IX network: TCP Port 22 for SSH and TCP and UDP Ports 137, 138, 139, and 445 for NetBIOS and SMB as well as TCP Ports 10000, 5225, 5800, 5900, and 10001.

Physical access to Central Stations, Telemetry Servers, and the MC and IX networks should be restricted, password management best practices should be followed, and default passwords for Webmin should be changed.

Exploits for the vulnerabilities are not believed to have been made public and GE Healthcare is unaware of any attempted cyberattacks or injuries to patients as a result of the flaws.

The post Critical ‘MDHex’ Vulnerabilities Identified in GE Healthcare Patient Monitoring Products appeared first on HIPAA Journal.

Maze Ransomware Gang Publishes Research Data of Medical Diagnostic Laboratories

Posted January 23, 2020 by HIPAA Journal

The operators of Maze ransomware are following through on their threats to publish data stolen from the victims of ransomware attacks when the ransom is not paid.

In December, the Carrollton, GA-based wire and cable manufacturer Southwire refused to pay a 200 BTC ransom ($1,664,320) and the threat actors went ahead and published some of the stolen data. Southwire filed a lawsuit in the Northern District of Georgia against the Maze team and the ISP hosting the Maze Team’s website. The case was won, and the website was taken offline; however, the website was back online with a different hosting provider a few days later.

Listed on the webpage are the names of the companies that have been attacked and refused to pay the ransom demand, along with some of the data stolen in the attacks.

One of those companies is New Jersey-based Medical Diagnostic Laboratories (MDLab). According to the Maze Team, MD Lab was attacked on December 2, 2019. MD Lab made contact with the Maze team, but negotiations stalled, and no ransom was paid.

According the Maze website, 231 workstations were encrypted in the attack. When MD Lab refused to negotiate, the Maze team went ahead and published 9.5GB of the company’s private research data, including immunology research. The Maze Team then advertised the stolen data on a hacking forum in an attempt to restart negotiations with the company. According to Bleeping Computer, 100GB of data was stolen in the attack. The Maze team have demanded a ransom payment of 100 BTC ($832,880) for the keys to unlock the encrypted files and a further 100 BTC payment to destroy the stolen data.

While threats have been issued in the past to publish data stolen in ransomware attacks, there have been no confirmed cases of attackers following through on their threats until the Maze gang started publishing data in December 2019. Currently, 29 companies are listed on the website as not having paid, along with samples of data stolen in the attacks.

Earlier this month, The Center for Facial Restoration, Inc. announced it had suffered a similar fate following a November 8, 2019 ransomware attack. The attackers stole patient data before deploying ransomware and issued ransom demands to the healthcare provider as well as 10-20 patients. Photographs and personal information of up to 3,500 are believed to have been stolen in the attack.

In order to steal data, access to the network must first be gained and the attackers then need to search for sensitive data and exfiltrate it without being detected. Since these types of attacks require more skill to pull off than a standard ransomware attack, they are likely to remain relatively limited. That said, these data theft incidents are becoming more common. Several ransomware operators, including the Sodinokibi and Nemty gangs, have now adopted this tactic and have been threatening to publish or sell stolen data to pressure victims into paying.

The post Maze Ransomware Gang Publishes Research Data of Medical Diagnostic Laboratories appeared first on HIPAA Journal.

NIST Privacy Framework Version 1.0 Now Released

Posted January 22, 2020 by HIPAA Journal

On January 16, 2020, the National Institute of Standards and Technology (NIST) issued version 1.0 of its Privacy Framework. The purpose of the Privacy Framework is to help organizations of all sizes use personal data such as protected health information while effectively managing privacy risks.

The Privacy Framework is a voluntary tool that not only helps with privacy risk management, it is also useful for achieving and demonstrating compliance with privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, and the EU’s General Data Protection Regulation (GDPR).

The Privacy Framework helps organizations identify the privacy outcomes they want to achieve, provides strategies to adopt to improve privacy protections and achieve those privacy goals, clarifies privacy management concepts, and explains how it can be used in conjunction with the NIST Cybersecurity Framework and how both work together. NIST explains that organizations that have adopted the NIST Cybersecurity Framework and have a good security posture but may not have addressed all of their privacy risks.

Version 1.0 retains the structure of the September 2019 draft version but includes several updates in response to public feedback. As with the draft version, the Privacy Framework consists of three sections: Core is a set of privacy activities, Profiles helps organizations determine which activities are required to achieve their privacy goals, and the Implementation Tiers section guides organizations through the process of optimizing their resources to address privacy risks.

“What you’ll find in the framework are building blocks that can help you achieve your privacy goals, which may include laws your organization needs to follow,” explained Naomi Lefkovitz, senior privacy policy adviser at NIST. “If you want to consider how to increase customer trust through more privacy-protective products or services, the framework can help you do that. But we designed it to be agnostic to any law, so it can assist you no matter what your goals are.”

The Privacy Framework is not only concerned with protecting sensitive data such as Social Security numbers, it will help to ensure that lower value data is also protected; such as data types that could be combined with others and become sensitive as a unit. New uses for data are regularly being discovered, such as for artificial intelligence. It is therefore important to adopt a framework for managing privacy risks that rather than having a checklist of tasks to perform. Adoption of the Privacy Framework will allow organizations to develop policies, procedures, and strategies to protect data, manage privacy risks effectively, and ensure those risks continue to be managed over time.

The framework will help organizations future-proof their products and services with privacy practices that will adapt to changing technologies, policies, and new legislation. The framework also addresses some privacy aspects that are missing from HIPAA but are particularly relevant today due to advances in technology.

“People continue to yearn for more guidance on how to do privacy risk management,” said Naomi Lefkovitz. “We have released a companion roadmap for the framework to point the way toward more research to address current privacy challenges, and we are building a repository of guidance resources to support implementation of the framework. We hope the community of users will contribute to it to advance privacy for the good of all.”

The NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management is available for download on NIST’s website (PDF).

The post NIST Privacy Framework Version 1.0 Now Released appeared first on HIPAA Journal.

California Bill Proposes Further Health Data Exemptions for CCPA

Posted January 20, 2020 by HIPAA Journal

On January 1, 2020, the California Consumer Protection Act (CCPA) came into effect. CCPA enhanced privacy protections for state residents and gave Californians new rights over their personal data.

Healthcare data covered by the Health Insurance Portability and Accountability Act (HIPAA) Rules and California’s Confidentiality of Medical Information Act (CMIA) were exempted from CCPA but there is still potential for CCPA to cause compliance headaches for healthcare organizations.

A new bill – AB 713 – has now been introduced which aims to simplify compliance by adding further categories of data to the CCPA exemptions, specifically health data that has been de-identified in accordance with HIPAA Rules, personal information used for public health and safety purposes, medical research data, and health information collected, maintained, or used by business associates of HIPAA-covered entities. The bill was unanimously approved by the State Senate Health Committee this month.

The change to the exemption for deidentified health data is required as the definitions of deidentified data differ under HIPAA and CCPA and data de-identified in accordance with HIPAA could still contain data covered by CCPA. HIPAA only require identifiers to be removed that could be used to identify patients. It does not require the removal of identifiers for workforce members or providers, which is covered by CCPA.

AB 713 adds a new exemption for health data that is deidentified in accordance with HIPAA, provided the following three conditions are met:

Data is deidentified through either the safe harbor or expert determination method detailed in 45 CFR § 164.514 (b); data is derived from protected health information, medical information, individually identifiable health information, or identifiable private information, consistent with the Federal Policy for the Protection of Human Subjects (Common Rule); the business or business associate does not try to or actually re-identify individuals from the data.

The exemption applies to information deidentified in accordance with HIPAA. This exemption would therefore also apply to entities not covered by HIPAA.

While AB 713 would exempt deidentified information, a business will be required to disclose, via a consumer-facing public notice, if deidentified information will be provided to third parties and the method used to deidentify the data.

CCPA does not cover certain types of personal information used for research, such as data collected for clinical trials subject to the Common Rule. AB 713 adds further exemptions for personal information collected or used in biomedical research studies subject to institutional review board standards, the ethics and privacy requirements of the Common Rule, the International Council for Harmonization’s good clinical practice guidelines, or the FDA’s human subject protection requirements. An exemption is also added for personal information collected for or used in research, subject to all applicable ethics and privacy laws, if the information is either individually identifiable health information (45 CFR § 160.103) or medical information governed by the California Confidentiality of Medical Information Act (CMIA).

AB 713 also adds an exemption for personal information that is only used for the following purposes, provided the information is protected in accordance with all confidentiality and privacy provisions applicable under federal or state law:

Product registration and tracking consistent with applicable FDA regulations and guidelines.
Public health activities and purposes detailed in 45 CFR § 164.512
FDA-regulated quality, safety, and effectiveness activities

The post California Bill Proposes Further Health Data Exemptions for CCPA appeared first on HIPAA Journal.

Support for Windows 7 Finally Comes to an End

Posted January 14, 2020 by HIPAA Journal

Microsoft is stopping free support for Windows 7, Windows Server 2008, and Windows Server 2008 R2 on January 14, 2020, meaning no more patches will be released to fix vulnerabilities in the operating systems. Support for Office 2010 has also come to an end.

The operating systems will be up to date as of January 14, 2020 and all known vulnerabilities will have been fixed, but it will only be a matter of time before exploitable vulnerabilities are discovered and used by cybercriminals to steal data and deploy malware.

Even though Microsoft has given a long notice period that the operating system was reaching end of life, it is still the second most used operating system behind Windows 10. According to NetMarketShare, 33% of all laptop and desktop computers were running Windows 7 in December 2019.

Many healthcare organizations are still using Windows 7 on at least some devices. The continued use of those devices after support is stopped places them at risk of cyberattacks and violating the HIPAA Security Rule.

The natural solution is to update Windows 7 to Windows 10, although that may not be straightforward. In addition to purchasing licenses and upgrading the operating system, hardware may also have to be upgraded and some applications may not work on newer operating systems. The upgrade is therefore likely to be a major undertaking that may take a great deal of time.

If upgrading Windows 7 devices and Windows 2008 servers is not possible, steps should be taken to protect the devices and reduce the likelihood of a compromise and the impact of a cyberattack.

Steps to take to reduce the likelihood of a compromise include preventing the Windows 7 devices from accessing untrusted content. That means not using the devices for accessing email and browsing the internet and portable storage devices and removable media should not be used.

Local administrator rights should be removed from all Windows 7 devices and firewall protection should be strengthened. The devices should not be used for accessing sensitive data, such as protected health information and any sensitive data stored on the devices should be moved to devices running supported operating systems.

Since there is a greater chance of a malware infection on devices running unsupported operating systems, it is essential for anti-virus software to be installed and for it to be kept up to date. Regular scans should be conducted on the devices for malware and the devices should be monitored for potential cyberattacks in progress.

Microsegmentation can help to limit the harm caused in the event of a compromise. All devices running unsupported operating systems should be isolated from other networks and the devices should only be allowed to access critical services. Access to core servers and systems should be removed. It is also strongly advisable to review and revise business continuity plans to ensure that in the event of a compromise, critical business operations can continue. While it is costly to pay for extended support it is strongly recommended.

These measures can reduce risk, but they will not eliminate it. Organizations should therefore be accelerating their plans to upgrade their operating systems and hardware. Moving to a supported operating system is the only way to ensure devices remain secure.

The post Support for Windows 7 Finally Comes to an End appeared first on HIPAA Journal.

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information