Healthcare Data Privacy

Analysis of March 2018 Healthcare Data Breaches

There has been a month-over-month increase in healthcare data breaches. In March 2018, 29 security incidents were reported by HIPAA covered entities compared to 25 incidents in February.

March 2018 Healthcare Data Breaches

Even though more data breaches were reported in March, there was a fall in the number of individuals impacted by breaches. March 2018 healthcare data breaches saw 268,210 healthcare records exposed – a 13.13% decrease from the 308,780 records exposed in incidents in February.

Records exposed by Healthcare Data Breaches (March 2018)

Causes of March 2018 Healthcare Data Breaches

March saw the publication of the Verizon Data Breach Investigations Report, which confirmed the healthcare industry is the only vertical where more data breaches are caused by insiders than hackers. That trend continued in March. Unauthorized access/disclosures, loss of devices/records, and improper disposal incidents were behind 19 of the 29 incidents reported – 65.5% of all incidents reported in March.

The main cause of healthcare data breaches in March 2018 was unauthorized access/disclosure incidents. 14 incidents were reported, with theft/loss incidents the second main cause with 9 incidents, followed by hacking/IT incidents with 5 breaches reported.

Severity of Breaches by Breach Cause

| Breach Cause | Total Records Exposed in March | Median Records Exposed | Mean Records Exposed |
|---|---|---|---|
| Unauthorized Access/Disclosure | 166,859 | 3,551 | 11,919 |
| Hacking/IT Incident | 54,814 | 5,207 | 10,963 |
| Theft | 40,018 | 1,424 | 8,004 |
| Loss | 5,107 | 1,096 | 1,277 |
| Improper Disposal | 1,412 | 1,412 | 1,412 |

Largest Healthcare Data Breaches Reported in March 2018

There were ten healthcare data breaches reported in March that impacted more than 10,000 individuals. The largest data breach resulted in the exposure of 63,551 individuals’ PHI. That incident occurred and was discovered in December 2016, although the incident has only just been reported to the HHS’ Office for Civil Rights.

While hacking incidents usually result in the highest number of exposed/compromised records, in March it was unauthorized access/disclosure incidents that dominated the breach reports.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|
| Middletown Medical P.C. | Healthcare Provider | 63,551 | Unauthorized Access/Disclosure |
| ATI Holdings, LLC and its subsidiaries | Healthcare Provider | 35,136 | Hacking/IT Incident |
| City of Houston Medical Plan | Health Plan | 34,637 | Theft |
| Mississippi State Department of Health | Healthcare Provider | 30,799 | Unauthorized Access/Disclosure |
| Barnes-Jewish Hospital | Healthcare Provider | 18,436 | Unauthorized Access/Disclosure |
| Barnes-Jewish St. Peters Hospital | Healthcare Provider | 15,046 | Unauthorized Access/Disclosure |
| Special Agents Mutual Benefit Association | Health Plan | 13,942 | Unauthorized Access/Disclosure |
| Guardian Pharmacy of Jacksonville | Healthcare Provider | 11,521 | Hacking/IT Incident |
| Primary Health Care, Inc. | Healthcare Provider | 10,313 | Unauthorized Access/Disclosure |

March 2018 Healthcare Data Breaches by Covered Entity Type

No data breaches were reported by business associates of HIPAA-covered entities in March. The breach summaries published by the HHS’ Office for Civil Rights suggest there was no business associate involvement in any of the 29 incidents reported.

However, the largest reported incident – the breach at Middletown Medical – is marked as having no business associate involvement, when the breach notice uploaded to the provider’s website indicates the incident was caused by a subcontractor of a business associate. It is possible there were more security breaches in March that had some business associate involvement.

Records Exposed by Covered Entity Type

Unsurprisingly, given the number of incidents reported by healthcare providers, these incidents resulted in the highest number of exposed records – 154,325 records – followed by breaches at business associates/subcontractors – 63,551 records – and health plans – 50,334 records.

Breaches at business associates/subcontractors saw the highest number of records exposed per incident (Median & Mean = 63,551 records), followed by health plans (Median = 13,943 records / Mean = 16,778 records), and healthcare providers (Median = 1,843 records / Mean = 6,173 records).

Location of Breached Protected Health Information

The main location of breached protected health information in March was portable electronic devices (laptops/other portable devices) with 9 incidents reported. Had encryption been used to protect ePHI on these devices, a breach of PHI could have easily been avoided.

The second biggest problem area was email with 8 reported incidents. These breaches include misdirected emails and phishing incidents.

Securing physical records continues to be a problem. There were five incidents reported in March that involved physical records such as paper and films.

March 2018 Healthcare Data Breaches by State

In March 2018, six states experienced multiple healthcare data breaches. While California usually tops the list for the highest number of breaches, this month it was Massachusetts-based healthcare organizations that were the hardest hit, with 5 incidents reported.

California was in second place with four security incidents, followed by Missouri and New York with three, and Maryland and Texas with two. The 10 other states where breaches occurred were Arkansas, Colorado, District of Columbia, Florida, Georgia, Iowa, Illinois, Minnesota, Mississippi, and West Virginia.

Financial Penalties for Breaches and HIPAA Violations

There were no civil monetary penalties issued by the Department of Health and Human Services’ Office for Civil Rights in March, and no settlements with HIPAA-covered entities or business associates to resolve HIPAA violations.

The New York attorney general’s office has continued to take a hard line on companies discovered to have violated HIPAA Rules and suffered data breaches as a result, with one further settlement reached in March.

Virtua Medical Group agreed to settle violations of HIPAA and state laws for $417,816. That penalty relates to the failure to secure an FTP server, although it was not the healthcare provider that was directly responsible. The error was made by a business associate of Virtua Medical Group.

The post Analysis of March 2018 Healthcare Data Breaches appeared first on HIPAA Journal.

HHS Report Offers Tips to Prevent and Block SamSam Ransomware Attacks

The high volume of SamSam ransomware attacks on healthcare and government organizations in recent months has prompted the Department of Health and Human Services’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) to issue a report of ongoing SamSam ransomware campaigns. The report includes tips to help organizations detect and block SamSam ransomware attacks.

There Have Been 10 Major SamSam Ransomware Attacks in the Past 4 Months

Since December 2017, there have been 10 major attacks, mostly on government and healthcare organizations in the United States. Additional attacks have been reported in Canada and India.

In January 2018, the EHR provider AllScripts experienced an attack that saw its systems taken out of action for several days, preventing around 1,500 medical practices from accessing patient data. In some cases, those practices were prevented from accessing patient data for as long as a week.

In March 2018, the City of Atlanta was forced to shut down its IT systems to halt the spread of the ransomware. In that case, the attack leveraged a Windows Server Message Block V1 vulnerability on a public-facing server to install the ransomware – the same vulnerability that was exploited in the global WannaCry and NotPetya attacks in May and June 2017.

Hancock Health was attacked and chose to pay the ransom as it was seen to be preferable to the ongoing disruption that would have been caused by recovering files from backups. Hancock Health was one of two hospitals in Indiana to experience an attack. The Colorado Department of Transportation suffered two separate SamSam ransomware attacks in February and March.

Other healthcare organizations to be attacked include Erie County Medical Center, which saw an unpatched vulnerability exploited. In that case, the ransom was not paid, although it took six weeks for the medical center to fully recover at a cost of several million dollars.

While the healthcare industry appears to have been targeted, that is not necessarily the case. The HHS and Cisco Talos suggest several of the attacks have been opportunistic in nature. However, ransomware gangs have been known to target the government, healthcare, and education sectors. The major disruption to services and the cost of mitigating attacks in these industries make it far more likely that the ransom payment will be made.

Different attack methods have been used by the threat actors behind SamSam ransomware, although the group is known to exploit vulnerabilities on public-facing servers. Compromised RDP/VNC servers (Remote Desktop Protocol/Virtual Network Computing) are a common denominator in several of the attacks.

The threat actors also scan for open RDP connections and conduct brute force attacks which take advantage of weak passwords.

Once access to a server is gained, ransomware is installed and spread laterally. The goal of the attack is to cause massive disruption. Even though backups exist in most cases and data can be recovered, the continued disruption to business operations while files are recovered makes payment of the ransom preferable. Even if the ransom is paid, the cost is considerable. The City of Atlanta was reportedly issued a ransom demand of $6,800 per infected endpoint.

Tips to Prevent and Block SamSam Ransomware Attacks

Several vulnerabilities have been exploited to gain access to servers including JBoss, SMBv1, RDP, and others. It is therefore strongly recommended to conduct regular vulnerability scans and ensure good patch management practices are adopted. Strong passwords should be used, and controls implemented to enforce password policies.

HCCIC offers the following advice to prevent and block SamSam ransomware attacks:

  • Conduct an organization-wide risk analysis to identify risks to ePHI and implement security measures to remediate those risks – A requirement of the HIPAA Security Rule
  • Train end users to help them detect malicious software
  • Implement procedures to protect against malicious software and use software solutions that can rapidly identify an attack in progress to ensure rapid action can be taken to prevent the spread of the infection
  • Ensure all data is backed up regularly – A good backup strategy is the 3-2-1 approach – Ensure 3 backups are made, on two different media, with one copy stored securely off site.
  • Develop contingency plans to minimize business disruption in the event of a cyberattack
  • Develop procedures for responding to security incidents, including procedures specifically for ransomware attacks.

As for payment of the ransom, that carries a risk. There are no guarantees that the attackers will make good on their promise to send keys to unlock the data or that the keys supplied will work. It is essential to ensure that recovery is possible without paying the ransom.

The HCCIC report, which includes indicators of compromise, can be downloaded from the American Hospital Association (PDF).

How Long Does It Take to Breach a Healthcare Network?

A recent survey of hackers, incident responders, and penetration testers has revealed the majority can gain access to a targeted system within 15 hours, but more than half of hackers (54%) take less than five hours to gain access to a system, identify sensitive data, and exfiltrate the data.

61% of Surveyed Hackers Took Less than 15 Hours to Obtain Healthcare Data

The data comes from the second annual Nuix Black Report and its survey of 112 hackers and penetration testers, 79% of whom were based in the United States.

Respondents were asked about the time it takes to conduct attacks and steal data, the motivations for attacks, the techniques used, and the industries that offered the least resistance.

While the least protected industries were hospitality, retail, and the food and beverage industry, healthcare organizations were viewed as particularly soft targets. Healthcare, along with law firms, manufacturers, and sports and entertainment companies had below average results and were relatively easy to attack. As Nuix points out, many of the industries that were rated as soft targets are required to comply with industry standards for cybersecurity.

The retail and food and beverage industries are required to comply with Payment Card Industry Data Security Standard (PCI DSS) and healthcare organizations must comply with HITECH Act requirements and the HIPAA Security Rule, with the latter requiring safeguards to be implemented to ensure the confidentiality, integrity, and availability of healthcare data. As far as hackers are concerned, the data is certainly available. When asked how long it takes to breach the perimeter of a hospital or healthcare provider and exfiltrate useful data, 18% said less than 5 hours, 23% said 5-10 hours, and 20% said 10 to 15 hours. ‘Large numbers’ of hackers said they were able to identify and exfiltrate sensitive data within an hour of breaching the network perimeter.

Even though organizations are required to comply with certain standards for cybersecurity, that does not mean that appropriate safeguards are implemented, or that they are implemented correctly and are providing the required level of protection.

“Most organizations invest heavily in perimeter defenses such as firewalls and antivirus, and these are mandatory in many compliance regimes, but most of the hackers we surveyed found these countermeasures trivially easy to bypass,” said Chris Pogue, Head of Services, Security and Partner Integration at Nuix and lead author of the report.

How Are Hackers Gaining Access to Networks and Data?

The most popular types of attacks are social engineering (27%) and phishing attacks (22%), preferred by 49% of hackers. 28% preferred network attacks. The popularity of ransomware has soared in recent years, yet it was not a preferred attack method, favored by only 3% of respondents to the survey.

Social engineering is used sometimes or always by 50% of attackers, with phishing emails by far the most popular social engineering method. 62% of hackers who use social engineering use phishing emails, physical social engineering on employees is used by 22%, and 16% obtain the information they need over the telephone.

The most commonly used tools for attacks were open source hacking tools and exploit packs, which combined are used by 80% of surveyed hackers.

Interestingly, while the threat landscape is constantly changing, hackers do not appear to change their tactics that often. Almost a quarter of hackers only change their attack methods once a year and 20% said they update their methods twice a year.

As for the motivation for the attacks, it is not always financial. 86% hack for the challenge, 35% for entertainment/mischief, and only 21% attack organizations for financial gain.

One take-home message from the survey is just how important it is to implement security awareness programs, train staff in cybersecurity best practices, and keep them alert to the threat from social engineering and phishing attacks. With almost half of hackers preferring these tactics, ensuring the workforce can identify phishing and social engineering attacks will greatly improve organizations’ security posture.

GAO Discovers Inconsistencies in CMS Oversight of Medicare Beneficiary Data Security

In response to recent data breaches, the chairmen of the U.S. Senate Committee on Finance, the House Committee on Ways and Means, and the House Committee on Energy and Commerce requested the U.S. Government Accountability Office conduct a study of HHS’ Centers for Medicare and Medicaid Services (CMS) to assess its efforts to protect Medicare beneficiary data accessed by external entities.

The study had three main objectives: To determine the major external entities that collect, store, and share Medicare beneficiary data, to determine whether the requirements for protection of Medicare data align with federal guidance, and to assess CMS oversight of the implementation of those requirements.

The study revealed the CMS has only established security requirements that align with federal guidance for some external entities and oversight of the implementation of security controls by external entities has been inconsistent.

The CMS shares Medicare beneficiary data with three main types of external entities: Medicare Administrative Contractors (MACs), research organizations, and public or private entities that use claims data to assess the performance of Medicare service providers and equipment suppliers.

Each year, MACs process more than 1.2 billion Medicare fee-for-service claims and interact with over 1.5 million healthcare providers. Healthcare providers submit Medicare fee-for-service claims to the MACs, who check and process the claims.

In order to process claims, MACs require access to the CMS virtual data centers (VDCs) and connect directly to them via the CMSNet telecommunications network. The VDCs contain personally identifiable information and protected health information of Medicare beneficiaries.

Researchers are provided with access to beneficiary data to study how healthcare services are provided to beneficiaries. That research benefits the public through the improved delivery of healthcare services. Researchers apply to the CMS and are granted access to the specific dataset necessary for the research.

Researchers are required to enter into a data use agreement with the CMS which details the data that will be accessed, for what purpose, how long, and the requirements to ensure confidentiality and protection of the data. They can either access the data electronically by connecting to the CMS’s Chronic Conditions Warehouse/Virtual Research Data Center (CCW/VRDC) via a secure network connection or receive copies of encrypted data sent via the U.S. mail.

Qualified entities that access claims data to assess the effectiveness of Medicare service providers and equipment suppliers can access the data via a Secure File Transfer System connection to the CCW/VRDC or can receive encrypted data via U.S. mail. They too are required to enter into a data use agreement with the CMS.

The GAO study revealed that requirements for implementing security controls in line with federal guidance have only been developed for MACs and qualified entities, but not for researchers as they are not CMS contractors. The failure to provide risk-based requirements for implementing security controls to researchers could mean security controls meeting CMS standards are not applied.

GAO also discovered that while an oversight program has been developed for the security of MAC data, there is no equivalent program for the data handled by researchers and qualified entities.

The lack of oversight of data security by those two types of external entities means the CMS cannot determine whether Medicare beneficiary data is being adequately protected.

While the CMS has overseen independent assessments of MACs which identify whether security controls have been implemented correctly, there has been inconsistent tracking and monitoring of vulnerabilities identified by those assessments and the actions taken to correct those issues. The CMS therefore cannot be sure that all security gaps have been addressed in a timely fashion.

To ensure the security of Medicare beneficiary data, GAO has made three recommendations:

  • The CMS should develop security guidance for researchers defining the minimum security controls that must be implemented and ensure the guidance is consistent with NIST guidelines.
  • All findings of MAC assessments should be classified and tracked, and processes and procedures should be developed to ensure researchers and qualified entities have implemented information security controls.
  • The CMS should also establish an effective oversight program for all external entities that access Medicare beneficiary data.

The CMS concurred with all three GAO recommendations.

Lack of Security Awareness Training Leaves Healthcare Organizations Exposed to Cyberattacks

A recent study conducted by the Ponemon Institute on behalf of Merlin International has revealed healthcare organizations are failing to provide sufficient security awareness training to their employees, which is hampering efforts to improve security posture.

Phishing is a major security threat and the healthcare industry is being heavily targeted. Phishing offers threat actors an easy way to bypass healthcare organizations’ security defenses. Threat actors are now using sophisticated tactics to evade detection by security solutions and get their emails delivered. Social engineering techniques are used to fool employees into responding to phishing emails and disclose their login credentials or install malware.

Phishing is used in a high percentage of cyberattacks on healthcare organizations. Research conducted by Cofense (formerly PhishMe) suggests as many as 91% of cyberattacks start with a phishing email. While security solutions can be implemented to block the majority of phishing emails from being delivered to end users’ inboxes, it is not possible to block 100% of malicious emails. Security awareness training is therefore essential.

Healthcare employees should be trained how to recognize phishing emails and how to respond when potentially malicious messages are received. Training should be provided to help eliminate risky behaviors and teach cybersecurity best practices. The failure to provide sufficient training leaves healthcare organizations at risk of attack.

The Ponemon/Merlin International study of 627 healthcare executives in the United States suggests healthcare organizations are not doing enough to improve security awareness and develop a security culture. More than half of respondents (52%) said the lack of security awareness was affecting their organization’s security posture.

The Merlin International report, 2018 Impact of Cyber Insecurity on Healthcare Organizations, revealed 62% of respondents have experienced a cyberattack in the past 12 months, with half of those incidents resulting in the loss of healthcare data. Poor security awareness is contributing to a high percentage of those breaches.

When asked about the biggest concerns, there was an equal split between external attacks by hackers and internal breaches due to errors and employee negligence – 63% and 64% respectively.

The main threats to the confidentiality, integrity, and availability of healthcare data were perceived to be unsecured medical devices (78%), BYOD (76%) and insecure mobile devices (72%).

57% of respondents felt use of the cloud, mobile, and IoT technologies has increased the number of vulnerabilities that could be exploited to gain access to healthcare data. 55% of respondents said medical devices were not included in their cybersecurity strategy and the continued use of legacy systems was seen to be a security issue by 58% of respondents.

Even though 62% of organizations have experienced a data breach in the last year and it is a requirement for HIPAA compliance, 51% of organizations have not developed an incident response program that allows them to rapidly respond and remediate breaches.

Staffing was seen to be the biggest roadblock preventing organizations from improving their security posture. 74% believed a lack of suitable staff was a major issue hampering efforts to improve cybersecurity. 60% of respondents do not believe they have the right cybersecurity qualifications in house and only 51% of surveyed organizations have appointed a CISO.

“Healthcare organizations must get even more serious about cybersecurity to protect themselves and their patients from losing access to or control of the proprietary and personal information and systems the industry depends on to provide essential care,” said Brian Wells, Director of Healthcare Strategy at Merlin International.

HIPAA Compliance for Pharmacies

HIPAA is a federal law that establishes the acceptable uses and disclosures of protected health information (PHI), sets standards for the secure storage and transmission of PHI, and gives patients the right to obtain copies of their PHI. HIPAA compliance for pharmacies is not an option. The penalties for failing to comply with HIPAA can be severe.

Key Elements of HIPAA Compliance for Pharmacies

The combined text of HIPAA Rules published by the Department of Health and Human Services’ Office for Civil Rights is 115 pages, so covering all elements of HIPAA compliance for pharmacies is beyond the scope of this post; however, some of the key elements of HIPAA compliance for pharmacies have been outlined below.

Conduct risk analyses – A comprehensive, organization-wide risk analysis must be conducted to identify all risks to the confidentiality, integrity, and availability of ePHI. Any risks identified must be subjected to a HIPAA-compliant risk management process. A risk analysis is not a one-time checkbox item. Risk analyses must be conducted regularly, such as when there is a change to business practices or new technology is introduced.

Safeguard PHI at all times – One of the most important aspects of HIPAA compliance for pharmacies is ensuring safeguards are implemented to ensure the confidentiality, integrity, and availability of physical and electronic PHI. Pharmacies can decide on the best safeguards to implement with decisions guided by the findings of the risk analysis.

Appoint a privacy officer – A privacy officer must be appointed. Any member of staff can be your designated privacy officer. That person’s responsibility is to ensure policies and procedures are followed, documentation and filing is performed correctly, and patient requests for PHI are responded to in a timely manner. The privacy officer must also monitor for changes to HIPAA regulations and work with the owner or manager to ensure continued compliance.

Obtain authorizations – HIPAA permits the use of PHI for treatment purposes, requesting or receiving payment, or pharmacy operations. Any other use or disclosure of PHI must be authorized by the patient in writing prior to PHI being used or disclosed.

Obtain business associate agreements – A third party that needs access to PHI or copies of PHI to perform a service on behalf of the pharmacy is classed as a business associate and is also required to comply with HIPAA Rules. A business associate must provide reasonable assurances to the covered entity, by means of a business associate agreement, that the requirements of HIPAA have been understood and that HIPAA Rules will be followed.

Ensure PHI is not impermissibly disclosed – Accidentally or deliberately disclosing PHI for reasons not permitted by the Privacy Rule can cause considerable harm to patients. Policies and procedures must be developed and implemented to reduce the risk of impermissible disclosures. Care must be taken not to disclose more than the ‘minimum necessary’ PHI.

Provide patients with copies of their PHI – The HIPAA Privacy Rule gives patients the right to obtain copies of their PHI on request. While that right is typically exercised with healthcare providers, pharmacies must also provide copies of pharmacy records related to an individual if requested.

Dispose of PHI correctly – PHI such as prescription labels and documents must be disposed of in a manner that prevents the PHI from being viewed or reconstructed. Paperwork such as labels should be shredded, pulverized, pulped, or incinerated. ePHI on electronic devices must be permanently erased before disposal.

Provide training to staff – All pharmacy staff, as well as volunteers and interns who are required to come into contact with PHI, must comply with HIPAA Rules. All staff must be trained and made aware of HIPAA Rules that apply to them and what constitutes PHI. Training should be provided as soon as possible with refresher training provided regularly. Pharmacies must also provide security awareness training to staff.

Inform patients of privacy practices – All HIPAA covered entities must document their privacy practices and share that information with patients. Signatures should be obtained from patients confirming they have received the notice of privacy practices.

Notify patients/OCR of a privacy breach – Patients must be informed when their PHI has been exposed or stolen and OCR must also be notified. Notifications must be sent to patients and OCR within 60 days of the discovery of a breach. OCR can be notified of a breach impacting fewer than 500 individuals no later than 60 days from the end of the calendar year in which the breach occurred.

Since HIPAA compliance for pharmacies can be complex and the penalties for noncompliance severe, we suggest contacting a compliance specialist who will be able to walk you through the steps you need to take to comply with all aspects of HIPAA Rules. Alternatively, if you are unsure about any aspect of HIPAA compliance for pharmacies, contact a healthcare attorney.

Penalties for HIPAA Violations by Pharmacies

It doesn’t matter how large or small your business is, HIPAA compliance for pharmacies is not optional. There have been several penalties for HIPAA violations by pharmacies over the past few years. Not only can HIPAA violations attract a significant fine, they can also seriously damage the reputation of your pharmacy.

The HHS’ Office for Civil Rights has increased enforcement activity in the past two years and fines and settlements over HIPAA violations are now far more common. State attorneys general are also taking action over privacy breaches and are pursuing financial settlements when PHI is exposed or impermissibly disclosed. State attorneys general can issue fines up to $250,000 for violations of the same type that are experienced in a single year. The HHS’ Office for Civil Rights can issue fines up to $1.5 million per violation category, per year.

  • In 2009, CVS Pharmacy settled potential HIPAA violations with OCR for $2.25 million after it was discovered prescription bottles and receipts had been disposed of improperly.
  • In 2010, Rite Aid Corp settled with OCR for $1 million to resolve violations of HIPAA relating to the improper disposal of PHI.
  • In 2014, Walgreens was fined $1.4 million for the impermissible disclosure of a patient’s PHI. A pharmacist shared a patient’s PHI with her husband and at least three other people.
  • In 2015, Cornell Pharmacy, a small pharmacy in Denver, was fined $125,000 for the improper disposal of PHI.

Alabama Governor Enacts Data Breach Notification Act

Alabama has become the 50th state to require companies to issue breach notifications to individuals whose personal information has been exposed or compromised as a result of a data breach. Governor Kay Ivey signed the act into law on March 28. The effective date is May 1, 2018.

The data breach notification law took a long time to be enacted, but Alabama residents will now have some of the best protections in the country, as the law is one of the strictest introduced in any state.

While every state now has a data breach notification law that requires notifications to be issued to all individuals impacted by a data breach, only 28% of U.S. states – including Alabama – also require ‘covered entities’ to maintain reasonable security measures to protect the confidentiality of sensitive personally identifying information of state residents. Service providers must also be contractually required to maintain appropriate safeguards.

Sensitive personally identifying information is classed as a state resident’s first name or first initial and last name in combination with any of the following data elements:

  • A non-truncated Social Security or tax-identification number
  • A non-truncated driver’s license, passport, or other government identification number
  • A financial account number combined with security/access code, password, PIN or expiration date necessary to access or enter into a transaction that will “credit or debit the account”
  • An individual’s medical history, mental/physical condition, medical treatment/diagnosis by a health care professional, health insurance policy/subscriber number, or other insurance identifier
  • A user name or email address combined with a password or security question/answer permitting access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information

The Data Breach Notification Act requires at least one employee to be designated to coordinate data security measures. Covered entities must determine ‘reasonable security measures’ by means of a risk assessment covering internal and external threats. Appropriate safeguards must then be implemented to address identified risks and reduce them to a reasonable level. The measures introduced must be reevaluated and adjusted when circumstances change.

When personal information is no longer required, covered entities must take reasonable steps to ensure the information is permanently destroyed.

In the event of a breach of personal information, the covered entity must conduct a “good faith and prompt investigation” to determine the nature and scope of the breach, the types of sensitive personally identifying information involved, the likelihood of the information being acquired by an unauthorized individual, and whether the acquisition of sensitive personally identifying information is likely to cause substantial harm. The covered entity must also ensure measures are introduced to restore the security of its systems after a breach has occurred.

Data breach notifications must be issued to all individuals impacted by the breach “without unreasonable delay” and no later than 45 days after the discovery of a breach of sensitive personally identifying information.

The breach notice must include the date – or estimated date – of the breach, the type of information exposed or stolen, a general description of remedial measures taken by the covered entity in response to the breach, and a list of actions that individuals can take to protect themselves against identity theft and fraud. Contact information must also be supplied to allow individuals to find out more about the breach should they wish to do so.

In addition to personal notifications, the Alabama state attorney general must also be notified of a breach within 45 days if it impacts more than 1,000 individuals.

HIPAA covered entities should note that they are not deemed to be in compliance with the Alabama Data Breach Notification Act by complying with HIPAA Rules.

Any entity that violates the Alabama Data Breach Notification Act will be subject to penalties for an unlawful trade practice under the Alabama Deceptive Trade Practices Act, although a violation would not be classed as a criminal offense. The maximum civil monetary penalty is $5,000 for each day past the 45-day deadline for issuing data breach notifications. The maximum civil monetary penalty for violations of the Act is $500,000.


Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches

Verizon has released its annual Protected Health Information Breach Report which delves deep into the main causes of breaches, why they occur, the motivations of internal and external threat actors, and the main threats to the confidentiality, integrity, and availability of PHI.

For the report, Verizon analyzed 1,368 healthcare data breaches and incidents where protected health information (PHI) was exposed but not necessarily compromised. The data came from 27 countries, although three quarters of the breached entities were based in the United States where there are stricter requirements for reporting PHI incidents.

In contrast to all other industry sectors, the healthcare industry is unique as the biggest security threat comes from within. Insiders were responsible for almost 58% of all breaches with external actors confirmed as responsible for just 42% of incidents.

The main reason for insider breaches is financial gain. PHI is stolen to commit identity theft, credit card fraud, insurance fraud, and tax fraud. Verizon determined that 48% of all internal incidents were conducted for financial gain. 31% involved accessing medical data out of curiosity or for fun, 10% of incidents were attributed to easy access to data, with 3% of incidents occurring due to a grudge and a further 3% for espionage. External attacks are primarily conducted for financial gain – extortion and the theft and sale of data.

Verizon also looked at the actions that lead to PHI incidents and data breaches, with the most common problem being errors. Errors were behind 33.5% of incidents within this category, which included the misdelivery of emails and mailings, errors made disposing of PHI, publishing errors, loss of PHI, misconfigurations, programming mistakes and data entry errors. The main incident cause was misdelivery of documents, which accounted for 20% of all incidents in the error category.

The second biggest breach category is misuse, accounting for 29.5% of all incidents. 66% of incidents in this category were attributed to privilege abuse – accessing records without authorization. Data mishandling was behind 21.6% of incidents and possession abuse – the misuse of access to physical records – was behind 16.9% of incidents in the misuse category.

The physical category includes theft of records and devices, snooping, tampering, disabled controls, and surveillance. 16.3% of all healthcare PHI incidents were placed in this category, with theft accounting for 95.2% of all incidents. The theft of laptops was the main incident type. Almost half (47%) of laptop theft incidents involved the devices being taken from employees’ vehicles. The use of encryption would prevent the majority of these incidents from exposing PHI.

Hacking may make the headlines, but it accounted for relatively few breaches – just 14.8% of all healthcare PHI incidents were placed in this category. The main cause of breaches in the hacking category was the use of stolen credentials (49.3% of incidents), with credentials often stolen via phishing attacks. Brute force attacks taking advantage of weak passwords were behind 20.9% of incidents. 17.9% of hacking breaches involved the use of backdoors.

Malware was involved in 10.8% of all PHI incidents. While there was a wide range of malware types and variants used in attacks, by far the biggest category was ransomware, which accounted for 70.5% of attacks.

Social attacks accounted for 8% of all incidents. This category involves attacks on employees. Phishing was involved in 69.9% of incidents in this category, followed by pretexting (11.7%), and bribery (7.8%). Pretexting is the next stage on from phishing, when access to email accounts is used to send further emails – BEC attacks for example.

Verizon offers three suggestions which in the short term will help to reduce the number of PHI related incidents and data breaches.

Full disk encryption should be deployed on all portable electronic devices used to store PHI. This simple measure would prevent PHI from being accessed in the event of loss or theft of an electronic device.

The routine monitoring of medical record access – a requirement of HIPAA – will not prevent breaches, but it will reduce the severity of insider incidents and allow healthcare organizations to take corrective action quickly. When employees are aware that records are routinely monitored it can also act as a deterrent and reduce theft and unauthorized access incidents.

The final course of action is to implement solutions to combat ransomware and malware. While defenses can and should involve the use of spam filters and web filters, simple measures can also be taken such as not allowing laptops to access the Internet if they are used to store large quantities of PHI.


Security Breaches in Healthcare in the Last Three Years

There have been 955 major security breaches in healthcare in the last three years that have resulted in the exposure/theft of 135,060,443 healthcare records. More than 41% of the population of the United States have had some of their protected health information exposed as a result of those breaches, which have been occurring at a rate of almost one a day over the past three years.

There has been a steady rise in reported security breaches in healthcare in the last three years. In 2015 there were 270 data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. The figure rose to 327 security breaches in 2016, and 342 security breaches in 2017.

[Figure: Reported healthcare data breaches in 2017]

More healthcare security breaches are being reported than at any other time since HIPAA required covered entities to disclose data breaches, although the number of individuals affected by healthcare data breaches has been declining year over year for the past three years.

In 2015, a particularly bad year for healthcare industry data breaches, 112,107,579 healthcare records were exposed or stolen. The majority of those records were exposed in three data breaches: the 78.8 million-record data breach at Anthem Inc., the 11 million-record breach at Premera Blue Cross, and the 10 million-record breach at Excellus Health Plan.

Other major security breaches in 2015 include the University of California Los Angeles Health breach of 4.5 million records and Medical Informatics Engineering breach of 3.9 million records.

In 2016, 14,679,461 healthcare records were exposed or stolen, with three incidents involving more than 1 million records: the 3.62 million-record breach at Banner Health, the 3.46 million-record breach at Newkirk Products, Inc., and the 2.21 million-record breach at 21st Century Oncology.

In 2017, the worst year for healthcare security incidents in terms of the number of breaches reported, there were 3,286,498 healthcare records exposed or stolen. There were two breaches involving more than half a million records: the 500,000-record breach at Airway Oxygen, Inc., and the 697,800-record breach at Commonwealth Health Corporation.

15 Largest Security Breaches in Healthcare in the Last Three Years

 

| Rank | Year | Covered Entity | Entity Type | Records Exposed/Stolen | Breach Cause |
|---|---|---|---|---|---|
| 1 | 2015 | Anthem, Inc. Affiliated Covered Entity | Health Plan | 78,800,000 | Hacking/IT Incident |
| 2 | 2015 | Premera Blue Cross | Health Plan | 11,000,000 | Hacking/IT Incident |
| 3 | 2015 | Excellus Health Plan, Inc. | Health Plan | 10,000,000 | Hacking/IT Incident |
| 4 | 2015 | University of California, Los Angeles Health | Healthcare Provider | 4,500,000 | Hacking/IT Incident |
| 5 | 2015 | Medical Informatics Engineering | Business Associate | 3,900,000 | Hacking/IT Incident |
| 6 | 2016 | Banner Health | Healthcare Provider | 3,620,000 | Hacking/IT Incident |
| 7 | 2016 | Newkirk Products, Inc. | Business Associate | 3,466,120 | Hacking/IT Incident |
| 8 | 2016 | 21st Century Oncology | Healthcare Provider | 2,213,597 | Hacking/IT Incident |
| 9 | 2015 | CareFirst BlueCross BlueShield | Health Plan | 1,100,000 | Hacking/IT Incident |
| 10 | 2016 | Valley Anesthesiology Consultants, Inc. d/b/a Valley Anesthesiology and Pain Consultants | Healthcare Provider | 882,590 | Hacking/IT Incident |
| 11 | 2016 | County of Los Angeles Departments of Health and Mental Health | Healthcare Provider | 749,017 | Hacking/IT Incident |
| 12 | 2017 | Commonwealth Health Corporation | Healthcare Provider | 697,800 | Theft |
| 13 | 2015 | Virginia Department of Medical Assistance Services (VA-DMAS) | Health Plan | 697,586 | Hacking/IT Incident |
| 14 | 2016 | Bon Secours Health System Incorporated | Healthcare Provider | 651,971 | Unauthorized Access/Disclosure |
| 15 | 2015 | Georgia Department of Community Health | Health Plan | 557,779 | Hacking/IT Incident |

 

Main Causes of Security Breaches in Healthcare in the Last Three Years

The three main causes of security breaches in healthcare in the last three years were hacking/IT incidents, unauthorized access and disclosure incidents, and the loss/theft of physical records and unencrypted electronic devices containing ePHI.

There has been a downward trend in the number of theft/loss incidents over the past three years as healthcare organizations have started encrypting records on portable electronic devices. However, improper disposal incidents have risen year over year as have hacking incidents. In 2017, hacking/IT incidents were the main cause of healthcare data breaches.

[Figure: Healthcare data breaches in 2017 (hacking)]

[Figure: Healthcare data breaches in 2017 (unauthorized access/disclosures)]

[Figure: Healthcare data breaches in 2017 (loss/theft)]

Financial Penalties for Security Breaches in Healthcare in the Last Three Years

In addition to annual increases in data breaches, financial penalties for HIPAA violations have also been increasing, both in terms of number of settlements and civil monetary penalties issued and the penalty amounts.

The HHS’ Office for Civil Rights is now enforcing HIPAA Rules far more aggressively and multi-million-dollar fines are regularly issued. The last three years have seen 29 HIPAA covered entities and business associates financially penalized for data breaches that have occurred as a result of noncompliance with HIPAA Rules.

In the last three years, the HHS’ Office for Civil Rights has collected $49,091,700 in financial penalties from its enforcement actions. The average settlement amount in 2017 was $1.94 million.
