Healthcare Data Privacy

Hacking Responsible for 83% of Breached Healthcare Records in January

Posted by HIPAA Journal

The latest installment of the Protenus Healthcare Breach Barometer report has been released. Protenus reports that overall, at least 473,807 patient records were exposed or stolen in January, although the number of individuals affected by 11 of the 37 breaches is not yet known. The actual total is likely to be considerably higher, possibly taking the final total to more than half a million records.

The report shows insiders are continuing to cause problems for healthcare organizations. Insiders were the single biggest cause of healthcare data breaches in January. Out of the 37 healthcare data breaches reported in January 12 were attributed to insiders – 32% of all data breaches.

While insiders were the main cause of breaches, the incidents affected a relatively low number of individuals – just 1% of all records breached. Insiders exposed 6,805 patient records, although figures could only be obtained for 8 of the 12 breaches. 7 incidents were attributed to insider error and five were due to insider wrongdoing.

Protenus has drawn attention to one particular insider breach. A nurse was discovered to have accessed the health information of 1,309 patients without authorization over a period of 15 months. If the healthcare organization had technology in place to monitor for inappropriate access, the privacy of hundreds of patients would not have been violated.

The second biggest cause of healthcare data breaches in January were hacking/IT incidents. There were 11 hacking/IT incidents reported by healthcare organizations in January – 30% of all breaches. In contrast to insider incidents, these were not small breaches. They accounted for 83% of all breached records in January. One single hacking incident involved 279,865 records. That’s 59% of all breached records in the month.

In total, 393,766 healthcare records were exposed by hacks and other IT incidents. The final figure could be substantially higher as figures for five of those breaches have not been obtained. One of the incidents involving an unknown number of records was the ransomware attack on the EHR company Allscripts, which resulted in some of its applications being unavailable for several days. That incident could well be the biggest breach of the month.

Ransomware attacks are still a major problem in healthcare, with six of the 11 incidents involving ransomware or malware. Phishing – the subject of February’s cybersecurity letter from the HHS’ Office for Civil Rights – was involved in at least two breaches.

The loss or theft of electronic devices containing ePHI or physical records accounted for 22% of the breaches. Two incidents involving the loss of patient records impacted 10,590 individuals and four out of the six theft incidents impacted 50,929 individuals. The number of individuals affected by the other two theft incidents is unknown. The cause of 16% of January’s data breaches has not yet been disclosed.

The types of breached entities followed a similar pattern to previous months, with healthcare providers accounting for the majority of breaches (84%). 5% of the breaches had some BA involvement and 3% affected health plans. 8% affected other entities.

Information on the length of time it took to detect breaches was only obtained for 11 of the 37 incidents. The median time from the incident to detection was 34 days and the average was 252 days. The average was affected by one incident that took 1445 days to discover.

The median time from discovery of a breach to reporting the incident was 59 days; one day shy of the 60-day absolute limit of the Breach Notification Rule. The average was 96 days. Four healthcare organizations took longer than 60 days to report their breaches, with one taking more than 800 days.

The post Hacking Responsible for 83% of Breached Healthcare Records in January appeared first on HIPAA Journal.

Medical University of South Carolina’s Hard Line on HIPAA Violations Sees 13 Fired in a Year

Posted by HIPAA Journal

According to a recent report in the Post and Courier, the Medical University of South Carolina (MUSC) terminated 13 employees last year for violating HIPAA Rules by snooping on patient records. In total, there were 58 privacy violations in 2017 at MUSC, all of which have been reported to the Department of Health and Human Services’ Office for Civil Rights.

All of the breaches affected only small numbers of patients. Out of the 58 breaches, 11 incidents were categorized as snooping on medical records. Other breaches were unauthorized disclosures such as when the health information of a patient is accidentally sent or faxed to the wrong person.

Over the past five years, there have been 307 breaches detected at MUSC, resulting in 30 members of non-physician staff being fired. None of the breaches have been listed on the OCR breach portal, which only shows breaches impacting 500 or more individuals. Under HIPAA Rules, all PHI breaches must be reported, although it is only large breaches of more than 500 records that are made public and are detailed on the breach portal.

The revelations were made at a recent meeting of the hospital’s board of trustees. MUSC opted for transparency, which is considered important to help prevent future privacy breaches. The medical university has made it abundantly clear what actions will be taken against employees discovered to have violated HIPAA Rules.

According to the Post and Courier, one board member questioned whether the decision to terminate employees for minor privacy breaches was a Draconian measure; however, the threat of federal audits over data breaches involving employees has made such swift and decisive action necessary. Heavy fines can be imposed when audits reveal HIPAA Rules have not been followed. The actions taken by MUSC clearly show that it takes privacy and security seriously and that HIPAA violations by employees will not be tolerated.

OCR may be focused on pursuing financial penalties for serious breaches of PHI that affect large numbers of individuals, but that does not mean that investigations do not take place for smaller breaches. There have been multiple investigations of small breaches that have resulted in financial penalties for HIPAA violations by covered entities and their business associates.

The most recent example was in early February when a $3.5 million settlement between OCR and Fresenius Medical Care North America (FMCNA) was announced. FMCNA had experienced five small data breaches in a six-month period in 2012. In 2013, Hospice of North Idaho settled with OCR for $50,000 over a breach impacting 441 patients. Further, in 2016, OCR made it clear that it would be stepping up investigations of covered entities that had experienced small breaches of PHI.

While small breaches may not make the headlines, they are serious for the individuals concerned, which is something MUSC makes clear in its employee training sessions. Efforts to communicate the importance of privacy have also been stepped up, and it is made clear to employees that the hospital has a clear policy of terminating employees for violating HIPAA Rules.

It would be unreasonable to single out MUSC as having a poor record for privacy breaches, as many hospitals are likely to have similar stats. What is certainly commendable is the full transparency and swift and decisive action when patient privacy is violated with malicious intent or when the privacy of patients is violated by curious employees.

The post Medical University of South Carolina’s Hard Line on HIPAA Violations Sees 13 Fired in a Year appeared first on HIPAA Journal.

OPM Alleges Health Net Refused to Fully Comply with Recent Security Audit

Posted by HIPAA Journal

The U.S. Office of Personnel Management (OPM) Office of the Inspector General Office of Audits (OIG) has issued a Flash Audit Alert alleging Health Net of California has refused to cooperate with a recent security audit.

Health Net provides benefits to federal employees, and under its contract with OPM, is required to submit to audits. OPM has been conducting security audits on FEHBP insurance carriers for the past 10 years, which includes scanning for vulnerabilities that could potentially be exploited to gain access to the PHI of FEHBP members.

When OPM conducts audits, it is focused on the information systems that are used to access or store the data of Federal Employee Health Benefit Program (FEHBP) members. However, OPM points out that many insurance carriers do not segregate the data of FEHBP members from the data of commercial and other Federal customers. Audits of technical infrastructure need to be conducted on all parts of the system that have a logical or physical nexus with FEHBP data. Consequently, systems containing data other than that of FEHBP members will similarly be assessed for vulnerabilities.

In its Flash Audit Alert, OPM said Health Net refused to allow OPM to conduct vulnerability and configuration management testing and documentation was not provided that would allow OPM to test whether Health Net was able to remove information system access for contractors who no longer needed data access and for terminated employees.

By refusing to cooperate, OPM was unable to determine whether Health Net has been acting as a responsible custodian of sensitive protected health information of FEHBP members.

Health Net maintains that it has cooperated with OPM and allowed the agency to conduct the audit, although the insurance carrier consulted with its external counsel and was advised that if it cooperated fully with OPMs requests and submitted to certain parts of the audit process, it would risk violating contracts with other third parties. Health Net has obligations to those third parties to ensure their data is protected.

Health Net maintains that it has – and will – be able to satisfy the requests of OPM and OIG without compromising the security of its system and the privacy and confidentiality of members’ and employees’ data. Health Net also claims that the allegations made in the OPM report are unfounded.

“We understand the concerns associated with work of this nature, we take great care to minimize risk. Our procedures were developed as part of a collaborative working group comprised of health insurance industry Chief Information Officers and Chief Information Security Officers,” said OPM in its report. “There is nothing unique about Health Net, its technical environment, or the nature of our proposed testing that would exempt Health Net from our oversight and this testing.”

At this stage it is unclear what, if any, action OPM will take against Health Net if the company continues to refuse to comply with its audit requests in full.

The post OPM Alleges Health Net Refused to Fully Comply with Recent Security Audit appeared first on HIPAA Journal.

Is Google Sheets HIPAA Compliant?

Posted by HIPAA Journal

Is Google Sheets HIPAA compliant? Can HIPAA-covered entities use Google Sheets to create, view, or share spreadsheets containing identifiable protected health information or would using Google Sheets violate HIPAA Rules? In this post we assess whether Google Sheets supports HIPAA compliance. 

Under HIPAA Rules, healthcare organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of PHI. While it is straightforward to implement controls internally to keep data secure, oftentimes third parties are contracted to provide services that require access to PHI. They too must abide by HIPAA Rules covering privacy, security, and breach notifications.

A third-party that requires access to PHI – or copies of health data – to perform services on behalf of a covered entity is considered a business associate. A covered entity and business associate must enter into a contract – a business associate agreement – in which the business associate agrees to comply with certain aspects of the HIPAA Privacy, Security, and Breach Notification Rules. Without a business associate agreement in place, any sharing of PHI would be considered a HIPAA violation.

While Google does not look at the information uploaded to Google Sheets, since Google can potentially access the information, and data is stored on its servers, a business associate agreement would be required.

Will Google Sign a BAA with HIPAA Covered Entities for Google Sheets?

Google is committed to protecting the privacy of its customers’ data and ensuring all of its services are secure and data can always be accessed. Google is aware of the requirements of the Health Insurance Portability and Accountability Act and the firm is prepared to enter into a business associate agreement with HIPAA covered entities for certain services.

Google offers a BAA for G Suite, which includes Google Drive. Google Sheets, Google Docs, Google Slides, and Google Forms are all part of Google Drive and are covered by the BAA.

Google explains in its terms and conditions that any HIPAA covered entity or business associate of a HIPAA covered entity that wishes to use G Suite in connection with any PHI must enter into a BAA with Google before any of its services are used in connection with PHI.

Is Google Sheets HIPAA Compliant?

Since Google offers a BAA, is Google Sheets HIPAA compliant? Google can be considered a HIPAA compliant service provider as Google supports HIPAA compliance for G Suite Basic, G Suite for Education, G Suite Business, and G Suite Enterprise domains and will enter into a BAA with healthcare customers.

Once a BAA has been obtained, it is the responsibility of the covered entity or business associate to ensure that Google Sheets and all other Google Drive and G Suite products and services are used correctly in a manner that does not violate HIPAA Rules.

The post Is Google Sheets HIPAA Compliant? appeared first on HIPAA Journal.

Is IBM Cloud HIPAA Compliant?

Posted by HIPAA Journal

Is IBM Cloud HIPAA compliant? Is the cloud platform suitable for healthcare organizations in the United States to host infrastructure, develop health applications and store files? In this post we assess whether the IBM Cloud supports HIPAA compliance and the platform’s suitability for use by healthcare organizations.

IBM offers a cloud platform to help organizations develop their mobile and web services, build native cloud apps, and host their infrastructure along with a wide range of cloud-based services for the capture, analysis, and processing of data.

The platform has already been adopted by many healthcare providers, payers, and health plans, and applications and portals have been developed to provide patients with better access to their health information.

IBM Cloud Security

IBM is a leader in the field of network and data security, and its expertise has meant its cloud platform is highly secure. Security is built into the core of all of the firm’s software and services to ensure that sensitive data remains confidential and cannot be accessed by unauthorized individuals. Its audit and security reports are made available to its clients to assess during risk analysis and risk management processes.

Business Associate Agreement for the IBM Cloud Platform

Since 2014, IBM has been offering its cloud services to healthcare clients and has been entering into business associate agreements for its social, mobile, meetings, and mail cloud offerings.

IBM’s business associate agreements covers the IBM Cloud and details its responsibilities for security, including technical and physical controls in its data centers, permitted uses and disclosures of PHI, use of subcontractors, and its reporting requirements in the event of a security breach.

Healthcare customers must ensure they have a signed copy of the business associate agreement from IBM before any IBM cloud services are used in conjunction with protected health information.

IBM also offers HIPAA covered entities and their business associates services to help them configure their cloud applications correctly and create appropriate privacy and security solutions.

Is the IBM Cloud HIPAA Compliant?

Is the IBM Cloud HIPAA compliant? IBM meets its responsibilities as a business associate by ensuring its cloud platform meets and exceeds the minimum requirements of the HIPAA Security Rule and IBM agrees to abide by the HIPAA Privacy Rule and Breach Notification Rule.

IBM will enter into a business associate agreement with HIPAA covered entities covering the IBM Cloud, So the IBM Cloud can be considered a HIPAA compliant cloud platform.

However, HIPAA compliance is a shared responsibility. IBM only provides the security and the tools to ensure its cloud platform can be used without violating HIPAA Rules. It is the responsibility of HIPAA-covered entities to ensure that cloud-based infrastructure and applications are not misconfigured, and that stored files are appropriately secured.

The post Is IBM Cloud HIPAA Compliant? appeared first on HIPAA Journal.

1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware

Posted by HIPAA Journal

Almost 1,900 patients of University of Virginia Health System are being notified that an unauthorized individual has gained access to their medical records as a result of a malware infection.

The malware had been loaded onto the devices used by a physician at UVa Medical Center. When medical records were accessed by the physician, the malware allowed the hacker to view the data in real time. The malware was first loaded onto the physician’s electronic devices on May 3, 2015, with access possible until December 27, 2016. Over those 19 months, the hacker was able to view the medical records of 1,882 patients.

The types of information seen by the hacker included names, addresses, dates of birth, diagnoses, and treatment information, according to a UVa spokesperson. Financial information and Social Security numbers were not exposed as they were not accessible by the physician.

Access to the protected health information of its patients stopped in late 2016, although UVa did not discover the breach for almost a year. UVa was notified of the security breach by the FBI on December 23, 2017, following an extensive investigation into the hacker’s activities. Patients impacted by the breach were notified by mail this month.

UVa has since implemented a number of additional security controls to prevent further incidents of this nature from occurring.

Thousands of Victims’ Sensitive Information Viewed

fruitfly malware

Phillip R. Durachinsky

UVa is only one victim of the hacker. Other businesses were also affected and had information compromised, although the extent of the hacker’s activities have not fully been determined. The FBI investigation is continuing, although the hacker has been arrested and charged in a 16-count indictment for numerous computer offenses including violations of the Computer Fraud and Abuse Act and Wiretap Act, in addition to aggregated identity theft and the production of child pornography.

The hacker has been identified as Phillip R. Durachinsky, 28, of North Royalton, Ohio. Durachinsky allegedly developed a Mac malware called FruitFly more than 13 years ago and used the malware to spy on thousands of individuals and companies. The malware provided Durachinsky with full access to an infected device, including access to the webcam. The malware took screenshots, allowed the uploading and downloading of files, and could log keystrokes. Durachinsky also developed the malware to give him a live feed from multiple infected computers simultaneously.

Victims include schools, businesses, healthcare organizations, a police department, and local, state, and federal government officials. Over 13 years, Durachinsky spied on thousands of individuals, mainly using the Mac form of the malware, although a Windows-based variant was also used.

In addition to gaining access to UVa patients records, Durachinsky used the malware to view highly sensitive information of other non-UVa victims. He was able to gain access to financial accounts, photographs, tax records, and internet search histories. Durachinsky also allegedly surreptitiously took photographs of his victims via webcams and kept notes on what he was able to view.

The FBI discovered that an IP address associated with the malware was also used to access Durachinsky’s alumni email account at Case Western Reserve University, which led to his arrest. More than 20 million images were discovered on Durachinsky’s devices by the FBI agents.

The post 1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware appeared first on HIPAA Journal.

Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days

Posted by HIPAA Journal

In January, a new data breach notification bill was introduced in Colorado that proposed updates to state laws to improve protections for residents affected by data breaches. The bill introduced a maximum time frame of 45 days for companies to notify individuals whose personal information was exposed or stolen as a result of a data breach. The definition of personal information was also updated to include a much wider range of information including data covered by HIPAA – medical information, health insurance information, and biometric data.

Last week, Colorado’s House Committee on State, Veterans, and Military Affairs unanimously passed an updated version of the bill, which has now been passed to the Committee on Appropriations for consideration.

The updated bill includes further new additions to the list of data elements classed as personal information – passport numbers, military, and student IDs. There has also been a shortening of the time frame organizations have to issue notifications. Instead of the 45 days proposed in the original bill, the time frame has been cut to just 30 days following the date of determination that a security breach has occurred.

Typically, when states propose legislation to improve protections for state residents whose personal information is exposed, organizations in compliance with federal data breach notification laws are deemed to be in compliance with state laws.

However, the new bill clarifies that will not necessarily be the case. Healthcare organizations covered by HIPAA laws have up to 60 days to issue notifications to breach victims. The amended bill states that when federal laws require notifications to be sent, the breached entity will be required to comply with the law with the shortest time frame for issuing notices.

That means HIPAA covered entities who experience a data breach that impacts Colorado residents would have half as long to issue notifications.

The original bill required breached entities to issue notifications to the state attorney general within 7 days of the discovery of a breach impacting 500 or more Colorado residents. The amended bill has seen that requirement relaxed to 30 days following the discovery of a breach of personal information. Further, the state attorney general does not need to be notified of a breach if there has been no misuse of breached data or if data misuse is unlikely to occur in the future.

If the new legislation is passed, Colorado residents will be among the best protected individuals in the United States. Only Florida has introduced such strict time scales for sending notifications to breach victims. Colorado residents would also be much better protected when their data is exposed by a healthcare organization, with the time frame for notification cut in half.

The post Updated Colorado Data Breach Notification Advances: Reporting Period Cut to 30 Days appeared first on HIPAA Journal.

Research Institutions Given Additional 6 Months to Comply with Updated Common Rule

Posted by HIPAA Journal

Updates to the Common Rule – The Federal Policy for the Protection of Human Subjects – that were initially due to come into effect on January 19, 2018 have been delayed by 6 months, giving research organizations more time to comply with the new provisions. The new compliance date is July 19, 2018, although the provision covering cooperative research still has a compliance date of Jan 20, 2020.

Several healthcare organizations, including the American Medical Informatics Association (AMIA), the Associated of American Medical Colleges (AAMC), and the Association of American Universities (AAU), called for the compliance date to be pushed back due to uncertainty surrounding the final rule. A delay would allow institutions additional time to ensure compliance and would allow federal agencies more time to issue guidance to researchers to help them implement the updated regulations.

16 federal departments, including the Department of Health and Human Services, made revisions to the Common Rule. In a notice of proposed Rulemaking, the need for the delay to the compliance date was explained. “Without a delay, and without guidance, institutions that have expected a delay who hastily attempt to implement the revised rule without adequate preparation are bound to make mistakes, the consequences of which may jeopardize the proper conduct of research and the safety and wellbeing of human subjects.”

While the delay will be welcomed by many organizations, those that had already prepared to comply with the new provisions of the Common Rule ahead of the January 19 compliance date will now need to continue with their old policies and procedures for a further six months, which may cause some conflicts.

Changes to the Common Rule

The final rule update to the Common Rule was issued on January 19, 2017 on the last day of the Obama administration. One of the main reasons for the update was since the Common Rule was introduced in 1991, there have been many changes to how research is conducted.

At the time, research was mainly conducted in universities and medical institutions, with studies taking place at a single site. Today, the scale of research studies has increased, they often involve multiple sites, data is now digital, and the research is now more diverse. An update to the Common Rule was therefore long overdue.

The changes will improve privacy protections for research participants. The updated Common Rule is closely with the HIPAA Privacy Rule and introduces further safeguards to protect the privacy of research participants, while also improving the availability of health data for secondary research.

The update sees consent requirements changed to require information about research studies to be detailed on consent forms in language that a reasonable person would understand. The changes also make it possible for broad consent for secondary research to be obtained, which will improve the availability of patient-reported data and biospecimens for research.  The changes will also help research institutions obtain up-to-the-minute data from mobile applications and devices used by patients.

The updates clarify that certain public health surveillance activities are exempt from Common Rule restrictions, which will help with monitoring the spread of disease in the United States. Certain low-risk studies conducted by HIPAA Covered entities will also be exempt.

The HHS has also pointed out that the oversight system will not add an unnecessary administrative burden and the update has introduced greater flexibility to match today’s dynamic research environment.

Comments on the Interim Final Rule are being accepted until March 23, 2018 and guidance to help institutions comply with the Common Rule changes will be released over the coming weeks.

The post Research Institutions Given Additional 6 Months to Comply with Updated Common Rule appeared first on HIPAA Journal.

AJMC Study Reveals Common Characteristics of Hospital Data Breaches

Posted by HIPAA Journal

The American Journal of Managed Care has published a study of hospital data breaches in the United States. The aim of the study was to identify common characteristics of hospital data breaches, what the biggest problem areas are, the main causes of security incidents and the types of information most at risk.

The study revealed hospitals are the most commonly breached type of healthcare provider, accounting for approximately 30% of all large healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights by providers between 2009 and 2016.

Over that 7-year time period there were 215 breaches reported by 185 nonfederal acute care hospitals and 30 hospitals experienced multiple breaches of 500 or more healthcare records. One hospital experienced 4 separate breaches in the past 7 years, five hospitals had 3 breaches, and 24 hospitals experienced 2 breaches. In addition to hospitals experiencing the highest percentage of security breaches, those breaches also resulted in the theft/exposure of the highest number of health records.

While hacks were commonly experienced, it was not electronic healthcare data that was the biggest problem area. Paper and film were the most common locations of breached protected health information. 65 hospitals reported paper/film data breaches over the time period that was studied; however, while those breaches were the most common, they typically affected a relatively small number of patients.

Recently, there has been an increase in hacks and malware and ransomware attacks on network servers, although between 2009 and 2016 – for hospitals at least – network servers were the least common location of breached PHI. While the least common, they were the most severe. Network server breaches resulted in the highest number of stolen records.

The second most common location of breaches was PHI stored in locations other than paper/film, laptops, email, desktops, EHRs, or network servers. Those breaches had been reported by 56 hospitals. In third place was laptop breaches, reported by 51 hospitals.

The types of data breaches most commonly experienced were theft incidents, which had been reported by 112 hospitals. Unauthorized access/disclosures were in second place with incidents reported by 54 hospitals. Hacking/IT incidents was third and was behind 27 hospital data breaches.

Multivariate logistic regression analyses were performed to explore factors associated with hospital data breaches. The researchers found significant differences between hospitals that had experienced a data breach and those that had not.

Teaching hospitals and pediatric hospitals were found to be the most susceptible to data breaches. 18% of teaching hospitals had experienced at least one data breach, compared to 3% without a breach. Six percent of pediatric hospitals had experienced a breach compared to 2% that had not.

Larger hospitals were also more prone to data breaches than smaller facilities. 26% of large hospitals had experienced a data breach, compared to 10% that had no breaches. Investor-owned hospitals had reported fewer breaches than not-for profit hospitals.

There were no significant differences based on the level of IT sophistication, health system membership, biometric security use, hospital region, or area characteristics.

The researchers suggest that while hospitals have invested in technology and have digitized health data to meet Meaningful Use requirements, security has not been a major focus and investment in data security has been lacking. Hospitals are typically only spending 5% of their IT budgets on security and that needs to improve if hospital data breaches are to be prevented. Security measures also need to be improved for paper/films to reduce the opportunity for unauthorized access and theft.

The researchers suggest hospitals should be conducting regular audits to determine who is accessing PHI, while audits of data security protections will help hospitals identify vulnerabilities before they are exploited.

The use of biometric identifiers can limit the potential for unauthorized access of ePHI and 2-Factor authentication should be implemented on all user accounts.

The researchers also suggest access to PHI should be limited to the minimum necessary amount to allow employees to complete their work duties. By restricting access, the severity of data breaches will be reduced.

The methodology, full results, and conclusions can be found on this link.

The post AJMC Study Reveals Common Characteristics of Hospital Data Breaches appeared first on HIPAA Journal.