Healthcare Data Privacy

How Can Healthcare Organizations Prevent Phishing Attacks?

Posted by HIPAA Journal

The threat from phishing is greater than ever before. Healthcare organizations must now invest heavily in phishing defenses to counter the threat and prevent phishing attacks and the theft of credentials and protected health information.

Phishing on an Industrial Scale

More phishing websites are being developed than ever before. The scale of the problem was highlighted in the Q3 Quarterly Threat Trends Report from Webroot. In December 2016, Webroot reported there were more than 13,000 new phishing websites created every day – Around 390,000 new phishing webpages every month. By Q3, 2017, that figure had risen to more than 46,000 new phishing webpages a day – around 1,385,000 per month. The report indicated 63% of companies surveyed had experienced a phishing related security incident in the past two years.

Phishing webpages need to be created on that scale as they are now detected much more rapidly and added to blacklists. Phishing websites now typically remain active for between 4-6 hours, although that short time frame is sufficient for each site to capture many users’ credentials. Many of those websites also have an SSL certificate, so they appear to users to be secure websites. A website starting with HTTPS is no guarantee that it is not being used for phishing.

Study Provides Insight into Phishing Tactics

While phishers often use their own domains to phish for credentials, a recent report from Duo Security showed legitimate websites are increasingly being compromised and loaded with phishing kits. The study identified more than 3,200 unique fishing kits spread across 66,000 URLs. These phishing kits are being traded on underground marketplaces and sold to accomplished phishers and wannabe cybercriminals. 16% of those URLs were on HTTPS websites.

Duo Security notes that persistence is maintained by creating a .htaccess file that blocks the IP addresses of threat intelligence gathering firms to prevent detection. The Webroot report also highlighted an increase in the use of benign domains for phishing.

The phishing kits are typically loaded into the wp-content, wp-includes, and wp-admin paths of WordPress sites, and the signin, images, js, home, myaccount, and css folders on other sites. Organizations should monitor for file changes in those directories to ensure their sites are not hijacked by phishers. Strong passwords should also be used along with non-standard usernames and rate limiting on login attempts to improve resilience against brute force attacks.

How to Prevent Phishing Attacks

Unfortunately, there is no single solution that will allow organizations to prevent phishing attacks, although it is possible to reduce risk to an acceptable level. In the healthcare industry, phishing defenses are a requirement of HIPAA and steps must be taken to reduce risk to a reasonable and acceptable level. The failure to address the risk from phishing can result in financial penalties for noncompliance.

Defenses should include a combination of technological solutions to prevent the delivery of phishing emails and to block access to phishing URLs. Employees must also receive regular training to help them identify phishing emails.

As OCR pointed out in its July Cybersecurity newsletter, HIPAA (45 C.F.R. § 164.308(a)(5)(i)) requires organizations to provide regular security awareness training to employees to help prevent phishing attacks. OCR explained that “An organization’s training program should be an ongoing, evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them.”

Due to the increased use of HTTPS, it is no longer sufficient for users to check that the site is secure to avoid phishing scams. While a site starting with HTTPS does give an indication that the site is secure, it is important that end users do not automatically trust those websites and let their guard down. Just because a website has an SSL certificate it does not mean it can be trusted. Users should also be told to pay particular attention to the domain name to make sure that they are visiting their intended website, and always to exercise caution before deciding to disclose any login credentials.

Even with security awareness training, employees cannot be expected to recognize all phishing attempts. Phishers are developing increasingly sophisticated phishing emails that are barely distinguishable from genuine emails. Websites are harder to identify as malicious, emails are well written and convincing, and corporate branding and logos are often used to fool end users. Technological solutions are therefore required to reduce the number of emails that reach inboxes, and to prevent users from visiting malicious links when they do.

A spam filtering solution is essential for reducing the volume of emails that are delivered. Organizations should also consider using a web filtering solution that can block access to known phishing websites. The most effective real-time URL filtering solutions do not rely on blacklists and banned IP addresses to block attacks. Blacklists still have their uses and can prevent phishing attacks, but phishing websites are typically only active for a few hours – Before the sites are identified as malicious and added to blacklists. A range of additional detection mechanisms are required to block phishing websites. Due to the increase in phishing sites on secure websites, web filters should be able to decrypt, scan, and re-encrypt web traffic.

Healthcare organizations should also sign up to threat intelligence services to receive alerts about industry-specific attacks. To avoid being swamped with irrelevant threat information, services should be tailored to ensure only treat information relevant to each organization is received.

The post How Can Healthcare Organizations Prevent Phishing Attacks? appeared first on HIPAA Journal.

Can A Patient Sue for A HIPAA Violation?

Posted by HIPAA Journal

Yes, a patient can sue for a HIPAA violation and there are an increasing number of class action suits for protected health information data breaches, although not under the provisions of the HIPAA law. There is no private cause of action in HIPAA, so it is not possible for a patient to directly sue for a HIPAA violation under the HIPAA law. Even if HIPAA Rules have clearly been violated by a healthcare provider, and harm has been suffered as a direct result, it is not possible for patients to seek damages, at least not for the violation of HIPAA Laws. So, if it is not possible for a patient to directly sue for a HIPAA violation, does that mean legal action cannot be taken against a covered entity when HIPAA has clearly been violated? While HIPAA does not have a private cause of action, it is possible for patients to take legal action against healthcare providers and obtain damages for violations of state laws.

In some states, it is possible to file a lawsuit against a HIPAA covered entity on the grounds of negligence or for a breach of an implied contract, such as if a covered entity has failed to protect medical records. In such cases, it will be necessary to prove that damage or harm has been caused as a result of negligence or the theft of unsecured personal information.

Taking legal action against a covered entity can be expensive and there is no guarantee of success. Patients should therefore be clear about their aims and what they hope to achieve by taking legal action. An alternative course of action may help them to achieve the same aim.

Filing Complaints for HIPAA Violations

If HIPAA Rules are believed to have been violated, patients can file complaints with the federal government and in most cases complaints are investigated. Action may be taken against the covered entity if the compliant is substantiated and it is established that HIPAA Rules have been violated. The complaint should be filed with the Department of Health and Human Services’ Office for Civil Rights (OCR).

While complaints can be filed anonymously, OCR will not investigate any complaints against a covered entity unless the complainant is named and contact information is provided.

A complaint should be filed before legal action is taken against the covered entity under state laws. Complaints must be filed within 180 days of the discovery of the violation, although in limited cases, an extension may be granted.

Complaints can also be filed with state attorneys general, who also have the authority to pursue cases against HIPAA-covered entities for HIPAA violations.

The actions taken against the covered entity will depend on several factors, including the nature of the violation, the severity of the violation, the number of individuals impacted, and whether there have been repeat violations of HIPAA Rules.

The penalties for HIPAA violations are detailed here, although many complaints are resolved through voluntary compliance, by issuing guidance, or if an organization agrees to take corrective action to resolve the HIPAA issues that led to the complaint. Complaints may also be referred to the Department of Justice to pursue cases if there has been a criminal violation of HIPAA Rules.

Complaints about individuals can also be filed with professional boards such as the Board of Medicine and the Board of Nursing.

How to File a Lawsuit for a HIPAA Violation

If you have been informed that your protected health information has been exposed as a result of a healthcare data breach, or you believe your PHI has been stolen from a specific healthcare organization, you may be able to take legal action against the breached entity to recover damages for any harm or losses suffered as a result of the breach.

The first step to take is to submit a complaint about the violation to the HHS’ Office for Civil Rights. This can be done in writing or via the OCR website. If filing a complaint in writing, you should use the official OCR complaint form and should keep a copy to provide to your legal representative.

You will then need to contact an attorney to take legal action against a HIPAA covered entity. You can find attorneys through your state or local bar association. Try to find an attorney or law firm well versed in HIPAA regulations for the greatest chance of success and contact multiple law firms and speak with several attorneys before making your choice.

There will no doubt be many other individuals who are in the same boat, some of whom may have already taken legal action. Joining an existing class action lawsuit is an option. The more individuals involved, the stronger the case is likely to be.

Many class action lawsuits have been filed on behalf of data breach victims that have yet to experience harm due to the exposure or theft of their data. The plaintiffs claim for damages for future harm as a result of their data being stolen. However, without evidence of actual harm, the chances of success will be greatly reduced.

Can a Patient Sue for a HIPAA Violation? FAQs

What kind of lawyer deals with HIPAA violations?

Most lawyers will be prepared to offer advice about whether you have a claim for a HIPAA violation; and, if the violation occurred with the previous 180 days, may pursue a civil claim on your behalf against a Covered Entity or Business Associate. Often the lawyer´s willingness to take on a claim will depend on the nature of the violation, the nature of harm you suffered, and the state laws that apply in your location.

What happens after a HIPAA complaint is filed?

This depends on who you make the complaint to. If you complain directly to the organization that violated your HIPAA rights, the complaint will be dealt with internally (unless it involves a breach of unsecured PHI, in which case the organization is required by law to notify HHS´ Office for Civil Rights.

If you complain to a state Attorney General, the Office of the Attorney General may investigate the organization directly on your behalf or escalate your complaint to HHS´ Office for Civil. If the complaint is escalated – or you complain directly to the Office for Civil Rights – your compliant will be acknowledged and sent for review.

If the review confirms a HIPAA violation, the organization will be contacted to obtain their “side of the story”. Depending on how the organization responds, the Office for Civil Rights may initiate an investigation or reject your compliant. You will be informed of the decision and any subsequent outcome of an investigation.

Has a patient ever successfully sued for a HIPAA violation?

No. However, the HIPAA Privacy Standards have been used in court cases as a benchmark of the level of privacy an individual can reasonably expect. One of the most frequently-quoted cases in this respect is Byrne versus the Avery Center for Obstetrics and Gynecology. This case was originally denied when the plaintiff pursued compensation for a violation of HIPAA, but the decision was reversed on appeal when the claim was changed to a violation in the duty of confidentiality.

Have there ever been successful class actions for a HIPAA violation?

There have been several settled class actions involving HIPAA Covered Entities who have failed to adequately protect personal information (note: not for violating HIPAA). Furthermore, class actions are frequently settled without an admission of liability (as in Jessie Seranno et al. v. Inmediata Corp.), so it would be incorrect to classify the class actions as “successful”.

How can I find out if my state has a privacy law I can use to claim for a HIPAA violation?

The International Association of Privacy Professionals maintains a web page tracking privacy legislation by state. It is important to note that many of the privacy laws listed on the web page are still to be passed or enacted, and some may not contain provisions that could support a claim for a HIPAA violation. To establish whether you have a claim for a HIPAA violation under your state´s consumer rights legislation, you should speak with an attorney.

I have received a letter stating my health data has been breached. What should I do?

Your response to the breach should be appropriate to nature of the data disclosed. The nature of the data exposed should be explained to you in the letter as well as advice on the measures you should take to protect yourself from fraud and theft. The letter should also contain contact information to find out more about the breach. In several cases, healthcare organizations have provided free credit monitoring services, and it may be in your best interests to find out if these are available to you.

What happens after a HIPAA complaint is filed?

This depends on who the complaint is made to, the nature of the violation, and whether it involves a criminal motive. Complaints made by patients directly to their healthcare provider are usually dealt with internally unless they involve an impermissible disclosure of unsecured PHI – in which case the healthcare provider will escalate it to HHS´ Office for Civil Rights under the Breach Notification Rule.

When a complaint is escalated – or when a complaint is made directly to HHS´ Office for Civil Rights – the complaint is reviewed to see if it is justifiable and, if so, if it can be resolved via technical assistance. If the resolution of the complaint requires more than technical assistance, HHS´ Office for Civil Rights will conduct an investigation and potentially impose a correct action plan or fine.

Complaints can also be made to state attorneys general, who work with HHS´ Office for Civil Rights to resolve the violation. However, if a violation potentially involves a criminal motive, the Office for Civil Rights will refer the complaint to the Department of Justice for investigation. In these cases, the person making the complaint may be required to provide evidence for the investigation to proceed.

The post Can A Patient Sue for A HIPAA Violation? appeared first on HIPAA Journal.

When Should You Promote HIPAA Awareness?

Posted by HIPAA Journal

All employees must receive training on HIPAA Rules, but when should you promote HIPAA awareness? How often should HIPAA retraining take place?

HIPAA-covered entities, business associates and subcontractors are all required to comply with HIPAA Rules, and all workers must receive training on HIPAA. HIPAA training should ideally be provided before any employee is given access to PHI.

Training should cover the allowable uses and disclosures of PHI, patient privacy, data security, job-specific information, internal policies covering privacy & security, and HIPAA best practices.

The penalties for HIPAA violations, and the consequences for individuals discovered to have violated HIPAA Rules, must also be explained. If employees do not receive training, they will not be aware of their responsibilities and privacy violations are likely to occur.

Additional training must also be provided whenever there is a material change to HIPAA Rules or internal policies with respect to PHI, following the release of new guidance, or implementation of new technology.

HIPAA Training Cannot be a One-Time Event

The provision of training at the start of an employment contract is essential, but training cannot be a one-time event. It is important to ensure employees do not forget about their responsibilities, so retraining is necessary and a requirement for continued HIPAA compliance.

HIPAA does not specify how often retraining should occur, as this is left to the discretion of the covered entity. HIPAA only requires retraining to be conducted ‘regularly.’ The industry best practice is for retraining to take place annually.

The HIPAA Privacy Rule Administrative requirements, detailed in 45 CFR § 164.530, require all members of the workforce to receive training on HIPAA Rules and policies and procedures with respect to PHI. Training should be provided, as appropriate, to allow employees to conduct their work duties and functions within the covered entity. One training program therefore does not fit all. HIPAA training for the IT department is likely to be different to training provided to administrative workers. The Privacy Rule requires training to be provided for all new employees “within a reasonable timeframe”.

The HIPAA standard 45 CFR § 164.308(a)(5) covers two types of training – Job-specific training and security awareness training, neither of which can be a one-time event.

While it is important to provide training for HIPAA compliance and security awareness, it is also important to ensure that training has been understood, that it is remembered, and to ensure HIPAA Rules are followed on a day to day basis. It therefore recommended that you promote HIPAA awareness throughout the year.

How to Promote HIPAA Awareness

There is no hard and fast rule for HIPAA retraining and there are many ways that healthcare organizations can promote HIPAA awareness. While formal training sessions can be conducted on an annual basis, the use of newsletters, email bulletins, posters, and quizzes can all help to raise and maintain awareness of HIPAA Rules.

In the case of security awareness training this is especially important. Annual training on HIPAA is a good best practice, but it is important to promote HIPAA awareness with respect to security more frequently. It is a good best practice to provide security awareness training biannually and issue cybersecurity updates on a monthly basis. Any specific threats to the workforce should be communicated as necessary – new phishing threats for instance. However, care should be taken not to bombard employees with threat information, to avoid employees suffering from alert fatigue.

When HIPAA Retraining Required?

In addition to annual refresher training sessions, retraining on HIPAA Rules is recommended following any privacy or security violation and after a data breach has been experienced.

While the individuals concerned should be retrained, it is a good best practice to take these incidents as a training opportunity for all staff to ensure similar breaches do not occur in the future. If one employee makes a mistake with HIPAA, it is possible that others have failed to understand HIPAA requirements or are making similar mistakes.

The post When Should You Promote HIPAA Awareness? appeared first on HIPAA Journal.

Former Employees of Virginia Medical Practice Inappropriately Used Patient Information

Posted by HIPAA Journal

Two former employees of Valley Family Medicine in Staunton, VA have been discovered to have inappropriately used a patient list, in violation of the practice’s policies.

The list was used to inform patients of a new practice that was opening in the area. One of the employees used the list to send postcards to Valley Family Medicine patients to advise them that a new practice, unaffiliated to Valley Family Medicine, was being opened. Patients were invited to visit the new practice.

The mailing was sent in mid-July this year, although it was not discovered by Valley Family Medicine until September 15. The discovery prompted a full investigation of the breach, which confirmed that the only information used by the employees was the information contained on the list. That information was limited to names and addresses. No other protected health information was taken or used by the employees.

Those two individuals are no longer employed at the practice and the list has now been recovered. Valley Family Medicine is satisfied that there have been no further misuses or disclosures of the information, and that no other copies of the list exist.

In compliance with HIPAA Rules, the breach has been reported to appropriate authorities, including the Department of Health and Human Services’ Office for Civil Rights. All 8,450 patients on the list have been sent a breach notification letter explaining the nature of the incident and informed that there should be no further consequences for patients.

The post Former Employees of Virginia Medical Practice Inappropriately Used Patient Information appeared first on HIPAA Journal.

Is G Suite HIPAA Compliant?

Posted by HIPAA Journal

Is G Suite HIPAA compliant? Can G Suite be used by HIPAA-covered entities without violating HIPAA Rules?

Google has developed G Suite to include privacy and security protections to keep data secure, and those protections are of a sufficiently high standard to meet the requirements of the HIPAA Security Rule. Google will also sign a business associate agreement (BAA) with HIPAA covered entities. So, is G Suite HIPAA compliant? G Suite can be used without violating HIPAA Rules, but HIPAA compliance is more about the user than the cloud service provider.

Making G Suite HIPAA Compliant (by default it isn’t)

As with any secure cloud service or platform, it is possible to use it in a manner that violates HIPAA Rules. In the case of G Suite, all the safeguards are in place to allow HIPAA covered entities to use G Suite in a HIPAA compliant manner, but it is up to the covered entity to ensure that G Suite is configured correctly. It is possible to use G Suite and violate HIPAA Rules.

Obtain a BAA from Google

One important requirement of HIPAA is to obtain a signed, HIPAA-compliant business associate agreement (BAA).

Google first agreed to sign a business associate agreement with healthcare organizations in 2013, back when G Suite was known as Google Apps. The BAA must be obtained prior to G Suite being used to store, maintain, or transmit electronic protected health information. Even though privacy and security controls are in place, the failure to obtain a BAA would be a HIPAA violation.

Obtaining a signed BAA from Google is the first step toward HIPAA compliance, but a BAA alone will not guarantee compliance with HIPAA Rules.

Configure Access Controls

Before G Suite can be used with any ePHI, the G Suite account and services must be configured correctly via the admin console. Access controls must be set up to restrict access to the services that are used with PHI to authorized individuals only. You should set up user groups, as this is the easiest way of providing – and blocking – access to PHI, and logs and alerts must be also be configured.

You should also make sure all additional services are switched off if they are not required, switch on services that include PHI ‘on for some organizations,’ and services that do not involve PHI can be switched on for everyone.

Set Device Controls

HIPAA-covered entities must also ensure that the devices that are used to access G Suite include appropriate security controls. For example, if a smartphone can be used to access G Suite, if that device is lost or stolen, it should not be possible for the device to be used by unauthorized individuals. A login must be required to be entered on all mobiles before access to G Suite is granted, and devices configured to automatically lock. Technology that allows the remote erasure of all data (PHI) stored on mobile devices should also be considered. HIPAA-covered entities should also set up two-factor authentication.

Not All Google Services are Covered by the BAA

You may want to use certain Google services even if they are not covered by the BAA, but those services cannot be used for storing or communicating PHI. For example, Google+ and Google Talk are not included in the BAA and cannot be used with any PHI.

If you do decide to leave these services on, you must ensure that your policies prohibit the use of PHI with these services and that those policies are effectively communicated to all employees. Employees must also receive training on G Suite with respect to PHI to ensure HIPAA Rules are not accidentally violated.

What Services in G Suite are HIPAA Compliant?

At the time of writing, only the following core services of G Suite are covered by Google’s BAA, and can therefore be used with PHI:

  • Gmail (Not free Gmail accounts)
  • Calendar
  • Drive
  • Apps Script
  • Keep
  • Sites
  • Jamboard
  • Hangouts (Chat messaging only)
  • Google Cloud Search
  • Vault

Google Drive

In the case of Google Drive, it is essential to limit sharing to specific people. Otherwise it is possible that folders and files could be accessed by anyone over the Internet> drives should be configured to only allow access by specific individuals or groups. Any files uploaded to Google Drive should not include any PHI in titles of files, folders, or Team Drives.

Gmail

Gmail, the free email service offered by Google, is not the same as G Suite. Simply using a Gmail account (@gmail.com) to send PHI is not permitted. The content of Gmail messages is scanned by third parties. If PHI is included, it is potentially being ‘accessed’ by third parties, and deleting an email does not guarantee removal from Google’s servers. Free Gmail accounts are not HIPAA compliant.

G Suite HIPAA Compliance is the Responsibility of Users

Google encourages healthcare organizations to use G Suite and has done what it can to make G Suite HIPAA compliant, but Google clearly states it is the responsibility of the user to ensure that the requirements of HIPAA are satisfied.

Google help healthcare organziations make G Suite HIPAA compliant, Google has developed guidance for healthcare organizations on setting up G Suite: See Google’s G Suite HIPAA Implementation Guide.

The post Is G Suite HIPAA Compliant? appeared first on HIPAA Journal.

What Happens if a Nurse Violates HIPAA?

Posted by HIPAA Journal

What happens if a nurse violates HIPAA Compliance Rules? How are HIPAA violations dealt with and what are the penalties for individuals that accidentally or deliberately violate HIPAA and access, disclose, or share protected health information (PHI) without authorization?  

The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules must be followed by all covered entities and their business associates. The failure to comply with HIPAA Rules can result in significant penalties for HIPAA covered entities. Business associates of covered entities can also be fined directly for HIPAA violations, but what about individual healthcare workers such as nurses? What happens if a nurse violates HIPAA Rules?

What are the Penalties if a Nurse Violates HIPAA?

Accidental HIPAA violations by nurses happen, even when care is taken to follow HIPAA Rules. While all HIPAA violations can potentially result in disciplinary action, most employers would accept that accidental violations are bound to occur from time to time. In many cases, minor violations of HIPAA Rules may not have negative consequences and can be dealt with internally. Employers may decide to provide additional training in some cases to ensure the requirements of HIPAA are fully understood.

If a nurse violates HIPAA by accident, it is vital that the incident is reported to the person responsible for HIPAA compliance in your organization – the Privacy Officer, if your organization has appointed one – or your supervisor. The failure to report a minor violation could have major consequences. You can read more about accidental HIPAA violations here.

Serious violations of HIPAA Rules, even when committed without malicious intent, are likely to result in disciplinary action, including termination and punishment by the board of nursing. Termination for a HIPAA violation does not just mean loss of current employment and benefits. It can make it very hard for a nurse to find alternative employment. HIPAA-covered entities are unlikely to recruit a nurse that has previously been fired for violating HIPAA Rules.

Willful violations of HIPAA Rules, including theft of PHI for personal gain or use of PHI with intent to cause harm, can result in criminal penalties for HIPAA violations. HIPAA-covered entities are likely to report such incidents to law enforcement and investigations will be launched. Complaints about HIPAA violations submitted to the Office for Civil Rights can be referred to the Department of Justice to pursue criminal penalties, including fines and imprisonment. Criminal prosecutions are rare, although theft of PHI for financial gain is likely to result in up to 10 years in jail.

There is no private cause of action in HIPAA. If a nurse violates HIPAA, a patient cannot sue the nurse for a HIPAA violation. There may be a viable claim, in some cases, under state laws.

Further information on the penalties for HIPAA violations are detailed here.

Examples of HIPAA Violations by Nurses

The list of possible HIPAA violations by nurses is long, although the most common nurse HIPAA violations are listed below.

  • Accessing the PHI of patients you are not required to treat
  • Gossiping – Talking about specific patients and disclosing their health information to family, friends & colleagues
  • Disclosing PHI to anyone not authorized to receive the information
  • Taking PHI to a new employer
  • Theft of PHI for personal gain
  • Use of PHI to cause harm
  • Improper disposal of PHI – Discarding protected health information with regular trash
  • Leaving PHI in a location where it can be accessed by unauthorized individuals
  • Disclosing excessive PHI and violating the HIPAA minimum necessary standard
  • Using the credentials of another employee to access EMRs/Sharing login credentials
  • Sharing PHI on social media networks (See below)

Nurses Who Violate HIPAA with Social Media

Sharing protected health information on social media websites should be further explained. There have been several instances in recent years of nurses who violate HIPAA with social media.

Posting any protected health information on social media websites, even in closed Facebook groups, is a serious HIPAA violation. The same applies to sharing PHI including photographs and videos of patients via messaging apps such as WhatsApp, Skype, and Facebook Messenger. Unless prior authorization has been received from a patient, in writing, nurses should avoid sharing photographs and videos of patients (or any PHI) on social media sites. The National Council of State Boards of Nursing (NCSBN) has released a useful guide for nurses on the use of social media (on this link).

There have been several recent cases of nurses taking photographs and videos of patients in compromising positions, recording abuse of patients in nursing homes, and taking embarrassing or degrading photographs and sharing them with friends via social media networks.

There has been considerable publicity surrounding the practice, following the publication of a report on the extent to which this is occurring by ProPublica (Summarized here). In that case it involved the sharing of photographs of patients on Snapchat. 35 separate cases were uncovered.

In January, a nursing assistant was fired for sharing videos and photos of abuse of a patient with Alzheimer’s on Snapchat. A criminal complaint was filed and the nursing assistant faces up to three and a half years in jail if convicted.

What Happens when a Nurse Violates HIPAA? FAQs

What are the most common causes of HIPAA violations by nurses?

Each year, HHS publishes a table indicating the top five issues in investigated cases. While the table does not distinguish between HIPAA violations by nurses and Covered Entities´ non-compliance, the most common causes of HIPAA violations in recent years that could be attributed to nurses include impermissible uses and disclosures of PHI, the failure to respond to – or a delay in responding to – patient access requests, and failing to comply with the Minimum Necessary Standard.

If a nurse accidently discloses ePHI due to a Covered Entity failing to implement a technical safeguard, who is at fault?

The designation of fault can depend on many factors. For example: Should the nurse have known their actions may have resulted in an accidental disclosure of ePHI? Had the actions been covered in security and awareness training? Was the technical safeguard an addressable or required safeguard? What was the impact of the accidental disclosure? Without knowing the answers to these questions, it is impossible to determine who is at fault for the accidental disclosure.

What happens if a nursing student violates HIPAA?

The consequences of HIPAA violation by a nursing student can also depend on many factors. For example: Had the nursing student received adequate training before being exposed to PHI/ePHI? Was the nursing student accompanied by a preceptor or supervisor who should have prevented the HIPAA violation? Was the HIPAA violation attributable to a lack of knowledge, or was it a malicious act? Had the nursing student been given a copy of the Covered Entity´s sanctions policy? Again, without knowing the answers to these questions, it is impossible to discuss potential consequences.

Can a nurse be held responsible for a HIPAA violation if the non-compliant event occurs frequently in the nursing unit?

Nurses are under intense pressure to work as efficiently as possible; and, due to this pressure, there may be times when shortcuts are taken with HIPAA compliance in order to “get the job done”. When shortcuts develop into a “cultural norm”, HIPAA violations can occur frequently without them being recognized as HIPAA violations. However, although the HIPAA violations might not be recognized as such within the nursing unit, a nurse can still be held responsible for a violation – albeit an unintentional violation – that results from an unofficial working practice.

Why is it a violation of HIPAA to share EMR login credentials?

Under the Administrative Safeguards of the Security Rule (45 CFR § 164.308) Covered Entities are required to implement procedures that record system activity including who accesses systems containing ePHI and when. If nurses share EMR login credentials, it is impossible for Covered Entities to accurately monitor system access or determine if a system containing ePHI has been access by a person without authorization.

The post What Happens if a Nurse Violates HIPAA? appeared first on HIPAA Journal.

New Study Reveals Lack of Phishing Awareness and Data Security Training

Posted by HIPAA Journal

There is a commonly held view among IT staff that employees are the biggest data security risk; however, when it comes to phishing, even IT security staff are not immune. A quarter of IT workers admitted to falling for a phishing scam, compared to one in five office workers (21%), and 34% of business owners and high-execs, according to a recent survey by Intermedia.

For its 2017 Data Vulnerability Report, Intermedia surveyed more than 1,000 full time workers and asked questions about data security and the behaviors that can lead to data breaches, malware and ransomware attacks.

When all it takes is for one employee to fall for a phishing email to compromise a network, it is alarming that 14% of office workers either lacked confidence in their ability to detect phishing attacks or were not aware what phishing is.

Confidence in the ability to detect phishing scams was generally high among office workers, with 86% believing they could identify phishing emails, although knowledge of ransomware was found to be lacking, especially among female workers. 40% of female workers did not know what ransomware was, compared to 28% of male workers. 31% of respondents said they did not know what ransomware was prior to taking part in staff training sessions.

The survey revealed security awareness training was lacking at many businesses. 30% of office workers said they did not receive regular training on how to deal with cyber threats. Even though the threat level has risen significantly in the past two years, many businesses have not responded. The 2015 data vulnerability report shows 72% of companies regularly communicated cyber threat information to employees and provided regular training, but in 2017 little has changed. Only 70% of companies provide regular training and threat information to employees. 11% of companies offered no security training whatsoever.

The recently published Global State of Security Survey by Pricewaterhouse Coopers, which was conducted globally on 9,500 executives in 122 countries, suggests the percentage of companies that do not provide security awareness training may well be far higher – 48% of respondents to that survey said they have no employee security awareness training program in place.

Many Employees Pay Ransoms Personally

One of the most interesting insights into ransomware attacks on businesses from the Intermedia study was many employees are so embarrassed and concerned about installing ransomware that they pay the ransom demand out of their own pocket.

Out of the office workers that had experienced a ransomware attack, 59% personally paid the ransom. 37% said the ransom was paid by their employer. The average ransom payment was $1,400. The ransom was typically paid quickly in the hope that data could be restored before anyone else found out about the attack.

While employees were not asked whether they would be made to pay the ransom by their employers, paying the ransom quickly to prevent anyone discovering the attack is unlikely to work. Even when the ransom is paid, businesses still experience considerable downtime. The same study also indicates one in five ransom payments will not see viable decryption keys provided by the attackers.

The post New Study Reveals Lack of Phishing Awareness and Data Security Training appeared first on HIPAA Journal.

HIMSS Draws Attention to Five Current Cybersecurity Threats

Posted by HIPAA Journal

In its October Cybersecurity report, HIMSS draws attention to five current cybersecurity threats that could potentially be used against healthcare organizations to gain access to networks and protected health information.

Wi-Fi Attacks

Security researchers have identified a new attack method called a key reinstallation (CRACK) attack that can be conducted on WiFi networks using the WPA2 protocol. These attacks take advantage of a flaw in the way the protocol performs a 4-way handshake when a user attempts to connect to the network. By manipulating and replaying the cryptographic handshake messages, it would be possible to reinstall a key that was already in use and to intercept all communications. The use of a VPN when using Wi-Fi networks is strongly recommended to limit the potential for this attack scenario and man-in-the-middle attacks.

BadRabbit Ransomware

Limited BadRabbit ransomware attacks have occurred in the United States, although the NotPetya style ransomware attacks have been extensive in Ukraine. As with NotPetya, it is believed the intention is to cause disruption rather than for financial gain. The attacks are now known to use NSA exploits that were also used in other global ransomware attacks. Mitigations include ensuring software and operating systems are kept 100% up to date and all patches are applied promptly. It is also essential for that backups are regularly performed. Backups should be stored securely on at least two different media, with one copy stored securely offsite on an air-gapped device.

Advanced Persistent Threats

A campaign conducted by an APT group known as Dragonfly has been ongoing since at least May 2017. The APT group is targeting critical infrastructure organizations. The typical attack scenario is to target small networks with relatively poor security, and once access has been gained, to move laterally to major networks with high value assets. While the group has primarily been attacking the energy sector, the healthcare industry is also at risk. Further information on the threat and the indicators of compromise can be found on the US-CERT website.

DDE Attacks

In October, security researchers warned of the risk of Dynamic Data Exchange (DDE) attacks targeting Outlook users. This attack scenario involves the use of calendar invites sent via phishing emails. The invites are sent in Rich Text Format, and opening the invites could potentially result in the installation of malware. Sophos warned of the threat and suggested one possible mitigation is to view emails in plaintext. These attacks will present a warning indicating attachments and email and calendar invites contain links to other files. Users should click no when asked to update documents with data from the linked files.

Medical Device Security

HIMSS has drawn attention to the threat of attacks on medical devices, pointing out that these are a soft-spot and typically have poor cybersecurity protections. As was pointed out with the APT critical infrastructure attacks, it is these soft spots that malicious actors look to take advantage of to gain access to networks and data. HIMSS has warned healthcare organizations to heed the advice of analysts, who predict the devices will be targeted with ransomware. Steps should be taken to isolate the devices and back up any data stored on the devices, or the computers and networks to which they connect.

Medical device security was also the subject of the Office for Civil Rights October cybersecurity newsletter.

While not specifically mentioned in its list of current cybersecurity threats, the threat from phishing is ongoing and remains one of the most serious threats to the confidentiality, integrity, and availability of PHI. The threat can be reduced with anti-phishing defenses such as spam filtering software and with training to improve security awareness.

The post HIMSS Draws Attention to Five Current Cybersecurity Threats appeared first on HIPAA Journal.

Survey Reveals Sharing EHR Passwords is Commonplace

Posted by HIPAA Journal

While data on the practice of password sharing in healthcare is limited, one survey suggests the practice of sharing EHR passwords is commonplace, especially with interns, medical students, and nurses.

The research was conducted by Ayal Hassidim, MD of the Hadassah-Hebrew University Medical Center, Jerusalem, and also involved researchers from Duke University, Harvard Medical School, Ben Gurion University of the Negev, and Hadassah-Hebrew University Medical Center. The study was conducted on 299 medical students, nurses, medical residents, and interns and the results of the survey were recently published in Healthcare Informatics Research.

The information stored in EHRs is sensitive and must be protected. Regulations such as HIPAA control access to that information. All individuals that require access to the information in EHR systems must be issued with a unique user ID and password.

Any attempts to access protected health information must be logged to allow healthcare organizations to monitor for unauthorized access. If login credentials are shared with other individuals, it is no longer possible to accurately record which individuals have viewed health information – a violation of HIPAA Rules. The researchers note that sharing EHR passwords is one of the most common HIPAA violations and causes of healthcare data breaches.

The survey suggests that sharing EHR passwords is commonplace, even though the practice is prohibited by hospital policies and HIPAA Rules. 73% of all respondents admitted to using the password of another individual to access EHR records on at least one occasion. 57% of respondents estimated the number of times they had accessed EHR information – The average number of occasions was 4.75.

All medical students surveyed said they had accessed EHRs using the credentials of another individual, and 57% of nurses admitted to using another individual’s credentials to access EHRs. The reasons for doing so were highly varied.

Common reasons for sharing EHR passwords were permissions on the user’s account did not allow them to complete their work duties, technical problems prevented them from using their own credentials, and personal logins had not been issued, even though EHR access was required to complete work duties.

The researchers suggest the provision of timely and efficient care is often at odds with security protections. The researchers noted, “In an attempt to achieve better security, usability is hindered to the level the users feel that the right thing to do is to violate the security regulations altogether.”

The researchers made two recommendations: “Usability should be added as the fourth principal in planning EMRs and other PHI-containing medical records. Second, an additional option should be included for each EMR role that will grant it maximal privileges for one action. When this option is invoked, the senior physician/the PHI security officer would be informed. This would allow junior staff to perform urgent, lifesaving, decisions, without outwitting the EMR, and under formal retrospective supervision by the senior members in charge.”

The post Survey Reveals Sharing EHR Passwords is Commonplace appeared first on HIPAA Journal.