Healthcare Data Privacy

New Study Reveals Lack of Phishing Awareness and Data Security Training

There is a commonly held view among IT staff that employees are the biggest data security risk; however, when it comes to phishing, even IT security staff are not immune. A quarter of IT workers admitted to falling for a phishing scam, compared to one in five office workers (21%) and 34% of business owners and senior executives, according to a recent survey by Intermedia.

For its 2017 Data Vulnerability Report, Intermedia surveyed more than 1,000 full-time workers and asked questions about data security and the behaviors that can lead to data breaches, malware and ransomware attacks.

When all it takes is for one employee to fall for a phishing email to compromise a network, it is alarming that 14% of office workers either lacked confidence in their ability to detect phishing attacks or did not know what phishing is.

Confidence in the ability to detect phishing scams was generally high among office workers, with 86% believing they could identify phishing emails, although knowledge of ransomware was found to be lacking, especially among female workers. 40% of female workers did not know what ransomware was, compared to 28% of male workers. 31% of respondents said they did not know what ransomware was prior to taking part in staff training sessions.

The survey revealed that security awareness training was lacking at many businesses. 30% of office workers said they did not receive regular training on how to deal with cyber threats. Even though the threat level has risen significantly in the past two years, many businesses have not responded. The 2015 data vulnerability report showed that 72% of companies regularly communicated cyber threat information to employees and provided regular training; in 2017 little has changed, with only 70% of companies providing regular training and threat information to employees. 11% of companies offered no security training whatsoever.

The recently published Global State of Security Survey by PricewaterhouseCoopers, which surveyed 9,500 executives in 122 countries, suggests the percentage of companies that do not provide security awareness training may well be far higher – 48% of respondents to that survey said they have no employee security awareness training program in place.

Many Employees Pay Ransoms Personally

One of the most interesting insights into ransomware attacks on businesses from the Intermedia study was that many employees are so embarrassed and concerned about having installed ransomware that they pay the ransom demand out of their own pocket.

Out of the office workers that had experienced a ransomware attack, 59% personally paid the ransom. 37% said the ransom was paid by their employer. The average ransom payment was $1,400. The ransom was typically paid quickly in the hope that data could be restored before anyone else found out about the attack.

While employees were not asked whether their employers would make them pay the ransom, paying the ransom quickly to prevent anyone discovering the attack is unlikely to work. Even when the ransom is paid, businesses still experience considerable downtime. The same study also indicates that one in five ransom payments does not result in viable decryption keys being provided by the attackers.

The post New Study Reveals Lack of Phishing Awareness and Data Security Training appeared first on HIPAA Journal.

HIMSS Draws Attention to Five Current Cybersecurity Threats

In its October Cybersecurity report, HIMSS draws attention to five current cybersecurity threats that could potentially be used against healthcare organizations to gain access to networks and protected health information.

Wi-Fi Attacks

Security researchers have identified a new attack method called a key reinstallation (KRACK) attack that can be conducted on Wi-Fi networks using the WPA2 protocol. These attacks take advantage of a flaw in the way the protocol performs its 4-way handshake when a client connects to the network. By manipulating and replaying the cryptographic handshake messages, an attacker can force a key that was already in use to be reinstalled and then intercept communications. The use of a VPN on Wi-Fi networks is strongly recommended to limit the potential for this attack scenario and for man-in-the-middle attacks.

BadRabbit Ransomware

Limited BadRabbit ransomware attacks have occurred in the United States, although the NotPetya-style ransomware attacks have been extensive in Ukraine. As with NotPetya, it is believed the intention is to cause disruption rather than financial gain. The attacks are now known to use NSA exploits that were also used in other global ransomware attacks. Mitigations include ensuring software and operating systems are kept 100% up to date and all patches are applied promptly. It is also essential that backups are performed regularly. Backups should be stored securely on at least two different media, with one copy stored securely offsite on an air-gapped device.

Advanced Persistent Threats

A campaign conducted by an APT group known as Dragonfly has been ongoing since at least May 2017. The APT group is targeting critical infrastructure organizations. The typical attack scenario is to target small networks with relatively poor security, and once access has been gained, to move laterally to major networks with high value assets. While the group has primarily been attacking the energy sector, the healthcare industry is also at risk. Further information on the threat and the indicators of compromise can be found on the US-CERT website.

DDE Attacks

In October, security researchers warned of the risk of Dynamic Data Exchange (DDE) attacks targeting Outlook users. This attack scenario involves calendar invites sent via phishing emails. The invites are sent in Rich Text Format, and opening them could potentially result in the installation of malware. Sophos warned of the threat and suggested that one possible mitigation is to view emails in plaintext. These attacks do present a warning, indicating that the attachment or calendar invite contains links to other files. Users should click No when asked whether to update the document with data from the linked files.

Medical Device Security

HIMSS has drawn attention to the threat of attacks on medical devices, pointing out that these are a soft spot and typically have poor cybersecurity protections. As was pointed out with the APT critical infrastructure attacks, it is these soft spots that malicious actors look to take advantage of to gain access to networks and data. HIMSS has warned healthcare organizations to heed the advice of analysts, who predict the devices will be targeted with ransomware. Steps should be taken to isolate the devices and back up any data stored on the devices, or on the computers and networks to which they connect.

Medical device security was also the subject of the Office for Civil Rights October cybersecurity newsletter.

While not specifically mentioned in its list of current cybersecurity threats, the threat from phishing is ongoing and remains one of the most serious threats to the confidentiality, integrity, and availability of PHI. The threat can be reduced with anti-phishing defenses such as spam filtering software and with training to improve security awareness.

Survey Reveals Sharing EHR Passwords is Commonplace

While data on the practice of password sharing in healthcare is limited, one survey suggests the practice of sharing EHR passwords is commonplace, especially with interns, medical students, and nurses.

The research was conducted by Ayal Hassidim, MD, of the Hadassah-Hebrew University Medical Center, Jerusalem, and also involved researchers from Duke University, Harvard Medical School, Ben Gurion University of the Negev, and Hadassah-Hebrew University Medical Center. The study was conducted on 299 medical students, nurses, medical residents, and interns, and the results of the survey were recently published in Healthcare Informatics Research.

The information stored in EHRs is sensitive and must be protected. Regulations such as HIPAA control access to that information. All individuals that require access to the information in EHR systems must be issued with a unique user ID and password.

Any attempts to access protected health information must be logged to allow healthcare organizations to monitor for unauthorized access. If login credentials are shared with other individuals, it is no longer possible to accurately record which individuals have viewed health information – a violation of HIPAA Rules. The researchers note that sharing EHR passwords is one of the most common HIPAA violations and causes of healthcare data breaches.

The survey suggests that sharing EHR passwords is commonplace, even though the practice is prohibited by hospital policies and HIPAA Rules. 73% of all respondents admitted to using the password of another individual to access EHR records on at least one occasion. 57% of respondents estimated the number of times they had done so – the average number of occasions was 4.75.
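As an added example that is not from the study or from HIPAA Journal, here is one way a security team can check an EHR audit log for the attribution problem described above: a single user ID appearing on two workstations within minutes of each other, which a unique-credential policy should make impossible. The log format, the sample lines and the five-minute window are constructed assumptions; a real EHR audit export has its own layout and the parser would be adapted to it.

```python
"""
Detect EHR sessions that look like shared credentials.

HIPAA requires unique user IDs so that every PHI access can be attributed
to one person. When a password is shared, one user ID shows up on two
workstations at (almost) the same time. This script flags that pattern in
an audit log. The log format and sample lines are constructed for the
example; adapt the parser to your EHR's actual audit export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp, user ID, workstation, event, patient record.
SAMPLE_LOG = """\
2017-10-30T08:02:11 jsmith WS-ICU-01 VIEW MRN100234
2017-10-30T08:03:40 jsmith WS-ICU-01 VIEW MRN100235
2017-10-30T08:04:05 jsmith WS-ED-07 VIEW MRN100901
2017-10-30T08:05:52 jsmith WS-ICU-01 ORDER MRN100235
2017-10-30T09:15:00 nlee WS-ED-02 VIEW MRN100777
2017-10-30T11:40:13 nlee WS-ED-09 VIEW MRN100778
2017-10-30T08:06:30 jsmith WS-ED-07 VIEW MRN100902
"""

# Assumption: two workstations used by one account less than this far apart is suspicious.
CONCURRENCY_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse lines into dicts; skip blank or malformed lines rather than crash."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, workstation, action, record = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append({"when": when, "user": user, "workstation": workstation,
                       "action": action, "record": record})
    return events


def concurrent_workstation_use(events, window=CONCURRENCY_WINDOW):
    """Return alerts where a user switched workstations within `window`.

    Each alert is (user, earlier_workstation, later_workstation, gap_seconds).
    Events are sorted per user, so the log need not be in time order.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["when"])
        for prev, cur in zip(evs, evs[1:]):
            gap = cur["when"] - prev["when"]
            if prev["workstation"] != cur["workstation"] and gap <= window:
                alerts.append((user, prev["workstation"], cur["workstation"],
                               int(gap.total_seconds())))
    return alerts


if __name__ == "__main__":
    for user, ws_a, ws_b, gap in concurrent_workstation_use(parse_log(SAMPLE_LOG)):
        print(f"{user}: {ws_a} -> {ws_b} within {gap}s, possible shared credential")
```

On the constructed log, jsmith is flagged three times (ICU and ED workstations alternating within seconds) while nlee, who moved workstations more than two hours apart, is not. The window is the tuning knob: clinicians do legitimately move between terminals, so the value should be set from observed behaviour, and alerts treated as leads for the privacy officer rather than proof.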

All medical students surveyed said they had accessed EHRs using the credentials of another individual, and 57% of nurses admitted to using another individual’s credentials to access EHRs. The reasons for doing so were highly varied.

Common reasons for sharing EHR passwords were that permissions on the user’s own account did not allow them to complete their work duties, that technical problems prevented them from using their own credentials, and that personal logins had not been issued even though EHR access was required to complete work duties.

The researchers suggest the provision of timely and efficient care is often at odds with security protections. The researchers noted, “In an attempt to achieve better security, usability is hindered to the level the users feel that the right thing to do is to violate the security regulations altogether.”

The researchers made two recommendations: “Usability should be added as the fourth principle in planning EMRs and other PHI-containing medical records. Second, an additional option should be included for each EMR role that will grant it maximal privileges for one action. When this option is invoked, the senior physician/the PHI security officer would be informed. This would allow junior staff to perform urgent, lifesaving, decisions, without outwitting the EMR, and under formal retrospective supervision by the senior members in charge.”

FDA Publishes Final Guidance for Medical Device Manufacturers Sharing Information with Patients

The U.S. Food and Drug Administration (FDA) has released final guidance for medical device manufacturers sharing information with patients at their request.

Legally marketed medical devices collect, store, process, and transmit medical information. When patients request copies of the information recorded by or stored on the devices, manufacturers may share patient-specific information with the patient that makes the request.

The FDA encourages information sharing as it can help patients be more engaged with their healthcare providers. When patients give their healthcare providers data collected by medical devices, it can help those providers make sound medical decisions.

While information sharing is not a requirement of the Federal Food, Drug, and Cosmetic Act (FD&C Act), the FDA felt it necessary to provide medical device manufacturers with recommendations about sharing patient-specific information with patients. The guidelines are intended to help manufacturers share information appropriately and responsibly.

The FDA explains that in many cases, patient-specific information recorded by medical devices is shared with the patient’s healthcare providers, and oftentimes the patient is able to obtain copies of that information from their healthcare providers. However, sometimes patients may submit a request to the device manufacturer for a copy of the patient-specific information recorded by the device.

The FDA explains that patient-specific information is information that is unique to a particular patient – or unique to the patient’s diagnosis and treatment – that has been recorded, stored, processed, or derived from a legally marketed medical device. “This information may include, but is not limited to, recorded patient data, device usage/output statistics, healthcare provider inputs, incidence of alarms, and/or records of device malfunctions or failures.”

The FDA notes that patient-specific information does not include labelling, which is covered by the FD&C Act. Labelling covers information such as descriptions of intended use, benefit and risk information, and instructions for use, and the sharing of such information is subject to the applicable requirements of the FD&C Act.

The FDA encourages device manufacturers to share information with patients when copies are requested, even though data sharing is not a requirement of the FD&C Act. The FDA also explains that data can be shared with patients at the patient’s request without the need to undergo an additional premarket review in advance.

Some medical devices record, store, and transmit information in a format that makes it difficult to share the information with patients, or in some cases, information is recorded in a closed system that cannot be accessed by the device manufacturer. The FDA is aware that in such cases it may not be feasible to share data with patients.

When information sharing is possible, device manufacturers should respond to requests promptly and information should be “comprehensive and contemporary.” Data should include all information that is available, up until the point that the request is made.

The FDA points out that its guidance does not establish any legally enforceable responsibilities, and neither does it affect any federal, state or local laws. That includes HIPAA, and specifically the HIPAA Privacy Rule, which will apply if the device manufacturer is a business associate of a HIPAA-covered entity.

Tips for Reducing Mobile Device Security Risks

An essential part of HIPAA compliance is reducing mobile device security risks to a reasonable and acceptable level.

As healthcare organizations turn to mobile devices such as laptop computers, mobile phones, and tablets to improve efficiency and productivity, many are introducing risks that could all too easily result in a data breach and the exposure of protected health information (PHI).

As the breach reports submitted to the HHS’ Office for Civil Rights show, mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, 71 breaches involving mobile devices such as laptops, smartphones, tablets, and portable storage devices were reported to OCR. Those breaches resulted in the exposure of 1,303,760 patient and plan member records.

17 of those breaches resulted in the exposure of more than 10,000 records, with the largest breach exposing 697,800 records. The majority of those breaches could easily have been avoided.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not demand encryption for mobile devices, yet such a security measure could have prevented a high percentage of the 71 data breaches reported to OCR.

When a mobile device containing ePHI is lost or stolen, the HIPAA Breach Notification Rule requires the breach to be reported and notifications to be sent to affected individuals. If the ePHI on the device was encrypted, notifications need not be sent, because the loss is not a reportable HIPAA breach: a breach report and patient notifications are only required for breaches of unencrypted PHI, unless the key to decrypt the data is also obtained.

Even though HIPAA does not demand the use of encryption, it must be considered. If the decision is taken not to encrypt data, that decision must be documented and an alternative safeguard – or safeguards – must be employed to ensure the confidentiality, integrity, and availability of ePHI. Those alternative safeguards must provide a level of protection equivalent to encryption.

Before the decision about whether or not to encrypt data can be made, HIPAA covered entities must conduct an organization-wide risk analysis, which must include all mobile devices. All risks associated with the use of mobile devices must be assessed and mitigated – see 45 C.F.R. § 164.308(a)(1)(ii)(A)–(B).

OCR Reminds Covered Entities of Need to Address Risks Associated with Mobile Devices

In its October 2017 Cybersecurity Newsletter, OCR reminded covered entities of the risks associated with mobile devices that are used to create, receive, maintain, or transmit ePHI. HIPAA covered entities were reminded of the need to conduct an organization-wide risk assessment and develop a risk management plan to address all mobile device security risks identified during the risk analysis and reduce them to an appropriate and acceptable level.

While many covered entities allow the use of mobile devices, some prohibit the use of those devices to create, receive, maintain, or transmit ePHI. OCR reminds covered entities that if such a policy exists, it must be communicated to all staff and the policy must be enforced.

When mobile devices can be used to create, receive, maintain, or transmit ePHI, appropriate safeguards must be implemented to reduce risks to an appropriate and acceptable level. While loss or theft of mobile devices is an obvious risk, OCR draws attention to other risks associated with the devices, such as using them to access or send ePHI over unsecured Wi-Fi networks, viewing ePHI stored in the cloud, or accessing or sharing ePHI via file sharing services.

OCR also reminded covered entities to ensure that default settings on the devices are changed, and that healthcare employees must be informed of mobile device security risks, taught best practices, and shown the correct way to use the devices to access, store, and transmit ePHI.

OCR offers the following advice to help covered entities address mobile security risks and keep ePHI secure at all times.

OCR’s Tips for Reducing Mobile Device Security Risks

  • Implement policies and procedures regarding the use of mobile devices in the work place – especially when used to create, receive, maintain, or transmit ePHI.
  • Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
  • Install or enable automatic lock/logoff functionality.
  • Require authentication to use or unlock mobile devices.
  • Regularly install security patches and updates.
  • Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
  • Use a privacy screen to prevent people close by from reading information on your screen.
  • Use only secure Wi-Fi connections.
  • Use a secure Virtual Private Network (VPN).
  • Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.
  • Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device.
  • Include training on how to securely use mobile devices in workforce training programs.

Penalties for Failing to Address Mobile Security Risks

The failure to address mobile device security risks could result in a data breach and a penalty for noncompliance with HIPAA Rules. Over the past few years there have been several settlements reached between OCR and HIPAA covered entities for the failure to address mobile device security risks.

These include:

Covered Entity                                                   | HIPAA Violation                                                  | Individuals Impacted | Penalty
-----------------------------------------------------------------|------------------------------------------------------------------|----------------------|-------------
Children’s Medical Center of Dallas                              | Theft of unencrypted devices                                     | 6,262                | $3.2 million
Oregon Health & Science University                               | Loss of unencrypted laptop / storage on cloud server without BAA | 4,361                | $2,700,000
Cardionet                                                        | Theft of an unencrypted laptop computer                          | 1,391                | $2.5 million
Catholic Health Care Services of the Archdiocese of Philadelphia | Theft of mobile device                                           | 412                  | $650,000

Addressing Mobile Device Security Risks

Mobile device security risks must be reduced to a reasonable and appropriate level. Some of the mobile device security risks, together with mitigations, are summarized in the infographic below.

[Infographic: mobile device security risks]

HHS Privacy Chief Deven McGraw Departs OCR: Iliana Peters Now Acting Deputy

Deven McGraw, the Deputy Director for Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR) has stepped down and left OCR. McGraw vacated the position on October 19, 2017.

McGraw has served as Deputy Director for Health Information Privacy since July 2015, replacing Susan McAndrew. McGraw joined OCR from Manatt, Phelps & Phillips, LLP where she co-chaired the company’s privacy and data security practice. McGraw also served as Acting Chief Privacy Officer at the Office of the National Coordinator for Health IT (ONC) since the departure of Lucia Savage earlier this year.

In July, ONC National Coordinator Donald Rucker announced that, following cuts to the ONC budget, the Office of the Chief Privacy Officer would be closed out, with the Chief Privacy Officer receiving only limited support. It therefore seems an opportune moment for Deven McGraw to move on to pastures new.

OCR’s Iliana Peters has stepped in to replace McGraw in the interim and will serve as Acting Deputy Director until a suitable replacement for McGraw can be found. Peters has vacated her position as senior advisor for HIPAA Compliance and Enforcement at OCR. There are no plans to bring in a replacement for McGraw at the ONC.

One of the first tasks for Peters will be to ensure the statutory obligations of the 21st Century Cures Act are met, and to issue guidance for healthcare organizations and patients on health data access and guidance on the allowable uses and disclosures of protected health information for patients receiving treatment for mental health or substance use disorder.

McGraw is an expert in HIPAA and privacy laws and will be sorely missed at OCR. McGraw said on Twitter, “The HIPAA team at OCR is in good hands with Iliana Peters as Acting Deputy.”

Politico reports that McGraw will be heading to Silicon Valley and will be joining a health tech startup that will be focused on “empowering consumers.” At present, no announcement has been made about which company she is joining. Politico reports that McGraw will be “part of a very small team doing the thinking about what the product will look like, the data we’re collecting and how we’ll manage and secure it.”

OCR Clarifies HIPAA Rules on Sharing Patient Information After Opioid Overdose

The U.S. Department of Health and Human Services’ Office for Civil Rights has cleared up confusion about HIPAA Rules on sharing patient information after an opioid overdose. The HIPAA Privacy Rule permits healthcare providers to share limited PHI in certain emergency and dangerous situations. Those situations include natural disasters and drug overdoses, if sharing information can prevent or lessen a serious and imminent threat to a patient’s health or safety.

Some healthcare providers have misunderstood the HIPAA Privacy Rule provisions, and believe permission to disclose information to the patient’s loved ones or caregivers must be obtained from the patient before any PHI can be disclosed.

In an emergency or crisis situation, such as during a drug overdose, healthcare providers are permitted to share limited PHI with a patient’s loved ones and caregivers without permission first having been obtained from the patient.

During an opioid overdose, healthcare providers can share health information with the patient’s family members, close friends, and caregivers if:

  • The healthcare provider determines, based on professional judgement, that sharing information about an incapacitated or unconscious patient is in the best interests of the patient, provided the information shared is limited to that directly related to the individual’s involvement in the patient’s care or payment of care. Information on the overdose can be shared, but not unrelated health information unless permission has been obtained.
  • Informing the above individuals would help to prevent or lessen a serious threat to the patient’s health and safety – such as continued opioid abuse on discharge.

When a patient is not unconscious or incapacitated and has decision-making capability, healthcare providers must give the patient the opportunity to object to the disclosure of their overdose to loved ones, close friends, caregivers, or individuals involved in the payment for care. If a patient has decision-making capability, or if permission to share the information is denied, healthcare providers cannot share information unless “there is a serious and imminent threat of harm to health.”

There will be situations when a patient is only temporarily incapacitated, and their decision-making capability will be recovered during the course of treatment. In such cases, it is down to the discretion of the healthcare provider whether health information is shared while the patient is incapacitated, the type of information that is shared, and how much. When the patient regains consciousness and decision-making capability, permission must then be obtained before any further disclosures of health information are made.

OCR also points out that it is not only HIPAA Rules that may apply in such situations, explaining “HIPAA does not interfere with state laws or medical ethics rules that are more protective of patient privacy.”

The guidance on HIPAA Rules on sharing patient information after an opioid overdose is available from OCR.

Phishing Attacks Using Malicious URLs Rose 600 Percent in Q3, 2017

As recent healthcare breach notices have shown, phishing poses a major threat to the confidentiality of protected health information (PHI). The past few weeks have seen several healthcare organizations announce email accounts containing the PHI of thousands of patients have been accessed by unauthorized individuals as a result of healthcare employees responding to phishing emails.

Report Shows Massive Rise in Phishing Attacks Using Malicious URLs

This week has seen the publication of a new report that confirms there has been a major increase in malicious email volume over the past few months.

Proofpoint’s Quarterly Threat Report, published on October 26, shows malicious email volume soared in Q3 2017. Compared to the volume of malicious emails recorded in Q2, there was an 85% rise in malicious emails in Q3.

While attachments have long been used to deliver malware downloaders and other malicious code, Q3 saw a massive rise in phishing attacks using malicious URLs. Clicking those links directs end users to websites where malware is downloaded or login credentials are harvested.

Proofpoint’s analysis shows there was a staggering 600% increase in phishing attacks using malicious URLs in Q3. Compared to 2016, the use of malicious URLs has increased by 2,200%. The volume of malicious emails has not been that high since 2014.

Locky is Back With a Vengeance

For its report, Proofpoint analyzed more than one billion emails and hundreds of millions of social media posts, and identified and analyzed more than 150 million malware samples.

Out of all of the email threats analyzed, 64% were used to deliver ransomware. At the start of the year, Cerber ransomware was the biggest ransomware threat, having taken over from Locky, but in Q3 Locky came back with a vengeance. Locky ransomware accounted for 55% of all malicious payloads and 86% of all ransomware payloads. There were also notable increases in other ransomware variants, including Philadelphia and GlobeImposter.

The second biggest threat was banking Trojans, which accounted for 24% of all malicious payloads. Proofpoint’s report shows the Dridex Trojan has fallen out of favor somewhat, with The Trick now the biggest threat in this category. Downloaders accounted for 6% of malicious emails and information stealers 5%.

In the first half of 2016, exploit kits were extensively used to deliver malware and ransomware, although exploit kit activity dwindled throughout the year and had all but stopped by 2017. However, exploit kit activity is climbing once again, with Rig the most commonly used exploit kit. Proofpoint notes that rather than relying on exploits alone, the actors behind these EKs are now incorporating social engineering techniques into their campaigns to fool users into downloading malware.

Social media attacks also rose, in particular so-called “angler attacks” via Twitter. These attacks involve the registration of bogus support accounts. Twitter is monitored for customers who are experiencing difficulty with software, and when a complaint is made, the user is sent a tweet from the bogus account containing malicious links.

Proofpoint also noted a 12% rise in email fraud in Q3, up 32% from last year, and a notable rise in typosquatting and domain spoofing. The registration of suspicious domains now outnumbers defensive domain registrations by 20 to 1.

The advice to all organizations is to implement robust spam filtering software to block malicious emails, use solutions such as web filters to block malicious URLs, use email authentication to stop domain spoofing, and take steps to protect brands on social media. The risk from look-alike domains can be greatly reduced with defensive domain registrations – registering all similar domains before the typosquatters do.
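As an added example that is not part of the Proofpoint report or this post, the following script shows the detection side of the look-alike domain advice above: it triages sender domains against a set of protected domains and flags typosquats (small edit distance) and homoglyph substitutions, so that mail from such domains can be quarantined or reviewed and the domains themselves considered for defensive registration. The protected domains, sample addresses, confusable-character table and distance threshold are all constructed assumptions to be tuned against real mail flow.

```python
"""
Flag sender domains that look like one of our own (typosquats / homoglyphs).

Constructed example: the protected domains, the sample From: addresses,
the confusable table and the edit-distance threshold are assumptions.
"""
import unicodedata

# Assumption: the organisation's own mail domains.
PROTECTED_DOMAINS = {"examplehealth.org", "examplehealth-portal.com"}

# Single characters that are commonly swapped for look-alikes, and two-letter
# sequences that render like a single letter in many fonts.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(domain):
    """Lower-case, strip accents, and fold confusables so look-alikes compare equal."""
    d = unicodedata.normalize("NFKD", domain.strip().lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    d = d.translate(CONFUSABLE_CHARS)
    for pair, single in CONFUSABLE_PAIRS:
        d = d.replace(pair, single)
    return d


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return (verdict, sender_domain, matched_protected_domain_or_None).

    Verdicts: 'own' (exact or subdomain), 'homoglyph' (equal after folding),
    'lookalike' (within max_distance edits), 'unrelated'.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    for p in protected:
        if domain == p or domain.endswith("." + p):
            return ("own", domain, p)
    norm = normalize(domain)
    best = None
    for p in protected:
        p_norm = normalize(p)
        if norm == p_norm:
            return ("homoglyph", domain, p)
        dist = levenshtein(norm, p_norm)
        if best is None or dist < best[0]:
            best = (dist, p)
    if best is not None and best[0] <= max_distance:
        return ("lookalike", domain, best[1])
    return ("unrelated", domain, None)


def triage(addresses):
    """Return only the senders that deserve a closer look."""
    return [r for r in (classify_sender(a) for a in addresses) if r[0] in ("homoglyph", "lookalike")]


# Constructed sample senders, not taken from any real campaign.
SAMPLE_SENDERS = [
    "alerts@examplehealth.org",
    "dr@mail.examplehealth.org",
    "billing@examp1ehealth.org",
    "noreply@exarnplehealth.org",
    "it-support@examplehealht.org",
    "news@vendor-example.com",
]

if __name__ == "__main__":
    for verdict, domain, match in triage(SAMPLE_SENDERS):
        print(f"{verdict:10} {domain} (resembles {match})")
```

Two of the constructed senders fold to an exact protected domain (the digit-one and the "rn" substitutions) and one is a transposition two edits away; the genuine subdomain and the unrelated vendor pass. A threshold of two edits is generous for short domains, so in production the distance should be checked against the registrable part of the domain only and the confusable table extended to the scripts your users actually receive mail in.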

Is AWS HIPAA Compliant?

Is AWS HIPAA compliant? Amazon Web Services has the protections needed to satisfy the HIPAA Security Rule, and Amazon will sign a business associate agreement with healthcare organizations. So, is AWS HIPAA compliant? Yes. And no. AWS can be HIPAA compliant, but it is also easy to make configuration mistakes that leave protected health information (PHI) unprotected and accessible to unauthorized individuals, violating HIPAA Rules.

Amazon Will Sign a Business Associate Agreement for AWS

Amazon is keen for healthcare organizations to use AWS, and as such, a business associate agreement will be signed. Under that agreement, Amazon will support the security, control, and administrative processes required under HIPAA.

Previously, under the terms of the AWS BAA, the AWS HIPAA compliance program required covered entities and business associates to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process Protected Health Information (PHI); that is no longer the case.

As part of its efforts to help healthcare organizations use AWS safely and securely without violating HIPAA Rules, Amazon has published a 26-page guide – Architecting for HIPAA Security and Compliance on Amazon Web Services – to help covered entities and business associates get to grips with securing their AWS instances and setting access controls.

AWS HIPAA Compliance is Something of a Misnomer

Amazon supports HIPAA compliance, and AWS can be used in a HIPAA compliant way, but no software or cloud service can ever be truly HIPAA compliant. As with all cloud services, AWS HIPAA compliance is not about the platform, but rather how it is used.

The Amazon Simple Storage Service (S3) that is provided through AWS can be used for data storage, data analysis, data sharing, and many other purposes. Data can be accessed from anywhere with an Internet connection, including via websites and mobile apps. AWS has been built to be secure, but it has also been built to make data easy to access by anyone with the correct permissions. Make a mistake configuring users or setting permissions and data will be left exposed.

Just because AWS can be used in a HIPAA compliant manner, it does not mean that using AWS is free from risk, nor that a HIPAA violation cannot occur. Leaving AWS S3 buckets unprotected and accessible by the public is a clear violation of HIPAA Rules. It may seem obvious to secure AWS S3 buckets containing PHI, but this year multiple healthcare organizations have left their PHI open and accessible by anyone.

Amazon S3 buckets are private by default. A newly created bucket can only be accessed with credentials belonging to the AWS account that owns it. It is the process of configuring permissions and granting other users access to the resource that often goes awry.

When is AWS not HIPAA Compliant?

AWS is being used in a HIPAA compliant way when a BAA has been signed, users have been instructed on the correct way to use the service, and access controls and permissions have been set correctly. It stops being compliant the moment an Amazon S3 bucket containing PHI is misconfigured: the data is then accessible by anyone who knows where to look.

Documentation is available on the correct way to configure Amazon S3 services and manage access and permissions. Unfortunately, since there are several ways to grant permissions (bucket access control lists, bucket policies and IAM policies), there are also several points at which errors can occur, and simple mistakes can have grave consequences.

On numerous occasions, security researchers have discovered unprotected AWS S3 buckets and have alerted healthcare organizations that PHI has been left unprotected. However, security researchers are not the only ones checking for unsecured data. Hackers are always on the prowl. It is far easier for a hacker to steal data from cloud storage services that have had all protections removed than it is to attack organizations in other ways.

One of the mistakes that has been made time and again is setting a bucket's access control list to grant access to ‘Authenticated Users.’ That could be taken to mean anyone whom you have authenticated to have access to your data. However, that is not Amazon’s definition of an authenticated user. In S3, the Authenticated Users group is anyone with an AWS account, and anyone can obtain an AWS account free of charge.
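Because permissions can be granted through the bucket ACL and through a bucket policy, a check for an exposed bucket has to look at both. The following is an added example, not code from the article or from Amazon, that takes an ACL and a bucket policy in the JSON shape returned by `aws s3api get-bucket-acl` / `get-bucket-policy` and flags grants to the AllUsers and AuthenticatedUsers groups and policy statements that allow a wildcard principal. The sample ACLs, the policy, the bucket names and the owner ID are constructed placeholders, not real resources.

```python
"""Flag S3 buckets whose ACL or bucket policy opens them to everyone.

The ACL and policy documents follow the shape returned by `aws s3api
get-bucket-acl` / `get-bucket-policy` (and boto3), but the sample documents
below are constructed for this example; bucket names and the owner ID are
placeholders, not real resources.
"""
import json

# The two global ACL groups. "AuthenticatedUsers" means any AWS account, not your users.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "AllUsers (anyone on the internet)",
    AUTHENTICATED_USERS: "AuthenticatedUsers (anyone with an AWS account)",
}


def public_acl_grants(acl):
    """One finding per ACL grant made to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[grantee['URI']]}")
    return findings


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" is inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """One finding per Allow statement that names a wildcard principal."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be an object, not a list
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Condition"):
            # A Condition (e.g. on aws:SourceVpce) may narrow "*" enough, but needs human review
            findings.append(f"policy {sid} allows {', '.join(actions)} to Principal * with a Condition; review it")
        else:
            findings.append(f"policy {sid} allows {', '.join(actions)} to Principal * unconditionally")
    return findings


def audit_bucket(acl, policy_json=None):
    """Combine ACL and policy findings; an empty list means nothing public was found."""
    findings = public_acl_grants(acl)
    if policy_json:
        findings += public_policy_statements(json.loads(policy_json))
    return findings


# Constructed sample documents (placeholder owner ID, not a real canonical user ID)
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
LEAKY_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
]}
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-exports/*",
    }],
})

if __name__ == "__main__":
    for name, acl, policy in [("example-private", PRIVATE_ACL, None),
                              ("example-phi-exports", LEAKY_ACL, PUBLIC_READ_POLICY)]:
        print(name, audit_bucket(acl, policy) or ["no public access found"])
```

On a real bucket, feed `audit_bucket` the output of `aws s3api get-bucket-acl --bucket NAME` and the `Policy` string from `aws s3api get-bucket-policy --bucket NAME` (the CLI returns the policy as a JSON string inside a JSON object, which is why the function takes it as text). The check is deliberately conservative: any Allow to a wildcard principal is reported even when a Condition is present, because the grant is what an attacker with a free AWS account would exploit. AWS has since added the account-level S3 Block Public Access setting, which overrides grants like these and is the simplest safeguard for buckets that hold PHI.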

How Common are AWS Misconfigurations?

AWS misconfigurations are very common. So much so, that Amazon recently emailed users who had potentially misconfigured their S3 buckets to warn them that data could be accessed by anyone.

Amazon said in its email, “We’re writing to remind you that one or more of your Amazon S3 bucket access control lists (ACLs) are currently configured to allow access from any user on the internet,” going on to explain, “While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available.”

Some of those public disclosures have been by healthcare organizations, but the list is long and varied, including military contractors, financial institutions, mobile carriers, entertainment companies, and cable TV providers. One data analytics firm left data unprotected, exposing the records of 200 million voters. Verizon exposed the data of between 6 and 14 million customers, and World Wide Entertainment exposed the data of 3 million individuals. Patient Home Monitoring, a HIPAA covered entity, left 47GB of data unprotected.

There is no excuse for these oversights. Checking for unprotected AWS buckets is a quick and easy process, and software can be used free of charge for this purpose. Kromtech has developed a tool called S3 Inspector that can be used to check for unsecured S3 buckets.

Is AWS HIPAA Compliant?

So, in summary, is AWS HIPAA compliant? Yes, it can be, and AWS offers healthcare organizations huge benefits.

Can the use of AWS violate HIPAA Rules and leave PHI unprotected? Very easily.

Would misconfiguration of AWS lead to a HIPAA violation penalty? That is a distinct possibility. AWS is secure by default; only if settings are changed will stored data become accessible. It would be hard to argue with OCR auditors that manually changing permissions to allow anyone to access an S3 bucket containing PHI is anything other than a serious violation of HIPAA Rules.

The post Is AWS HIPAA Compliant? appeared first on HIPAA Journal.