Healthcare Data Privacy

U.S. Data Breaches Hit Record High

Posted by HIPAA Journal

Hacking still the biggest cause of data breaches and the breach count has risen once again in 2017, according to a new report released by the Identity Theft Resource Center (ITRC) and CyberScout.

In its half yearly report, ITRC says 791 data breaches have already been reported in the year to June 30, 2017 marking a 29% increase year on year. At the current rate, the annual total is likely to reach 1,500 reported data breaches. If that total is reached it would represent a 37% increase from last year’s record-breaking total of 1,093 breaches.

Following the passing of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing healthcare data breach summaries on its website. Healthcare organizations are required by HIPAA/HITECH to detail the extent of those breaches and how many records have been exposed or stolen. The healthcare industry leads the way when it comes to transparency over data breaches, with many businesses failing to submit details of the extent of their breaches.

ITRC says it is becoming much more common to withhold this information. In the first 6 months of 2017, 67% of data breach notifications and public notices did not include the number of records exposed, which is a 13% increase year on year and a substantial increase from the 10-year average of 43%. The lack of full information about data breaches makes it harder to produce meaningful statistics and assess the impact of breaches.

81.5% of healthcare industry data breach reports included the number of people impacted – a similar level to 2016. ITRC points out that does not mean healthcare organizations are failing to provide full reports, only that HITECH/HIPAA regulations do not require details of breaches of employee information to be reported.

The OCR breach portal shows healthcare industry data breaches in the year to June 30, 2017 increased by 14% year on year. 169 breaches were reported in the first six months of 2017 compared to 148 in the same period in 2016.

Hacking is Still the Biggest Cause of U.S Data Breaches

The biggest cause of U.S data breaches is still hacking according to the report, accounting for 63% of data breaches reported in the first half of the year across all industries – and increase of 5% year on year. Phishing, ransomware, malware and skimming were also included in the totals for hacking. 47.7% of those breaches involved phishing and 18.5% involved ransomware or malware.

The second biggest causes of U.S. data breaches were employee error, negligence and improper disposal, accounting for 9% of the total, followed by accidental exposure on the Internet – 7% of breaches.

The OCR breach portal shows 63 healthcare data breaches were attributed to hacking/IT incidents – 37% of the half yearly total. That represents a rise of 19% from last year.

In close second place is unauthorized access/disclosure – 58 incidents or 35% of the total. A 14% decrease year on year. In third place is loss/theft of devices – 40 incidents or 24% of all healthcare data breaches. A 4% fall year on year. The remaining 4% of healthcare data breaches – 7 incidents – were caused by improper disposal of PHI/ePHI.

Matt Cullina, CEO of CyberScout, said “All these trends point to the need for businesses to take steps to manage their risk, prepare for common data breach scenarios, and get cyber insurance protection.”

The post U.S. Data Breaches Hit Record High appeared first on HIPAA Journal.

Funding for ONC Office of the Chief Privacy Officer to be Withdrawn in 2018

Posted by HIPAA Journal

The cuts to the budget of the Office of the National Coordinator for Health Information Technology (ONC) mean the agency must make some big changes, one of which will be the withdrawal of funding for the Office of the Chief Privacy Officer. ONC National Coordinator Don Rucker, M.D., has confirmed that the office will be closed out in fiscal year 2018.

Deven McGraw, the Deputy Director for Health Information Privacy, has been serving as Acting Chief Privacy Officer until a permanent replacement for Lucia Savage is found, following her departure in January. It is now looking highly unlikely that a permanent replacement will be sought.

One of the key roles of the Chief Privacy Officer is to ensure that privacy and security standards are addressed and health data is appropriately protected. The Chief Privacy Officer also advises the National Coordinator for Health IT on privacy and security policies covering electronic health information. However, Rucker does not believe it is necessary for the ONC to have an office dedicated to privacy and security as other agencies in the HHS could assist and take on additional tasks.

The HITECH Act required ONC to appoint a Chief Privacy Officer; however, an alternative is for ONC to request personnel from other HHS agencies. Faced with a $22 million cut in its operating budget, ONC will turn to the HHS’ Office for Civil Rights to assist with privacy functions with the ONC only maintaining ‘limited support’ for the position of Chief Privacy Officer.

The Chief Privacy Officer has been instrumental in improving understanding of HIPAA Rules with respect to privacy since the HITECH Act was passed. Many healthcare organizations have impeded the flow of health information due to a misunderstanding of the HIPAA Privacy Rule. The Chief Privacy Officer has helped to explain that HIPAA Rules do not prevent the exchange of health information – They only ensure information is shared securely and the privacy of patients is preserved. These outreach efforts are likely to be impacted by the loss of the Office of the Chief Privacy Officer.

Rucker explained that discussions are now taking place between ONC and OCR to determine how these and other tasks will be performed, but explained that privacy and security are implicit in all aspects of the work performed by ONC and that will not change.

Cutbacks are inevitable with the trimming of the ONC’s budget but Rucker has explained that the HHS will continue to ensure privacy and security issues are dealt with and efforts to improve understanding of the HIPAA Privacy and Security Rules will also continue.

The post Funding for ONC Office of the Chief Privacy Officer to be Withdrawn in 2018 appeared first on HIPAA Journal.

University of Iowa Health Care Discovers PHI Was Exposed Online for 2 Years

Posted by HIPAA Journal

University of Iowa Health Care has discovered patient information has been accidentally exposed on the Internet for a period of around 2 years. The exposed data was limited and did not include any clinical data, financial information or Social Security numbers, only patients’ names, admission dates and medical record numbers. 5,292 patients of University of Iowa Hospitals and Clinics have been impacted by the incident.

The data were saved in unencrypted files which were posted online via an application development website. The data were accessible via the Internet since May 2015, with the error detected on April 29, 2017, prompting an immediate investigation. University of Iowa Health Care acted quickly to mitigate risk, with the files deleted from the website on May 1, 2017.

The investigation did not uncover any evidence to suggest any information was misused, and while the exposed data were extremely limited, University of Iowa Health Care has advised all affected individuals to follow good practices and monitor for any data misuse including checking Explanation of Benefits statements from health insurers for signs of suspicious activity. All affected individuals have now been notified of the security incident by mail, with the breach notification letters sent on June 22.

The data breach prompted University of Iowa Health Care to conduct a thorough risk assessment to identify vulnerabilities that could threaten the confidentiality, integrity and availability of PHI. Action has now been taken to mitigate risks and University of Iowa Health Care has strengthened training and its information oversight efforts to prevent future security incidents.

The post University of Iowa Health Care Discovers PHI Was Exposed Online for 2 Years appeared first on HIPAA Journal.

Indiana Senate Passes New Law on Abandoned Medical Records

Posted by HIPAA Journal

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers (and other covered entities) to implement reasonable administrative, technical, and physical safeguards to protect the privacy of patients’ protected health information.

HIPAA applies to electronic protected health information (ePHI) and physical records. Safeguards must be implemented to protect all forms of PHI at rest and in transit and when PHI is no longer required, covered entities must ensure it is disposed of securely.

For electronic protected health information that means data must be permanently deleted so it cannot be reconstructed and recovered. To satisfy HIPAA requirements, the Department of Health and Human Services’ Office for Civil Rights (OCR) recommends clearing, purging or destroying electronic media used to store ePHI. Clearing involves the use of software to overwrite data, purging involves degaussing or exposing media to strong magnetic fields to destroy data. Destruction of electronic media could involve pulverization, melting, disintegration, shredding or incineration.

For physical PHI, OCR recommends shredding, burning, pulping, or pulverization to render PHI unreadable and indecipherable and to ensure the data cannot be reconstructed.

If PHI is not disposed of in accordance with HIPAA Rules, covered entities can face heavy financial penalties. Those penalties are decided by OCR, although state attorneys general can also fine covered entities since the introduction of the Health Information Technology for Clinical and Economic Health (HITECH) Act.

While state attorneys general can take action against covered entities for HIPAA violations that impact state residents, few have exercised that right – Only Connecticut, Vermont, Massachusetts, New York and Indiana all done so since the passing of the HITECH Act.

Even though few states are taking action against covered entities for HIPAA violations as allowed by the HITECH Act, many states have introduced laws to protect state residents in the event of a data breach.

In Indiana, a new state law has been recently passed that allows action to be taken against organizations that fail to dispose of medical records securely.

Indiana Updates Legislation Covering Abandoned Medical Records

In Indiana, legislation has previously been introduced covering ‘abandoned records’. If medical records are abandoned, such as being dumped or disposed of without first rendering them unreadable, action can be taken against the organization concerned.

Abandoned records are those which have been “voluntarily surrendered, relinquished, or disclaimed by the health care provider or regulated professional, with no intention of reclaiming or regaining possession.” The state law previously only covered physical records, although a new Senate Bill (SB 549) has recently been unanimously passed that has expanded the definition to also include ePHI stored in databases. The definition of ‘abandoned records’ has also been expanded to include those that have been “recklessly or negligently treated such that an unauthorized person could obtain access or possession” to those records.”

While there are exceptions under SB 549 for organizations that maintain their own data security procedures under HIPAA and other federal legislation, the new law closes a loophole for organizations that are no longer HIPAA covered entities. In recent years, there have been numerous cases of healthcare organizations going out of business and subsequently abandoning patients’ files. SB 549 allows the state attorney general to take action against HIPAA covered entities that have gone out of business if they are discovered to have abandoned PHI or disposed of ePHI incorrectly.

The new legislation came into effect on July 1, 2017. The new law allows the Indiana attorney general to file actions against the organization concerned and recover the cost of securing and disposing of the abandoned records. That should serve as a deterrent and will help to keep state residents’ PHI private.

The post Indiana Senate Passes New Law on Abandoned Medical Records appeared first on HIPAA Journal.

AMIA Urges HHS to Provide More Information on Common Rule Updates

Posted by HIPAA Journal

The Federal Policy for the Protection of Human Subjects, otherwise known as the Common Rule, was first adopted in 1991; however, there have been numerous calls for the policy to be updated.

The purpose of the Common Rule is to provide a framework for protecting human research subjects across the entire federal government. The Common Rule was introduced at a time when research was mainly conducted at medical institutions and universities. At the time, digital data was not in use.

The past 26 years have seen considerable changes to where research is conducted, how much information is now available, how easy it is for information to be shared and for research participants to be identified.

Earlier this year, proposed Common Rule updates were published by the HHS. The Trump administration is reviewing the Common Rule updates, although at this stage it is unclear whether any changes will be made, and if so, when those changes will be implemented.

The updates were subjected to a 40-day regulatory freeze; but more than 150 days have now passed and there has been no further communication to stakeholders on the status of the Common Rule updates. It is unclear whether the proposed effective date of January 19, 2018 will be met.

The American Medical Informatics Association (AMIA) is concerned over the lack of progress and has recently voiced its concerns in a letter to the Department of Health and Human Services and the Office of Management and Budget.

In its letter, AMIA strongly encourages federal officials to keep the original effective date due to the pressing need for changes to the Common Rule, although AMIA has recommended moving the compliance date forward to June 19, 2018 to give researchers more time “to harmonize old and new provisions”.

The lack of any further information is a concern. AMIA suggests an official announcement should be made about the Common Rule updates immediately.

In the letter, AMIA says, “Over the last several years, a paradigm shift has occurred in the nature, scope and frequency of research involving human subjects, their biospecimens, and their data. Combined with rapid adoption of electronic health records (EHRs) by care providers and dramatic improvements in computing technology, we believe the final revisions to the Common Rule are necessary to improve discovery of new health insights and advance healthcare transformation.”

The Common Rule updates include new protections for individuals who choose to take part in research studies, but the updates will also reduce administrative burdens, particularly for low-risk research studies. For example, exemptions have been included when low risk studies are conducted by HIPAA-covered entities. This would also allow more secondary research of EHR data. The administrative burden is further reduced by eliminating the need for a continuous review for many studies.

The changes also allow researchers to obtain broad consent which will greatly improve availability of biospecimens and patient-reported data for secondary research. Important changes are also made to consent, requiring the most important information to be communicated to participants clearly and concisely in a way that a reasonable person would understand.

The changes will also mean potential research participants are screened more effectively, which will help identify patients who qualify for new treatments and ensure those individuals learn about their options.

AMIA President and CEO Douglas B. Fridsma, said, “Patients expect researchers to leverage their data for improved care in responsible ways. The updated Common Rule enables and encourages better transparency so that new discoveries are possible.”

Peter J. Embi, MD, MS, President and CEO Regenstrief Institute, Inc., said, “It is critical that we adopt these changes for the sake of our national research enterprise,” Embi went on to explain, “We need to know that important aspects of the finalized Common Rule will proceed as planned. Without such a clear signal, the revised Common Rule’s new benefits will be delayed, leaving in place a 26-year old rule that doesn’t serve the needs of research participants or the research community.”

The post AMIA Urges HHS to Provide More Information on Common Rule Updates appeared first on HIPAA Journal.

Office of Inspector General Releases Results of VA FISMA Audit

Posted by HIPAA Journal

The Department of Veteran Affairs’ Office of Inspector General has conducted its annual security review of the VA, the largest healthcare provider in the United States. The aim of the security review is to assess the VA’s information security program in accordance with the Federal Information Security Modernization Act (FISMA).

The report reveals there are many ongoing security vulnerabilities that need to be addressed, although this year’s report only adds three new recommendations. In total, OIG made 33 recommendations about how the VA can make improvements to addresses security weaknesses.

Those 33 recommendations are spread across 8 areas: The security management program, identity management and access controls, configuration management controls, system development and change management controls, contingency planning, incident response/planning, continuous monitoring and contractor systems oversight.

The three new recommendations in this year’s report are:

  • Weaknesses have been identified in the agencywide information and risk management program. OIG recommends processes are implemented to ensure all systems used by the VA are formally Authorized to Operate. System security controls should also be evaluated prior to systems connecting to the Internet or the VA network.
  • Weaknesses have been identified in the VA’s configuration management controls. OIG recommends the VA should improve and implement processes to ensure all devices and platforms are evaluated using credentialed vulnerability assessments.
  • Weaknesses have been discovered in incident response and monitoring. OIG recommends that the VA’s Network Security and Operations Center should be provided with full access to security incident data to help raise awareness of information security events.

The OIG report says considerable improvements have been made and security has been improved. New policies and procedures have been implemented and great strides are being made to improve agencywide security; however, many vulnerabilities persist and the VA faces considerable challenges implementing various components of its information security continuous monitoring and risk management program. OIG found significant deficiencies in the VA’s access controls, configuration management controls, continuous monitoring controls and service continuity practices.

OIG says the VA must concentrate its efforts on four key areas to better achieve FISMA outcomes. These are:

  • Address security issues that contributed to the information technology material weaknesses detailed in the FY 2016 audit of VA’s Consolidated Financial Statements.
  • Address process deficiencies to ensure system Authorizations to Operate and conducted in accordance with VA policy.
  • Make improvements to the speed of deployment of system upgrades, system configurations and security patches to address known vulnerabilities, and enforce a consistent process across all field offices.
  • Make improvements to performance monitoring to ensure security controls are operating as intended in all facilities. Identified security deficiencies should also be effectively communicated to appropriate personnel to ensure action can be taken to mitigate risks.

Many of the deficiencies identified in the report are common in the healthcare industry. While it is not possible to totally eliminate risks, it is possible to reduce those risks to an acceptable level. Some of the vulnerabilities are expected to be addressed when the VA transitions from its VistA EHR to the new Cerner EHR.

The post Office of Inspector General Releases Results of VA FISMA Audit appeared first on HIPAA Journal.

Delaware Data Breach Notification Law to be Strengthened

Posted by HIPAA Journal

Delaware data breach notification law is likely to be expanded to include medical information in the definition of personal information.

The data breach notification law in Delaware has remained unchanged for 12 years so an update is certainly due. The bill was sponsored by Rep. Paul Baumbach (D), with an updated version (House Substitute No. 1 for HB 180) passed by the House on June 28 with a vote of 37-3. The bill will now go before the Senate where it is expected to be passed. Gov. John Carney (D) is in favor of the amendment and is expected to sign the bill.

The updated breach notification law will see the definition of personal information expanded to include biometric data, usernames together with passwords, routing numbers to accounts, taxpayer identification numbers, health insurance identifiers, passport numbers and medical information.

If passed, the new legislation will apply to all legal and commercial entities that do business in the state of Delaware that collect or use personal information; however, the updated Delaware data breach notification law will still not apply to HIPAA-covered entities or any other industry that is already covered by more stringent federal data protection and notification laws.

Companies will be required to conduct a risk analysis to determine whether a security breach is likely to result in breach victims coming to harm. Only if that risk analysis determines there is a low risk of harm will breach notifications not be required. In line with HIPAA, the updated Delaware data breach notification law will require breach notifications to be issued to all affected individuals within 60 days of the discovery of a data breach.

The bill will also require a substitute breach notice to be placed on the company website, if a website is maintained by the company and a notification must be sent to the state attorney general if a breach impacts more than 500 individuals.

The bill also calls for companies to offer a minimum of one year of complimentary identity theft protection services to breach victims whose Social Security number has been compromised in a breach. Only two other states – California and Connecticut – have similar measures in place.

The post Delaware Data Breach Notification Law to be Strengthened appeared first on HIPAA Journal.

U.S. Healthcare Providers Affected by Global Ransomware Attack

Posted by HIPAA Journal

NotPetya ransomware attacks have spread to the U.S. Decryption may not be possible even if the ransom is paid. Details of how to prevent attacks are detailed below.

NotPetya Ransomware Attacks Spread to the United States

Tuesday’s global ransomware attack continues to cause problems for many organizations in Europe, with the attacks now having spread to North America. The spread of the ransomware has been slower in the United States than in Europe, although many organizations have been affected including at least three healthcare systems.

Pennsylvania’s Heritage Valley Health System has confirmed that its computer systems have been infected with the ransomware. The ransomware has affected the entire health system including both of its hospitals and its satellite and community facilities.

While medical services continue to be provided, computer systems were shut down and some non-urgent medical procedures were postponed. 14 of the health system’s community facilities were closed on Wednesday as a result of the attack and lab and diagnostic services were also affected

The health system’s communications director, Suzanne Sakson said, “Corrective measures supplied by our antivirus software vendor have been developed and are being implemented and tested within the health system.”

No evidence has been uncovered to suggest protected health information has been accessed, although an investigation into the incident is ongoing.

West Virginia’s Princeton Community Hospital has also been affected with many of the hospital’s computers taken out of action following infection with ransomware. An investigation has been launched to determine whether patient health information was potentially accessed. Hospital spokesperson Rick Hypes said the hospital has implemented its protocols for cyberattacks and patient care is continuing to be provided.

The New Jersey-based pharmaceutical firm Merck has also been affected.

While it was initially believed the attacks involved Petya ransomware, security researchers believe this is a Petya-like ransomware variant from the same family. It has already attracted a variety of names including NotPetya, SortaPetya, GoldenEye, Petna, Nyeta and ExPetr.

Decryption Unlikely, Even if the Ransom is Paid

The ransomware variant deletes and replaces the Master File Table (MFT) which prevents computers from being able to locate files. The attackers have collected some ransom payments, although recovering systems by paying the ransom may not be possible.

The attacker was using an email account through a German email provider; however, that email account has been suspended. The email account was used to verify payment of a ransom. Without access to that email account, payment verification would be prevented.

Security researchers at Kaspersky Lab have also discovered a flaw in the ransomware which prevents data recovery, even if the ransom is paid. Kaspersky Lab issued a statement saying “We have analyzed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks.”

Some security researchers have suggested that the goal of the attack was therefore not extortion but sabotage. Matt Suiche suggested in a recent analysis of the attack that “The ransomware was a lure for the media, this version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon.” However, also likely is a mistake by the attackers when developing their ransomware.

The number of victims has been steadily rising, with Kaspersky Lab identifying 2,000 attacks on Tuesday, while Microsoft now reports there has been at least 12,500 infections across 65 countries.

The attacks have hit multinational companies hard, with infections first occurring in European facilities but then subsequently spreading across networks to other geographical locations. Shipping firm Maersk had its Danish facilities infected, followed by infections in Ireland, the UK and other countries.

How to Prevent Infection with NotPetya Ransomware

Two exploits released by Shadow Brokers have been used to spread infections – EternalBlue and EternalRomance – both of which were addressed with the MS17-010 patch issued by Microsoft in March, which was subsequently expanded for use on non-supported Windows versions such as Windows XP following the WannaCry ransomware attacks last month.

However, if one computer on a network has not been patched the machine can be infected. The infection can then spread across a network to patched computers.

Even if all vulnerable machines have been patched, infection may still occur. The attackers are using multiple attack vectors including spam emails containing malicious attachments.

To protect against these NotPetya ransomware attacks – and other similar attacks – the MS17-010 patch must be applied to all Windows devices. Since data recovery may not be possible it is essential for data to be backed up, with multiple copies made, including one copy on an air-gapped machine that is not exposed via the Internet.

Rapid7 recommends organizations should “employ network and host-based firewalls to block TCP/445 traffic from untrusted systems.” Additionally, “if possible, block 445 inbound to all internet-facing Windows systems.”

PsExec and wmic.exe should also be disabled to limit the ability of the ransomware to spread.

Since infection can occur via email, organizations should send alerts to company employees alerting them to the risk of attack from infected email attachments, specifically – but not exclusively – Microsoft Excel spreadsheets.

Security researcher Amit Serper at Cyberreason suggests it is possible to ‘vaccinate’ computers to prevent encryption, with his method confirmed by a number of firms such as Emisoft and PT security.

Serper says, “Create a file called perfc in the C:\Windows folder and make it read only.” Details of how to do this are available on Beeping Computer.

The post U.S. Healthcare Providers Affected by Global Ransomware Attack appeared first on HIPAA Journal.

World’s Largest Data Breach Settlement Agreed by Anthem

Posted by HIPAA Journal

The largest data breach settlement in history has recently been agreed by the health insurer Anthem Inc. Anthem experienced the largest healthcare data breach ever reported in 2015, with the cyberattack resulting in the theft of 78.8 million records of current and former health plan members. The breach involved names, addresses, Social Security numbers, email addresses, birthdates and employment/income information.

A breach on that scale naturally resulted in many class-action lawsuits, with more than 100 lawsuits consolidated by a Judicial Panel on Multidistrict Litigation. Now, two years on, Anthem has agreed to settle the litigation for $115 million. If approved, that makes this the largest data breach settlement ever – Substantially higher than $18.5 million settlement agreed by Target after its 41 million-record breach and the $19.5 million paid to consumers by Home Depot after its 50-million record breach in 2014.

After experiencing the data breach, Anthem offered two years of complimentary credit monitoring services to affected plan members. The settlement will, in part, be used to pay for a further two years of credit monitoring services. Alternatively, individuals who have already enrolled in the credit monitoring services previously offered may be permitted to receive a cash payment of $36 in lieu of the additional two years of cover or up to $50 if funds are still available. The settlement also includes a $15 million fund to cover out-of-pocket expenses incurred by plaintiffs, which will be decided on a case-by-case basis for as long as there are funds available.

Anthem has also agreed to set aside ‘a certain level of funding’ to make improvements to its cybersecurity defenses and systems, including the use of encryption to secure data at rest. Anthem will also be making changes to how it archives sensitive data and will be implementing stricter access controls. While the settlement has been agreed, Anthem has not admitted any wrongdoing.

Anthem Spokesperson Jill Becher explained that while data were stolen in the attack, Anthem has not uncovered evidence to suggest any of the information stolen in the cyberattack was used to commit fraud or was sold on. Becher also said, “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyberattack and who will now be members of the settlement class.”

While the decision to settle has been made, the settlement must now be approved by the U.S. District judge in California presiding over the case. District Judge Lucy Koh will hear the case on August 17, 2017.

The post World’s Largest Data Breach Settlement Agreed by Anthem appeared first on HIPAA Journal.