Healthcare Data Privacy

AMIA Suggests it’s Time for a HIPAA Update

The American Medical Informatics Association has suggested now is the time to update the Health Insurance Portability and Accountability Act (HIPAA) to make sure the legislation fits today’s connected world.

The legislation was first introduced more than 20 years ago at a time when the Internet was just in its infancy. Over the past two decades, technology has advanced in ways that could not have been predicted when the legislation was written. Updates are now required to ensure HIPAA maintains pace with technology.

HIPAA is perhaps best known for its privacy provisions, although these are commonly misunderstood by patients and healthcare providers alike. The HIPAA Privacy Rule gives patients the right to access their health data, although many patients are confused about what data they are able to access and what their rights actually are.

The Department of Health and Human Services produced video guides last year to help patients understand their right to access their healthcare data under HIPAA; however, AMIA suggests more should be done to clarify the HIPAA right to access.

Healthcare providers often provide access to a limited range of patients’ health information via patient portals – information such as prescribed medications, allergies and lab test results; however, AMIA suggests the HIPAA Privacy Rule should be clarified so patients are aware they have the right to access all health data held by a covered entity in a designated record set or to obtain a digital copy of their legal health record. In the paper it is suggested this could be clarified in guidance from the Office for Civil Rights rather than a HIPAA legislation update.

However, an update to the legislation has been suggested to cover mHealth apps and related technologies. Currently, health data is collected, stored, and transmitted by a wide range of non-HIPAA-covered entities, yet non-covered entities are not required to provide users with access to their data.

If HIPAA is not extended to include these non-covered entities, AMIA suggests there should at least be HIPAA-like requirements for non-covered entities that would allow users of mHealth apps to gain access to their data. An alternative would be for industry stakeholders to develop codes of conduct that could be followed to ensure patients are able to access their data, if required.

Currently, non-covered entities are able to collect, use, and share ‘PHI’ in ways that may place patients’ data at risk of exposure or could result in data being shared improperly. The researchers suggest “HIPAA should be strengthened and extended, in particular to accommodate the broader set of data and stakeholders that are relevant to patient health, such as data from the use of Fitbit and Apple Watch.”

AMIA also suggests more needs to be done to make it easier not only for patients to access their data, but to pass on the information to other healthcare organizations. “EHR certification and health care system accreditation should be tied to making it easy for patients not only to obtain their data, but to obtain the data in a manner that preserves “computability” and standardization such that the data can be readily transferred to and consumed by other health IT systems with little or no need for further processing.”

AMIA also recommends federal officials and private sector stakeholders develop a process for vetting mHealth applications to ensure they have a minimum level of privacy, security, and safety protections.

Federal agencies should also collaborate to create a policy framework for research and innovation; “a framework that includes “common rule” updates to facilitate secondary use of data for research, common Data Use and Reciprocal Support Agreements, common enforced technical functionalities and specifications based on standard APIs, and data portability from HIPAA-covered entities.”

In total, 17 policy recommendations were made. The paper was recently published in JAMIA.

The post AMIA Suggests it’s Time for a HIPAA Update appeared first on HIPAA Journal.

918,000 Patients’ Sensitive Information Exposed Online

The data of 918,000 patients who provided their sensitive information to HealthNow Networks, a Boca Raton, FL-based telemarketing organization that used to provide medical supplies to seniors, has been exposed online for many months.

The data were discovered by an individual with the Twitter handle Flash Gordon after he conducted a search for unprotected data on the search engine Shodan. The data had been stored in an unprotected root folder on an Amazon Web Services installation owned by a software developer who had previously worked on a database for HealthNow Networks. The project was abandoned long ago, although the data provided to the developer were not secured and could be accessed online.

The database contained a range of highly sensitive data including individuals’ names, addresses, email addresses, telephone numbers, dates of birth, Social Security numbers, health insurance information and medical conditions. The data had been collected by the telemarketing firm and individuals had been offered discounted medical equipment in exchange for providing the firm with their data.

The data breach was investigated by ZDNet and Databreaches.net, who contacted AWS to report the exposure of sensitive data. Amazon made contact with the software developer who removed the data. ZDNet/Databreaches.net also managed to contact the owner of HealthNow Networks – which is no longer in business – and the software developer, both of whom confirmed the database has now been deleted.

While the data are no longer accessible online, the investigation revealed that many of the individuals whose data were exposed had their email addresses listed on the Have I Been Pwned website, suggesting the database may already have been accessed and downloaded and used for spamming and fraud. However, the logs detailing who accessed the data were not provided to ZDNet/Databreaches.net.

The data breach has now been reported to the FTC, FBI and other law enforcement agencies. The report of the breach and investigation can be viewed on Databreaches.net and ZDNet.

Affected Individuals May Not be Notified

The database contained a number of data elements that are included in the HIPAA description of protected health information (PHI).

The Health Insurance Portability and Accountability Act’s Breach Notification Rule requires HIPAA covered entities to notify patients of any breach of their protected health information (PHI). However, HIPAA only applies to HIPAA-covered entities and their business associates. Individuals whose information has been exposed will not necessarily be notified of the breach of their information as telemarketing firms are not HIPAA-covered entities.

Non-HIPAA-covered entities are required to issue breach notifications, although only under state laws. Many states have now introduced data breach notification laws to protect residents in the event of a breach of their sensitive data by non-HIPAA-covered entities, although gaps exist.

Only 47 states have introduced data breach notification laws, and the definitions of ‘personal information’ that warrant notifications to be issued differ state by state. Alabama, New Mexico, and South Dakota have yet to introduce breach notification laws, so residents of those states may not be notified of data breaches.

Whether individuals affected by a data breach will be notified depends on which company has experienced a data breach and where affected individuals live in the United States. Even if health data is exposed or stolen, breach notifications may not be issued.

Large Hospitals and Teaching-Focused Hospitals Face Greater Risk of Data Breaches

A study recently published in JAMA Internal Medicine examined recent healthcare data breach trends to determine which types of hospitals are the most susceptible to data breaches.

The researchers analyzed breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights between October 21, 2009 and December 31, 2016. During that time, 216 hospitals reported 257 breaches of more than 500 patient records.

33 hospitals experienced more than one data breach during that time frame. Four hospitals – Brigham and Women’s Hospital, Cook County Health & Hospitals System, Mount Sinai Medical Center and St. Vincent Hospital and Healthcare Inc – experienced three data breaches. Two hospitals – Montefiore Medical Center and University of Rochester Medical Center & Affiliates – experienced four data breaches.

The researchers determined the size of the acute care hospitals by linking the facilities to their Medicare cost reports submitted to the Centers for Medicare and Medicaid Services in the 2014 fiscal year. 141 acute care hospitals were linked to CMS cost reports. Unlinked hospitals included those run by the Department of Veterans Affairs, military hospitals and long-term care hospitals.

The study revealed that larger hospitals were statistically more likely to experience a data breach. More than one third of hospitals (37%) that had experienced a data breach are classed as major teaching hospitals.

Linked hospitals had a median of 262 beds, while an analysis of 2852 acute care hospitals that had not reported a data breach had a median of 134 beds. 265 (9%) of those unbreached hospitals were major teaching hospitals.

The researchers found that both the size of hospitals and their teaching status were positively associated with the risk of experiencing data breaches.

The researchers used multivariable and regression analyses to compare the 141 linked acute care hospitals with other hospitals to determine why they faced a higher risk of experiencing data breaches.

The researchers suggest the reason why larger hospitals and teaching hospitals experience more data breaches is due to having broader access to sensitive patient data. The more individuals who require access to data, the greater the risk of data breaches occurring. The report suggests “There is a fundamental trade-off between data security and data access.” When data are made available to a greater number of individuals for research and education purposes it makes “zero breach” an extremely challenging objective.

While investment in information technology such as EHRs has certainly made hospitals more efficient and has improved the provision of care to patients, it has also made security and privacy breaches more likely.

While many hospitals have invested heavily in cybersecurity defenses to reduce the risk of data breaches, the breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights clearly show that healthcare data breaches are increasing in frequency.

The fast-evolving threat landscape requires hospitals to invest in cybersecurity defenses to mitigate data breach risk and hospitals must continuously evaluate data security risks and apply best data security practices to prevent breaches from occurring; however, it is difficult for hospitals to determine which technologies and best practices are the most effective at preventing data breaches.

Lead author of the study, Ge Bai, an assistant professor at Johns Hopkins Business School, said, “More research is needed to identify effective and evidence-based data security practices to guide hospitals’ risk management efforts.”

Dr. Donald Rucker Named New National Coordinator for Health IT

Dr. Donald Rucker has been named as the new National Coordinator of the Department of Health and Human Services’ Office of the National Coordinator for Healthcare Information Technology.

Neither the Department of Health and Human Services nor the Office of the National Coordinator for Healthcare Information Technology has officially announced the new appointment, although Dr. Donald Rucker’s name now appears in the HHS directory as National Coordinator.

Donald Rucker will replace acting National Coordinator, Jon White, M.D., who took over the position following the resignation of Dr. Vindell Washington in January 2016. White is expected to return to his former position as deputy national coordinator.

Prior to joining the ONC, Donald Rucker was an adjunct professor at the Department of Biomedical Informatics at Ohio State University’s College of Medicine. Prior to that appointment, Rucker was Chief Medical Officer at Premise Health for a year and CMO at Siemens Healthcare USA for 13 years.

While at Siemens Healthcare USA, Rucker led the team that designed the computerized physician order entry workflow that won the 2003 HIMSS Nicholas Davies Award for the best hospital computer system in the United States.

Donald Rucker has previously served as Clinical Assistant Professor of Emergency Medicine at the University of Pennsylvania Health System and as an Emergency Department Physician at Beth Deaconess Medical Center in Boston. Rucker has also practiced emergency medicine at Kaiser Permanente in California and at University of Pennsylvania’s Penn Presbyterian and Pennsylvania Hospitals. Rucker also worked at Datamedic in 1988 where he co-developed the first Windows-based electronic medical record system.

Donald Rucker graduated in Chemistry at Harvard University and medicine at the University of Pennsylvania School of Medicine, and also holds an MBA and a Masters in Medical Computer Science from Stanford University.

This will be Dr. Rucker’s first government position.

FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks

The Federal Bureau of Investigation has issued a warning to healthcare organizations using File Transfer Protocol (FTP) servers. Medical and dental organizations have been advised to ensure FTP servers are configured to require users to be properly authenticated before access to stored data can be gained.

Many FTP servers are configured to allow anonymous access using a common username such as ‘FTP’ or ‘anonymous’. In some cases, a generic password is required, although security researchers have discovered that in many cases, FTP servers can be accessed without a password.

The FBI warning cites research conducted by the University of Michigan in 2015 that revealed more than 1 million FTP servers allowed anonymous access to stored data.

The FBI warns that hackers are targeting these anonymous FTP servers to gain access to the protected health information of patients. PHI carries a high value on the black market as it can be used for identity theft and fraud.

Healthcare organizations could also be blackmailed if PHI is stolen. Last year, the hacker operating under the name TheDarkOverlord conducted a number of attacks on healthcare organizations. The protected health information of patients was stolen and organizations were threatened with the publication of data if a sizable ransom payment was not made. In some cases, patient data were published online when payment was not received.

There are reasons why IT departments require FTP servers to accept anonymous requests; however, if that is the case, those servers should not be used to store any protected health information of patients. If PHI must be stored on the servers, they cannot be configured to run in anonymous mode.

In anonymous mode, any information stored on the server can potentially be accessed by the public. Hacking skills would not be required. Default usernames are freely available on the Internet.

Even if PHI is not stored on the servers, healthcare organizations may still be at risk. Any sensitive data could be accessed and used against the organization, ransomware could be installed or the servers could be used by hackers and other cybercriminals to store illegal content or malicious tools.

In the alert, the FBI said “In general, any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft or financial fraud.”

Large healthcare organizations may already have ensured their servers are not configured to allow anonymous access or that all sensitive information has been removed from those servers; however, that may not be the case for smaller healthcare organizations. Smaller medical and dental organizations are more likely to be placing patient data and other sensitive information at risk.

The FBI suggests all healthcare organizations should instruct their IT departments to check the configuration of their FTP servers to ensure they are not running in anonymous mode and to take immediate action to secure those servers and reduce risk if they are.
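The configuration check the FBI recommends, as an added example that is not part of the FBI alert or HIPAA Journal’s post. It assumes the server is vsftpd (option names from the vsftpd.conf man page); the two sample configurations are constructed, one showing the weak anonymous setup and one the corrected form.

```python
"""Audit a vsftpd configuration file for anonymous access.

Added example, not the FBI's or HIPAA Journal's code. Assumes vsftpd;
the option names (anonymous_enable, no_anon_password, write_enable,
anon_upload_enable, anon_mkdir_write_enable) are documented in the
vsftpd.conf man page. Sample configurations below are constructed.
"""
import re

# vsftpd's documented default for anonymous_enable is YES, so a missing
# key still means anonymous logins are accepted. The others default to NO.
DEFAULTS = {
    "anonymous_enable": "YES",
    "no_anon_password": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "write_enable": "NO",
}


def parse_vsftpd_conf(text):
    """Return {option: VALUE} from vsftpd.conf text.

    vsftpd directives are ``option=value`` with no spaces around ``=``;
    blank lines and ``#`` comments are ignored. Values are upper-cased
    so YES/yes/Yes compare equal.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_]+)=(.*)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().upper()
    return settings


def effective(settings, key):
    """Value actually in force: the configured one, else the vsftpd default."""
    return settings.get(key, DEFAULTS.get(key, "NO"))


def audit_anonymous(conf_text):
    """Return a list of findings; an empty list means no anonymous exposure."""
    s = parse_vsftpd_conf(conf_text)
    findings = []
    if effective(s, "anonymous_enable") == "YES":
        how = "explicitly" if "anonymous_enable" in s else "by default (key absent)"
        findings.append(f"anonymous login enabled {how}")
        if effective(s, "no_anon_password") == "YES":
            findings.append("anonymous users are not even prompted for a password")
        if effective(s, "write_enable") == "YES" and (
            effective(s, "anon_upload_enable") == "YES"
            or effective(s, "anon_mkdir_write_enable") == "YES"
        ):
            findings.append("anonymous users can upload or create directories")
    return findings


# Constructed sample: the weak configuration the FBI alert describes.
WEAK_CONF = """\
# listen on IPv4
listen=YES
anonymous_enable=YES
no_anon_password=YES
write_enable=YES
anon_upload_enable=YES
local_enable=YES
"""

# Constructed sample: the corrected configuration (authenticated users only).
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        problems = audit_anonymous(conf)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against `/etc/vsftpd.conf` (or wherever the distribution keeps it) by reading the file into `audit_anonymous`; a non-empty result on a server that holds PHI is the condition the alert tells IT departments to fix.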

Patients’ PHI Accidentally Sent to Media Outlets by Mecklenburg County

A spreadsheet containing the protected health information of more than 1,200 patients has been accidentally sent to two media outlets by a worker at Mecklenburg County, NC.

The spreadsheet was emailed to the media outlets in response to a freedom of information request. That request was made following the discovery that 185 female patients had not been notified of abnormal Pap smear results. The spreadsheet had been created for state officials who were conducting an audit.

County officials discovered the HIPAA breach on Monday and immediately launched an investigation to determine how such an error could have been made. County officials are furious about the privacy breach. Commissioner Vilma Leake said she wanted “to fire everybody on the health department.” County Manager Dena Diorio said “I am absolutely speechless with anger about how something like this could happen.”

This is the second HIPAA breach in a month to be discovered by Mecklenburg County. WSOCTV said it had previously been sent information that contained the name of an individual that should not have been released. A request was received to return that information.

The latest mistake was allegedly made while a county worker was attempting to resolve the first privacy violation. County Commissioner Jim Puckett told WSOCTV Channel 9 “We had a relatively small problem that has escalated into a large one.”

The latest incident has prompted the County to implement new policies and procedures to prevent HIPAA breaches of this nature from occurring in the future.

Those policies will include prohibiting the inclusion of any protected health information in spreadsheets. ‘Gap measures’ have also been put in place to reduce the potential for a repeat HIPAA breach. Those measures include signing off any information coming out of the health department by two employees. A long-term solution is also being developed to ensure that public information requests are processed correctly without violating individuals’ privacy.

The Department of Health and Human Services’ Office for Civil Rights and affected patients will be notified of the privacy breach within the next 60 days in accordance with HIPAA Rules.

Healthcare organizations should have policies in place to ensure responses to information requests are checked by multiple members of staff before they are released outside an organization.

All workers can make mistakes, but policies should be in place to prevent an error by a single employee resulting in a HIPAA violation and potentially, a significant HIPAA violation penalty. This incident shows how easy it is for a HIPAA breach to occur if adequate checks are not conducted.

Former Employee Accused of Stealing PHI of up to 160,000 Med Center Health Patients

The Kentucky-based 6-hospital health system Med Center Health has reported a data breach affecting approximately 160,000 patients. Med Center Health believes a former employee may have stolen patients’ protected health information (PHI) prior to leaving employment.

The former employee has been accused of stealing PHI including names, addresses, health insurance information, Social Security numbers, procedure codes and billing information. Medical records were not compromised at any point.

The FBI has been notified and is also investigating along with other federal agencies. Med Center Health is in the process of notifying patients of the breach, although the process is expected to take a couple of weeks due to the number of individuals that have been impacted.

While the breach has only recently been announced, the data theft incidents date back to 2014 and 2015. The former employee is understood to have taken an encrypted CD and encrypted portable storage device in August 2014 and February 2015. There was no legitimate work reason for ePHI to have been taken, although on both occasions the former employee claimed the data were needed for work-related duties.

The Bowling Green Daily News suggests Med Center Health discovered the breach several months ago, although notifications were delayed. A spokesperson for Med Center Health told Bowling Green Daily News “Med Center Health informed patients as expeditiously as possible. It is important to understand that the information leading Med Center Health to report the incident pursuant to HIPAA developed over time during an intensive internal investigation.”

Patients affected by the breach had received medical services at one of six Med Center Health facilities between 2011 and 2014: Cal Turner Rehab and Specialty Care, Medical Center EMS, the Commonwealth Regional Specialty Hospital, the Medical Center at Bowling Green, the Medical Center at Franklin and the Medical Center at Scottsville.

Patients impacted by the breach have been offered 12 months of credit monitoring and identity theft protection services without charge. Med Center Health has not uncovered any evidence to suggest that any of the stolen information was used to commit fraud, although the possibility cannot be ruled out.

UNC Health Care Reports Exposure of 1300 Prenatal Patients’ PHI

Prenatal patients who visited certain obstetric clinics operated by UNC Health Care are being notified that some of their protected health information has been disclosed to local health departments by mistake.

Pregnancy Home Risk Screening Forms of Medicaid-eligible patients are sent to local health departments to ensure those individuals are connected with appropriate support services. However, UNC Health Care has discovered that in addition to Medicaid-eligible patients, forms relating to patients who were not eligible for Medicaid were also sent to local health departments. In total, around 1,300 patients have been affected.

The privacy breach affects women who had prenatal appointments at the UNC Maternal-Fetal Medicine at Rex Hospital or the Women’s Clinic at the North Carolina Women’s Hospital between April 2014 and February 2017.

Pregnancy Home Risk Screening Forms contain patients’ names and addresses, race and ethnicity, Social Security numbers, health and mental health histories, details of patients’ HIV status, any sexually transmitted diseases contracted, medical diagnoses related to the pregnancy or past pregnancies, details of drug and alcohol use and whether the patients were smokers.

Patients whose privacy has been violated were informed of the breach by mail on March 20, 2017. Patients have been advised that the health departments that have been sent the information are covered by state and federal laws put in place to protect patient privacy. Those health departments must have appropriate administrative, technical and physical safeguards in place to protect all protected health information that is received and stored.

Consequently, the risk of any sensitive information being used inappropriately is believed to be low, although as a precaution, all individuals affected by the breach have been offered fraud resolution services in case any experience identity theft or fraud as a result of the incident.

To prevent future breaches of this nature from occurring, UNC Health Care has updated its policies and procedures covering patients who complete the Pregnancy Home Risk Screening Form and all staff members have been trained on the new procedures. In future, only forms completed by Medicaid-eligible individuals will be sent to county health departments.

UNC Health Care has requested all county health departments purge any information relating to non-Medicaid-patients from their databases.

Snapshot of Healthcare Data Breaches in February 2017

The Protenus Breach Barometer healthcare data breach report for February includes some good news. Healthcare data breaches have not risen month on month, with both January and February seeing 31 data breaches reported.

The report offers some further good news. Healthcare hacking incidents fell in February, accounting for just 12% of the total number of breaches reported during the month. There was also a major fall in the number of healthcare records exposed or stolen. In January, 388,207 healthcare records were reported as being exposed or stolen. In February, the number fell to 206,151 – a 47% drop in exposed and stolen records. However, February was far from a good month for the healthcare industry.

IT security professionals have long been concerned about the threat from within, and last month clearly showed those fears are grounded in reality. February saw a major increase in the number of incidents caused by insiders. Insider breaches in February accounted for 58% of the total number of incidents reported for which the cause was known; double the number reported the previous month.

Insider wrong-doing was behind eight of the 18 incidents caused by insiders and nine were the result of errors by employees. One of the incidents could not be classified due to a lack of information about the exact nature of the breach.

Preventing insider breaches can be a major challenge for healthcare organizations, as can detecting breaches when they occur. Small to mid-sized organizations often do not have the resources to allow them to continuously monitor for the inappropriate accessing of healthcare records by employees. However, if continuous monitoring is not possible, covered entities must ensure that regular audits of access logs take place. Fast detection of improper access can greatly reduce the harm that those incidents cause. Regular reviews of access logs will also reduce the risk of an OCR HIPAA fine or settlement.

HIPAA requires covered entities to maintain access logs and regularly check for inappropriate ePHI access, although the frequency of those checks and audits is left to the discretion of the covered entity. The frequency of audits should be dictated by the results of an organization’s risk analysis.

Last month showed that while some healthcare organizations are complying with 45 CFR § 164.308(a)(5)(ii)(C) – log-in monitoring – and 45 CFR § 164.312(b) – Audit controls – and are keeping logs, they are failing on Section 45 CFR § 164.308(a)(1)(ii)(D) by not regularly conducting information system activity reviews.

One incident reported in February involved an employee improperly accessing ePHI for more than five years (2,103 days) before the improper access was detected. HIPAA Rules may not stipulate how frequently access logs should be checked, but it would be difficult to argue that a check every five years constituted ‘regular’.

That was not the only long delay in detecting a breach. A second incident was also reported in February that took more than five years to detect (1,952 days). In that case the incident involved a system glitch that left ePHI exposed.

Overall, the breaches and security incidents reported in February took far longer to identify than those reported in January. It took an average of 478 days from the date the incident occurred to the date OCR was notified of the breach; that said, the average time was increased considerably by the two 5-year+ delays in detection. In January, the average time from the initial event to reporting was 174 days.
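What a periodic information system activity review under 45 CFR § 164.308(a)(1)(ii)(D) looks like in practice, as an added example that is not part of the Protenus report or HIPAA Journal’s post. It assumes a simple constructed access-log line format and a constructed care-team assignment table (real EHR audit logs and treatment-relationship data look different), flags users reading charts with no documented relationship, and measures how long the pattern went unnoticed, the metric behind the 2,103-day case above.

```python
"""Periodic information system activity review over EHR access logs.

Added example, not Protenus's or HIPAA Journal's code. The log format and
the care-team table are constructed for illustration; the review logic
(no documented relationship, unusual chart volume, after-hours reads,
exports, and days-undetected) is what an auditor would apply to real data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: timestamp user patient action
LOG_LINES = """\
2017-02-01T09:12:03 user=nurse_amy patient=P100 action=VIEW
2017-02-01T09:40:11 user=nurse_amy patient=P101 action=VIEW
2017-02-01T23:05:44 user=clerk_bob patient=P100 action=VIEW
2017-02-02T10:02:09 user=dr_lee patient=P102 action=VIEW
2017-02-02T12:30:00 user=clerk_bob patient=P103 action=VIEW
2017-02-03T02:14:07 user=clerk_bob patient=P104 action=VIEW
2017-02-03T02:15:31 user=clerk_bob patient=P105 action=VIEW
2017-02-03T02:16:02 user=clerk_bob patient=P106 action=EXPORT
2017-02-04T11:00:00 user=dr_lee patient=P102 action=UPDATE
""".splitlines()

# Constructed care-team table: charts each user has a documented treatment
# or billing relationship with during this review window.
ASSIGNMENTS = {
    "nurse_amy": {"P100", "P101"},
    "dr_lee": {"P102"},
    "clerk_bob": {"P103"},
}

MAX_UNASSIGNED = 2       # more distinct unassigned charts than this is a finding
AFTER_HOURS = (22, 6)    # 22:00 to 06:00 local time
SAMPLE_REVIEW_DATE = datetime(2017, 3, 1)   # date this review is run (constructed)


def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def is_after_hours(ts):
    start, end = AFTER_HOURS
    return ts.hour >= start or ts.hour < end


def review(lines, assignments, review_date):
    """Return {user: {'reasons': [...], 'days_undetected': n}} for flagged users."""
    per_user = defaultdict(list)
    for rec in map(parse_line, lines):
        per_user[rec["user"]].append(rec)
    findings = {}
    for user, recs in per_user.items():
        allowed = assignments.get(user, set())
        unassigned = [r for r in recs if r["patient"] not in allowed]
        reasons = []
        if unassigned:
            reasons.append(f"{len(unassigned)} accesses to charts with no documented relationship")
        if len({r["patient"] for r in unassigned}) > MAX_UNASSIGNED:
            reasons.append("more distinct unassigned charts than the review threshold")
        night = [r for r in unassigned if is_after_hours(r["ts"])]
        if night:
            reasons.append(f"{len(night)} of those were after hours")
        exports = [r for r in unassigned if r["action"] == "EXPORT"]
        if exports:
            reasons.append(f"{len(exports)} export(s) of unassigned charts")
        if reasons:
            # How long the earliest improper access sat unnoticed before this review.
            first = min(r["ts"] for r in unassigned)
            findings[user] = {"reasons": reasons,
                              "days_undetected": (review_date - first).days}
    return findings


def run_sample_review():
    return review(LOG_LINES, ASSIGNMENTS, SAMPLE_REVIEW_DATE)


if __name__ == "__main__":
    for user, f in run_sample_review().items():
        print(f"{user}: {f['days_undetected']} days undetected; " + "; ".join(f["reasons"]))
```

Running the review monthly instead of once a year keeps `days_undetected` small; the frequency itself is a risk-analysis decision, as the text notes, but the check has to exist and actually run.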

Breaches of electronic protected health information made up the bulk of incidents, although a third of incidents involved paper records, highlighting the importance of implementing physical controls to keep physical PHI secured.

While California usually tops the list for the number of incidents reported each month, this month Texas earned the title of the worst hit state with 4 reported breaches. California, Arizona, and New York shared second place with three incidents apiece.

Healthcare providers were the worst affected in February, accounting for 77% of the month’s incidents. Health plans reported 13% of breaches and business associates and vendors accounted for 3%. The remaining 3% were reported by other organizations.