Healthcare Data Privacy

Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management

HITRUST has announced that it has updated the HITRUST CSF and has also launched a new CSF initiative specifically for small healthcare organizations to help them improve their resilience against cyberattacks.

While the HITRUST CSF – the most widely adopted privacy and security framework – can be followed by healthcare organizations to improve their risk management and compliance efforts, for many smaller healthcare organizations following the framework is simply not viable: they do not have the staff or the expertise to follow the full HITRUST CSF framework.

While the HITRUST CSF program is beneficial for smaller healthcare organizations, they do not face the same levels of risk as larger organizations. Given that the risks are lower and that complying with HIPAA already takes up a lot of resources, HITRUST has developed a simplified, streamlined framework which is much better suited to small healthcare organizations.

The new framework – called CSF Basic Assurance and Simple Institution Cybersecurity or CSFBASICs for short – has a more streamlined assessment approach, is easier to understand, yet will still help smaller healthcare organizations with their risk management and compliance efforts.

To develop the pilot CSFBASICs program, HITRUST collaborated with small businesses and the physician community. The pilot is now in the final phase and HITRUST expects to make the CSFBASICs program widely available by Q3, 2017.

Dr. J. Stefan Walker of Corpus Christi Medical Associates (CCMA), a Corpus Christi, TX-based five-physician primary healthcare practice, explained the problem, “I really don’t know many small practices that can comply with all our regulatory obligations, including HIPAA.” Walker went on to say, “We generally don’t have the staff or the expertise, nor can we hire consultants, to manage these programs on an ongoing basis. I honestly didn’t know how my practice could be secure or demonstrate HIPAA compliance, but that was before I had the opportunity to pilot CSFBASICs.”

Enhancements Made to HITRUST CSF and CSF Assurance Program


In addition to the CSFBASICs program, HITRUST has also announced that it has enhanced its HITRUST CSF programs (V8.1 and V9) along with the supporting HITRUST CSF Assurance Program (V9). The updates include new guidance and better assurance and support for healthcare organizations to help them deal with the increase in cyber threats and to improve resilience against those threats.

HITRUST (and the HITRUST CSF Advisory Council) sought input from healthcare industry stakeholders on potential changes and updates to the framework. From the comments received, a number of enhancements have now been made.

HITRUST CSF v8.1, which was made available on February 6, 2017, includes updated content and support for PCI DSS v3.2 and MARS-E v2. The CSF Assurance Program V9 has been enhanced with the HITRUST CSF Assessment also including a NIST Cybersecurity Framework certification, a HIPAA risk assessment and auditable documentation.

The HITRUST CSF v9 update includes the latest OCR Audit Protocol (v2), FedRAMP support for cloud and IaaS service providers and the FFIEC IT Examination Handbook for Information Security. The updated version is not expected to be available until July 2017. That will give HITRUST time to harmonize the new requirements with the current program to ensure that the changes do not add unduly to the complexity of the framework.

The post Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management appeared first on HIPAA Journal.

Theft, Hacking, Ransomware and Improper Accessing of ePHI – Attacks Coming from All Angles

Theft, hacking, ransomware, and improper ePHI access by employees – the past few days have seen a diverse range of healthcare data breaches reported.

St. Joseph’s Hospital and Medical Center in Arizona, Family Service Rochester of Minnesota, and the University of North Carolina have all reported potential breaches of patients’ ePHI, while Lexington Medical Center in South Carolina has announced that the sensitive data of its employees have been viewed.

University of North Carolina Reports Theft of Dental Patients’ ePHI

A laptop computer and an SD memory card from a digital camera were stolen from the car of a postgraduate dental resident at the University of North Carolina School of Dentistry. While the devices should have had a number of security measures in place to prevent improper data access, UNC has been unable to confirm whether that was the case. The breach may have resulted in the exposure of around 200 patients’ personal information including full face photographs (without any other PHI), names, dates of birth, dental record numbers, treatment plans, dental and health histories, and referral letters including contact information.

Affected patients have been offered one year of credit monitoring services, staff have been retrained on the proper procedures for storing patient health information and disciplinary sanctions have been imposed on the individual who had been issued with the devices.

Family Services Rochester: Systems Hacked; ePHI Potentially Viewed; Data Encrypted

Family Services Rochester in Minnesota has discovered that some of its systems were compromised by a hacker. The accessed part of its computer system contained a range of sensitive electronic information including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical insurance numbers and medical information.

Access to the computer system was first gained on December 26, 2016 and continued until January 25, 2017, when the attacker installed ransomware that encrypted a range of sensitive data. The incident is being investigated internally and by law enforcement and affected individuals have been offered credit monitoring services to protect them against identity theft.

St. Joseph’s Hospital and Medical Center Breach: Improper Access by Employee

The electronic protected health information of 623 patients of Dignity Health’s St. Joseph Hospital and Medical Center in Phoenix, AZ, has been improperly accessed by one of the center’s employees. The part-time employee was discovered to have accessed the records of patients without any legitimate work purpose for doing so between October 1, 2016 and November 22, 2016. The types of data accessed include patients’ names, demographic data, diagnostic information, clinical information (including doctor’s orders) and medication records. No Social Security numbers or financial data were accessed. The employee in question is not believed to have accessed the records with malicious intent and patients are not believed to be at risk of identity theft. Dignity Health says “appropriate action has been taken in response to the event.”

Lexington Medical Center – Employee Information Accessed by an Unauthorized Individual

Lexington Medical Center, in Lexington, SC, has discovered that a database – eConnect/Peoplesoft – containing the sensitive information of employees has been accessed by an unauthorized individual. The database contained the types of information criminals seek when sending W-2 Form phishing emails. In this case, the database does not appear to have been accessed as a result of an employee falling for such a scam. The data accessed includes the names and Social Security numbers of employees, but no patient information. Action has been taken to secure the database to prevent further access by unauthorized individuals.

Healthcare Data Breaches Reported to Office for Civil Rights in February 2017

Other recent healthcare data breaches reported to the Department of Health and Human Services Office for Civil Rights in February include:

| Covered Entity | Location | Entity Type | Records Breached | Cause of Breach |
|---|---|---|---|---|
| Universal Care, Inc. DBA Brand New Day | CA | Health Plan | 14,005 | Unauthorized Access/Disclosure |
| Family Medicine East, Chartered | KS | Healthcare Provider | 6,800 | Theft |
| Walgreen Co | IL | Healthcare Provider | 4,500 | Unauthorized Access/Disclosure |
| Catalina Post-Acute Care and Rehabilitation | AZ | Healthcare Provider | 2,953 | Improper Disposal |
| Jeffrey D. Rice, O.D., L.L.C. | OH | Healthcare Provider | 1,586 | Theft |
| Benesch, Friedlander, Coplan & Aronoff LLP | OH | Business Associate | 1,134 | Unauthorized Access/Disclosure |
| Bloom Physical Therapy, LLC dba Physicians Physical Therapy Service | AZ | Healthcare Provider | 500 | Unauthorized Access/Disclosure |

The post Theft, Hacking, Ransomware and Improper Accessing of ePHI – Attacks Coming from All Angles appeared first on HIPAA Journal.

Quarter of Americans Have Been Impacted by a Healthcare Data Breach

Given the volume of healthcare records that have been exposed or stolen over the past two years, it comes as little surprise that 26% of Americans believe their health data have been stolen. The figures come from a recent survey conducted by Accenture.

The survey was conducted on 2,000 U.S. adults and more than a quarter said that their medical information has been stolen as a result of a healthcare data breach.

Healthcare information is attractive for cybercriminals as the information in health records does not expire. Credit card numbers can only be used for an extremely limited time before cards are blocked. However, Social Security numbers can be used for a lifetime and health insurance information can similarly be used for extended periods. The information can also be used for a multitude of nefarious activities such as tax fraud, identity and medical identity theft and insurance fraud.

It is also unsurprising that many victims of healthcare data breaches have reported suffering losses as a result of the theft of their data. According to Accenture, half of the individuals who said their data have been stolen said they have experienced medical identity theft as a result. The survey revealed that when medical identity theft occurs, out of pocket expenses of $2,500 are incurred on average.

The report shows half of the individuals who said their data have been stolen did not find out from a breach notification letter. They discovered they were a victim of a healthcare data breach after seeing charges on bank/credit card statements and suspicious entries on their Explanation of Benefits statements. Only a third of respondents said they were notified of the breach by the breached entity.

Even with record numbers of healthcare data breaches occurring, Americans still have faith in providers’ abilities to keep electronic protected health information secure. 88% of respondents said they trusted their providers to secure their ePHI. 85% said they trusted pharmacies, 84% trusted hospitals and 82% trusted health insurance companies. Healthcare technologies fared much worse (57%), as did government organizations (56%).

Businesses that experience data breaches know all too well that there is considerable fallout after a breach announcement is made. Many customers simply take their business elsewhere. That was clearly evident after the Target breach.

However, changing healthcare provider is less straightforward. That said, many breach victims said they did change healthcare provider or insurer after they were notified that their health information had been stolen. A quarter of breach victims said they had already changed healthcare provider following a data breach, while 21% said they had changed health insurance provider.

If a data breach or an attack is experienced, healthcare organizations should carefully assess what went wrong and how their cybersecurity defenses can be improved. Considering the impact healthcare data breaches have on patients and the considerable fallout following a data breach, healthcare organizations should ensure that their cybersecurity defenses are up to scratch to prevent data breaches from occurring in the first place.

The post Quarter of Americans Have Been Impacted by a Healthcare Data Breach appeared first on HIPAA Journal.

American Senior Communities Says 17,000 Employees Impacted by W-2 Scam

American Senior Communities, a nursing home chain based in central Indiana, has announced that one of its employees responded to a W-2 phishing email and sent the tax information of more than 17,000 employees to tax fraudsters.

There have now been more than 70 organizations that have responded to W-2 Form phishing emails so far this year according to Databreaches.net, although the latest addition to the list is the largest confirmed breach of employee information to have occurred this year.

The massive haul of W-2 Form data included employees’ names, Social Security numbers, birth dates, and addresses. An investigation suggests that the individual behind the campaign was based offshore.

In many cases, organizations discover they have been scammed soon after the email has been sent, allowing rapid action to be taken to limit the harm caused. However, that was not the case here.

The phishing email was sent to a payment processor for American Senior Communities in mid-January; however, the incident was not discovered for a month.

The employee’s error was only identified on February 17 after some of the nursing home chain’s staff members had reported that they had attempted to file their tax returns for the previous fiscal year, only to have those claims rejected as a tax return had already been submitted in their name.

Once it became clear that the tax fraud was made possible because of the actions of an employee, the IRS was notified. The incident has also been reported to the Indiana Office of Attorney General, law enforcement and the Indiana Department of Revenue. It is unclear how many of the 17,000 employees have already had tax returns filed in their name by fraudsters.

All employees affected by the incident have been offered free credit monitoring service to protect them against identity theft and further fraudulent use of their information.

The post American Senior Communities Says 17,000 Employees Impacted by W-2 Scam appeared first on HIPAA Journal.

Citizens Memorial Hospital Latest Victim of W-2 Phishing Scam

Another healthcare provider has announced that one of its employees has been fooled by a W-2 phishing scam. Citizens Memorial Hospital in Bolivar, MO, says a request for W-2 Form data was sent to one of its employees by email.

The employee responded to the request believing the message was legitimate and had been sent internally. W-2 Forms for all employees at the 86-bed hospital who had taxable earnings for the 2016 fiscal year were sent via email to the scammers as requested. No announcement has been made about the number of employees impacted by the incident. The hospital discovered it was the victim of a scam the following day.

The incident has been reported to both the FBI and the IRS and affected employees have been notified and offered 2 years of identity theft protection services without charge through Experian. The incident is not a HIPAA breach as HIPAA Rules do not apply to employee data.

To prevent repeat attacks, Citizens Memorial Hospital will be enhancing its data security education programs. Staff will receive further training to help them identify any further phishing scams sent via email.

The W-2 phishing scam has already claimed many victims this year. The scammers send an email to a member of the payroll/HR department requesting W-2 Form data for all employees who worked for the organization in 2016. The scammers usually impersonate the CEO/CFO and use an email address similar to that used by the targeted organization. Oftentimes, there is one letter missing from the domain part of the email address. A casual glance at the sender’s address is unlikely to reveal that the email is a scam. A careful check will reveal that the email account has been spoofed.
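The "careful check" described above can be automated at the mail gateway or in a triage script. The following is an added example, not code from the HIPAA Journal post or from any of the organizations it names: it flags mail whose From: domain is one edit away from the organization's own domain (a letter missing, substituted or transposed) and which asks for W-2 or payroll data. The ORG_DOMAIN value, the keyword list and the two sample messages are constructed for the example.

```python
"""Lookalike-domain check for W-2 / payroll data requests.

Added example, not from the HIPAA Journal post: a triage check that flags
mail whose From: domain is one edit away from the organisation's own domain
(letter missing, swapped or substituted) and that asks for W-2 or payroll
data. ORG_DOMAIN, W2_KEYWORDS and the sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "examplehealth.org"  # assumed legitimate domain (constructed)
W2_KEYWORDS = ("w-2", "w2", "wage and tax statement", "payroll")


def one_edit_away(a: str, b: str) -> bool:
    """True if b differs from a by exactly one deletion, insertion,
    substitution or adjacent transposition (typical lookalike tricks)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diffs) == 1:                                  # substitution
            return True
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1  # transposition
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])
    short, long_ = sorted((a, b), key=len)                   # deletion/insertion
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]


def _domain(addr_header: str) -> str:
    _, addr = parseaddr(addr_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(raw_message: str, org_domain: str = ORG_DOMAIN):
    """Return (verdict, reasons); verdict is allow, review or quarantine."""
    msg = message_from_string(raw_message)
    sender = _domain(msg.get("From", ""))
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    text = (msg.get("Subject", "") + " " + body).lower()

    lookalike = one_edit_away(sender, org_domain)
    asks_w2 = any(k in text for k in W2_KEYWORDS)
    # A Reply-To outside the organisation while From looks internal diverts
    # the reply (and any attachment) to the impersonator.
    reply_dom = _domain(msg.get("Reply-To", ""))
    offsite_reply = bool(reply_dom) and reply_dom != org_domain

    reasons = []
    if lookalike:
        reasons.append(f"From domain {sender!r} is one edit from {org_domain!r}")
    if asks_w2:
        reasons.append("message asks for W-2/payroll data")
    if offsite_reply:
        reasons.append(f"Reply-To domain {reply_dom!r} is outside the organisation")

    if lookalike and asks_w2:
        return "quarantine", reasons
    if reasons:
        return "review", reasons
    return "allow", reasons


# Constructed samples: one impersonation attempt, one ordinary internal mail.
LOOKALIKE_W2 = """From: "Jane Doe, CFO" <jdoe@examplehelth.org>
Reply-To: jdoe.cfo@mail-example.test
To: payroll@examplehealth.org
Subject: Urgent: W-2 forms for all staff

Please send the 2016 W-2 forms for all employees as a single PDF today.
"""

LEGIT = """From: "HR" <hr@examplehealth.org>
To: staff@examplehealth.org
Subject: Benefits enrollment reminder

Open enrollment closes on Friday.
"""

if __name__ == "__main__":
    for sample in (LOOKALIKE_W2, LEGIT):
        verdict, why = classify(sample)
        print(verdict, why)
```

This catches only near-miss domains; a message that forges the organization's exact domain in the From: header passes this check and has to be stopped by SPF, DKIM and DMARC enforcement at the gateway.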

This type of scam was popular last tax season. There were at least 145 victims of the scam last year and tens of thousands of employees had their Social Security numbers, personal information, and earnings disclosed to tax fraudsters. Earlier this month, the IRS issued a warning to educational institutions, nonprofits, tribal organizations and healthcare organizations about the W-2 phishing scam advising them to be on high alert.

Databreaches.net is tracking reports of W-2 Form phishing scams. There have already been 62 organizations that have announced they have been fooled by the W-2 phishing scam in 2017.

In addition to Citizens Memorial Hospital, the following healthcare organizations have reported that an employee responded to the scam and disclosed employee data:

  • Adventist Health, Tehachapi Valley, CA
  • Campbell County Health, WY
  • EHealthInsurance, CA
  • Point Coupee Hospital, LA
  • SouthEast Alaska Regional Health Consortium, AK

The post Citizens Memorial Hospital Latest Victim of W-2 Phishing Scam appeared first on HIPAA Journal.

Quarter of Healthcare Organizations Do Not Encrypt Data Stored in the Cloud

A recent survey by HyTrust has revealed that a quarter of healthcare organizations do not use encryption to protect data at rest in the cloud, even though the lack of encryption potentially places sensitive data – including the protected health information of patients – at risk of being exposed.

Amazon Web Services (AWS) is one of the most popular choices in the healthcare industry, although many healthcare organizations are using multiple cloud service providers. 38% of respondents said they had a multi-cloud environment and 63% of respondents said they were planning to use multiple cloud service providers in the future. 63% of healthcare organizations said they were using the public cloud to store data.

When asked about their main concerns, data security came top of the list – with 82% of surveyed healthcare organizations rating security as their number one concern. Despite the concerns about data security, encryption is not always employed.

As Eric Chiu, co-founder and president of HyTrust explained, “For these care delivery organizations, choosing a flexible cloud security solution that is effective across multiple cloud environments is not only critical to securing patient data, but to remaining HIPAA compliant.” However, the lack of encryption is a cause for concern.

Health Insurance Portability and Accountability Act (HIPAA) Rules permit the use of cloud services for storing and processing ePHI. However, before any cloud service is used, covered entities are required to conduct a comprehensive risk assessment to assess threats to the confidentiality, integrity, and availability of ePHI.

Covered entities must make sure that appropriate technical safeguards are employed to ensure the confidentiality of cloud-stored ePHI is preserved, and data encryption must be considered. If a decision not to use encryption for cloud-stored data is made, the reason for that decision must be documented, along with the alternative controls that are put in place to provide a similar level of protection.

HHS pointed out in last year’s cloud computing guidance for HIPAA-covered entities that encryption can significantly reduce the risk of ePHI being accessed, exposed, or stolen. That said, HHS also explained that encryption alone is not sufficient to ensure the confidentiality, integrity, and availability of ePHI stored in the cloud.

Encryption may cover the confidentiality aspect, but it will do nothing to ensure that ePHI is always available, nor will it safeguard the integrity of ePHI. Alternative controls must be put in place to ensure ePHI can always be accessed, while access controls must be used to ensure the integrity of ePHI is maintained. The use of encryption alone to safeguard ePHI may therefore constitute a violation of the HIPAA Security Rule.

Healthcare organizations that choose to use cloud services provided by a separate entity must ensure that the cloud service provider is aware of its responsibilities with respect to ePHI. Cloud service providers are classed as business associates of covered entities, and as such, they are required to abide by HIPAA Rules. Healthcare organizations must obtain a signed business associate agreement from each cloud service provider used, if the service is used to store any ePHI. HHS has also explained that even if ePHI is stored in the cloud and the cloud service provider does not hold a key to decrypt the data, the cloud service provider is still classed as a HIPAA business associate.

The post Quarter of Healthcare Organizations Do Not Encrypt Data Stored in the Cloud appeared first on HIPAA Journal.

2016 Healthcare Data Breach Report Ranks Breaches By State

A new 2016 healthcare data breach report has been released that analyzes incidents reported to the Department of Health and Human Services’ Office for Civil Rights last year. While other reports have already been compiled, this latest report – compiled by data loss prevention firm Safetica USA – shows where those data breaches occurred and the states most affected by healthcare data breaches in 2016.

Data for the 2016 healthcare data breach report was taken from the Office for Civil Rights breach portal, which includes all reported breaches of more than 500 records. The data show that the states most affected by healthcare data breaches are those with the highest number of residents and highest number of healthcare providers.

The top ten states for healthcare data breaches were found to be:

  1. California – 39 breaches
  2. Florida – 28 breaches
  3. Texas – 23 breaches
  4. New York – 15 breaches
  5. Illinois, Indiana, & Washington – 12 breaches
  6. Ohio & Pennsylvania – 11 breaches
  7. Michigan – 10 breaches
  8. Arizona & Arkansas – 9 breaches
  9. Georgia & Minnesota – 8 breaches
  10. Colorado & Missouri – 7 breaches

The states least affected by healthcare data breaches in 2016 were:

  1. Idaho
  2. Maine
  3. North Dakota
  4. South Dakota
  5. Vermont
  6. West Virginia

HIPAA-covered entities based in each of those states survived 2016 without experiencing a data breach that impacted more than 500 individuals. Only one HIPAA breach impacting more than 500 individuals was reported last year by a HIPAA-covered entity based in Alaska, Delaware, Hawaii, New Hampshire, Nevada, Utah and Wyoming.

The five worst hit states in terms of the numbers of records exposed were as follows:

  1. Arizona – 4,524,278 records
  2. New York – 3,588,554 records
  3. Florida – 2,872,912 records
  4. California – 1,436,701 records
  5. Georgia – 782,956 records

The main causes of healthcare data breaches in 2016 were unauthorized access/disclosure, which accounted for 41.5% of breaches, followed by hacking/IT incidents (31.8%), theft (19%), loss (5.4%) and improper disposal (2.3%).

Theft of physical PHI and devices used to store electronic protected health information was significantly lower than in 2015 when theft accounted for 30% of reported data breaches. In 2015, unauthorized access/disclosure was cited as the cause of 38% of breaches, hacking/IT incidents accounted for 21.4% of breaches, loss of PHI and devices used to store ePHI was the cause of 8.3% of breaches, and improper disposal was the cause of 2.3% of breaches.

The post 2016 Healthcare Data Breach Report Ranks Breaches By State appeared first on HIPAA Journal.

Xerox: Nearly Half of Americans Concerned About Theft of Their Health Information

Healthcare data breaches in 2016 reached record levels, while 2015 saw more healthcare records stolen than the combined total stolen over the previous six years. Those data breaches have naturally had an effect on how healthcare patients view the security of their medical data.

OCR figures show that since 2009, 166 million healthcare records have been stolen or exposed – that’s 52% of the population of the United States. It is therefore understandable that patients are worried about data security. A recent Xerox eHealth survey has revealed the extent to which patients are worried about the data held by their healthcare providers.

In January 2017, 3,000 U.S. adults over the age of 18 were surveyed by Harris Poll for the Xerox survey. The survey revealed that 44% of healthcare patients are worried about their healthcare data being stolen.

However, even with the high number of data breaches, patients are overwhelmingly in support of the transmission of electronic health data over more outdated communication methods such as faxing. 76% of survey respondents said secure electronic sharing of healthcare data was better than faxing health information. Patients also appreciate the benefits that come from the secure, electronic sharing of healthcare data. 87% of respondents said the ability of their healthcare providers to share data digitally could decrease waiting times for diagnoses and medical test results.

That said, patients are frustrated by the inability of healthcare providers to share healthcare data, as Xerox Healthcare Industry Senior Vice President Cees Van Doorn explains, “Patients are frustrated by the lack of care coordination and disjointed processes, so much so, that our Xerox survey shows 19 percent of Americans would rather wait in line at the DMV than coordinate between different doctors’ offices to ensure they have all of their records and health information.”

While the survey suggests that healthcare patients are open to secure, electronic sharing of healthcare data, not all patients are entirely comfortable with providing their details to physicians. In fact, a previous study published by Black Book suggests that patients are holding back healthcare data due to data security fears. 89% of patients said they held back medical information from their healthcare providers, with 93% of those respondents saying they held back information due to security concerns.

Another Black Book market research survey suggests that even if patients are comfortable with the secure sharing of health data, exchanging information is still problematic. A quarter of healthcare administrators said they are unable to access patient data from external sources and 70% of hospitals do not have external health data in their EHR systems’ workflow.

The post Xerox: Nearly Half of Americans Concerned About Theft of Their Health Information appeared first on HIPAA Journal.

New York Giants Star and ESPN Agree to Settle Privacy Breach Lawsuit

A privacy breach lawsuit filed against ESPN by New York Giants defensive end Jason Pierre-Paul has been amicably resolved. ESPN has agreed to settle the lawsuit, although the terms of the settlement have not been announced.

On July 4, 2015, Pierre-Paul was involved in a fireworks accident and sustained serious burns to his hand. He was rushed to Jackson Memorial Hospital in Miami to receive treatment for his injuries. News soon broke that the NFL star had been taken to hospital, although it was initially unclear what injuries had been sustained.

That was until details of the injuries were leaked to ESPN reporter Adam Schefter. Schefter sent a tweet containing a photograph of Pierre-Paul’s medical chart which showed Pierre-Paul had sustained serious damage to his hand that required the amputation of his index finger.

The disclosure and dissemination of Pierre-Paul’s medical charts involved a violation of the Health Insurance Portability and Accountability Act (HIPAA), although not by Adam Schefter. While the HIPAA Privacy Rule prohibits the unauthorized disclosure of patients’ electronic protected health information, reporters are not HIPAA-covered entities and therefore are not required to abide by HIPAA Rules.

However, the medical charts could only have come from the hospital where Pierre-Paul had received treatment and therefore were likely supplied by a hospital employee. Neither Schefter nor ESPN disclosed the source of the medical charts; however, an investigation into the privacy breach was launched by Jackson Memorial Hospital.

That investigation revealed that two employees at the hospital had inappropriately accessed Pierre-Paul’s medical records. Both employees were terminated for the HIPAA violation.

While the lawsuit has now been settled amicably, ESPN maintains the disclosure of Pierre-Paul’s medical information was “both newsworthy and journalistically appropriate.”

Legal representatives of Pierre-Paul claim the reporter and ESPN blatantly disregarded the private and confidential nature of Pierre-Paul’s medical records by disseminating the information on social media, just to show supporting proof that a surgical procedure had been performed.

The post New York Giants Star and ESPN Agree to Settle Privacy Breach Lawsuit appeared first on HIPAA Journal.