Healthcare Data Privacy

ONC Issues Challenge to Develop a New Online Model Privacy Notice Generator

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has challenged designers, developers, and health data privacy experts to create a new online Model Privacy Notice (MPN) generator.

At present, the MPN is a voluntary resource that helps health technology developers who collect electronic health data provide information to consumers about how health data is collected, used, and protected.

The purpose of the MPN is to improve transparency and clearly display information about an organization’s privacy practices to enable consumers to make an informed decision about whether to use a particular product.

While the ONC, in conjunction with the Federal Trade Commission (FTC), developed a Model Privacy Notice in 2011, technology has moved on considerably in the past five years. The MPN was intended to be used for personal health records, but the range of products that collect health data is now considerable, and include wearable devices and mobile applications. The current MPN is therefore somewhat dated.

ONC notes that the number of consumers using devices that record electronic health information has grown considerably since 2011. It has now become increasingly important for consumers to be able to make decisions about products based on how their information will be used and stored, in particular how their data will be protected and with whom health information will be shared. The current MPN does not make it easy for consumers to find out this information.

While many consumers are aware of the Health Insurance Portability and Accountability Act and know that HIPAA covered entities are required to implement controls to protect stored data and limit disclosures of health information, many product developers that collect and store health information are not in fact HIPAA-covered entities.

Fitness trackers for example may record data types that are classed as protected health information (PHI) when collected and stored by a HIPAA-covered entity, yet are not subject to HIPAA Rules when collected and stored by a product developer.

It is therefore essential to clarify privacy and security policies to ensure consumers are aware of what will happen to their data, so they can make an informed decision about whether to use a particular product.

To make it easier for developers to use the MPN and easier for consumers to understand the information provided via the MPN, the ONC has launched The Privacy Policy Snapshot Challenge.

The Challenge involves creating “an online tool that can generate a user-friendly snapshot of a product’s privacy practices.” ONC explains that submissions must include “code for an open source, web-based tool that allows health technology developers who collect digital health data to generate a customized privacy notice.”

The first prize is $20,000, the second prize $10,000, and the third prize $5,000. Entries must be submitted by April 10, 2017.

Designers, developers, and health data privacy experts can find out more and sign up for the Privacy Policy Snapshot Challenge on this link.

The post ONC Issues Challenge to Develop a New Online Model Privacy Notice Generator appeared first on HIPAA Journal.

Hospital Employee Jailed for Credit Card Theft

An employee of Banner Boswell Hospital in Sun City, AZ has been arrested and jailed for stealing credit card details from hospital patients.

Filip Chudziak, 40, of Surprise, AZ was charged with identity theft, fraudulent schemes, and fraudulent use of credit cards by the Maricopa County Sheriff’s Office this weekend following an investigation into credit card fraud by Maricopa County detectives.

The offenses were committed over a period of three months. Potentially fraudulent transactions were reported to law enforcement by Joe Bob’s Outfitters in Kansas and also reported to the Hays City Police Department by multiple patients who had noticed fraudulent charges on their credit card statements.

Chudziak’s role at Banner Boswell Hospital involved moving patients and their possessions while they were receiving treatment at the hospital. Chudziak allegedly used access to patients’ possessions to obtain their credit cards. He then used those details to make online purchases at Joe Bob’s Outfitters.

Using his mother-in-law’s name and a number of different billing addresses, Chudziak purchased gun parts, tools, and other items from the store. Detectives were able to match the fraudulent card purchases to Chudziak using the mailing addresses supplied with the orders. The suspect was identified after detectives contacted his mother-in-law, whose name was on the delivery address.

Detectives contacted Banner Boswell Hospital which confirmed he was a current employee. The arrest was made at the hospital.

Chudziak claimed he had always wanted an AR-15 but could not afford to buy the gun because money was tight. He said he used patients’ credit cards to purchase AR-15 parts to construct the weapon.

Experian: Healthcare Organizations Main Targets for Hackers in 2017

Experian’s Data Breach Resolution team has released its annual data breach industry forecast for 2017. Experian has evaluated current cybersecurity trends and has made a number of predictions for the coming year.

One of the key predictions is hackers will continue to be laser-focused on attacking healthcare organizations. New attack methods will be used and cyberattacks are likely to become much more sophisticated as healthcare organizations improve their security defenses. The primary target will continue to be the electronic protected health information of patients.

The volume of healthcare data stolen in the past two years has been extraordinary. Figures from the Department of Health and Human Services’ Office for Civil Rights show more than 113 million healthcare records were exposed or stolen in 2015. 270 breaches of PHI were reported by healthcare providers, health plans, and business associates of HIPAA-covered entities in 2015.

2016 has seen fewer records stolen or exposed, although the number of reported data security incidents has already surpassed last year’s total. With just over a month of 2016 still to go, 277 PHI breaches have been reported to OCR. Those breaches have impacted 14,562,019 individuals.

Healthcare organizations will continue to be targeted by hackers due to the high value of patient medical information. Patient data can be used to steal identities, file fraudulent tax returns, and obtain credit, medical services, and prescription drugs. The volume of healthcare data being offered for sale on the darknet has seen the price of health records fall, although cyberattacks on healthcare organizations are still highly profitable and there is likely to be a continuous demand for fresh healthcare data.

Experian predicts hackers are less likely to concentrate on attacking health plans, as was the case in 2015. Instead, they will search for new targets that have weaker security defenses such as hospital networks.

Ransomware attacks on healthcare organizations increased significantly in 2016. Experian expects ransomware to continue to be used to attack healthcare organizations in 2017. Healthcare providers must have access to electronic health records in order to perform healthcare system operations. Experian expects many will choose to pay ransom demands to prevent disruption to services.

The successful ransomware attacks of 2016 have given ransomware authors more funds to invest in developing increasingly sophisticated ransomware variants. Experian predicts healthcare organizations will have to implement a host of new defenses as ransomware authors develop new variants that are better at evading detection by current cybersecurity technologies. It has also been predicted that ransomware variants will be developed that are capable of stealing data from healthcare organizations, not only preventing data from being accessed.

Not only will patients be impacted by data breaches, so will healthcare employees. Experian expects hackers to also continue to target organizations to obtain W2 data. W2 phishing attacks increased this year and Experian says the lack of action taken by the IRS to prevent tax fraud means 2017 will see similarly high levels of attacks. Experian also expects CEO fraud to increase in 2017 along with other scams that target employees.

According to the report, “Healthcare organizations of all sizes and types need to ensure they have proper, up to date security measures in place, including contingency planning for how to respond to a ransomware attack and adequate employee training about the importance of security.”

Healthcare Data Breaches Fell in October

There was a fall in the number of data breaches reported by healthcare organizations in the United States in October, according to the latest Breach Barometer report from Protenus. This is the second month in a row in which the number of data breaches has fallen.

The number of reported breaches dropped from an annual high of 42 incidents in August to 35 breaches in October; two fewer breaches than were reported last month. However, the number of exposed records increased from 246,876 in September to 776,533 records in October. The final victim count for the month could be considerably higher as while 35 breaches were reported, the number of individuals impacted by four of those incidents is not yet known.

There were some notable IT security incidents reported last month:

Four healthcare organizations reported being attacked with ransomware in October. Three of those incidents resulted in a permanent loss of healthcare data. Two organizations attempted to recover data from backups, only for the backup recovery process to fail, while one healthcare organization reported data loss as a direct result of the infection. The extent of data loss in each of these incidents was not disclosed publicly.

Two healthcare organizations were subject to extortion attempts after data were stolen. The organizations in question were told that the stolen data would be published or sold if payment was not made to the attacker.

The hacker responsible for those attacks was The Dark Overlord, who has previously hacked a number of healthcare organizations and held their data to ransom. While The Dark Overlord claims to have been paid by some healthcare organizations, there is no evidence of any payments actually being made according to Dissent of DataBreaches.net. Some of the stolen data have been dumped online and listings have been placed on darknet marketplaces offering the stolen data for sale.

Hacking and ransomware/malware infections were the main causes of healthcare data breaches in October, accounting for 40% of all data breaches. Those breaches were the most severe and accounted for the majority (86%; 664,549 of 776,533) of stolen/exposed records for the month.

Hacking and ransomware attacks were closely followed by accidental and deliberate insider breaches. 37% of October healthcare data breaches were due to insiders. Those incidents impacted 79,974 individuals. Two insider breaches occurred for which the victim count is not yet known.

The majority of breaches (82.8%) involved healthcare providers, followed by business associates of covered entities (8.6%), health plans (5.7%), and health information exchanges (2.9%). For the second month running, California was the worst hit state, recording 4 healthcare data breaches.

According to Robert Lord, Co-Founder & CEO of Protenus, “A few things stand out as particularly interesting this month. First, there were the public reports of data loss due to ransomware, which confirmed the rumors that ransomware payments aren’t always leading to recovered data. Second, the continued consistency of insider threats demonstrates the critical necessity of thinking about how we can mitigate these types of health data breaches and HIPAA violations.”

While it is certainly good news that the downward trend in breaches is continuing, this does not necessarily mean that healthcare organizations are getting better at securing protected health information. As Lord explains, “while breach numbers aren’t as high as the catastrophic numbers of the summer, we don’t see the fundamentals of a severely-threatened health data landscape changing anytime soon.”

The Protenus Breach Barometer is a monthly report of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights or disclosed to the media or other trusted online sources.