Healthcare Data Privacy

New Report Published on Privacy Risks of Personal Health Wearable Devices

Wearable technology is now ubiquitous. Consumers have embraced the wide range of trackers and health apps that have come to market in recent years, and manufacturers have responded to demand with an even broader range of wearable devices that track and monitor health metrics.

Wearable devices have expanded from trackers that monitor heart rates, exercise levels, and sleep quality, to devices that collect a far greater range of health data.

The data collected from those devices now includes information that would be classed as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). While data collected by HIPAA-covered entities must be protected from unauthorized access under the HIPAA Privacy and Security Rules, those Rules only apply to healthcare providers, health plans, healthcare clearinghouses and business associates of covered entities. Entities outside that list are not required to implement the safeguards the HIPAA Rules demand, even when the data they hold would be PHI in a covered entity’s hands.

If a wearable device is provided to a patient by a HIPAA-covered entity, the data the device collects, records, and transmits must be secured at all times. If the same device is provided by a non-HIPAA-covered entity, personal data collected by the device will not necessarily be protected to the same standards. Consumers are afforded a certain level of privacy protection as the Federal Trade Commission (FTC) regulates wearable technology, although HIPAA Rules are far more stringent.

Consumers may not be aware that health data collected by wearable technology may not be protected to the standards demanded by HIPAA and that lack of knowledge may result in consumers unwittingly giving up certain privacy protections. The Department of Health and Human Services’ Office for Civil Rights has responded to the issue by issuing a report warning that wearable devices may not be covered by HIPAA Rules and consumers may be providing consent for their health data to be used by non-HIPAA covered entities without knowing exactly how their data will be collected, protected, and used.

However, more must be done to ensure consumers are informed about how their data will be collected and used and greater privacy controls must be put in place to ensure sensitive data are adequately protected regardless of which entity collects the data.

This month, researchers from the American University in Washington, D.C., and the Center for Digital Democracy published a report – Health Wearable Devices in the Big Data Era: Ensuring Privacy, Security, and Consumer Protection – on the problem. The report raises awareness of the privacy and security gaps in current federal legislation and calls for further regulation of wearable devices to ensure consumer data are adequately protected and users of the devices are informed about how their data will be used.

In the 122-page report the researchers explain that while there are current privacy and security concerns surrounding wearable technology, those issues will become more serious as new and more sophisticated devices come to market. They explain that in the not-too-distant future, “Biosensors will routinely be able to capture not only an individual’s heart rate, body temperature, and movement, but also brain activity, moods, and emotions.”

It is not only the information collected by the devices that is a cause for concern. The researchers point out that data collected by the devices “can, in turn, be combined with personal information from other sources—including health-care providers and drug companies—raising such potential harms as discriminatory profiling, manipulative marketing, and security breaches.”

As the devices become more integrated into everyday life, the researchers warn that the ability of consumers to make informed decisions about privacy and the use of their data will depend, to a large extent, on the effectiveness of government and self-regulatory policies.

However, at present there are insufficient privacy controls in place and major gaps in coverage exist due to “limited and fragmented” government privacy laws. Unless new policies are put in place to ensure the privacy of consumers is protected, Americans could be exposed to serious privacy risks by using these devices.

The report makes a number of recommendations for protecting consumers’ privacy and suggests ways the government, academic institutions, and consumer and privacy groups can join forces to develop a new and more effective strategy for protecting the health data collected by wearable devices.

The recommendations include:

  • The creation of a Public Interest Connected-Health Task Force incorporating privacy experts from a broad range of consumer, privacy, and civil liberties organizations to enhance privacy protections in the big data era. The task force should be responsible for “analyzing new developments, developing public policy and self-regulatory proposals, conducting outreach to other key stakeholders, and engaging in constructive dialogue with industry and government officials.”
  • Classifying all data collected by wearable technology as sensitive, regardless of which organization or entity collects and uses those data. The researchers also call for an affirmative and effective consent process to be implemented before any consumer data can be collected and used.
  • Consumers should be allowed to place limits on the types of data that can be collected and used by wearable devices, while companies should clearly explain how, and under what circumstances, data will be collected, used, and shared.
  • Companies that collect data should make it clear how consumers can access those data, correct any errors, and arrange for their data to be deleted should they so wish. Any requests must be dealt with in a timely manner and at minimal cost to the consumer.
  • The use of usability testing to ensure consumer privacy policies can be easily understood by consumers, regardless of the size of screen used to access the information. Companies should also publish the results of their studies.
  • The creation of standards by self-regulatory organizations that are applied to all organizations, not only those covered by HIPAA Rules.
  • The use of fair marketing practices to ensure data collected from the users of wearable devices are not used to discriminate based on “ethnicity, gender, sexual orientation, age, community, or medical condition.”
  • The placing of limits on the sharing of health data, to prevent organizations from sharing data with third parties for advertising, marketing, or the promotion of other services, and from providing data to other entities without the knowledge or consent of consumers.

The post New Report Published on Privacy Risks of Personal Health Wearable Devices appeared first on HIPAA Journal.

Patient Posts PHI of New Hampshire State Psychiatric Hospital Patients Online

New Hampshire Department of Health and Human Services has alerted approximately 15,000 patients to a breach of some of their personal and highly sensitive information. Patient data were accessed by a former patient in October 2015 and were posted on a social media website.

The data accessed and posted online by the former patient included names and addresses along with Medicaid ID numbers and Social Security numbers. The patient gained access to the data on a laptop computer located in the hospital library. Patients are permitted to use the library and the computers, although access to patients’ protected health information should not have been possible.

At the time of the breach the patient was observed accessing ‘non-confidential’ hospital data by a staff member. The incident was reported to a supervisor and steps were taken to restrict access to the library computers. At the time, it was not known that sensitive data had been accessed. While a supervisor was alerted to the incident, the matter was not escalated and neither New Hampshire Hospital nor the New Hampshire Department of Health and Human Services (NH-DHHS) was informed.

However, ten months later in August 2016, a security official at the hospital alerted NH-DHHS that the former patient may have posted NH-DHHS data on a social media website. An investigation into the incident was launched and the Department of Information Technology was notified. The matter was also reported to State Police and state officials. However, according to the breach notice published by NH-DHHS on December 27, “An investigation at that time did not reveal any evidence that confidential personal or personal health information had been breached.”

Three months later, on November 4, 2016, hospital security notified NH-DHHS that the patient had posted some protected health information to a social media site that day. Within 24 hours of NH-DHHS being informed of the breach, the PHI was removed from the site and a criminal investigation was launched. NH-DHHS says patients impacted by the breach had received services at New Hampshire Hospital prior to November 2015, although no evidence has been uncovered to suggest any PHI has been misused.

NH-DHHS Commissioner Jeffrey A. Meyers issued a statement saying the breach was “an isolated incident stemming from unauthorized access in October 2015 as described above and is not the result of an external attack.”

He also confirmed that all state departments are investigating the incident and efforts are being made to strengthen state cybersecurity policies and procedures to better protect patient health data from attacks from hackers, as well as accidental disclosures as a result of human error.

Increase in Ransomware and Cyberattacks Linked to Fall in Price of Health Data

The value of health records on the black market dropped substantially in 2016. A set of health records is now reportedly attracting a price of between $1.50 and $10, according to a recent report from TrapX. Back in 2012, the value of a complete set of health records was around $50 to $60.

The fall in price is easy to explain. Last year saw more than 113 million healthcare records breached, according to figures from the Department of Health and Human Services’ Office for Civil Rights. The vast majority of those records are in the hands of cybercriminals. Supply is now outstripping demand and just like any commodity, that results in a dramatic fall in prices.

Stealing medical records is now much less profitable, which means cybercriminals have to make up the shortfall somewhere. That does not mean the healthcare industry is likely to be attacked less. Instead, the fall in price is likely to lead to even more attacks: to make the same level of profit, more records need to be stolen and sold on.

The fall in the price of healthcare records has also prompted cybercriminals to change their tactics and look for new ways to make money. Many have opted for ransomware. Ransomware offers cybercriminals a quick and easy source of cash. Ransom payments are typically paid within 7 days of the malicious software being installed on healthcare networks. It is also relatively easy to bypass healthcare organizations’ defenses to install ransomware. Given the quick source of cash, the ease of attacks, and the high likelihood of payment, it is no surprise that ransomware has proven so popular.

It is difficult to calculate exactly how many healthcare organizations have been attacked with ransomware in 2016, as not all incidents are reported. However, breaches affecting 500 or more individuals must be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), so figures for larger hacking incidents are available.

TrapX calculated that major healthcare data breaches increased by 63% in 2016 (January 1 to December 12, 2016) compared to 2015. TrapX classed any breach of 500 or more records as ‘major’ and only counted hacking incidents. In 2015, 57 major healthcare hacking incidents were reported to OCR, whereas in 2016 there have been 90 reported so far and the year is not over yet.

Since healthcare organizations have 60 days from the date of discovery of a breach to issue a report to OCR, the final figures for 2016 will not be known until March 1, 2017. The end of year total is certain to be considerably higher than 90 breaches.

The healthcare industry has responded to the rise in attacks by committing more funds to cybersecurity defenses. Employees are being trained on security best practices and overall awareness of security risks such as phishing has increased. Even so, many healthcare organizations are still falling victim to ransomware attacks and hacking incidents continue to rise.

TrapX, along with many security experts, predicts the use of ransomware will continue and attacks on healthcare organizations will increase in 2017. Hacking incidents are also likely to rise, with TrapX predicting attacks on medical devices will significantly increase in 2017.

2017, it would seem, is set to be yet another difficult year for the healthcare industry.

Fairbanks Hospital Alerts Patients to Potential 3-Year Internal HIPAA Breach

Fairbanks Hospital in Indianapolis, IN, has discovered that the electronic health information of its patients could have been accessed by all of its employees for a period of at least three years.

Protections had been put in place to prevent unauthorized access to electronic health records by staff members, but on October 18, 2016, the hospital became aware that some files had been stored in a location on its internal network that lacked those protections and could be accessed by all employees, including those not authorized to view patients’ electronic information.

Following the discovery, an independent forensics expert was called in to determine the nature and scope of the problem. That individual was able to determine that the files were accessible since November 2013, and potentially longer. It was not possible to say whether the files were accessible before that date.

Attempts were made to determine whether the files had been accessed by employees during the time that they were unprotected, but access logs were not kept for that location, so it was not possible to determine whether any unauthorized individuals had viewed the information in the files.

The majority of patients impacted by the incident only had their name and a very limited amount of information exposed to unauthorized staff members. In such cases, the information that could have been accessed included admission dates and appointment scheduling information.

However, in some cases, Social Security numbers, dates of birth, addresses, telephone numbers, patient ID numbers, treatment information, medical diagnoses, and health insurance information could have been accessed.

Fairbanks Hospital is in the process of informing patients of the potential privacy breach by mail and is providing them with further information on the steps that can be taken to protect against identity theft and fraud. Credit monitoring and identity theft protection services do not appear to have been offered.

Patients have been encouraged to “remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports and explanation of benefits forms for suspicious activity.” They have also been told “this also includes reviewing account statements, medical bills, and health insurance statements regularly to ensure that no one has submitted fraudulent medical claims using your name and address.” However, no unauthorized use or misuse of the information has been reported to date.

The incident has been reported to appropriate state and federal bodies, including the Department of Health and Human Services’ Office for Civil Rights. It is unclear at this stage exactly how many patients have potentially been impacted.

Joint Commission Ban on Secure Messaging for Orders Remains in Place

The Joint Commission on Accreditation of Healthcare’s (Joint Commission) ban on the use of secure text messaging platforms for patient care orders will remain in place, according to its December newsletter.

In April 2016, the Joint Commission decided to allow the use of secure texting platforms for sending orders. The relaxation was conditional: the Joint Commission required certain components to be in place and certain standards to be followed to ensure patient safety was not placed at risk.

The ban was originally put in place because SMS messages are not secure: they are transmitted unencrypted, the sender of a message cannot be verified, and the original message is not retained for auditing purposes. Since the original ban was introduced, a number of companies have developed secure text messaging platforms with the security features needed to ensure messages cannot be intercepted and read in transit.

Those messaging platforms also allowed the identity of the sender to be verified, ensured that messages were retained for auditing purposes, and a slew of other privacy and security controls were incorporated to ensure compliance with the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules.

The advances made in secure text messaging technology led to the decision to lift the ban, which was announced in the May Perspectives newsletter. Then in July 2016, the Joint Commission reversed its decision and reinstated the ban, calling for further guidance for healthcare organizations due to concerns over patient privacy.

Guidance for healthcare organizations on the use of secure text messaging platforms was to be developed in collaboration with the Centers for Medicare & Medicaid Services (CMS). Those guidelines were expected to be released by September 2016.

However, the Joint Commission said in its December newsletter that its position has not changed and the ban is to remain in place, although it will continue to monitor the advances in secure texting technology and may update its position in the future.

In the meantime, CMS and the Joint Commission continue to ban the use of unsecure SMS messages and secure messaging platforms for sending patient care orders, although clinicians are permitted to use HIPAA-compliant secure messaging platforms to send messages to each other.

The decision to further delay the lifting of the ban on secure text messaging for orders is due to the Joint Commission still having a number of concerns over privacy and security.

The preferred method for sending orders is computerized provider order entry (CPOE), which allows providers to enter orders directly into their electronic health record (EHR) system.

The Joint Commission says, “CPOE helps ensure accuracy and allows the provider to view and respond to clinical decision support (CDS) recommendations and alerts. CPOE is increasingly available through secure, encrypted applications for smartphones and tablets, which will make following this recommendation less burdensome.”

If CPOE is not possible, orders can be communicated verbally, but not by SMS message or even via a secure messaging platform. The Joint Commission said, “After extensive discussion weighing the pros and cons of using secure text messaging systems to place orders, the Joint Commission and CMS have concluded that the impact of secure text orders on patient safety remains unclear.”

The Joint Commission also believes that adding another method of transmitting orders may increase the burden on nurses, who would have to manually enter texted orders into the EHR. It also pointed out that verbal orders allow synchronous clarification and confirmation in real time, whereas if an alert or CDS recommendation is triggered while a texted order is being entered into the EHR, the individual entering it may need to contact the ordering practitioner to request further information.

Security Risks of Unencrypted Pages Evaluated

Pagers are still extensively used in the healthcare industry even though the devices have been shown to pose a considerable security risk.

Trend Micro has recently demonstrated – in the company’s ‘Leaking Beeps’ series of reports – the extent to which pagers leak data and how easy it is for sensitive information to be intercepted. Because pages are typically broadcast over the air unencrypted, the equipment needed to receive and decode them can be purchased for as little as $20.

The third installment in the Leaking Beeps series has just been released, further highlighting the risk of exposure of healthcare data and how cybercriminals could attack the systems to which pagers connect.

Trend Micro draws attention to two types of system in particular that attackers could abuse to gain access to systems and data: SMS-to-pager gateways and email-to-pager gateways.

SMS-to-pager gateways receive SMS messages sent to specific numbers and forward them to pre-configured pagers. They are commonly used by healthcare organizations, and the forwarded data is often unencrypted. Not only can the messages be intercepted, some SMS-to-pager gateways also perform caller ID lookups, adding identifying information to the page. One healthcare provider’s system was found to have leaked 135 patients’ names, along with dates of birth, pregnancy status, phone numbers, and information about symptoms and contracted illnesses.

Email-to-pager gateways could potentially provide attackers with a range of information that could be used in future cyberattacks. Attackers could intercept and compile lists of contacts for use in spear phishing campaigns. Email-to-pager gateways could also be used to obtain information about the routers used by an organization and any downtime experienced. Armed with this information, an attacker could search for vulnerabilities affecting those routers and use them to conduct attacks on healthcare networks.

During the research, messages were intercepted that provided details of LDAP servers where authentication and account information were stored. Trend Micro notes that an attacker who has already gained access to a company’s system could use this information to move laterally within a network.

Other data exposed via unencrypted pages, SMS-to-pager gateways, and email-to-pager gateways included WINS names, Microsoft SQL Server and Oracle Database server names, types of databases used by organizations, server error messages, and information generated by intrusion detection systems showing the types of attacks that have been experienced and the vulnerabilities that attackers have attempted to exploit. Trend Micro researchers also discovered an “astonishing” number of passwords and passcodes that were transmitted in clear text.

One of the main threats comes from attackers using information gathered from unencrypted pages for future spear phishing and social engineering attacks. Trend Micro was able to gather a wide range of information that could be used such as employees’ names, birthdays, vacation time, and appointments. It was also possible to determine interpersonal relationships between staff members.

Parcel tracking numbers were gathered which could allow attackers to determine parcel delivery schedules. This information could be used to craft convincing phishing messages.

Due to the security risks that come from using pagers and concerns over HIPAA violations from sending PHI via unencrypted pages, many healthcare organizations have now ditched the pager in favor of secure, HIPAA-compliant messaging platforms on smartphones and other portable electronic devices.

Any healthcare organization still using these legacy devices should carefully consider the risks involved and weigh these up against the benefits that they provide. Healthcare organizations should conduct a thorough risk analysis on the use of pagers to communicate sensitive information.

If there are reasons why pagers cannot be retired, at the very least healthcare organizations should strongly consider organization-wide encryption of pages. If encrypted paging is chosen instead of a move to a modern messaging platform, the encryption used should meet the minimum standards outlined in NIST encryption guidelines. Note that encrypting the message body does not hide the pager address or the timing of pages, which are still visible to anyone receiving the broadcast.

Until a more secure system is in place, healthcare organizations should refrain from sending PHI via unencrypted pages and avoid transmitting highly sensitive information such as passwords and passcodes.
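One practical control while pagers remain in use is to check each message at the gateway before it is handed to the paging network, and block or redact anything that matches the categories Trend Micro found in the clear (identifiers, dates of birth, credentials, directory server URLs, clinical vocabulary). The following is an added example of such a check, not code from Trend Micro or HIPAA Journal; the rule patterns, the hypothetical gateway policy and the sample pages are all constructed for illustration and would need tuning against an organization’s real message traffic.

```python
"""Outbound content check for an email-to-pager or SMS-to-pager gateway.

Added example: scan a page before it is broadcast, classify it, and offer a
redacted form. Rules and sample messages are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    rule: str
    match: str


# (rule name, pattern). Every rule runs against every message.
RULES = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("dob", re.compile(r"\bDOB\b\s*[:#]?\s*\d{1,2}/\d{1,2}/\d{2,4}", re.I)),
    ("phone", re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    # "password: x", "passcode=x", "pwd: x", "PIN 1234"
    ("credential", re.compile(
        r"\b(?:password|passcode|passwd|pwd|pin)\b\s*(?:is\b|[:=])?\s*(\S+)", re.I)),
    ("ldap_url", re.compile(r"\bldaps?://\S+", re.I)),
    # clinical vocabulary that turns a name plus a status into PHI
    ("clinical", re.compile(
        r"\b(?:pregnan\w*|diagnos\w*|HIV|psychiatric|chemo\w*)\b", re.I)),
]

# Hypothetical gateway policy: these categories must never go over the air.
BLOCK_RULES = frozenset({"ssn", "dob", "credential", "ldap_url"})

# Constructed sample pages (not intercepted traffic).
SAMPLE_PAGES = {
    "clinical": "Pt Jane Doe DOB 03/14/1979 pregnant, pos flu, call 555-123-4567",
    "ops": "DB01 sqlsvr down, ldap://dc1.example.internal auth failing, temp pwd: Winter16!",
    "callback": "Nurse Smith call 555-867-5309 re: pt in bay 4",
    "benign": "OR 3 ready for next case. Call ext 4410.",
}


def scan_page(text: str) -> List[Finding]:
    """Return every rule hit in the message, one Finding per match."""
    findings = []
    for name, rx in RULES:
        for m in rx.finditer(text):
            findings.append(Finding(name, m.group(0)))
    return findings


def gateway_decision(text: str) -> Tuple[str, List[str]]:
    """Classify a page as 'block', 'flag' or 'allow' with the rules that fired."""
    rules = sorted({f.rule for f in scan_page(text)})
    if any(r in BLOCK_RULES for r in rules):
        return "block", rules
    if rules:
        return "flag", rules          # reviewable, e.g. a bare callback number
    return "allow", rules


def redact(text: str) -> str:
    """Mask every pattern match so a 'call for details' page can still go out."""
    out = text
    for name, rx in RULES:
        if name == "clinical":
            continue                  # vocabulary is a signal, not a value to mask
        out = rx.sub(f"[{name}]", out)
    return out


if __name__ == "__main__":
    for label, page in SAMPLE_PAGES.items():
        verdict, rules = gateway_decision(page)
        print(f"{label:9s} {verdict:5s} {rules}")
        if verdict != "allow":
            print(f"          redacted: {redact(page)}")
```

The check only helps for pages that pass through a gateway the organization controls; pages originating from other systems, and the pager addresses and timing of every page, remain visible to anyone receiving the broadcast.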

ONC Issues Challenge to Develop a New Online Model Privacy Notice Generator

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has challenged designers, developers, and health data privacy experts to create a new online Model Privacy Notice (MPN) generator.

At present, the MPN is a voluntary resource that helps health technology developers who collect electronic health data provide information to consumers about how health data is collected, used, and protected.

The purpose of the MPN is to improve transparency and clearly display information about an organization’s privacy practices to enable consumers to make an informed decision about whether to use a particular product.

While the ONC, in conjunction with the Federal Trade Commission (FTC), developed a Model Privacy Notice in 2011, technology has moved on considerably in the past five years. The MPN was intended to be used for personal health records, but the range of products that collect health data is now considerable, and include wearable devices and mobile applications. The current MPN is therefore somewhat dated.

ONC notes that the number of consumers using devices that record electronic health information has grown considerably since 2011. It has now become increasingly important for consumers to be able to make decisions about products based on how their information will be used and stored, in particular how their data will be protected and with whom health information will be shared. The current MPN does not make it easy for consumers to find out this information.

While many consumers are aware of the Health Insurance Portability and Accountability Act and know that HIPAA covered entities are required to implement controls to protect stored data and limit disclosures of health information, many product developers that collect and store health information are not in fact HIPAA-covered entities.

Fitness trackers for example may record data types that are classed as protected health information (PHI) when collected and stored by a HIPAA-covered entity, yet are not subject to HIPAA Rules when collected and stored by a product developer.

It is therefore essential to clarify privacy and security policies so that consumers are aware of what will happen to their data and can make an informed decision about whether to use a particular product.

To make it easier for developers to use the MPN and easier for consumers to understand the information provided via the MPN, the ONC has launched The Privacy Policy Snapshot Challenge.

The Challenge involves creating “an online tool that can generate a user-friendly snapshot of a product’s privacy practices.” ONC explains that submissions must include “code for an open source, web-based tool that allows health technology developers who collect digital health data to generate a customized privacy notice.”

The first prize is $20,000, the second prize $10,000, and the third prize $5,000. Entries must be submitted by April 10, 2017.

Designers, developers, and health data privacy experts can find out more and register for the Privacy Policy Snapshot Challenge with ONC.

Hospital Employee Jailed for Credit Card Theft

An employee of Banner Boswell Hospital in Sun City, AZ has been arrested and jailed for stealing credit card details from hospital patients.

Filip Chudziak, 40, of Surprise, AZ was charged with identity theft, fraudulent schemes, and fraudulent use of credit cards by the Maricopa County Sheriff’s Office this weekend following an investigation into credit card fraud by Maricopa County detectives.

The offenses were committed over a period of three months. Potentially fraudulent transactions were reported to law enforcement by Joe Bob’s Outfitters in Kansas and also reported to the Hays City Police Department by multiple patients who had noticed fraudulent charges on their credit card statements.

Chudziak’s role at Banner Boswell Hospital involved moving patients and their possessions while they were receiving treatment at the hospital. Chudziak allegedly used access to patients’ possessions to obtain their credit cards. He then used those details to make online purchases at Joe Bob’s Outfitters.

Using his mother-in-law’s name and a number of different billing addresses, Chudziak purchased gun parts, tools, and other items from the store. Detectives were able to link the fraudulent card purchases to Chudziak using the mailing addresses supplied with the orders. The suspect was identified after detectives contacted his mother-in-law, whose name was on the delivery address.

Detectives contacted Banner Boswell Hospital which confirmed he was a current employee. The arrest was made at the hospital.

Chudziak claimed he had always wanted an AR-15 but could not afford to buy the gun because money was tight. He said he used patients’ credit cards to purchase AR-15 parts to construct the weapon.

Experian: Healthcare Organizations Main Targets for Hackers in 2017

Experian’s Data Breach Resolution team has released its annual data breach industry forecast for 2017. Experian has evaluated current cybersecurity trends and has made a number of predictions for the coming year.

One of the key predictions is hackers will continue to be laser-focused on attacking healthcare organizations. New attack methods will be used and cyberattacks are likely to become much more sophisticated as healthcare organizations improve their security defenses. The primary target will continue to be the electronic protected health information of patients.

The volume of healthcare data stolen in the past two years has been extraordinary. Figures from the Department of Health and Human Services’ Office for Civil Rights show more than 113 million healthcare records were exposed or stolen in 2015. 270 breaches of PHI were reported by healthcare providers, health plans, and business associates of HIPAA-covered entities in 2015.

2016 has seen fewer records stolen or exposed, although the number of reported data security incidents has already surpassed last year’s total. With just over a month of 2016 still to go, 277 PHI breaches have been reported to OCR. Those breaches have impacted 14,562,019 individuals.

Healthcare organizations will continue to be targeted by hackers due to the high value of patient medical information. Patient data can be used to steal identities, file fraudulent tax returns, and obtain credit, medical services and prescription drugs. The volume of healthcare data being offered for sale on the darknet has seen the price of health records fall, although cyberattacks on healthcare organizations are still highly profitable and there is likely to be continuous demand for fresh healthcare data.

Experian predicts hackers are less likely to concentrate on attacking health plans, as was the case in 2015. Instead, they will search for new targets that have weaker security defenses such as hospital networks.

Ransomware attacks on healthcare organizations increased significantly in 2016. Experian expects ransomware to continue to be used to attack healthcare organizations in 2017. Healthcare providers must have access to electronic health records in order to perform healthcare system operations. Experian expects many will choose to pay ransom demands to prevent disruption to services.

The successful ransomware attacks of 2016 have given ransomware authors more funds to invest in developing increasingly sophisticated ransomware variants. Experian predicts healthcare organizations will have to implement a host of new defenses as ransomware authors develop new variants that are better at evading detection by current cybersecurity technologies. It has also been predicted that ransomware variants will be developed that are capable of stealing data from healthcare organizations, not only preventing data from being accessed.

Not only will patients be impacted by data breaches, so will healthcare employees. Experian expects hackers to continue to target organizations to obtain W-2 data. W-2 phishing attacks increased this year, and Experian says the lack of action taken by the IRS to prevent tax fraud means 2017 will see similarly high levels of attacks. Experian also expects CEO fraud to increase in 2017 along with other scams that target employees.

According to the report, “Healthcare organizations of all sizes and types need to ensure they have proper, up to date security measures in place, including contingency planning for how to respond to a ransomware attack and adequate employee training about the importance of security.”