Healthcare Data Security

NSA/CISA Issue Guidance on Selecting Secure VPN Solutions and Hardening Security

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued new guidance on selecting and improving the security of Virtual Private Networks (VPN) solutions.

VPN solutions allow remote workers to securely connect to business networks. Data traffic is routed through an encrypted virtual tunnel to prevent the interception of sensitive data and to block external attacks. VPNs are an attractive targeted for hackers, and vulnerabilities in VPN solutions have been targeted by several Advanced Persistent Threat (APT) groups. APT actors have been observed exploiting vulnerabilities in VPN solutions to remotely gain access to business networks, harvest credentials, remotely execute code on the VPN devices, hijack encrypted traffic sessions, and obtain sensitive data from the devices.

Several common vulnerabilities and exposures (CVEs) have been weaponized to gain access to the vulnerable devices, including Pulse Connect Secure SSL VPN (CVE-2019-11510), Fortinet FortiOS SSL VPN (CVE-2018-13379), and Palo Alto Networks PAN-OS (CVE_2020-2050). In some cases, threat actors have been observed exploiting vulnerabilities in VPN solutions within 24 hours of patches being made available.

Earlier this year, the NSA and CISA issued a warning that APT groups linked to the Russian Foreign Intelligence Service (SVR) had successfully exploited vulnerabilities in Fortinet and Pulse Secure VPN solutions to gain a foothold in the networks of U.S. companies and government agencies. Chinese nation state threat actors are believed to have exploited a Pulse Connect Secure vulnerability to gain access to the networks of the U.S. Defense Industrial Base Sector. Ransomware gangs have similarly been targeting vulnerabilities in VPNs to gain an initial foothold in networks to conduct double-extortion ransomware attacks.

The guidance document is intended to help organizations select secure VPN solutions from reputable vendors that comply with industry security standards who have a proven track record of remediating known vulnerabilities quickly. The guidance recommends only using VPN products that have been tested, validated and included in the National Information Assurance Partnership (NIAP) Product Compliant List. The guidance recommends against using Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs, which use non-standard features to tunnel traffic via TLS as this creates additional risk exposure.

The guidance document also details best practices for hardening security and reducing the attack surface, such as configuring strong cryptography and authentication, only activating features that are strictly necessary, protecting and monitoring access to and from the VPN, implementing multi-factor authentication, and ensuring patches and updates are implemented promptly.

The post NSA/CISA Issue Guidance on Selecting Secure VPN Solutions and Hardening Security appeared first on HIPAA Journal.

Lisa J. Pino Named New Director of HHS’ Office for Civil Rights

OCR Director, Lisa J. Pino

Lisa J. Pino has been named Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) and replaces Robinsue Frohboese, who has served as acting OCR Director since President Trump-appointed Roger Severino resigned from the post in mid-January.

OCR is the main enforcer of compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, the Patient Safety and Quality Improvement Act, and Patient Safety Rule, as well as as well as enforcing federal civil rights, conscience and religious freedom laws.

Pino is from New York City, a fluent Spanish speaker, and the first-generation daughter of immigrant parents. She completed a B.A., M.A., and J.D. at Arizona State University with honors, and Harvard Kennedy School leadership program as a National Hispana Leadership Institute Fellow.

Pino has served as legal aid attorney in the Southwest, fighting to protect the rights of migrant farm workers. Her civil rights activities carried on while working for the United States Department of Agriculture (USDA) where she served as USDA Deputy Administrator of the Supplemental Nutrition Assistance Program (SNAP) and USDA Deputy Assistant Secretary for Civil Rights.

While at the USDA, Pino drafted and championed USDA’s first gender identity anti-discrimination program regulation along with its first USDA limited English proficiency guidance. Pino played a key role in ensuring minority farmers had access to benefits awarded through class action settlements through her direction of USDA’s outreach and engagement activities.

Pino is a former senior executive service who was also appointed by President Barack Obama and served at the U.S. Department of Homeland Security (DHS) as Senior Counselor. There she played a key role in the mitigation of the largest federal data breach in history, the 2015 hacking of the data of 4 million federal personnel and 22 million surrogate profiles, by renegotiating 700 vendor procurements and establishing new cybersecurity regulatory protections.

Most recently, Pino served as Executive Deputy Commissioner of the New York State Department of Health, the agency’s second-highest executive position. During her time in the role, Pino spearheaded the state’s operational response to the COVID-19 pandemic and programming for Medicaid, Medicare, Nutrition Program for Women, Infants, and Children (WIC), Hospital and Alternative Care Facility, Wadsworth Laboratories, Center for Environmental Health, Center for Community Health, and AIDS Institute.

“Lisa is an exceptional public servant, and I am delighted to welcome her to the role of the Director of the Office for Civil Rights at HHS,” said HHS Secretary Xavier Becerra. “Her breadth of experience and management expertise, particularly her hand in advancing civil rights regulations and policy at the U.S. Department of Agriculture (USDA) during the Obama-Biden Administration, will help ensure that we protect the rights of every person across the country as we work to build a healthier America.”

The post Lisa J. Pino Named New Director of HHS’ Office for Civil Rights appeared first on HIPAA Journal.

Fifth of Healthcare Providers Report Increase in Patient Mortality After a Ransomware Attack

While there have been no reported cases of American patients dying as a direct result of a ransomware attack, a new study suggests patient mortality does increase following a ransomware attack on a healthcare provider. According to a recent survey conducted by the Ponemon Institute, more than one fifth (22%) of healthcare organizations said patient mortality increased after a ransomware attack.

Ransomware attacks on healthcare providers often result in IT systems being taken offline, phone and voicemail systems can be disrupted, emergency patients are often redirected to other facilities, and routine appointments are commonly postponed. The recovery process can take several weeks, during which time services continue to be disrupted.

While some ransomware gangs have a policy of not attacking healthcare organizations, many ransomware operations target healthcare. For instance, the Vice Society ransomware operation has conducted around 20% of its attacks on the healthcare sector and attacks on healthcare organizations have been increasing. During the past 2 years, 43% of respondents said their organization had suffered a ransomware attack, and out of those, 67% said they had one while 33% said they had more than one.

The study, which was sponsored by Censinet, involved a survey of 597 healthcare organizations including integrated delivery networks, community hospitals, and regional health systems. The cost of ransomware attacks on the healthcare industry had been determined in a previous Ponemon Institute survey, with the data presented in the IBM Security Cost of a Data Breach Report. In 2021, costs had risen to an average of $9.23 million per incident. The Censinet study sought to determine whether these attacks had a negative impact on patient safety while also seeking to understand how COVID-19 has impacted the ability of healthcare organizations to protect patient care and patient information from ransomware attacks.

COVID-19 introduced many new risk factors, such as an increase in remote working and new IT systems to support those workers. Patient care requirements increased, and COVID-19 caused staff shortages. The survey confirmed that COVID-19 has affected the ability of healthcare organizations to defend against ransomware attacks and other increasingly virulent cyberattacks. Prior to COVID-19, 55% of healthcare organizations said they were not confident they would be able to mitigate the risks of ransomware, whereas now, 61% of healthcare organizations said they are not confident or have no confidence in their ability to mitigate the risks of ransomware.

These attacks were found to be negatively affecting patient safety. 71% of respondents said ransomware attacks resulted in an increased length of stay in hospitals and 70% said delays in testing and medical procedures due to ransomware attacks resulted in poor patient outcomes. Following an attack, 65% of respondents said there was an increase in the number of patients being redirected to alternative facilities, 36% said they had increases in complications from medical procedures, and 22% said they had an increase in mortality rate after an attack.

One of the factors that has contributed to a higher risk of a ransomware attack occurring is the increased reliance on business associates for digitizing and distributing healthcare information and providing medical devices. On average, respondents said they work with 1,950 third parties and that number is expected to increase over the next 12 months by around 30% to an average of 2,541.

Business associates of healthcare organizations are being targeted by ransomware gangs and other cybercriminal organizations. Cybersecurity at business associates is often weaker than their healthcare clients, and one attack on a business associate could provide access to the networks of multiple healthcare clients.

Even though working with third parties increases risk, 40% of respondents said they do not always complete a risk assessment of third parties prior to entering into a contract. Even when risk assessments are conducted, 38% of respondents said those risk assessments were often ignored by leaders. Once contracts have been signed, over half (53%) of respondents said they had no regular schedule of conducting further risk assessments or that they were only conducted on demand.

Censinet recommends creating an inventory of all vendors and protected health information. It is only possible to ensure systems and data are secured if accurate inventories are maintained. Workflow automation tools are useful for establishing a digital inventory of all third parties and PHI records. These tools should also be used for creating an inventory of medical devices. Medical devices can provide an easy entry point into healthcare networks, so it is essential that these devices are secured. Only 36% of respondents said their organization knew where all medical devices were located, and only 35% said they were aware when those devices would reach end-of-life and would no longer be supported.

The report recommends conducting a thorough risk assessment of a vendor prior to entering into a contract, and then conducting periodic risk assessments thereafter and ensuring action is taken to address any issues identified. Further investment in cybersecurity is required specifically to cover re-assessments of high-risk third parties, as currently, only 32% of critical and high-risk third parties are assessed annually, and just 27% are reassessed annually.

The report also strongly recommends assigning risk accountability and ownership to one role, which will help to ensure an effective enterprise-risk management strategy can be adopted and maintained.

The post Fifth of Healthcare Providers Report Increase in Patient Mortality After a Ransomware Attack appeared first on HIPAA Journal.

August 2021 Healthcare Data Breach Report

There was a 44% month-over-month decrease in the number of reported healthcare data breaches in August 2021. 38 healthcare data breaches of 500 or more records were reported by healthcare providers, health plans, and their business associates in August. August’s reported data breaches takes the total number of healthcare data breaches in the past 12 months to 707 (Sep 2020 to August 2021), with 440 of those data breaches reported in 2021.

Healthcare data breaches in the past 12 months

While there was a marked fall in the number of reported breaches, 5,120,289 healthcare records were breached across those 38 incidents, which is well above the 12-month average of 3.94 million breached records a month. The high total was largely due to two major ransomware attacks on St. Joseph’s/Candler Health System and University Medical Center Southern Nevada, which involved 2.8 million healthcare records combined.

healthcare records breached in the past 12 months

Largest Healthcare Data Breaches Reported in August 2021

Ransomware gangs continued to target the healthcare industry in August. The attacks can cause disruption to care and can put patient safety at risk. Some of the attacks reported in August have resulted in appointments being postponed and have seen patients redirected to alternative facilities out of safety concerns.

It is now the norm for hackers to exfiltrate sensitive data prior to the use of ransomware and then demand payment for the keys to decrypt data and to prevent stolen data from being published or sold. While some major ransomware operations such as Sodinokibi/REvil and DarkSide appear to have been shutdown, several other operations have taken their place. The Vice Society and Hive ransomware gangs have been targeting the healthcare sector, and this month the Health Sector Cybersecurity Coordination Center (HC3) issued a warning to the health and public health sector about an increased risk of BlackMatter ransomware attacks. Fortunately, this month, past victims of Sodinokibi/REvil ransomware have been given the opportunity to recover encrypted data for free. Bitdefender released a free Sodinokibi/REvil decryptor last week.

In August there were three major ransomware attacks reported by healthcare providers that involved huge amounts of patient data. DuPage Medical Group suffered a ransomware attack in which the protected health information (PHI) of 655,384 patients may have been compromised, while the attack on University Medical Center Southern Nevada affected 1.3 million patients and the St. Joseph’s/Candler Health System attack involved the PHI of 1.4 million patients. Class action lawsuits have already been filed against DuPage Medical Group and St. Joseph’s/Candler Health System on behalf of patients affected by those attacks.

Listed below are the 20 data breaches reported in August that involved the PHI of 10,000 or more individuals. The majority of these data breaches involved ransomware or data stored in compromised email accounts.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Cause
St. Joseph’s/Candler Health System, Inc. Healthcare Provider 1,400,000 Hacking/IT Incident Ransomware attack
University Medical Center Southern Nevada Healthcare Provider 1,300,000 Hacking/IT Incident Ransomware attack
DuPage Medical Group, Ltd. Healthcare Provider 655,384 Hacking/IT Incident Ransomware attack
UNM Health Healthcare Provider 637,252 Hacking/IT Incident Unspecified hacking incident
Denton County, Texas Healthcare Provider 326,417 Unauthorized Access/Disclosure Online exposure of COVID-19 vaccination data
Metro Infectious Disease Consultants Healthcare Provider 171,740 Hacking/IT Incident Email accounts compromised
LifeLong Medical Care Healthcare Provider 115,448 Hacking/IT Incident Ransomware attack (Netgain Technologies)
CareATC, Inc. Healthcare Provider 98,774 Hacking/IT Incident Email accounts compromised
San Andreas Regional Center Business Associate 57,244 Hacking/IT Incident Ransomware attack
CarePointe ENT Healthcare Provider 48,742 Hacking/IT Incident Ransomware attack
South Florida Community Care Network LLC d/b/a Community Care Plan Health Plan 48,344 Unauthorized Access/Disclosure PHI emailed to a personal email account
Electromed Healthcare Provider 47,200 Hacking/IT Incident Unspecified hacking incident
Queen Creek Medical Center d/b/a Desert Wells Family Medicine Healthcare Provider 35,000 Hacking/IT Incident Ransomware attack
The Wedge Medical Center Healthcare Provider 29,000 Hacking/IT Incident Unspecified hacking incident
Gregory P. Vannucci DDS Healthcare Provider 26,144 Hacking/IT Incident Unspecified hacking incident
Texoma Community Center Healthcare Provider 24,030 Hacking/IT Incident Email accounts compromised
Family Medical Center of Michigan Healthcare Provider 21,988 Hacking/IT Incident Ransomware attack
Central Utah Clinic, P.C. dba Revere Health Healthcare Provider 12,433 Hacking/IT Incident Email accounts compromised (Phishing)
Hospice of the Piedmont Healthcare Provider 10,682 Hacking/IT Incident Email accounts compromised
Long Island Jewish Forest Hills Hospital Healthcare Provider 10,333 Unauthorized Access/Disclosure Unauthorized medical record access by employee

Causes of August 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in August, accounting for 81.6% of the month’s data breaches and 92.3% of breached healthcare records. There were 31 security breaches classed as hacking/IT incidents involving 4,727,350 healthcare records. The mean breach size was 152,495 records and the median breach size was 12,433 records. The majority of these incidents involved ransomware, malware, or compromised email accounts.

Causes of Healthcare Data Breaches Reported in August 2021

There were 7 incidents classed as unauthorized access/disclosure incidents. Those incidents involved 392,939 healthcare records. The mean breach size was 56,134 records and the median breach size was 4,117 records. There were no reported breaches involving lost or stolen devices or paper records and no reported improper disposal incidents.

Location of breached PHI in August 2021 healthcare data breaches

Healthcare Data Breaches by State

August’s 38 healthcare data breaches were reported by entities in 24 U.S. states. Texas was the worst affected state with 4 reported breaches, followed by Arizona and Illinois with three reported breaches each.

State Number of Reported Data Breaches
Texas 4
Arizona & Illinois 3
California, Georgia, Michigan, Minnesota, New Hampshire, Oklahoma, & Virginia 2
Alabama, Delaware, Florida, Iowa, Indiana, Massachusetts, Nevada, New Mexico, New York, Pennsylvania, Tennessee, Utah, West Virginia, & Wisconsin 1

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type with 30 data breaches reported, 4 of which occurred at business associates but were reported by the healthcare provider. 4 data breaches were reported by health plans, and business associates self-reported 4 breaches.

August 2021 healthcare data breaches by covered entity type

HIPAA Enforcement Activity in August 2021

The HHS’ Office for Civil Rights (OCR) did not announce any new HIPAA penalties in August and there were no HIPAA enforcement actions announced by state attorneys general. So far in 2021 there have been 8 financial penalties imposed on HIPAA-covered entities and business associates by OCR, and one multi-state action by state attorneys general.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on September 20, 2021

 

The post August 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

NCCoE Releases Final Cybersecurity Practice Guide on Mobile Application Single Sign-On for First Responders

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has recently released the final version of the NIST Cybersecurity Practice Guide SP 1800-13, Mobile Application Single Sign-On: Improving Authentication for Public Safety First Responders.

Public safety and first responder (PSFR) personnel require on-demand access to public safety data in order to provide proper support and emergency care. In order to access the necessary data, PSFR personnel are heavily reliant on mobile platforms. Through these platforms, PSFR personnel can access the personal and protected health information of patients and sensitive law enforcement information; however, in order to keep sensitive information secure and to prevent unauthorized access, strong authentication mechanisms are required.

Those authentication mechanisms are needed to keep data secure and to protect privacy, but they have potential to hinder PSFR personnel and get in the way of them providing emergency services. While authentication may only take a matter of seconds, any delay in providing emergency services can have grave consequences and may even be a matter of life and death.

The Cybersecurity Practice Guide was developed in collaboration with NIST’S Public Safety Communications Research lab and industry stakeholders and aims to help resolve authentication issues to ensure sensitive data remains private and confidential and PSFR personnel can rapidly gain access to the data they need via mobile devices and associated applications.

The guide includes a detailed example solution with capabilities to address risk with appropriate security controls, along with a demonstration of the approach using commercially available products. Instructions are also included for implementers and security engineers to help them integrate the solution into their organization’s enterprise and configure it in a way to achieve security goals with minimal impact on operational efficiency and expense.

“This practice guide describes a reference design for multifactor authentication and mobile single sign-on for native and web applications while improving interoperability among mobile platforms, applications, and identity providers, regardless of the application development platform used in their construction,” explained NCCoE.

The NIST Cybersecurity Practice Guide can be found on this link.

The post NCCoE Releases Final Cybersecurity Practice Guide on Mobile Application Single Sign-On for First Responders appeared first on HIPAA Journal.

NCCoE Releases Final Cybersecurity Practice Guide on Mobile Application Single Sign-On for First Responders

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has recently released the final version of the NIST Cybersecurity Practice Guide SP 1800-13, Mobile Application Single Sign-On: Improving Authentication for Public Safety First Responders.

Public safety and first responder (PSFR) personnel require on-demand access to public safety data in order to provide proper support and emergency care. In order to access the necessary data, PSFR personnel are heavily reliant on mobile platforms. Through these platforms, PSFR personnel can access the personal and protected health information of patients and sensitive law enforcement information; however, in order to keep sensitive information secure and to prevent unauthorized access, strong authentication mechanisms are required.

Those authentication mechanisms are needed to keep data secure and to protect privacy, but they have potential to hinder PSFR personnel and get in the way of them providing emergency services. While authentication may only take a matter of seconds, any delay in providing emergency services can have grave consequences and may even be a matter of life and death.

The Cybersecurity Practice Guide was developed in collaboration with NIST’S Public Safety Communications Research lab and industry stakeholders and aims to help resolve authentication issues to ensure sensitive data remains private and confidential and PSFR personnel can rapidly gain access to the data they need via mobile devices and associated applications.

The guide includes a detailed example solution with capabilities to address risk with appropriate security controls, along with a demonstration of the approach using commercially available products. Instructions are also included for implementers and security engineers to help them integrate the solution into their organization’s enterprise and configure it in a way to achieve security goals with minimal impact on operational efficiency and expense.

“This practice guide describes a reference design for multifactor authentication and mobile single sign-on for native and web applications while improving interoperability among mobile platforms, applications, and identity providers, regardless of the application development platform used in their construction,” explained NCCoE.

The NIST Cybersecurity Practice Guide can be found on this link.

The post NCCoE Releases Final Cybersecurity Practice Guide on Mobile Application Single Sign-On for First Responders appeared first on HIPAA Journal.

July 2021 Healthcare Data Breach Report

High numbers of healthcare data breaches continued to be reported by HIPAA-covered entities and their business associates. In July, there were 70 reported data breaches of 500 or more records, making it the fifth consecutive month where data breaches have been reported at a rate of 2 or more per day.

Healthcare data Breaches Past 12 months (Aug 20-July21)

The number of breaches was slightly lower than June, but the number of records exposed or compromised in those breaches jumped sharply, increasing by 331.5% month-over-month to 5,570,662 records.

Healthcare records breached Aug20 to July 21

Over the past 12 months, from the start of August 2020 to the end of July 2021, there have been 706 reported healthcare data breaches of 500 or more records and the healthcare data of 44,369,781 individuals has been exposed or compromised. That’s an average of 58.8 data breaches and around 3.70 million records per month!

Largest Healthcare Data Breaches in July 2021

Two healthcare data breaches stand out due to the sheer number of healthcare records that were exposed – and potentially stolen. The largest healthcare data breach to be reported in July was a hacking/IT incident reported by the Wisconsin healthcare provider Forefront Dermatology. The exact nature of the attack was not disclosed so it is unclear if ransomware was used. Hackers gained access to parts of its network that contained the protected health information of 2.4 million individuals. The second largest data breach was reported by Practicefirst, a New York business associate of multiple HIPAA-covered entities. Ransomware was used in the attack and the healthcare data of 1.2 million individuals was potentially exfiltrated.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Breach Cause Business Associate Present
Forefront Dermatology, S.C. Healthcare Provider 2,413,553 Hacking/IT Incident Unspecified hacking incident Yes
Professional Business Systems, Inc., d/b/a Practicefirst Medical Management Solutions/PBS Medcode Corp Business Associate 1,210,688 Hacking/IT Incident Ransomware attack Yes
UF Health Central Florida Healthcare Provider 700,981 Hacking/IT Incident Ransomware attack No
Orlando Family Physicians, LLC Healthcare Provider 447,426 Hacking/IT Incident Phishing attack No
HealthReach Community Health Centers Healthcare Provider 122,340 Improper Disposal Improper disposal of electronic medical records No
Guidehouse Business Associate 84,220 Hacking/IT Incident Ransomware attack (Accellion FTA) Yes
Advocate Aurora Health Healthcare Provider 68,707 Hacking/IT Incident Ransomware attack (Elekta) Yes
McLaren Health Care Corporation Healthcare Provider 64,600 Hacking/IT Incident Ransomware attack (Elekta) Yes
Coastal Family Health Center, Inc Healthcare Provider 62,342 Hacking/IT Incident Ransomware attack No
Florida Heart Associates Healthcare Provider 45,148 Hacking/IT Incident Ransomware attack No
A2Z Diagnostics, LLC Healthcare Provider 35,587 Hacking/IT Incident Phishing attack No
University of Maryland, Baltimore Business Associate 30,468 Hacking/IT Incident Unspecified hacking incident Yes
Florida Blue Health Plan 30,063 Hacking/IT Incident Brute force attack (Member portal) No
Intermountain Healthcare Healthcare Provider 28,628 Hacking/IT Incident Ransomware attack (Elekta) Yes

Causes of July 2021 Healthcare Data Breaches

As the table above shows, ransomware continues to be extensively used in cyberattacks on healthcare organizations and their business associates. Those attacks can easily result in the theft of large amounts of healthcare data. The majority of ransomware gangs (and their RaaS affiliates) are now exfiltrating sensitive data prior to using ransomware to encrypt files. Victims are required to pay to prevent the publication or sale of the stolen data as well as a payment to obtain the keys to decrypt files.

To help combat this rise in double extortion ransomware attacks, new guidance has been released by the Cybersecurity and Infrastructure Security Agency. The National Institute of Standards and Technology (NIST) has also updated its cybersecurity guidance on building resilient computer networks, with the emphasis now shifting away from perimeter defenses to assuming attackers have already gained access to the network. Mechanisms therefore need to be implemented to reduce the harm that can be caused.

Causes of July 2021 Healthcare Data Breaches

Hacking/IT incidents, of which ransomware accounts for a many, dominate the month’s breach reports. There were 52 reported hacking/IT incidents in which the protected health information of 5,393,331 individuals was potentially compromised. That’s 96.82% of all records breached in July. The mean breach size was 103,718 records and the median breach size was 4,185 records.

There were 13 reported unauthorized access/disclosure incidents, which include misdirected emails, mailing errors, and snooping by healthcare employees. 52,676 healthcare records were impermissibly viewed or disclosed to unauthorized individuals across those incidents. The mean breach size was 4,052 records and the median breach size was 1,038 records. There were two theft incidents reported involving a total of 2,275 records and one improper disposal incident involving 122,340 electronic health records.

The vast majority of incidents involved the hacking of network servers; however, email accounts continue to be compromised at high rates. 21 breaches involved protected health information stored in email accounts. The majority of the email incidents involved the theft of employee credentials in phishing attacks.

Location of breached protected health information (July 2021)

Data Breaches by Covered Entity Type

Healthcare providers reported 47 data breaches in July, with 11 breaches reported by business associates and 10 breaches reported by health plans; however, the reporting entity is not the best gauge of where these breaches occurred. In many cases, the breach was experienced at a business associate, but was reported by the covered entity.

When this is taken into account, the figures show that healthcare provider and business associate data breaches are on a par, with 30 breaches each for July 2021, as shown in the pie chart below.

July 2021 healthcare data breaches by covered entity type

July 2021 Healthcare Data Breaches by State

July saw healthcare data breaches reported by HIPAA-covered entities and business associates based in 32 states and the District of Columbia.

State Number of Reported Healthcare Data Breaches
Florida 6
California, New York & Texas 5
Illinois & North Carolina 4
Connecticut, Minnesota, Nebraska & New Jersey 3
Mississippi, Oklahoma, Washington & Wisconsin 2
Alabama, Georgia, Iowa, Indiana, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Montana, Ohio, Pennsylvania, South Carolina, Utah, Virginia, West Virginia & the District of Columbia 1

HIPAA Enforcement Activity in July 2021

The HHS’ Office for Civil Rights (OCR), the primary enforcer of HIPAA compliance, did not announce any new enforcement actions against HIPAA-covered entities or business associates in July, nor were there any enforcement actions announced by state Attorneys General.

The OCR year-to-date total still stands at 8 financial penalties totaling $5,570,100, with just the one financial penalty imposed by state attorneys general – A multi-state action that saw American Medical Collection Agency (AMCA) fined $21 million.

Data for this report came from the HHS’ Office for Civil Rights breach portal.

The post July 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Future of HIPAA: Reflections at the 25th Anniversary of HIPAA

The Health Insurance Portability and Accountability Act is now 25 years old. How effective has this healthcare law been and what is the future of HIPAA?

It is now exactly 25 years to the day since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton. On August 21, 1996, when President Clinton added his signature to the legislation, few people would have realized how HIPAA would evolve and grow into the comprehensive national health privacy law that it is today.

It is difficult to argue that HIPAA has not been an overall success, but the legislation has attracted a fair amount of criticism over the years, especially initially due to the considerable administrative burden it placed on healthcare organizations. On balance, the improvements to healthcare that have come from compliance with HIPAA more than outweigh the negatives.

The biggest successes are the improvements to patient privacy and data security, the rights given to patients with respect to their healthcare data, greater efficiency in the healthcare system, and changes that have helped to reduce waste and healthcare fraud. The improvements have generally been made for relatively little cost.

HIPAA certainly has its strengths, but there are also limitations that have become increasingly apparent in recent years and even now, 25 years after the legislation was first introduced, there is still confusion about what compliance entails.

In this article we will explore the strengths and limitations of HIPAA, assess how effective HIPAA has been, and will explore the future of HIPAA and what can be expected in terms of updates to the legislation. First, however, it is useful to provide a brief recap of the history of HIPAA and how the legislation has evolved over the years.

A Brief History of HIPAA

HIPAA was initially introduced to improve the portability of health insurance coverage for employees between jobs, to combat waste, fraud and abuse in health insurance and healthcare delivery, to promote the use of medical savings accounts by introducing tax breaks, and to simplify the administration of health insurance. The legislation was later augmented with new Rules covering the privacy and security of healthcare data.

Initially, HIPAA only applied to a limited number of entities in the healthcare industry – healthcare providers, health plans, and healthcare clearinghouses, and only those that transmit healthcare data in electronic form for certain transactions for which the HHS maintains standards. The Health Information Technology for Economic and Clinical Health (HITECH) Act expanded the scope of HIPAA to cover business associates of HIPAA covered entities – third-party firms that require access to protected health information (PHI) to provide services or products to covered entities.

Important updates to HIPAA are detailed below:

  • HIPAA Signed into Law by President Bill Clinton – August 1996
  • Effective Date of the HIPAA Privacy Rule – April 2003
  • Effective Date of the HIPAA Security Rule – April 2005
  • Effective Date of the HIPAA Enforcement Rule – March 2006
  • Effective date of HITECH and the Breach Notification Rule – September 2009
  • Effective Date of the Final Omnibus Rule – March 2013

HIPAA’s Strengths and Weaknesses

There are many positives that have come from HIPAA, the best known of which are improving privacy protections for patients and improving the security of healthcare data. HIPAA limits the uses and disclosures of patient data to those related to treatment, payment, or healthcare operations and all covered entities and business associates must implement appropriate administrative, physical, and technical safeguards to ensure patient data are appropriately protected from internal and external threats.

Importantly, HIPAA gave individuals new rights with respect to their healthcare data. Prior to the introduction of the HIPAA Privacy Rule, patients were not even permitted to see their medical files. HIPAA gave individuals the right to obtain and inspect a copy of their healthcare data and request errors be corrected. HIPAA made sure patients are informed about how their healthcare data will be used and disclosed, gave patients the right to further limit disclosures of their health data, and also allowed them to view an “accounting of disclosures” to see who has been provided with their healthcare data.

HIPAA has improved the portability of health insurance for employees between jobs and has helped to prevent discrimination against people with pre-existing conditions when receiving health insurance coverage. Efficiency in healthcare has been improved by standardizing transactions through the use of standard code sets and has helped to significantly reduce waste and fraud in healthcare.

However, it has not all been plain sailing. One of the initial requirements of HIPAA was to create a national patient identifier system, but 25 years on and that requirement has still failed to be implemented. Without a national patient identifier system, it can be difficult identifying patients which can result in medical record mismatching. One ONC study in 2014 suggested between 50% and 60% of records are mismatched when shared between different healthcare providers.

Another weakness of HIPAA is its coverage of healthcare data, which is limited to healthcare data collected, held, processed, stored, or transmitted by HIPAA-covered entities and business associates. If a non-HIPAA-covered entity or non-business associate collects the exact same data, HIPAA protections do not apply.

The HIPAA Rules are not clear in places due to the flexibility built into the legislation, so there is potential for misinterpretation of the requirements and there is still confusion among some HIPAA covered entities and business associates when it comes to compliance.

One criticism often made by patients is the lack of a private cause of action. It is not possible to sue for a HIPAA violation, even if the HIPAA Rules have clearly been violated and harm has been suffered. Legal action can only be taken under state laws.

Has HIPAA Been Effective?

In the early years following the introduction of the HIPAA Privacy and Security Rules, questions were asked about how effective the legislation has been. HIPAA certainly looked good on paper but was less effective in practice and noncompliance was widespread. Even the introduction of the HIPAA Enforcement Rule in 2006, which gave the HHS’ Office for Civil Rights the authority to impose financial penalties and sanctions for noncompliance, failed to have a major effect at spurring covered entities into compliance. Enforcement was also very slow at first. It took until 2008 for the first enforcement action to result in a financial penalty, then there was only one financial penalty in 2009 and just two in 2010.

The first phase of HIPAA compliance audits conducted in 2011/2012 highlighted just how many covered entities had ineffective HIPAA compliance programs. The audits uncovered many violations of both the HIPAA Privacy and Security Rules. Even those violations, some of which were serious, did not result in any financial penalties. Some of the fiercest criticism of HIPAA in the early years was it was all bark and no bite.

The introduction of the HITECH Act was a major turning point in the history of HIPAA. Prior to the HITECH Act, business associates were not covered to a large extent by HIPAA, even though they were frequently provided with PHI. The HITECH Act made the HIPAA Rules directly applicable to business associates, which could then be fined directly if they did not also comply with the HIPAA Rules. Business associates include a huge range of third-party companies such as accountants, attorneys, billing companies, collection agencies, consultants, data analysts, and IT firms, so the HITECH Act, and subsequent Omnibus Rule, addressed that major gap.

The introduction of the HITECH Act also saw the penalties for noncompliance significantly increased and OCR also increased its HIPAA enforcement activities. With major fines issued for HIPAA violations, HIPAA compliance became a major focus for HIPAA-covered entities and business associates.

Enforcement of compliance has been critical to the success of HIPAA and while there are still many cases each year of noncompliance, on the whole the requirements of HIPAA have been largely implemented and the benefits of HIPAA are being realized.

Issues with Patient Access to PHI

Since the 2000 HIPAA Privacy Rule was introduced, patients have been given the right to obtain a copy of their own healthcare data, or to have that data sent to their nominated representative. The HITECH Act updated that right and helped individuals obtain a copy of their health data in electronic form, due to the increasing use of electronic health record systems.

While healthcare organizations have implemented policies that allow patients to exercise their access rights, many patients have experienced problems obtaining a copy of their healthcare data. They have either been refused access, requests have been delayed, and patients have been charged excessive fees for exercising their access rights – HIPAA only permits covered entities to charge a reasonable, cost-based fee for providing records.

One of the requirements of the 21st Century Cures Act, introduced in 2016, was to call on the Government Accountability Office to report on the barriers to patient medical record access and following assessments the HHS’ Office for Civil Rights launched a new HIPAA enforcement initiative targeting violations of the HIPAA Right of Access of the HIPAA Privacy Rule in the fall of 2019. That enforcement initiative is still active and, up until the end of July 2021, OCR has imposed 19 financial penalties on healthcare providers found to have been in violation of the HIPAA Right of Access.

Prior to the OCR enforcement initiative, only one financial penalty had been imposed for violations of this important right and that was the $4,300,000 financial penalty imposed on Cignet Health of Prince George’s County in 2011 for denying 741 patients access to their medical records.

HIPAA has Improved Healthcare Data Security

Prior to the introduction of the HIPAA Security Rule, healthcare organizations only had to comply with state laws covering data security. The Security Rule set new minimum standards for data security to ensure the confidentiality, integrity, and availability of electronic PHI. The Security Rule requires risk analyses to be conducted and risks reduced to a reasonable and acceptable level. Access controls are required to prevent unauthorized access to healthcare data, logs must be maintained and checked to identify unauthorized access, backups of data must be made, measures must be implemented to protect against reasonably anticipated, impermissible uses or disclosures, and staff must be provided with security awareness training.

Data security has improved, but data breaches are now occurring at records levels. For the past 5 months, data breaches have been reported by healthcare organizations and business associates at a rate of over 2 per day, but without the Security Rule requirements, far more breaches would be likely to occur.

The HIPAA Security Rule does have weaknesses. To remain relevant the HIPAA Security Rule had to be technology agnostic, so specific measures for security are generally not stipulated. It is left to the discretion of each entity to determine what constitutes “reasonable” protections. If the Security Rule was more specific with regard to required security protections, many more data breaches could be prevented.

The Security Rule also only applies to HIPAA covered entities and business associates, not to any other entity. It therefore has limited reach, and does not cover health data collected by health apps, or the huge volumes of data collected and sold by data brokers. There is therefore considerable scope for improvement to better protect all health data.

The HIPAA Security Rule also calls for security awareness training for staff but does not stipulate how frequently it should be provided. With the threat landscape constantly changing, regular training must be provided to the workforce to ensure employees are kept aware of the latest threats and are taught how to avoid them. Many covered entities and business associates are compliant with this requirement yet fail to provide training regularly enough to prevent cyberattacks and the associated privacy violations.

How Has HIPAA Fared with Changing Technology?

No legislative act will be able to maintain pace with the pace at which technology has evolved, especially one covering the healthcare industry. This is why HIPAA provided a framework rather than specifics and incorporated flexibility to accommodate for changes to healthcare technology and evolving privacy and security best practices.

Updates have been made over the years which have amended HIPAA to maintain relevance, such as the 2008 Genetic Information Non-discrimination Act (GINA) which restricts the use of individuals’ genetic data by health insurers and employers and the American Recovery and Reinvestment Act, of which the HITECH Act was part, which strengthened HIPAA in relation to the adoption of EHRs.

However, many new technologies have emerged over the years that are not covered by HIPAA. Personal electronic devices are extensively used which can collect huge amounts of personal and health data, such as fitness trackers and other wearable devices and smartphones have made it much easier for individuals to obtain, use, and share healthcare data.

Many of these devices collect data that would fall under the category of PHI if created or collected by a HIPAA-covered entity but are not within the scope of HIPAA, even though the same data are often collected by those devices. The extent to which these devices are now being used, and the sheer volume of digital health and wellness data being generated outside the healthcare system by individuals, is a growing cause of concern. Without the protections of HIPAA, healthcare data may not be properly protected and could be shared extensively or sold on with ease.

The HIPAA Privacy Rule does not adequately cover the collection of healthcare data, as it only covers uses and disclosures by certain entities. It does not apply to health data itself, and this could be argued is one of the biggest failures of HIPAA. The same is true of the HIPAA Security Rule, which also has a restrictive scope and only calls for administrative, physical, and technical safeguards for the healthcare data held, received, or transmitted by HIPAA-covered entities and their business associates.

Healthcare data is extremely valuable, and not only to bad actors such as cybercriminals. Cybercriminals can use healthcare data for fraud and identity theft, but it also has tremendous value to a wide range of businesses. Healthcare and wellness data can be used by insurers to gauge risk – which can affect insurance premiums. Employers can use health data to make decisions about potential new hires, and all manner of other businesses can use the data to make decisions about individuals that could have significant consequences for the data subjects.

The question about whether HIPAA should be updated to cover all healthcare data has yet to be fully answered. Many attempts have been made to introduce legislation to cover all healthcare data, but each has failed to make it through the Senate.

The scope of HIPAA could be expanded to include individually identifiable health information collected, used, transmitted, or maintained by non-HIPAA covered entities and non-business associates. Alternatively, new separate legislation is required to cover healthcare data not currently regulated by HIPAA. The solution could well be to leave HIPAA as it is and to instead introduce a national privacy law akin to the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

HIPAA Training and Education Need to Improve

HIPAA is not perfect and there are still significant gaps in the legislation, something that the coronavirus pandemic has highlighted. HIPAA doesn’t extend to the army of contact tracers and the data they collect, nor does it adequately cover exposure notification apps and may disclosures of COVID-19 related data. This is an area, like personal health apps, that needs to be addressed as there is considerable potential for privacy violations.

Vaccination programs have highlighted several areas where education needs to be improved. There have been many cases of HIPAA being cited as a reason not to disclose or share vaccination data, when HIPAA does not place restrictions on disclosures of vaccination information by individuals to employers or others.

Training remains a key issue with HIPAA and is often a much bigger weakness than technology or the HIPAA text itself. It is often uninformed people, and not healthcare technology and privacy and security controls, that are the reason for security breaches and privacy violations. While updates to HIPAA are needed, improvements need to be made to training programs to ensure all individuals with access to PHI or systems containing PHI are aware of their responsibilities and are trained how to be HIPAA-compliant employees.

Training needs to be appropriate to the role of each individual and training needs to be reinforced. Regular training sessions need to be provided to the workforce to make sure that the requirements of HIPAA are fully understood and are not forgotten over time. At many covered entities and business associates, employee training on HIPAA is not provided frequently enough.

Proposed Updates to the HIPAA Privacy Rule

Ahead of the 25-year anniversary of the HIPAA Privacy Rule, a significant update was proposed by the HHS. The proposed update published by the HHS in 2020 is intended to address several aspects of the Privacy Rule that are hampering care coordination and adding an unnecessary administrative burden on healthcare providers.

One of the main reasons for the update, according to then HHS Secretary Alex Azar, was to “break down barriers that have stood in the way of common sense care coordination and value-based arrangements for far too long.” The proposed update will improve care coordination and case management for patients, allow families and caregivers to become more involved in the provision of care to individuals, improve patients’ access to their health data, and will introduce new flexibilities covering disclosures of PHI in emergency and threatening situations, while also reducing the administrative burden on healthcare organizations. These updates have been long overdue but there has been criticism that the updates do not go far enough, and that some of the suggested updates are ill-advised.

One of the aspects addressed in the update will make it easier for patients to obtain a copy of their electronic healthcare data, but there are potential privacy and security risks with the change. Patients will be given the “right to direct the transmission of certain protected health information in an electronic format to a third party.” This right will help patients share their healthcare data with research organizations, but there are concerns that this change could have a negative impact on patients. Patients could request their health data be sent to anyone they choose, when the transmission of data to an entity not covered by the protections of HIPAA carries a security risk. The new right will certainly give patients much greater access and control over their personal data, but potentially it increases the risks that PHI may fall into the hands of bad actors.

The Future of HIPAA

HIPAA has been a great success, but it is far from perfect. There are still areas that require tweaking to improve usability and remove some of the administrative burden placed on HIPAA-covered entities. Proposed updates to the HIPAA Privacy Rule go some way to addressing some of the issues, but for many, the new HIPAA regulations that have been proposed do not go nearly far enough and some of the proposed changes have potential to cause privacy issues.

Overall, for legislation that is 25 years old, HIPAA has, with its various amendments, survived the test of time and is even more relevant and useful now than it was when it was first signed into law in 1996. HIPAA should be viewed as a work in progress though, and as far as the Future of HIPAA is concerned, there are likely to need to be further updates to ensure it remains relevant and effective.

Future of HIPAA FAQs

Does HIPAA cover all healthcare data?

HIPAA covers identifiable healthcare data, which is any healthcare data created, collected, transmitted, or maintained by a HIPAA-covered entity or business associate for treatment, payment for healthcare, or healthcare operations relating to the past, present, or future health status of an individual. Health data is not covered by HIPAA if it is created, stored, or transmitted by a non-HIPAA-covered entity or non-business associate.

Who does HIPAA apply to?

HIPAA applies to HIPAA-covered entities and their business associates. HIPAA-covered entities are healthcare providers, health plans, and healthcare clearinghouses that conduct electronic transactions involving PHI for which the HHS has developed standards. Business associates are vendors that provide products or services to HIPAA-covered entities that requires contact with PHI. HIPAA does not apply to other entities such as reporters, senators, individuals, and most employers.

Are there privacy risks associated with health apps?

Health apps, fitness trackers, and other wearable devices are not generally covered by HIPAA, nor are the data they collect or transmit. Without the protection of HIPAA, health app developers may use, disclose, or sell health data collected through the apps, and the security measures implemented may not meet HIPAA standards. There may be privacy and security risks associated with the use of these apps and devices.

Does HIPAA prevent disclosures of COVID-19 vaccination information?

Many people hide behind HIPAA and use the regulation as an excuse not to answer questions. One of the most notable recent examples, of which there are many, came from Marjorie Taylor Greene when asked about her vaccination status and cited HIPAA as the reason she could not disclose the information. HIPAA does not prevent such discloses. It only places restrictions on uses and disclosures by healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities.

How often does HIPAA training need to be provided?

HIPAA training must be provided to all healthcare employees within a reasonable period of time after the person joins the covered entity’s workforce, as well as when functions are affected by a material change in policies or procedures and following any updates to the HIPAA Rules. HIPAA refresher training should also be provided at least annually, and no later than every two years. Annual training is the best practice.

The post Future of HIPAA: Reflections at the 25th Anniversary of HIPAA appeared first on HIPAA Journal.

Scripps Health Ransomware Attack Expected to Cost $106.8 Million

Ransomware attacks on hospitals can cause huge financial losses, as the Ryuk ransomware attack on Universal Health Services showed. UHS is one of the largest healthcare providers in the United States, and operates 26 acute care hospitals, 330 behavioral health facilities, and 41 outpatient facilities. UHS said in March 2021 that the September 2020 ransomware attack resulted in $67 million in pre-tax losses due the cost of remediation, loss of acute care services, and other expenses incurred due to the attack.

While the losses suffered by UHS were significant, the ransomware attack on Scripps Health has proven to be far more expensive. Scripps Health is a California-based nonprofit operator of 5 hospitals and 19 outpatient facilities in the state. In the May 2021 ransomware attack, Scripps Health lost access to information systems at two of its hospitals, staff couldn’t access the electronic medical record system, and its offsite backup servers were also affected.

Without access to critical IT systems, Scripps Health was forced to re-route stroke and heart attack patients from four of its main hospitals in Encinitas, La Jolla, San Diego and Chula Vista, and trauma patients could not be accepted at Scripps Mercy Hospital San Diego in Hillcrest and Scripps Memorial Hospital La Jolla. Scripps Health said it took 4 weeks to recover from the attack.

Losses sustained as a result of the attack are expected to reach $106.8 million, with the majority of that figure – $91.6 million – due to lost revenue during the 4-week recovery period. $21.1 million had to be spent on response and recovery, and Scripps Health was only able to recover $5.9 million from its cyber insurance policy.

The costs are likely to increase further still. The protected health information of 147,267 patients was compromised in the attack, and several class action lawsuits have been filed against Scripps Health over the theft of patient data. The expected losses do not include litigation costs.

The post Scripps Health Ransomware Attack Expected to Cost $106.8 Million appeared first on HIPAA Journal.