Healthcare Data Security

Microsoft and NCCoE Start Working on Guidelines for Implementing an Effective Enterprise Patch Management Strategy

A new project has been launched by Microsoft and the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) to develop guidance on developing and implementing an effective patch management strategy.

Following the (Not)Petya wiper attacks in 2017, Microsoft embarked on a voyage of discovery into why companies had failed to exercise basic cybersecurity hygiene and had not patched their systems, even though patches had been released months previously and could have protected against the attacks.

Over the past 12 months, feedback has been sought from the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), and the Center for Internet Security on the risk of exploitation and patch management strategies. Microsoft has also sat down with customers to find out more about the challenges they face applying patches and to discover exactly why patching is often delayed and why in some cases patches are not applied.

These meetings revealed many companies were unsure about what they should be doing in terms of patch testing. In some cases, patch testing appeared to consist only of asking questions on online forums to see if anyone had experienced any problems with recently released patches. Many customers were unsure about how fast patches needed to be applied.

The meetings prompted Microsoft to form a partnership with NCCoE to develop an enterprise patch management strategy to help companies plan and implement an effective patching strategy. The aim of the initiative is to devise industry guidance and standards to help companies improve their patch management processes.

The project is just about to commence and will involve developing common patch management architectures and processes. Appropriate vendors will assist by building and validating implementation instructions in the NCCoE lab and the project will ultimately result in a new NIST Special Publication 1800 practice guide on patch management.

An invitation has now been extended to vendors with technology offerings that can help with patch management, such as scanning, reporting, deployment, and risk measurement. Individuals and organizations willing to share patch management tips and tactics, and the lessons they have learned are also welcome to participate.

Any vendor, organization, or individual that wishes to participate should contact the project team on at cyberhygiene@nist.gov

The post Microsoft and NCCoE Start Working on Guidelines for Implementing an Effective Enterprise Patch Management Strategy appeared first on HIPAA Journal.

Roger Severino Gives Update on OCR HIPAA Enforcement Priorities

Roger Severino, Director of the HHS’ Office for Civil Rights, has given an update on OCR’s HIPAA enforcement priorities at the OCR/NIST 11th Annual HIPAA Conference in Washington D.C.

Severino confirmed that one of OCR’s top policy initiatives is still enforcing the rights of patients under the HIPAA Privacy Rule and ensuring they are given timely access to their health information at a reasonable cost.

Under HIPAA, patients have the right to view and check their medical records and obtain a copy of their health data, yet there are still healthcare organizations that are making this difficult. OCR has already agreed to settle one case this year with a HIPAA-covered entity that failed to provide a patient with a copy of her health information. OCR had to intervene before those records were provided to the patient. The entity in question, Bayfront Health St Petersburg, paid a financial penalty of $85,000 to resolve the HIPAA violation.

More financial penalties will be issued to covered entities that fail to comply with this important provision of HIPAA. Severino confirmed that Bayfront Health’s financial penalty was the first in a series of penalties for covered entities that are not providing patients with access to their health data within 30 days of the request being received.

OCR has issued guidance to help covered entities comply with this aspect of HIPAA, but now the time has come “for serious enforcement,” explained Severino.

Severino also explained that patients must be allowed to have their health data sent to health apps. The requests should only be denied if the app poses a security risk to the covered entity. Severino confirmed a covered entity is not liable for what happens to PHI after a disclosure to a health app at the patient’s request.

In many cases, patients are not being denied access to their medical records and requests for copies of medical records are being honored, but patients are being charged excessive amounts. In 2016, OCR issued guidance on the amounts that healthcare organizations can charge for providing copies of medical records and further clarification was also issued on the fee structures that can be adopted. Financial penalties for overcharging for copies of medical records can be expected.

The crackdown on patient access issues is part of the HHS Regulatory Sprint to Coordinated Care initiative and fits in with the Trump Administration’s drive to improve transparency of healthcare costs and the reduction of the cost of healthcare in the United States.

A prop is always useful for getting a point across. In this case Severino used a medical boot that he purchased to aid recovery from a torn Achilles tendon. Severino said he was advised by his doctor to purchase the boot and paid his doctor $430 for the treatment aid. He explained that he later looked online and found the exact same boot for sale on Amazon for $70, saying “This boot represents what’s wrong with price transparency.”

OCR is looking at how HIPAA can be updated to address this problem, such as requiring healthcare providers and health plans to provide information about the expected out-of-pocket costs for medical services or equipment before those items or services are provided to patients.

Contractors provide quotes for work in advance and banks provide customers with information on the costs of mortgages before providing the funds, but that doesn’t always happen in healthcare. That is something that needs to change.

Severino also touched on the issue of cybersecurity. Phishing and ransomware attacks cause a high percentage of healthcare data breaches and in many cases the attacks can be prevented by practicing good cybersecurity hygiene.

Ransomware is often installed through the exploitation of vulnerabilities in Remote Desktop Protocol. The failure to address those RDP vulnerabilities has led to several major healthcare ransomware attacks and data breaches.

Phishing attacks have been a major cause of healthcare data breaches for several years. It is not possible to prevent all attacks, but by complying with HIPAA, risk can be significantly reduced. HIPAA calls for covered entities to provide employees with training to help them identify and avoid phishing threats. Severino explained that training is critical, as is conducting phishing simulation exercises to find out how susceptible employees are to phishing.

Other cybersecurity failures that could prevent data breaches include the lack of multi-factor authentication, poor access controls, and the failure to promptly terminate access to systems when employees leave the company.

2019 may have only seen four OCR financial penalties issued to date to resolve HIPAA violations but the year is far from over. Further penalties will be announced this year, including one $2.1 million civil monetary penalty.

Severino did not confirm the reason for the penalty or provide any details, other than saying a final determination has been reached and the penalty will be announced by the department soon.

The post Roger Severino Gives Update on OCR HIPAA Enforcement Priorities appeared first on HIPAA Journal.

MITA Publishes New Medical Device Security Standard

The Medical Imaging & Technology Alliance (MITA) has released a new medical device security standard which provides healthcare delivery organizations (HDOs) with important information about risk management and medical device security controls to harden the devices against unauthorized access and cyberattacks.

The new voluntary standard – Manufacturer Disclosure Statement for Medical Device Security (MDS2) (NEMA/MITA HN 1-2019) – was developed in conjunction with a diverse range of industry stakeholders and aligns with the 2018 U.S. Food and Drug Administration (FDA) Medical Device Cybersecurity Playbook, issued in October 2018.

The guidance explains that cybersecurity of medical devices is a shared responsibility. HDOs must collaborate with medical device manufacturers to ensure best practices are adopted. Device manufacturers, HDOs, government entities, and cybersecurity researchers need to work together to ensure threats to medical devices are managed and reduced to reasonable and appropriate levels.

The new standard is intended to help streamline communications between device manufacturers and HDOs, increase transparency of information, and clarify the roles of each with respect to the security of medical devices.

“Transparent information and speed of getting that information from manufacturers to health delivery organizations are crucial, and this Standard helps foster both,” said Tim Walsh, Principal Information Security Analyst – CIS Operations, Mayo Clinic, and member of the MDS2 Canvass Group.

The guidance includes information on the standard security controls incorporated into medical devices to ensure they meet industry standards and can be used safely and securely; however, it is the responsibility of HDOs to ensure that the devices are configured correctly. HDOs need to assess medical device security controls and determine whether they are appropriate, work within their own environments, and allow risk to be effectively controlled and managed.

Worksheets have been created for assessing the features and security capabilities of each medical device, including the specifications, the management of personally identifiable information, audit controls, authorization controls, data backup and disaster recovery functions, data integrity controls, anti-malware protections, connectivity, node authentication, security guidance, how cybersecurity upgrades will be performed throughout the lifecycle of devices, and other key information for HDOs.

Medical device manufacturers should complete the worksheets to provide HDOs with the technical information they will need to conduct their own security risk assessments and build their security risk management programs.

While the MDS2 form contains important technical information on medical devices, MITA warns that it is not intended to be used as the sole basis for medical device procurement, as writing medical device procurement specifications requires more extensive knowledge of an HDO’s security environment and healthcare mission.

The information on the MDS2 form must be combined with detailed information collected about the care delivery environment in which the devices will be used. Tools such as ECRI’s Guide for Information Security for Biomedical Technology are useful in this regard.

The post MITA Publishes New Medical Device Security Standard appeared first on HIPAA Journal.

HHS Proposes New Stark Law Safe Harbor Covering Cybersecurity Donations

The U.S. Department of Health and Human Services (HHS) has proposed changes to physician self-referral and federal anti-kickback regulations which will see the creation of a new safe harbor covering hospital donations of cybersecurity software and associated services to physicians.

The proposed law change is detailed in two new rules issued by the HHS’ Office of Inspector General (OIG) and the Centers for Medicaid and Medicare Services (CMS) which aim to modernize and clarify regulations that interpret the Federal Anti-Kickback Statute and Physician Self-Referral law known as Stark Law.

The proposed rules are part of the HHS’s Regulatory Sprint to Coordinated Care which promotes value-based care by eliminating federal regulatory barriers that are impeding efforts to improve the coordination of care between providers.

“The digitization of the healthcare delivery system and related rules designed to increase interoperability and data sharing in the delivery of healthcare create numerous targets for cyberattacks,” explained OIG. “The healthcare industry and the technology used to deliver healthcare have been described as an interconnected ‘ecosystem’ where the ‘weakest link’ in the system can compromise the entire system.”

Physician practices are a possible weak link that could be exploited by threat actors to compromise the whole system. Many small healthcare providers lack the necessary resources to improve their security posture and ensure that their systems, networks, and patient data are adequately protected.

The proposed updates are intended to provide greater clarity for healthcare providers participating in value-based arrangements and are providing coordinated care for patients. They are intended to ease the compliance burden for healthcare providers while ensuring strong safeguards are maintained to protect patients and programs from fraud and abuse.

There is already an exception to Stark Law which permits healthcare providers to make EHR-related donations to physicians as well as donations of cybersecurity software and services. The proposed rule seeks to provide greater certainty for healthcare providers that such donations do not violate Stark Law.

The new safe harbor will remove real or perceived barriers that prevent parties from using cybersecurity technologies to improve security. The safe harbor was recommended by the HHS Healthcare Industry Cybersecurity Task Force in 2017 and will cover certain cybersecurity technologies and associated services that are essential for protecting against cyberattacks on the healthcare industry. Those attacks increase the costs of healthcare delivery and often prevent healthcare providers from accessing health records and other information essential for healthcare delivery.

In the context of the proposed rule changes, OIG defines cybersecurity as “the process of protecting information by preventing, detecting, and responding to cyberattacks.” Covered cybersecurity technology includes software or information technology that improves cybersecurity, but there are limitations on what can be donated. The rule includes software, cybersecurity training services, business continuity and data recovery services, services associated with security risk assessments, threat sharing services, and cybersecurity-as-a-service offerings.

The OIG rule does not permit donations of hardware as it could have uses outside of cybersecurity and would increase the risk of donations being made to influence referrals. OIG says it may consider updating its proposed rule to include certain types of stand-alone hardware that can only be used for cybersecurity purposes, such as multi-factor authentication dongles.

The proposed rules will help to reduce the cost of healthcare by helping smaller healthcare providers avoid the costs of improving their security posture and reduce the potential for costly cyberattacks. By receiving donations of necessary software and cybersecurity services, they will be able to direct funds to other items and services not covered by the proposed safe harbor.

“Administrative costs are driving up the cost of healthcare in America – to the tune of hundreds of billions of dollars. The Stark proposed rule is an important next step in President Trump’s healthcare agenda for Americans. We are updating our antiquated regulations to decrease burden for providers and helping bring down these increasingly escalating costs,” said CMS administrator Seema Verma.

“Regulatory reform has been a key piece of President Trump’s agenda not just for faster innovation and economic growth, but also better, higher-value healthcare. Our proposed rules would be an unprecedented opportunity for providers to work together to deliver the kind of high-value, coordinated care that patients deserve,” said HHS Secretary, Alex Azar.

The post HHS Proposes New Stark Law Safe Harbor Covering Cybersecurity Donations appeared first on HIPAA Journal.

Pulse Connect, GlobalProtect, Fortigate VPN Vulnerabilities Being Actively Exploited by APT Actors

Vulnerabilities in popular VPN products from Pulse Secure, FortiGuard, and Palo Alto are being actively exploited by advanced persistent threat (APT) actors to gain access to vulnerable VPNs and internal networks.

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and other cybersecurity agencies issued security advisories about multiple vulnerabilities in VPN products over the summer of 2019; however, many organizations have been slow to take action. Weaponized exploits for the vulnerabilities have now been developed and are being used by APT actors and exploit code is freely available online on GitHub and the Metasploit framework.

On October 1, 2019, the UK’s National Cyber Security Centre issued a warning about the vulnerabilities following several attacks on government agencies, the military, businesses, and the education and healthcare sectors. The National Security Agency (NSA) also issued a security advisory about the vulnerabilities along with mitigations on October 7.

The vulnerabilities are present in outdated versions of the Pulse Secure VPN (CVE-2019-11508 and CVE-2019-11538), the Palo Alto GlobalProtect VPN (CVE-2019-1579), and the Fortinet Fortigate VPN (CVE 2018-13379, CVE-2018-13382, CVE-2018-13383).

No mention was made about the APT actors responsible for the attacks, although there have been reports that the Chinese APT group APT5 has been conducting attacks on Pulse Secure and Fortinet VPNs.

The weaponized exploits allow APT actors to retrieve arbitrary files, including those containing authentication credentials. Those credentials can then be used to gain access to vulnerable VPNs, change configurations, remotely execute code, hijack encrypted traffic sessions, and connect to other network infrastructure.

The flaws are serious and require immediate action to prevent exploitation. The NSA security advisory urges all organizations using any of the above products to check to make sure they are running the latest versions of VPN operating systems and to upgrade immediately if they are not.

The NSA advisory also provides information on actions to take to check whether the flaws have already been exploited and steps to take if an attack is discovered. If a threat actor has already exploited one of the vulnerabilities and has obtained credentials, upgrading to the latest version of the OS will not prevent those credentials from being used.

The NSA therefore advises all entities running vulnerable VPN versions to reset credentials after the upgrade and before reconnection to the external network as a precaution, since it may be difficult to identify an historic attack from log files.

User, administrator, and service account credentials should be reset, and VPN server keys and certificates should be immediately revoked and regenerated. If a compromise is suspected, accounts should be reviewed to determine whether the attacker has created any new accounts.

The NSA has also provided recommendations for public-facing VPN deployment and long-term hardening controls.

The post Pulse Connect, GlobalProtect, Fortigate VPN Vulnerabilities Being Actively Exploited by APT Actors appeared first on HIPAA Journal.

URGENT/11 Cybersecurity Vulnerabilities in Medical Devices Prompt FDA Warning

Security researchers at Armis have identified 11 vulnerabilities in the Interpeak IPnet TCP/IP Stack, a third-party software component used in hospital networks and certain medical devices.

The vulnerabilities were reported to the DHS Cybersecurity and Infrastructure Security Agency (CISA) prompting an ICE medical advisory and a Food and Drug Administration (FDA) Safety Communication warning patients, healthcare providers, facility staff and manufacturers about the flaws.

The FDA alert – named URGENT/11 – explains that the vulnerabilities could be remotely exploited by a threat actor allowing full control to be taken of a vulnerable medical device. An attacker could change the functions of the device, access sensitive information, cause logical flaws or denial of service attack that could stop the device from working.

While there have been no reports of the flaws being exploited in the wild, the FDA warns that the software required to exploit the flaws is publicly available.

Interpeak IPnet TCP/IP Stack supports network communications between computers, and while it is no longer supported by the original developer, some device manufactures are licensed to use the component in their software applications, systems, and equipment without support.

The FDA warns that the vulnerable component is in use in some versions of the following operating systems:

  • VxWorks (by Wind River)
  • Operating System Embedded (OSE) (by ENEA)
  • INTEGRITY (by Green Hills)
  • ThreadX (by Microsoft)
  • ITRON (by TRON Forum)
  • ZebOS (by IP Infusion)

Certain Beckton Dickinson (BD), Drager, GE Healthcare, Philips Healthcare, and Spacelabs products are also affected by the flaws. Each of those companies has released security advisories about the affected products.

WindRiver holds the license for IPnet and has released patches to mitigate the vulnerabilities. If it is not possible to upgrade to the latest version of the OSE, other mitigating controls can be implemented to reduce the risk of exploitation. WindRiver should be contacted for details of possible compensating controls.

The flaws are detailed in the ICS-CERT Medical Advisory (ICSMA-19-274-01). The FDA has released recommendations for device manufacturers, healthcare providers, healthcare facility staff, patients and caregivers, which can be viewed on this link.

Healthcare providers have been advised to work with their device manufacturers to determine which devices are vulnerable and find out about the steps that need to be taken to secure the devices. They have also been advised to inform patients using vulnerable devices to immediately report any suspected operational or functional changes to their medical devices.

9 of the vulnerabilities are classed as high severity with a CVSS v3 score of between 7.0 and 10, three of which have a score of 9.8. In order of severity, the CVE numbers are: CVE-2019-12256, CVE-2019-12255, CVE-2019-12260, CVE-2019-12257, CVE-2019-12261, CVE-2019-12263, CVE-2019-12258, CVE-2019-12259, CVE-2019-12262, CVE-2019-12264, and CVE-2019-12265.

The post URGENT/11 Cybersecurity Vulnerabilities in Medical Devices Prompt FDA Warning appeared first on HIPAA Journal.

Senator Demands Answers Over Exposure of Medical Images in Unsecured PACS

Sen. Mark Warner (D-Virginia) has written to TridentUSA demanding answers about a breach of sensitive medical images at one of its affiliates, MobileXUSA.

Sen. Warner is the co-founder of the Senate Cybersecurity Caucus, which was set up as bipartisan educational resource to help the Senate engage more effectively on cybersecurity policy issues. As part of the SCC’s efforts to improve cybersecurity in healthcare, in June Sen. Warner asked NIST to develop a secure file sharing framework and wrote to healthcare stakeholder groups in February requesting they share best practices and the methods they used to reduce cybersecurity risk and improve healthcare data security.

The latest letter was sent a few days after ProPublica published a report of an investigation into unsecured Picture Archiving and Communications Systems (PACS). PACS are used by hospitals and other healthcare organizations for viewing, storing, processing, and transmitting medical images such as MRIs, CT scans, and X-Rays. The report revealed more than 303 medical images of approximately 5 million Americans had been left exposed on the Internet due to PACS security failures. Those medical images were stored on 187 U.S. servers, including those used by MobileXUSA.

In the letter, Sen. Warner said “It appears that the information held by MobileXUSA was made accessible due to sloppy cybersecurity practices – no software vulnerabilities were involved, and no explicit hacking was required [to access the images].”

Sen. Warner said HIPAA requires security controls to be applied to keep sensitive data protected, including medial images stored in PACS, and that both TridentUSA and MobileXUSA have a duty under HIPAA to ensure their PACS are not publicly accessible and that proper controls are applied to prevent unauthorized access and data theft.

By October 9, 2019, Sen. Warner requires answers to questions about the cybersecurity practices at both companies to determine how medical images in the PACS were exposed and why the lack of security protections was not detected internally.

Specifically, Sen Warner wants to know about the audit and monitoring tools employed to analyze its HIPAA-mandated audit trails, whether systems that access the PACS and DICOM images comply with current standards and use access management controls, what identify and access management controls are applied for IP-addresses and port filters, if a VPN or SSL is required to communicate with the PACS, the frequency of vulnerability scans and internal HIPAA compliance audits, what server encryption processes are in use, and whether the companies have an internal security team or if security is outsourced.

PACS and the DICOM image format have been designed to facilitate the sharing of medical images within an organization and with authorized third parties, but it is the responsibility of each organization to ensure that those systems are secured to protect patient privacy.

Healthcare organizations can face many challenges securing their PACS without negatively impacting workflows. To help healthcare organizations secure their systems, NCCoE has recently released new NIST guidance for healthcare providers to help them secure the PACS ecosystem.

The post Senator Demands Answers Over Exposure of Medical Images in Unsecured PACS appeared first on HIPAA Journal.

IT Departments Slow to Modify and Block Access Rights When Employees Change Roles or Leave the Company

A recent survey of IT professionals, conducted by IT firm Ivanti, has revealed access rights to digital resources are not always terminated promptly when employees change roles or leave the company. The latter is especially concerning as there is a high risk of data theft and sabotage of company systems by former employees. There have been many reported cases of former employees taking sensitive data to new employers and conducting malicious acts in cases of termination.

The survey was conducted online in the summer of 2019 on 400 individuals, 70% of whom were IT professionals. Questions were asked about setting up permissions for new employees, modifying access rights when roles change, and terminating access rights to company resources when employees are terminated, contracts end, or employees find alternative employment.

The respondents came from a broad range of industries including healthcare. 27% of respondents said they were required to comply with the Health Insurance Portability and Accountability Act (HIPAA), 25% were required to comply with the EU’s General Data Protection Regulation (GDPR), and 23% had to comply with the Sarbanes-Oxley Act (SOX)

While policies and procedures have been established to cover the entire process, the survey revealed issues onboarding new employees, modifying permissions, and terminating access rights.

85% of employees said they did not have access to all the resources they needed to complete their job duties when they first joined the company. Surveyed IT professionals confirmed that to be the case, with 38% saying it takes an average of 2-4 days to fully onboard new starters and 27% said it takes more than a week.

From a security and compliance perspective, modifying access rights to resources is of far greater importance but even though legislation such as HIPAA calls for prompt changes to be made to prevent unauthorized data access, access right changes are slow to be applied, if they are applied at all.

Only 55% of respondents were confident that access to unnecessary resources was removed when an employee’s role in the organization changed. 26% of IT professionals said it typically takes over a week to fully deprovision employees when they leave the company and only half of surveyed IT professionals were confident that access to critical systems and data had been blocked for the most recent employee to leave the company. When asked if they knew someone who still had access to a former employer’s systems or data, 52% said yes.

The biggest perceived risks of failing to fully deprovision a former employee were sensitive data leakage (38%), cyberattacks through an unmanaged account (26%), and malicious data theft (24%).

When asked about the reasons for the onboarding, amending, and offboarding issues, the main issue was poorly defined processes, cited as a problem by 24% of surveyed IT professionals. 23% said there were issues with automation and 10% said it was due to a lack of resources. More than half of IT professionals (54%) had to make changes manually, 37% used some automation, and just 9% said processes were fully automated and were applied as soon as HR makes a change.

Unless job roles and permissions are well defined and procedures properly documented, issues will occur and without a high degree of automation, there are bound to be delays offboarding employees, even though the delays expose companies to considerable risk and potential fines for noncompliance.

The post IT Departments Slow to Modify and Block Access Rights When Employees Change Roles or Leave the Company appeared first on HIPAA Journal.

Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches

Researchers from Michigan State University and Johns Hopkins University have conducted a study of healthcare data breaches over the past 10 years to examine what types of information are most commonly exposed in healthcare data breaches.

The study, published in the journal Annals of Internal Medicine on Monday September 23, 2019, confirms that the health information of approximately 169 million Americans was exposed, compromised, or impermissibly disclosed in 1,461 data breaches at 1,388 entities between October 2009 and July 2019. Those breaches each impacted 500 or more individuals and were reportable incidents under HIPAA and the HITECH Act.

The researchers explain that information about the types of information exposed in data breaches is not widely available to the public, since it is not a requirement to share the types of data that have been compromised in the breaches. It is therefore difficult for researchers to classify the amount and types of healthcare information exposed and gain an accurate picture of the consequences of the breaches.

“When the media reports data breaches that occurred to healthcare providers, the headline is always the number of patients affected,” explained John (Xuefeng) Jiang, MSU professor of accounting and information systems at MSU and lead author of the study. “We felt both the regulators and the public didn’t pay enough attention to the type of information compromised in the healthcare data breach.”

Types of Data Exposed in Healthcare Data Breaches

For the study, the researchers categorized healthcare data into three main groups: Demographic information (Names, email addresses, personal identifiers etc.); service and financial information (Payments, payment dates, billing amounts etc.); and Medical information (Diagnosis, treatments, medications etc.)

Social Security numbers, drivers license numbers, payment card information, bank account information, insurance information, and birth dates added to a subcategory of sensitive demographic information. This information could be used by criminals for identity theft, medical identity theft, tax and financial fraud. A subcategory of medical information was also used for particularly sensitive health data such as substance abuse records, HIV status, sexually transmitted diseases, mental health information, and cancer diagnoses, due to the potential implications for patients should that information be exposed or compromised.

Key Findings of the Study

  • 71% of breaches involved either sensitive demographic information or sensitive financial information, which placed 159 million individuals at risk of identity theft or financial fraud
  • 66% of breaches involved sensitive demographic information such as Social Security numbers
  • 65% of the breaches exposed general medical or clinical information
  • 35% of breaches compromised service or financial information
  • 16% of breaches only exposed medical or clinical information without exposing sensitive demographic or financial information
  • 76% of breaches included sensitive service and financial information such as credit card numbers – Those breaches affected 49 million individuals
  • 2% of breaches compromised sensitive health information – Those breaches affected 2.4 million individuals

Jiang believes hackers are not targeting healthcare organizations to gain access to patients’ sensitive medical information, instead healthcare organizations are attacked, and hackers take whatever data they can find in the hope that the information can be monetized. Jiang suggests hospitals and research institutions should store medical information separately from demographic information. Medical information could then be shared between healthcare providers and researchers without greatly increasing risks for patients. A separate system could be used for demographic, financial and billing information, which is needed by hospital administration staff.

The researchers advocate greater focus on the types of information exposed or compromised in healthcare data breaches to help breach victims manage risk more effectively. They suggest the Department of Health and Human Services should formally collect and publish information about the types of data that have been exposed in data breaches to help the public assess the potential for harm. The researchers plan to work closely with lawmakers and the healthcare industry to provide practical guidance and advice based on the results of their academic studies.

Data Breach Notifications Under HIPAA

The HIPAA Breach Notification Rule requires all patients affected by a reportable healthcare data breach to be notified within 60 days of discovery of the breach. Affected individuals must be told what types of information have been exposed or compromised as that information allows breach victims to make a determination about the risk they face so they can make a decision about any actions they need to take to reduce the risk of harm.

OCR explains in its online guidance on breach notification requirements of HIPAA, “These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).”

Publicly Available HIPAA Breach Information

The HHS’ Office for Civil Rights, as required by the HITECH Act, has been publishing summaries of data breaches of 500 or more healthcare records on the HHS website since October 2009. The breach portal, which can be accessed by the public, contains basic information about the breaches.

The breach portal details the name of the breached entity, state, type of covered entity, individuals affected, breach submission date, type of breach, location of breached information, and whether there was business associate involvement. This information can also be downloaded for breaches that are under investigation by OCR and for incidents that have been archived following the closure of the OCR investigation.

When a data breach is archived, further information is added to the breach summary in a “web description” field. The web summary is not available for breaches still under investigation, but the information is included for archived breaches. The web summary is only viewable in the downloaded breach reports.

In many cases, the web description includes details of the types of information that were exposed in the breach, but not in all cases. Formalizing this requirement would ensure that all breaches detailed on the portal would have that information included. The web description field also includes information on any actions taken by OCR in response to the breach that led to the resolution and closure of the investigation.

The post Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches appeared first on HIPAA Journal.