Healthcare Data Security

Vulnerabilities in Servers Behind Majority of Healthcare Data Breaches

Cybercriminals are finding and exploiting vulnerabilities to gain access to healthcare networks and patient data with increasing regularity. The past two months have been the worst and second-worst months on record for healthcare data breaches in terms of the number of breaches reported.

Phishing attacks on healthcare organizations have increased and email is now the most common location of breached protected health information. However, a recent analysis of the data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in the past 12 months has revealed servers to be the biggest risk. Servers were found to be involved in more than half of all healthcare data breaches.

Clearwater Cyberintelligence Institute (CCI) analyzed the 90 healthcare data breaches reported to OCR in the past 12 months. Those breaches resulted in the exposure, impermissible disclosure, or theft of the records of more than 9 million individuals.

The CCI analysis revealed 54% of all reported breaches of 500 or more healthcare records were in some way related to servers.

Servers house essential programs that are used across the healthcare organization. As a central repository of programs and data, they are an attractive target for hackers. Once access has been gained, data can be viewed, copied, altered, or deleted, systems can be sabotaged, and healthcare organizations can be subjected to extortion using ransomware.

CCI performed a risk analysis to determine high and critical risks facing health systems and hospitals. CCI determined 63% of all identified risks were related to the failure to adequately address vulnerabilities in servers.

The high number of server-related data breaches clearly shows that those flaws are being exploited by hackers to gain access to healthcare networks.

According to CCI, one of the most common server vulnerabilities is the failure to keep on top of user account management. When employees leave the company their accounts must be deleted. Dormant accounts are a major risk and are often used by malicious actors to access systems and mask their activities. CCI notes the risk increases with the number of accounts that are left dormant. The longer those accounts are left open, the greater the likelihood that at least one will be used for illicit or malicious purposes.

To address this risk, security controls should be implemented that automatically disable or delete accounts when the HR department changes the status of an employee. If that is not possible, CCI recommends conducting frequent, periodic reviews to ensure all unused accounts are disabled.

In an ideal world, an account would be disabled instantly. In practice, CCI recommends having the systems, policies, and procedures in place to ensure no account remains open for more than 48 hours after it is no longer required.

Reviews of system activity logs should also be conducted to determine whether dormant accounts have been used inappropriately or if any actively used accounts have been compromised or are being misused.

Excessive permissions on user accounts are another serious server vulnerability. Excessive permissions can result in accidental or deliberate access, alteration, or deletion of data. The failure to restrict access rights is also a violation of the HIPAA principle of least privilege.

CCI reports that the risk of excessive user permissions is highest in organizations that do not regularly review user permissions (43.6%), perform user activity reviews (43.6%), or when there is a lack of proper user account management (43.1%).

Regular reviews of user activity will help healthcare organizations to quickly identify anomalies in user data that could be indicative of account misuse or a cyberattack. The frequency of those reviews should be dictated by several factors, including staff turnover and the number of users. CCI suggests user permission and user activity log reviews at least every quarter for an organization with 100 or more users.
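The account-management gaps CCI describes (accounts still open more than 48 hours after termination, dormant accounts, activity on accounts that should be closed, and privileged group membership a role does not justify) can be checked from three exports: the HR roster, a directory dump, and the logon log. The following script is an added example, not code from HIPAA Journal or CCI; the 90-day dormancy threshold, the role-to-privileged-group policy table, and all names and dates in the sample data are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

TERMINATION_GRACE = timedelta(hours=48)   # CCI's ceiling for closing an account
DORMANT_AFTER = timedelta(days=90)        # assumed dormancy threshold (not from the article)

# Assumed policy table: the privileged groups each job role may legitimately hold.
PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators", "Backup Operators"}
ALLOWED_PRIVILEGED = {
    "sysadmin": {"Domain Admins", "Server Operators"},
    "clinician": set(),
    "billing": set(),
}


@dataclass
class Employee:
    emp_id: str
    role: str
    status: str                 # "active" or "terminated", as recorded by HR
    status_changed: datetime    # when HR last changed the status


@dataclass
class Account:
    username: str
    emp_id: str                 # owner per the directory; may not exist in HR
    enabled: bool
    last_logon: Optional[datetime]
    groups: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    username: str
    rule: str
    detail: str


def audit(employees: List[Employee], accounts: List[Account],
          logons: List[Tuple[str, datetime]], now: datetime) -> List[Finding]:
    """Cross-check directory accounts against HR status and logon activity.

    logons are (username, timestamp) pairs taken from the system activity log.
    """
    by_emp = {e.emp_id: e for e in employees}
    findings: List[Finding] = []
    for acct in accounts:
        emp = by_emp.get(acct.emp_id)
        if emp is None:
            # Nobody in HR owns this account, so no status change will ever close it.
            findings.append(Finding(acct.username, "orphaned", "no HR record for owner"))
            continue
        if emp.status == "terminated":
            age = now - emp.status_changed
            if acct.enabled and age > TERMINATION_GRACE:
                findings.append(Finding(acct.username, "terminated-still-enabled",
                                        f"enabled {age.days} day(s) after HR termination"))
            # Any logon after termination is misuse or a compromised account.
            late = [t for u, t in logons if u == acct.username and t > emp.status_changed]
            if late:
                findings.append(Finding(acct.username, "post-termination-logon",
                                        f"{len(late)} logon(s) after termination"))
        elif acct.enabled and (acct.last_logon is None or now - acct.last_logon > DORMANT_AFTER):
            idle = "never" if acct.last_logon is None else f"{(now - acct.last_logon).days} days ago"
            findings.append(Finding(acct.username, "dormant", f"last logon: {idle}"))
        # Privileged group membership that the owner's role does not justify.
        excess = (acct.groups & PRIVILEGED_GROUPS) - ALLOWED_PRIVILEGED.get(emp.role, set())
        if excess:
            findings.append(Finding(acct.username, "excessive-privilege", ", ".join(sorted(excess))))
    return findings


def run_sample() -> List[Finding]:
    """Constructed sample data; every name, id and timestamp here is made up."""
    d = datetime
    employees = [
        Employee("E1", "sysadmin", "active", d(2018, 1, 1)),
        Employee("E2", "clinician", "terminated", d(2019, 6, 1, 9, 0)),
        Employee("E3", "billing", "active", d(2017, 3, 15)),
        Employee("E4", "clinician", "terminated", d(2019, 6, 9, 20, 0)),  # inside the 48h window
    ]
    accounts = [
        Account("asmith", "E1", True, d(2019, 6, 9, 7, 30), {"Domain Admins"}),
        Account("bjones", "E2", True, d(2019, 6, 5, 2, 10)),
        Account("cdoe", "E3", True, d(2019, 1, 15, 11, 0), {"Backup Operators"}),
        Account("dlee", "E4", True, d(2019, 6, 9, 8, 0)),
        Account("svc_old", "E9", True, None),
    ]
    logons = [("asmith", d(2019, 6, 9, 7, 30)), ("bjones", d(2019, 6, 5, 2, 10))]
    return audit(employees, accounts, logons, now=d(2019, 6, 10, 9, 0))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.username:10} {f.rule:26} {f.detail}")
```

On the sample data the audit reports bjones twice (still enabled nine days after termination, and a logon after it), cdoe twice (dormant, and a Backup Operators membership a billing role does not need), and svc_old as orphaned, while asmith and dlee produce nothing.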

The post Vulnerabilities in Servers Behind Majority of Healthcare Data Breaches appeared first on HIPAA Journal.

May 2019 Healthcare Data Breach Report

In April, more healthcare data breaches were reported than in any other month to date. The high level of data breaches has continued in May, with 44 data breaches reported. Those breaches resulted in the exposure of almost 2 million individuals’ protected health information.

Healthcare data breaches by month 2014-2019

On average, 2018 saw 29.5 healthcare data breaches reported to the HHS’ Office for Civil Rights each month – a rate of more than one a day.

From January 2019 to May 2019, an average of 37.2 breaches have been reported each month. Up until May 31, 2019, 186 healthcare data breaches had been reported to OCR, which is more than half (52%) of the number of breaches reported last year.

It remains to be seen whether the increase in data breaches is just a temporary blip or whether 40+ healthcare data breaches a month will become the new norm.

Healthcare records exposed by month 2017-2019

May saw a 186% increase in the number of exposed records compared to April. Across the 44 breaches, 1,988,376 healthcare records were exposed or compromised in May. So far this year, more than 6 million healthcare records have been exposed, which is more than half of the number of records exposed in 2018.

Healthcare records exposed by year 2014-2019

In terms of the number of records exposed, May would have been similar to April were it not for a massive data breach at the healthcare clearinghouse Inmediata Health Group. The breach was the largest of the year to date and resulted in the exposure of 1,565,338 records.

A web page that was supposed to be accessible only internally had been misconfigured, leaving it accessible to anyone over the internet.

Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach
---- | ---------------------- | ------------------- | -------------------- | --------------
1 | Inmediata Health Group, Corp. | Healthcare Clearing House | 1,565,338 | Unauthorized Access/Disclosure
2 | Talley Medical Surgical Eyecare Associates, PC | Healthcare Provider | 106,000 | Unauthorized Access/Disclosure
3 | The Union Labor Life Insurance Company | Health Plan | 87,400 | Hacking/IT Incident
4 | Encompass Family and Internal Medicine Group | Healthcare Provider | 26,000 | Unauthorized Access/Disclosure
5 | The Southeastern Council on Alcoholism and Drug Dependence | Healthcare Provider | 25,148 | Hacking/IT Incident
6 | Cancer Treatment Centers of America® (CTCA) at Southeastern Regional Medical Center | Healthcare Provider | 16,819 | Hacking/IT Incident
7 | Takai, Hoover, and Hsu, P.A. | Healthcare Provider | 16,542 | Unauthorized Access/Disclosure
8 | Hematology Oncology Associates, PC | Healthcare Provider | 16,073 | Hacking/IT Incident
9 | Acadia Montana Treatment Center | Healthcare Provider | 14,794 | Hacking/IT Incident
10 | American Baptist Homes of the Midwest | Healthcare Provider | 10,993 | Hacking/IT Incident

Causes of May 2019 Healthcare Data Breaches

Hacking/IT incidents were the most numerous in May with 22 reported incidents. In total, 225,671 records were compromised in those breaches. The average breach size was 10,258 records with a median of 4,375 records.

There were 18 unauthorized access/disclosure incidents in May, which resulted in the exposure of 1,752,188 healthcare records. The average breach size was 97,344 records and the median size was 2,418 records.

8,624 records were stolen in three theft incidents. The average breach size was 2,875 records and the median size was 3,578 records. There was one loss incident involving 1,893 records.

Causes of May 2019 healthcare data breaches

Location of Breached PHI

Email continues to be the most common location of breached PHI. 50% of the month’s breaches involved at least some PHI stored in email accounts. The main cause of these types of breaches is phishing attacks.

Network servers were the second most common location of PHI. They were involved in 11 breaches, which included hacks, malware infections and ransomware attacks. Electronic medical records were involved in 7 breaches, most of which were unauthorized access/disclosure breaches.

Location of breached PHI (May 2019)

May 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in May with 34 breaches. 5 breaches were reported by health plans and 4 breaches were reported by business associates of HIPAA-covered entities. A further two breaches had some business associate involvement. One breach involved a healthcare clearinghouse.

May 2019 healthcare data breaches by covered entity type

May 2019 Healthcare Data Breaches by State

May saw healthcare data breaches reported by entities in 17 states. Texas was the worst affected state in May with 7 reported breaches. There were 4 breaches reported by covered entities and business associates in California and 3 breaches were reported in each of Indiana and New York.

2 breaches were reported by entities based in Connecticut, Florida, Georgia, Maryland, Minnesota, North Carolina, Ohio, Oregon, Washington, and Puerto Rico. One breach was reported in each of Colorado, Illinois, Kentucky, Michigan, Missouri, Montana, and Pennsylvania.

HIPAA Enforcement Actions in May 2019

OCR agreed to two settlements with HIPAA covered entities in May and closed the month with fines totaling $3,100,000.

Touchstone Medical Imaging agreed to settle its HIPAA violation case for $3,000,000. The Franklin, TN-based diagnostic medical imaging services company was investigated after it was discovered that an FTP server was accessible over the internet in 2014.

The settlement resolves 8 alleged HIPAA violations including the lack of a BAA, insufficient access rights, a risk analysis failure, the failure to respond to a security incident, a breach notification failure, a media notification failure, and the impermissible disclosure of the PHI of 307,839 individuals.

Medical Informatics Engineering settled its case with OCR and agreed to pay a financial penalty of $100,000 to resolve alleged HIPAA violations uncovered during the investigation of its 2015 breach of 3.5 million patient records. Hackers had gained access to MIE servers for 19 days in May 2015.

OCR determined there had been a failure to conduct a comprehensive risk analysis and, as a result of that failure, there was an impermissible disclosure of 3.5 million individuals’ PHI.

It did not end there for MIE. MIE also settled a multi-state lawsuit filed by 16 state attorneys general. A multi-state investigation uncovered several HIPAA violations. MIE agreed to pay a penalty of $900,000 to resolve the case.

Coffey Health System Agrees to $250,000 Settlement to Resolve Alleged Violations of False Claims and HITECH Acts

Coffey Health System has agreed to a $250,000 settlement with the U.S. Department of Justice to resolve alleged violations of the False Claims and HITECH Acts.

The Kansas-based health system attested to having met HITECH Act risk analysis requirements during the 2012 and 2013 reporting period in claims to Medicare and Medicaid under the EHR Incentive Program.

One of the main aims of the HITECH Act was to encourage healthcare organizations to adopt electronic health records. Under the then named Meaningful Use Program, healthcare organizations were required to demonstrate meaningful use of EHRs in order to receive incentive payments. In addition to demonstrating meaningful use of EHRs, healthcare organizations were also required to meet certain requirements related to EHR technology and address the privacy and security risks associated with EHRs.

In 2016, Coffey Health System’s former CIO, Bashar Awad, and its former compliance officer, Cynthia McKerrigan, filed a lawsuit in federal court in Kansas against their former employer alleging violations of the False Claims Act.

Both alleged Coffey Health System had falsely claimed it had conducted risk analyses in order to receive incentive payments and was aware that those claims were false when they were submitted. As a result of the false claims, Coffey Health System received payments of $3 million under the Meaningful Use program which it did not qualify for.

Awad found no documentation demonstrating that risk analyses had been performed, so he personally conducted some basic tests of network security and made an alarming discovery: the health system shared a firewall with Coffey County municipalities. That meant anyone at a location behind the same firewall, including schools and libraries, could reach the health system's IP address, log in, and view patient records. No username or password was required, a major security failure and a violation of the HIPAA Security Rule.

In 2014, Awad arranged for a third-party firm to conduct a risk analysis for the 2014 attestation. The risk analysis revealed several security issues including 5 critical vulnerabilities that had been allowed to persist unchecked. While some attempts were made to correct the issues identified in the risk analysis, Awad was not provided with sufficient resources to ensure those vulnerabilities were properly addressed. He claimed that few of the identified vulnerabilities had been corrected.

When the time came to submit the 2014 attestation, Awad refused to do so as several vulnerabilities had not been addressed. As a result of the failure to support the attestation, Awad was terminated. Awad and McKerrigan then sued Coffey Health System.

Under the whistleblower provisions of the False Claims Act, individuals can sue organizations on behalf of the government and receive a share of any settlement. Awad and McKerrigan will share $50,000 of the $250,000 settlement.

Coffey Health System settled the case with no admission of liability.

40% of Healthcare Delivery Organizations Attacked with WannaCry Ransomware in the Past 6 Months

Healthcare organizations have been slow to correct the flaw in Remote Desktop Services that was patched by Microsoft on May 14, 2019, but a new report from cybersecurity firm Armis has revealed many healthcare organizations have still not patched the Windows Server Message Block (SMB) flaw that was exploited in the WannaCry ransomware and NotPetya wiper attacks in May and June 2017.

The WannaCry attacks served as a clear reminder of the importance of prompt patching. Microsoft released patches for the vulnerability in March 2017. On May 12, 2017, the WannaCry ransomware attacks started. In the space of just a few days, more than 200,000 devices were infected in 150 countries.

The hackers behind the attack used the NSA exploits EternalBlue and DoublePulsar to spread the malware across entire networks. The National Health Service (NHS) in the UK was hit particularly badly due to the extensive use of legacy systems and the failure to apply patches promptly. Around one third of NHS Trusts in the UK were affected, 19,000 appointments had to be cancelled at a cost of around £20 million, and the cleanup cost was around £72 million.

Globally, the attacks are estimated to have cost $4 billion, with $325 million of that amount paid in ransoms to recover files that were encrypted by the ransomware.

WannaCry is still active and is being used in attacks around the globe, even though the attacks could be prevented by applying Microsoft’s MS17-010 patch.

According to the Armis report, around 40% of healthcare delivery organizations have experienced at least one WannaCry ransomware attack in the past 6 months. It is a similar story in manufacturing, where 60% of companies in the sector have experienced at least one attack in the past 6 months.

The problem is the continued reliance on legacy software. “In healthcare organizations, many of the medical devices themselves are based on outdated Windows versions, and cannot be updated without complete remodeling,” said Armis VP of research, Ben Seri.

Searches on the Shodan search engine showed around 1.7 million devices are still vulnerable to attack, even though patches were released by Microsoft more than 2 years ago. Those devices are being attacked at an alarming rate.

According to Armis, attacks are taking place in 103 countries at a rate of around 3,500 devices per hour. Seri determined that around 145,000 devices are currently compromised.

Thanks to the identification and activation of a kill switch in May 2017, it was possible to prevent encryption, even on devices that had been compromised. While that prevented many organizations from having to pay the ransom, it did not mean the threat had been neutralized entirely. Several variants of the ransomware are now in use, some of which lack the kill switch.

In Q3 2018, 30% of all ransomware attacks involved WannaCry, and the United States has the highest number of attacks. In the United States there are around 130,000 new attacks conducted every week.

All it takes is for one device to be infected with WannaCry. That device can then be used to move laterally and infect many other vulnerable devices on the network through the use of the DoublePulsar exploit.

The failure to apply patches due to having to rebuild systems is not the only problem. Seri explained that healthcare organizations often have a large number of unmanaged devices. Security agents have been turned off or uninstalled out of frustration, unsanctioned devices are connected to the network, and many IoT devices are allowed to connect to the network, even though they cannot have security agents installed. This creates a major blind spot for IT teams who are unable to monitor those devices and, in many cases, they have zero visibility into their existence.

Preventing attacks is straightforward in theory, but time consuming and complicated in practice. Patches must be applied, even though that process is difficult and time consuming. It is essential for IT teams to maintain an asset inventory of all devices that connect to the network and to monitor those devices and monitor networks for other unknown, suspicious, or misplaced devices.

Solutions also need to be implemented that monitor and protect unmanaged devices that lack security controls. “Healthcare and manufacturing environments are rampant with such devices from MRIs to infusion pumps to ventilators to industrial control devices, robotic arms, HMIs, PLCs, etc. Without such solutions, these devices, and consequently your entire network, are sitting ducks for any hacker,” explained Seri.

According to Seri, 70% of devices in healthcare are running old operating systems such as Windows 7. Seri points out that Windows 7 will reach end of life in 2020 and will no longer be supported, which will leave the healthcare industry even more vulnerable to attack.

The latest patch for the flaw in RDS is also not being applied, even though the flaw can be exploited remotely with no user interaction required in a WannaCry-style attack. As Seri explained, many organizations will not consider patching until an exploit is developed and attacks commence. Of course, by then, it may be too late.

Almost 1 Million Windows Devices Still Vulnerable to Microsoft BlueKeep RDS Flaw

More than two weeks after Microsoft issued a patch for a critical, wormable flaw in Remote Desktop Services, nearly 1 million devices have yet to have the patch applied and remain vulnerable. Those devices have also not had the recommended mitigations implemented to reduce the potential for exploitation of the flaw.

The vulnerability – CVE-2019-0708 – can be exploited remotely with no user interaction required and could allow a threat actor to execute arbitrary code on a vulnerable device, view, change, or delete data, install programs, create admin accounts, and take full control of the device. It would also be possible to then move laterally and compromise other devices on the network. Microsoft has warned that the vulnerability could be exploited via RDP and could potentially be used in another WannaCry-style attack.

Microsoft released patches for the vulnerability on May 14 and, due to the seriousness of the flaw, the decision was taken to also release patches for unsupported Windows versions. The flaw affects Windows XP, Windows 7, Windows 2003, Windows Server 2008, and Windows Server 2008 R2. Patches are available for all vulnerable systems.

Microsoft also detailed mitigations that could be implemented if the patch could not be promptly applied.

  • Disable RDP from outside the organization and limit its use internally
  • Block TCP port 3389 at the firewall
  • Implement Network Level Authentication (NLA)
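Patching and the three mitigations above are not equivalent: disabling RDP removes the exposure, blocking TCP 3389 at the firewall removes the external exposure, and NLA only stops unauthenticated exploitation (an attacker holding valid credentials can still reach the vulnerable code). The script below is an added example, not from HIPAA Journal or Microsoft, that triages a host inventory against those rules so unpatched, externally reachable hosts without NLA come out first; the CSV column names, the OS naming convention and the sample hosts are assumptions.

```python
import csv
import io
from typing import Dict, List, Tuple

# Operating systems Microsoft listed as affected by CVE-2019-0708
# (inventory naming convention assumed here).
AFFECTED_OS = {
    "Windows XP", "Windows 7", "Windows Server 2003",
    "Windows Server 2008", "Windows Server 2008 R2",
}
SEVERITY = {"critical": 0, "high": 1, "mitigated": 2, "patched": 3, "not-affected": 4}


def triage_host(row: Dict[str, str]) -> Tuple[str, str]:
    """Return (tier, reason) for one inventory row of yes/no fields."""
    def yes(key: str) -> bool:
        return row.get(key, "").strip().lower() == "yes"

    if row["os"] not in AFFECTED_OS:
        return "not-affected", "OS is not in the affected list"
    if yes("patch_applied"):
        return "patched", "May 14 security update installed"
    if not yes("rdp_enabled"):
        return "mitigated", "unpatched but RDP disabled; schedule the patch"
    reasons = []
    if yes("port_3389_external"):
        reasons.append("TCP 3389 reachable from outside the organization")
    if not yes("nla_enabled"):
        reasons.append("NLA disabled, so no authentication before the vulnerable code path")
    if not reasons:
        # NLA blocks unauthenticated exploitation only; valid credentials still work.
        return "mitigated", "RDP internal-only with NLA; patch remains required"
    tier = "critical" if len(reasons) == 2 else "high"
    return tier, "; ".join(reasons)


def triage_inventory(csv_text: str) -> List[Tuple[str, str, str]]:
    """Parse a CSV inventory and return (host, tier, reason) rows, worst first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    results = [(r["host"],) + triage_host(r) for r in rows]
    return sorted(results, key=lambda r: (SEVERITY[r[1]], r[0]))


# Constructed sample inventory; hostnames and states are made up.
SAMPLE_INVENTORY = """host,os,patch_applied,rdp_enabled,port_3389_external,nla_enabled
img-ws01,Windows 7,no,yes,yes,no
pacs-srv02,Windows Server 2008 R2,no,yes,no,no
lab-xp03,Windows XP,no,yes,yes,yes
hr-srv04,Windows Server 2008,yes,yes,yes,no
term-srv05,Windows Server 2003,no,no,no,no
fs-srv06,Windows Server 2016,no,yes,yes,no
ct-ws07,Windows 7,no,yes,no,yes
"""


def run_sample() -> List[Tuple[str, str, str]]:
    return triage_inventory(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for host, tier, reason in run_sample():
        print(f"{tier:12} {host:12} {reason}")
```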

Due to the seriousness of the flaw, Robert Graham of Errata Security conducted a scan to determine how many devices had not yet been patched. Graham used a masscan port scanner and an additional scanning tool to scan the internet to identify systems that were still vulnerable to the BlueKeep vulnerability. 7 million systems were identified that had port 3389 open and 950,000 of those systems had not had the patch applied. All of those systems are vulnerable to attack and if a worm-like exploit is developed, every one could be compromised.

While an exploit for the vulnerability does not appear to be in use in the wild as of yet, it is only a matter of time before one is developed and used to attack vulnerable devices. Several security firms claim to have already developed a workable exploit for the vulnerability, although they have not released that exploit publicly.

Graham has predicted an exploit will be developed by a threat actor and used in real world attacks in the next couple of months, although attacks could take place much sooner. Some evidence has already been found which suggests hackers are already searching for vulnerable devices. GreyNoise Intelligence identified several dozen hosts that are being used to scan the internet for unpatched devices.

All it takes is for one device to remain vulnerable to give an attacker a foothold in the network, after which many more devices could be compromised even if they are not vulnerable to BlueKeep.

Any healthcare organization that has yet to apply the patch or implement the recommended mitigations should do so as soon as possible to prevent the vulnerability being exploited.

0patch has also released a micropatch that can be applied to always-on servers, which means they can be protected without having to reboot the servers.

Siemens Healthineers Products Vulnerable to Microsoft BlueKeep Wormable Flaw

Six security advisories have been issued covering Siemens Healthineers products. The flaws have been assigned a CVSS v3 score of 9.8 and concern the recently announced Microsoft BlueKeep RDS flaw – CVE-2019-0708.

CVE-2019-0708 is a remotely exploitable flaw that requires no user interaction to exploit. An attacker could exploit the flaw and gain full control of a vulnerable device by sending specially crafted requests to Remote Desktop Services on a vulnerable device via RDP.

The flaw is wormable and can be exploited to spread malware to all vulnerable devices on a network in a similar fashion to the WannaCry attacks of 2017. The severity of the vulnerability prompted Microsoft to issue patches for all vulnerable operating systems, including unsupported Windows versions which are still used in many healthcare and industrial facilities.

The flaw affects Windows 2003, Windows XP, Windows 7, Windows Server 2008 and Windows Server 2008 R2. If the patch cannot be applied, RDP should be disabled, port 3389 should be blocked at the firewall, and Network Level Authentication (NLA) should be enabled.

Following Microsoft’s announcement about the RDS flaw and the release of the patches, Siemens conducted an investigation to determine which Siemens Healthineers products were affected. 6 classes of product were found to be vulnerable.

The exploitability of the vulnerability on these products will depend on the specific configuration and deployment environment. The vulnerabilities can generally be addressed by applying the Microsoft patch, although compatibility of the patch with any devices beyond end-of-life cannot be guaranteed.

Customers with vulnerable devices can obtain patch and remediation advice from their local Siemens Healthineers customer service engineer, portal, or Regional Support Center.

Siemens Healthineers Software Products

MagicLinkA, MagicView (100W and 300), Medicalis (Clinical Decision Support, Intelligo, Referral Management, and Workflow Orchestrator), Screening Navigator, Syngo (Dynamics, Imaging, Plaza, Workflow MLR, Workflow SLR, via, via View&Go, and via WebViewer), and Teamplay.

Users should install the Microsoft patch. Risk can be reduced by ensuring a secure deployment in accordance with Siemens recommendations and ensuring AV software is in use and is regularly updated.

Siemens Healthineers Advanced Therapy Products

System Acom, Sensis and VM SIS Virtual Server

Siemens recommends disabling RDP on Acom systems and following Microsoft’s workarounds and mitigations on Sensis and VM SIS Virtual Server until a patch is made available.

Siemens Healthineers Radiation Oncology Products

All versions of Lantis

Siemens recommends disabling RDP and closing TCP port 3389.

Siemens Healthineers Laboratory Diagnostics Products

Most Laboratory Diagnostics products are unaffected by the vulnerability.

Vulnerable products are:

Atellica Solution, Aptio by Siemens, Aptio by Inpeco, Streamlab, CentraLink, Syngo Lab Process Manager, Viva E, and Viva Twin. Siemens Healthineers will provide customers with further information on the plan and details of activities to improve security.

For the following products, customers should use Microsoft’s workarounds and mitigations until Siemens makes a patch available on June 3, 2019.

Atellica COAG 360 (Windows 7), Atellica NEPH 630 (Windows 7), BCS XP (XP and Windows 7), and BN ProSpec (XP and Windows 7).

The patch is currently under investigation for the following products. Microsoft’s workarounds and mitigations should be used in the interim.

CS 2000 (XP and Windows 7), CS 2100 (XP and Windows 7), CS 2500 (Windows 7), and CS 5100 (XP and Windows 7).

Siemens Healthineers Radiography and Mobile X-Ray Products

All versions of the following products with the Canon detector are vulnerable. Customers should contact their Siemens Regional Support Center for advice and, if possible, should block TCP port 3389.

Axiom (Multix M, Vertic MD Trauma, and Solitaire M), MobileTT XP Digital, Multix (Pro ACSS P, Pro P, PRO/PRO ACSS/PRO Navy, Swing, TOP, Top ACSS, and TOP P/TOP ACSS P), and Vertix Solitaire.

Siemens Healthineers Point of Care Diagnostics Products

AUWi, AUWi Pro, Rapid Point 500 (v2.2, 2.2.1, 2.2.2, 2.3, 2.3.1, and 2.3.2)

No immediate action is required as a patch will be made available in June 2019. In the meantime, Microsoft’s workaround and mitigations can be used for interim countermeasures.

Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering

Medical Informatics Engineering (MIE) is required to pay a financial penalty of $900,000 to resolve a multi-state action over HIPAA violations related to a breach of 3.9 million records in 2015. The announcement comes just a few days after the HHS’ Office for Civil Rights settled its HIPAA violation case with MIE for $100,000.

MIE licenses a web-based electronic health record application called WebChart and its subsidiary, NoMoreClipboard (NMC), provides patient portal and personal health record services to healthcare providers that allow patients to access and manage their health information. By providing those services, MIE and NMC are business associates and are required to comply with HIPAA Rules.

Between May 7 and May 26, 2015, hackers gained access to a server containing data related to its NMC service. Names, addresses, usernames, passwords, and sensitive health information were potentially accessed and stolen.

A lawsuit was filed in December 2018 alleging MIE and NMC had violated state laws and several HIPAA provisions. 16 state attorneys general were named as plaintiffs in the lawsuit: Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin.

The plaintiffs’ investigation into the breach revealed hackers had exploited several vulnerabilities, MIE had poor password policies in place, and security management protocols had not been followed.

Under the terms of the consent judgement, in addition to the financial penalty, MIE must implement and maintain an information security program and deploy a security information and event management (SIEM) solution to allow it to detect and respond quickly to cyberattacks.

Data loss prevention technology must be deployed to prevent the unauthorized exfiltration of data, controls must be implemented to prevent SQL injection attacks, and activity logs must be maintained and regularly reviewed.

Password policies must be implemented that require the use of strong, complex passwords and multi-factor authentication and single sign-on must be used on all systems that store or are used to access ePHI.

Additional controls need to be implemented covering the creation of accounts that have access to ePHI. MIE must refrain from using generic accounts that can be accessed via the Internet and no generic accounts are allowed to have administrative privileges.

MIE is also required to comply with all the administrative and technical safeguards of the HIPAA Security Rule and states’ deceptive trade practices acts with respect to the collection, maintenance, and safeguarding of consumers’ protected health information. Reasonable security policies and procedures must be implemented and maintained to protect that information. MIE must also provide appropriate training to all employees regarding its information security policies and procedures at least annually.

In addition, MIE is required to engage a third-party professional to conduct an annual risk analysis to identify threats and vulnerabilities to ePHI each year for the next five years. A report of the findings of that risk analysis and the recommendations must be sent to the Indiana Attorney General within 180 days and annually thereafter.

The consent judgement has been agreed by all parties and resolves the alleged HIPAA violations and violations of state laws. The consent judgement now awaits court approval. The consent judgement can be found on the website of the Florida Office of the Attorney General (PDF).

HHS Confirms When HIPAA Fines Can be Issued to Business Associates

Since the Department of Health and Human Services implemented the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 in the 2013 Omnibus Final Rule, business associates of HIPAA covered entities can be directly fined for violations of HIPAA Rules.

On May 24, 2019, to clear up confusion about business associate liability for HIPAA violations, the HHS’ Office for Civil Rights clarified exactly what HIPAA violations could result in a financial penalty for a business associate.

Business associates of HIPAA covered entities can only be held directly liable for the requirements and prohibitions of the HIPAA Rules detailed below. OCR does not have the authority to issue financial penalties to business associates for any aspect of HIPAA noncompliance not detailed on that list.


The HHS Fact Sheet on the direct liability of business associates can be downloaded from the HHS website.


Penalties for HIPAA Violations by Business Associates

The HITECH Act called for an increase in financial penalties for noncompliance with HIPAA Rules. In 2009, the HHS determined that the language of the HITECH Act called for a maximum financial penalty of $1.5 million for violations of an identical provision in a single year. That maximum penalty amount was applied across the four penalty tiers, regardless of the level of culpability.

A re-examination of the text of the HITECH Act in 2019 saw the HHS interpret the penalty requirements differently. The $1.5 million maximum penalty was kept for the highest penalty tier, but each of the other penalty tiers had the maximum possible fine reduced to reflect the level of culpability.

Subject to further rulemaking, the HHS will be using the penalty structure detailed in the infographic below.



Medical Informatics Engineering Settles HIPAA Breach Case for $100,000

Medical Informatics Engineering, Inc (MIE) has settled its HIPAA violation case with the HHS’ Office for Civil Rights for $100,000.

MIE, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary.

Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. The hackers had access to the server for 19 days, between May 7 and May 26, 2015. The breach impacted 239 of its healthcare clients.

OCR was notified about the breach on July 23, 2015 and launched an investigation to determine whether it was the result of non-compliance with HIPAA Rules.

OCR discovered MIE had failed to conduct an accurate and thorough risk analysis to identify all potential risks to the confidentiality, integrity, and availability of PHI prior to the breach, a violation of the HIPAA Security Rule, 45 C.F.R. § 164.308(a)(1)(ii)(A).

As a result of that failure, there was an impermissible disclosure of 3.5 million individuals’ PHI, in violation of 45 C.F.R. § 164.502(a).

MIE chose to settle the case with OCR with no admission of liability. In addition to paying a financial penalty, MIE has agreed to adopt a corrective action plan that requires a comprehensive, organization-wide risk analysis to be conducted and a risk management plan to be developed to address all identified risks and reduce them to a reasonable and acceptable level.

“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

While the settlement releases MIE from further actions by OCR over the above violations of HIPAA Rules, MIE is not out of the woods yet. In December 2018, a multi-state lawsuit was filed against MIE by 12 state attorneys general over the breach.

The lawsuit alleged there was a failure to implement adequate security controls, that known vulnerabilities had not been corrected, encryption had not been used, security awareness training had not been provided to staff, and there were post-breach failures at MIE. That lawsuit has yet to be resolved. It could well result in a further financial penalty for MIE.

This is OCR’s second financial penalty of 2019. Earlier this month, a $3,000,000 settlement was agreed with Touchstone Medical Imaging to resolve multiple HIPAA violations, several of which were related to the delayed response to a data breach.
