Healthcare Data Security

AAN Suggests Third Party App Security Framework Must be Included in the CMS Interoperability Plan

Posted by HIPAA Journal

The American Academy of Neurology (AAN) has voiced concerns about the interoperability plans of the Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health IT (ONC).

In February, both ONC and CMS proposed new rules that aim to reduce information blocking and improve interoperability. The AAN supports ONC and CMS efforts to reduce information blocking and improve interoperability. Data blocking and interoperability problems force clinicians to spend more time on clerical work, which means less time is spent providing direct care to patients.

The AAN believes many of the provisions in the new rules are necessary for empowering patients and providers by providing comprehensive access to patient data; however, in a recent letter to CMS Administrator Seema Verma, the AAN has expressed concern about patient safety and security if the ONC and CMS interoperability plans are implemented.

The AAN supports efforts to advance the use of standardized Fast Healthcare Interoperability Resources (FHIR) based APIs to allow patients to easily gain access to their health data, including claims information, lab test results, medications, and clinical notes. Easy access to that information will help with care coordination and will improve patients’ understanding of their conditions and treatments. However, there are potential problems.

“Consistent policies are needed across the board to incentivize and facilitate the exchange of data across systems,” wrote AAN President Ralph L. Sacco. “Many EHRs do not support the robust use of application program interfaces (APIs) for data exchange or are hindered by APIs that are implemented in proprietary ways that inhibit data exchange.” The AAN has also voiced concerns about privacy and security.

While the AAN understands that once PHI has been shared through an API it is no longer the responsibility of the provider to protect that information, but the AAN believes a security framework is required for third-party applications to prevent unauthorized disclosures once PHI has been transmitted by providers.

There is currently no federal regulatory framework to address unauthorized disclosures of PHI onside of enforcement by the FTC. Without a regulatory framework, a burden is placed on providers to ensure that they inform patients of the potential risks, when it should be the responsibility of app developers to ensure that all necessary precautions are taken to ensure PHI is protected. The AAN is seeking clarification on the responsibilities of third-party applications to ensure patient information is protected.

Unauthorized disclosures after PHI has been transferred do not constitute HIPAA violations, but they do have potential to negatively impact a provider’s reputation. Further, explaining the risks to patients may result in patients declining to share their information, which would work counter to CMS’s goal of promoting exchange of data and could detrimentally impact providers’ relationships with their patients.

“Given the sensitive nature of PHI and the paramount importance of trust between patients and providers, the AAN implores CMS and the FTC to ensure that there are clear security guidelines for third-party APIs and that there is robust enforcement to ensure that third-party applications are responsible stewards of patient data,” wrote Sacco.

Concern has also been raised about the sharing of certain types of particularly sensitive information, such as high-risk genetic testing data. If a patient has a genetic test that indicates there is a high probability that the patient will develop an incurable degenerative disease such as Huntington’s disease, prior to that information being shared with patients and their families it is necessary to make sure appropriate counselling is provided. The AAN suggests that that type of information should not be shared through APIs.

The AAN also believes the proposed six-month implementation time scale for many of the proposed changes is much too short. Complying with the new requirements in such a short time frame will place a significant burden on providers. More time has been requested for implementing the proposed system-wide changes.

The College of Healthcare Information Management Executives (CHIME) is also urging the CMS and ONC to extend the timescale for complying with the proposed changes and has suggested an interim rule is required and the time frame for complying should be extended from six months to three years.

The post AAN Suggests Third Party App Security Framework Must be Included in the CMS Interoperability Plan appeared first on HIPAA Journal.

April 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

April was the worst ever month for healthcare data breaches. More data breaches reported than any other month since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach reports in October 2009. In April, 46 healthcare data breaches were reported, which is a 48% increase from March and 67% higher than the average number of monthly breaches over the past 6 years.

While breach numbers are up, the number of compromised healthcare records is down. In April 2019, 694,710 healthcare records were breached – A 23.9% reduction from March.  While the breaches were smaller in March, the increase in breaches is of great concern, especially the rise in the number of healthcare phishing attacks.

Largest Healthcare Data Breaches in April 2019

Two 100,000+ record data breaches were reported in April. The largest breach of the month was reported by the business associate Doctors Management Services – A ransomware attack that exposed the records of 206,695 patients.

The ransomware was deployed 7 months after the attacker had first gained access to its systems. The initial access was gained via Remote Desktop Protocol (RDP) on a workstation.

The second largest data breach was reported by the healthcare provider Centrelake Medical Group. The breach resulted in the exposure of 197,661 patients’ PHI and was also a ransomware attack that prevented patient information from being accessed. While the delay between access to the servers being gained and the ransomware being deployed was not as long, it also appeared that the attacker had been exploring the network prior to deploying the malicious software. Access to the server was gained 6 weeks prior to the ransomware being deployed. Ransomware was also used in the attack on ActivYouth Orthopaedics.

Covered Entity Entity Type Records Exposed Breach Type Location of Breached PHI
Doctors Management Services, Inc. Business Associate 206695 Hacking/IT Incident Network Server
Centrelake Medical Group, Inc. Healthcare Provider 197661 Hacking/IT Incident Network Server
Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute Healthcare Provider 35000 Unauthorized Access/Disclosure Electronic Medical Record
EmCare, Inc. Healthcare Provider 31236 Hacking/IT Incident Email
Kim P. Kornegay, DMD Healthcare Provider 27000 Theft Desktop Computer, Electronic Medical Record, Paper/Films
Pediatric Orthopedic Specialties, PA, dba ActivYouth Orthopaedics Healthcare Provider 24176 Hacking/IT Incident Network Server
Health Recovery Services, Inc. Healthcare Provider 20485 Unauthorized Access/Disclosure Network Server
Baystate Health Healthcare Provider 11658 Hacking/IT Incident Email
Riverplace Counseling Center, Inc. Healthcare Provider 11639 Hacking/IT Incident Network Server
Minnesota Department of Human Services Healthcare Provider 10263 Hacking/IT Incident Email

Causes of April 2019 Healthcare Data Breaches

Hacking/IT incidents outnumbered unauthorized access/disclosure incidents by 2 to 1 in April. 28 of the reported breaches of 500 or more records were due to hacking/IT incidents. There were 14 unauthorized access/disclosure incidents, two cases of theft of PHI, one reported case of loss of paperwork, and one case of improper disposal of PHI.

While 2018 saw a decline in the number of ransomware attacks across all industry sectors, the number of ransomware attacks is increasing once again, and healthcare is the most attacked industry. Remote Desktop Protocol often exploited to gain access to servers and workstations to deploy ransomware.

In May, a Forescout study revealed that the use of vulnerable protocols is common in the healthcare industry. Risk can be reduced by disabling these protocols, and if RDP must be used, to only use RDP with a VPN.

Phishing attacks also increased considerably in April, which highlights just how vulnerable healthcare organizations are to this type of attack. Advanced anti-phishing and anti-spam solutions can reduce the volume of malicious emails that reach inboxes and combined with regular security awareness training, risk can be reduced.

The use of multi-factor authentication is also important. In the event of credentials being compromised, MFA will prevent those credentials from being used to gain access to PHI. MFA is not infallible, but it can ensure risk is reduced to a reasonable and acceptable level. According to Verizon, most credential theft incidents would not have resulted in a data breach if MFA been implemented.

Hacking/IT incidents resulted in the highest number of compromised records in April 2019 – 384,219 records or 55% of all compromised records in April. The mean breach size was 13,722 records and the median breach size was 4,008 records.

Unauthorized access/disclosure incidents resulted in the exposure of 264,016 records or 38% of the month’s total. While hacking incidents usually result in more records being compromised, these incidents were more severe and had a mean breach size of 18,858 records. The median breach size was 3,193 records.

31,810 records were exposed to loss or theft – 4.6% of the month’s total. The mean breach size was 10,603 records and the median breach size was 4,000 records.

April 2019 healthcare data breaches - breach cause

Location of Breached Protected Health Information

Email was the most common location of breached PHI in April. Email was involved in 22 data breaches – 47.8% of all breaches in April 2019. While this category includes misdirected emails, the majority of email breaches were due to phishing attacks.

Network servers were involved in 11 breaches – 23.9% of the month’s breaches – which include malware and ransomware attacks.

Physical records such as paperwork, charts, and films were involved in 6 breaches – 13% of the month’s total.

April 2019 healthcare data breaches - location of PHI

April Breaches by Covered Entity Type

April was a relatively good month for business associates of covered entities with only two breaches reported and one further breach having some business associate involvement, although a business associate breach was the largest breach of the month.

6 health plans reported breaches in April and the remaining 38 breaches were reported by healthcare providers.

April 2019 healthcare data breaches by covered entity type

April 2019 Healthcare Data Breaches by State

Data breaches were reported by entities based in 21 states in April. California and Texas were the worst affected, with each state having 5 breaches. Florida, Minnesota, and Ohio each had four breaches, and there were 3 breaches reported by entities in Illinois.

Idaho, Massachusetts, New York, Oregon, Tennessee, and Washington each had 2 breaches and one breach was reported in each of Alabama, Delaware, Louisiana, North Carolina, New Jersey, Pennsylvania, South Dakota, Utah, and West Virginia.

HIPAA Enforcement Activity in April 2019

There were no financial penalties issued by the HHS’ Office for Civil Rights or state Attorneys General in 2019. The first OCR financial penalty of 2019 was issued in May – A $3,000,000 penalty for Touchstone Medical Imaging for the delayed response to a data breach in which the records of 307,839 patients were exposed.

In addition to the delayed response, there was a failure to issue breach notifications in a reasonable time frame, a failure to notify the media about the breach, two BAAs failures, insufficient access rights, and a risk analysis failure.

The post April 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

New Report Uncovers Serious Holes in Healthcare Cybersecurity

Posted by HIPAA Journal

The sorry state of healthcare cybersecurity has been highlighted by a recent Forescout study. The study revealed the healthcare industry is overly reliant on legacy software, vulnerable protocols are extensively used, and medical devices are not properly secured.

75 global healthcare deployments were analyzed for the study, which comprised more than 1.5 million devices operating on 10,000 virtual local area networks (VLANs).

The majority of those devices were running on legacy systems. While just 1% of devices used unsupported operating systems such as Windows XP, 71% had operating systems that are rapidly approaching end-of-life such as Windows 7, Windows 2008, and Windows Mobile. In January 2020, all three of those operating systems will be at end-of-life and will no longer be supported by Microsoft.

The analysis revealed 85% of Windows devices had SMB running. It was a flaw in SMB that was behind the WannaCry ransomware attacks of 2017. Remote Desktop Protocol (RDP) is commonly used. 35% of devices did not have RDP disabled. The use of File Transfer Protocol (FTP) was also highly prevalent.

There has been a rapid deployment of a diverse range of connected medical devices such as infusion pumps, patient monitors, tracking and identification tools, and imaging systems. The number and variety of devices that connecting to healthcare networks has greatly increased the attack surface. Those devices have introduced considerable security risks which, in many cases, have not been effectively mitigated.

The sheer number of devices and different operating systems is causing major headaches for IT security teams. The study revealed 40% of deployments used more than 20 different operating systems. 41% of VLAN platforms used a variety of mobile, network, and embedded infrastructure and 34% of healthcare deployments had more than 100 vendors connecting to the network. Many vendors are responsible for patching their systems and healthcare IT teams are unaware if those patches have been correctly applied.

While it is important to ensure that all devices are secured, first IT teams must identify all devices that connect to the network, which is a major challenge especially following mergers and acquisitions. There have been many cases of devices being used without the knowledge or oversight of the IT department.

The complexity of healthcare networks makes security difficult to manage and the variety of devices and operating systems makes patching a gargantuan task. It is often not possible to keep on top of patching and software updates. In some cases, medical devices cannot be patched to correct known vulnerabilities and legacy apps may not work on newer operating systems. It is not uncommon for vendor approval to be required before patches can be applied. Acute care providers cannot easily take critical care systems offline without jeopardizing patient care, which means vulnerabilities often cannot be addressed.

One of the solutions to improve security and decrease the attack surface is to segment networks and ensure vulnerable devices and systems are kept separate from other parts of the network and are not Internet-facing. Restrictions also need to be implemented to ensure that devices and systems can only be accessed by individuals who need access for their day to day work duties.

However, this best practice is not particularly evident in the data analyzed for the study. Only a small number of VLANs were being used for medical devices, which suggests many healthcare providers are not using network segmentation to a large extent.

Forescout researchers do concede that applying network segmentation best practices across the organization and managing and enforcing segmentation can be a challenge, but it is necessary to improve security. Forescount also recommends enabling agentless discovery of all devices, identifying and auto-classifying devices, and ensuring all devices are continuously monitored.

“It’s critical for healthcare organization security and risk management leaders to look at securing all devices across the extended enterprise. Solely focusing on securing medical devices rather than securing all device classes can cause significant gaps in your security posture,” wrote the researchers. “A holistic approach to security requires continuous visibility and control over the entire connected-device ecosystem—including understanding the role a device visibility and control platform can play in orchestrating actions among heterogeneous security and IT management tools.”

The post New Report Uncovers Serious Holes in Healthcare Cybersecurity appeared first on HIPAA Journal.

7 Month Delay Notifying HIV Study Participants About Exposure of their Confidential Information

Posted by HIPAA Journal

The sensitive information of 24 women diagnosed with HIV has been made available to individuals unauthorized to access that information. Despite the breach being discovered more than 7 months ago, the affected women have still not been notified.

The women were participating in an EmPower Women study at the University of California San Diego (UCSD). All 24 women had been diagnosed with HIV yet had not sought treatment. The HIV research study aimed to explore the reasons why those women had not sought treatment, specifically how substance abuse, domestic violence, trauma, and mental illness affected the decision to seek treatment and commit to treatment programs.  To help recruit patients for the study, UCSD partnered with the non-profit organization Christie’s Place, which provides support to women diagnosed with HIV and AIDS.

The plan was to recruit 100 patients for the study and offer half of participants free support and counselling services and the other half were given the option of receiving standard services at Christie’s Place. The researchers would then monitor the outcomes of the two different groups.

The women’s names, audio recordings of interviews with study participants, and other sensitive information were stored in a database used to track clinical care. Access controls should have been implemented to ensure only individuals authorized to view the women’s confidential information could access the data. However, the database could be accessed by everyone at Christie’s Place.

An inewsource investigation revealed not only that the private and confidential information of study participants had been exposed, but despite UCSD being made aware of the privacy violation in October 2018, notification letters had not been issued.

Lead researcher of the study, Jamila Stockman, associate professor at UCSD and Vice Chief of Global Public Health, was made aware that the database was available to all employees, interns, and volunteers at Christie’s Place by a mental health professional.

She brought the privacy breach to the attention of officials at UCSD and continued to push for notifications to be issued in meetings, emails, and study reports. As a result of the failure to take action over the breach, Stockman suspended the study in October 2018.

The failure to take prompt action and issue notifications would constitute willful neglect of HIPAA Rules and would be punishable with a fine in the highest penalty tier. However, the research was entirely funded by the UC system and, as such, is not subject to HIPAA Rules and is beyond the remit of the HHS’ Office for Civil Rights.

Christie’s Place was accused of deliberately adding patient information to the database with full knowledge that it could be accessed by everyone in an effort to inflate the number of patients participating in the study and bill the County of San Diego for more services. That allegation has been denied.

Christie’s Place issued a statement to inewsource confirming its internal investigation concluded there had been no wrongdoing and that “Christie’s Place did not misuse client data, did not breach client data to inflate patient numbers, did not misrepresent the services we provided, and did not improperly bill the County of San Diego.”

After being notified about the breach, UCSD instructed Empower Women to draft a breach notification letter, but the sending of that letter was repeatedly delayed. In March 2019, the decision was finally taken to to inform the study participants about the breach, but there was a further delay as before those notifications could be issued, UCSD wanted to ensure that all study data was securely deleted from Christie’s Place systems. UCSD now plans to send notification letters in the next 2-3 weeks.

inewsource has brought the matter to the attention of County of San Diego officials who will conduct their own investigation and take appropriate action. The inewsource report can be viewed on this link.

The post 7 Month Delay Notifying HIV Study Participants About Exposure of their Confidential Information appeared first on HIPAA Journal.

Microsoft Patches Critical Flaw That Could be Exploited in WannaCry-Style Malware Attacks

Posted by HIPAA Journal

On Tuesday May 14, 2019, Microsoft released a patch to fix a ‘wormable’ flaw in Windows, similar to the vulnerability that was exploited in the WannaCry ransomware attacks in May 2017.

The flaw is a remote code execution vulnerability in Remote Desktop Services – formerly Terminal Services – that can be exploited via RDP.

The flaw (CVE-2019-0708) can be exploited by sending specially crafted requests via RDP protocol to a vulnerable system. No authentication is required and the flaw can be exploited without any user interaction.

If exploited, malware could propagate from one compromised computer to all other vulnerable computers on a network. If ransomware exploited the vulnerability, healthcare organizations could experience widespread file encryption and major disruption to operations.

Microsoft has not received any reports to suggest the flaw is being actively exploited at present, but it is almost certain that exploits will be developed for the vulnerability and that those exploits will be incorporated into malware.

The vulnerability is not present in Windows 8 and Windows 10, only older Windows versions. However, it is of concern for the healthcare industry as many healthcare organizations are still using older, vulnerable operating systems.

Patches have been released for Windows 7, Windows Server 2008, and Windows Server 2008 R2. The flaw is so serious that Microsoft has taken the unusual step of issuing patches for Windows XP and Windows Server 2003, even though both operating systems are no longer supported.

A workaround is available for all organizations that use the above operating systems but are not able to apply the patch. In such cases, TCP port 3389 should be blocked and Network Level Authentication should be enabled to prevent the flaw from being exploited. Given the speed at which vulnerabilities are exploited once a patch has been released, it is imperative that the patch or workaround is implemented as a priority.

It was slow patching that allowed the 2017 WannaCry attacks to succeed. Those attacks clearly demonstrated that many organizations are slow to apply patches, even those that address critical and actively exploited vulnerabilities.

The WannaCry attacks occurred in May 2017 yet the patch to address the flaw – MS17-010 – was released by Microsoft in March. Had the patch been applied promptly, the attacks would not have been possible.

The UK’s National Health Service (NHS) was badly affected by WannaCry. Around one third of all NHS Trusts and 8% of GP practices were affected. The attacks cost the NHS an estimated £92 million and resulted in the cancellation of 19,000 appointments. The global cost of WannaCry has been estimated to be $4 billion.

Attacks exploiting CVE-2019-0708 have potential to be much worse than WannaCry. It is unlikely that a malware variant will be developed to exploit the vulnerability that contains such an easily activated kill switch as WannaCry.

In addition to the wormable vulnerability, Microsoft has issued updates to correct a further 21 critical flaws, including one that is being actively exploited and another that was disclosed publicly prior to a patch being released. Patches have also been released to address a new type of vulnerability in Intel processors. The Microarchitectural Data Sampling (MDS) flaws could allow a threat actor to deploy malware that can obtain sensitive data from applications, virtual machines, operating systems and trusted execution environments.

The post Microsoft Patches Critical Flaw That Could be Exploited in WannaCry-Style Malware Attacks appeared first on HIPAA Journal.

DHS Issues Security Best Practices to Mitigate Risks Associated with Office 365 Migrations

Posted by HIPAA Journal

Body:

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a new analysis report highlighting some of the common risks and vulnerabilities associated with transitioning from on-premise mail services to cloud-based services such as Microsoft Office 365. The report details best practices to adopt to manage risks and prevent user and mailbox compromises.

Many healthcare organizations have realized the benefits of transitioning to cloud-based email services yet lack the in-house expertise to manage their migrations. Many have used third-party service providers to migrate their email services to Office 365. CISA notes that use of third parties to manage Office 365 migrations has led to an increase in security incidents.

Over the past 6 months, CISA has had several engagements with customers who have used third-party service providers to manage their migrations and discovered a range of different Office 365 configurations that lowered organization’s security posture and left them vulnerable to phishing and other cyberattacks.

CISA notes that the majority of those organizations didn’t have a dedicated IT security team that was focused on cloud security and, as a result, vulnerabilities went unnoticed. In some cases, the organization experienced mailbox compromises as a result of the risks and vulnerabilities introduced during Office 365 migrations.

According to the AR19-133A analysis report, some of the most common vulnerabilities that were identified which could easily lead to data breaches are:

The failure to implement multifactor authentication for Global Active Directory (AD) Global Administrators. Despite these accounts having the highest level of privileges at the tenant level, MFA is not enabled by default.

Disabled mailbox auditing – The failure to implement mailbox auditing means actions taken by mailbox owners, delegates, and administrators will not be logged. This will hamper investigations into mailbox activity and potential data breaches. Customers who implemented Office 365 prior to 2019 are required to explicitly enable mailbox auditing.

Enabled password syncing – With this setting enabled, the password from on-premises AD overwrites the password in Azure AD, which means that if a mailbox was compromised prior to migration to Office 365, when the sync occurs, an attacker would be able to move laterally to the cloud.

Authentication not supported by legacy protocols – Office 365 uses Azure AD for authentication with Exchange Online; however, several protocols (e.g. POP3, IMAP, and SMTP) used for authentication with Exchange Online do not support modern authentication mechanisms such as MFA. Without MFA, accounts will only be secured by a password, which will greatly increase the attack surface.

CISA suggests several best practices to adopt to ensure that migrating to Office 365 does not result in the lowering of an organization’s security posture:

  • Implement multi-factor authentication – It is the best mitigation technique to protect against credential theft via phishing attacks
  • Ensure audit logging is configured in the Security and Compliance Center
  • Ensure mailbox auditing is activated for each user
  • Ensure Azure AD is correctly configured prior to migrating users to Office 365
  • Ensure legacy email protocols are disabled or are limited to specific users

The post DHS Issues Security Best Practices to Mitigate Risks Associated with Office 365 Migrations appeared first on HIPAA Journal.

CMS and ONC Tell Senate HELP Committee Rapid Progress is Required to Advance Interoperability

Posted by HIPAA Journal

The second Senate HELP Committee hearing on the proposed roles for implementing the electronic medical records provisions of the 21st Century Cures Act has taken place this week.

The Committee heard from National Coordinator for Health IT, Donald Rucker, and Director and Center for Medicare And Medicaid Services Chief Medical Officer, Kate Goodrich, M.D.

The hearings aim to find a way forward to ensure the efficient accessing and sharing of health information between care providers and patients.

The prevention of information blocking is one of the main goals. By allowing health information to flow freely between providers and be shared with patients, the cost of healthcare can be significantly reduced. According to Dr. Brett James of the National Academies, as much as 50% of the costs of healthcare are unnecessary. Patients are having to repeat tests because their information cannot be shared between different healthcare providers and there is considerable duplication of administrative tasks as a result of information blocking.

Earlier this year both the CMS and ONC proposed new rules to tackle the issue of information blocking, EHR usability, and patient empowerment. Goodrich explained that consumers need to put in the driving seat and be empowered to make decisions about their own healthcare. For that to happen, patients need easy access to their healthcare data. They can then pass that information on to whoever they wish.

The CMS and ONC’s proposed rules believe this goal can be largely achieved through the use of open APIs. APIs have been used in other industry sectors and have “transformed business after business after business,” according to Rucker.

Standards-based API technology should improve the sharing of healthcare data, although Rucker cautioned that for them to work, healthcare business practices that enable information blocking must be dismantled. Rucker suggests that rules preventing information blocking need to be implemented as soon as possible.

While progress needs to be made quickly, Committee Chair Sen. Lamar Alexander, R-Tennessee warned of moving too quickly and encountering similar problems to hose with Meaningful Use. “My major concern is to remind the administration of the advice that my piano teacher used to give me before a recital… Play it a little slower than you can play it, you’re less likely to make a mistake.”

Progress is being made. The CMS has already launched two initiatives (MyHealthEData and Blue Button 2.0) which will require Medicaid fee-for-service, managed care plans, Medicare Advantage Plans and others on the Federal Exchange to maintain secure APIs that allow individuals enrolled in those plans to easily access their own health information. It is hoped that developers will follow suit and build on the work that CMS/ONC has already done in this area.

While everyone wants the goals to be achieved, there is concern that the use of APIs could introduce privacy and security risks. These concerns were shared by Rucker and Goodrich, especially with respect to disclosures of health data to apps.

While apps will undoubtedly be required to receive health data and allow patients to share their health information with others, there are serious concerns as health apps are not well regulated. While there are some FTC regulations covering health apps, they are not covered by HIPAA requirements and are unlikely to be in the future.

If information is disclosed to the apps, patient privacy could be placed in jeopardy. Patients’ health data could be used by app developers and sold on to companies such as Facebook. Patients may not be aware of the implications of what could happen if their health data is disclosed to an app.

After disclosure to an app, healthcare organizations will not be liable for that data – as confirmed by the Office for Civil Rights recently – but patients could be exploited. What happens to data after it has been disclosed to an app is down to a contractual agreement between the patient and the app developer.

The reality is the uses and disclosures of patient data are likely to be hidden in a long list of T&Cs in app privacy policies, which may not be read or understood by patients. There are also few controls over what can be done with that information and how that information is secured.

“How data is secured and used in third-party apps illustrates a pressing issue that is currently part of a national discussion that extends beyond healthcare and into data privacy, stewardship, and regulatory interventions,” said Rucker. At present, patients need to “balance their selection and use of a health app with the potential risk of having negative implications.”

What is clear is there needs to be greater regulation of health apps, especially in light of recent reports about health information being shared with Facebook without user consent.

The post CMS and ONC Tell Senate HELP Committee Rapid Progress is Required to Advance Interoperability appeared first on HIPAA Journal.

Key Findings of the 2019 Verizon Data Breach Investigations Report

Posted by HIPAA Journal

Today sees the release of the 2019 Verizon Data Breach Investigations Report. This is the 12th edition of report, which contains a comprehensive summary of data breaches reported by public and private entities around the globe.

The extensive report provides in-depth insights and perspectives on the tactics and techniques used in cyberattacks and detailed information on the current threat landscape.  The 2019 Verizon Data Breach Investigations Report is the most comprehensive report released by Verizon to date and includes information from 41,686 reported security incidents and 2,013 data breaches from 86 countries. The report was compiled using data from 73 sources.

The report highlights several data breach and cyberattack trends. Some of the key findings of the report are detailed below:

  • C-Suite executives are 12 time more likely to be targeted in social engineering attacks than other employees
  • Cyberespionage attacks increased from 13% of incidents in 2018 to 25% in 2019
  • Financially motivated breaches fell from 76% to 71%
  • Phishing is involved in 32% of breaches and 78% of cyberespionage incidents
  • 90% of malware arrived via email
  • 60% of web application attacks were on cloud-based email servers
  • Most email threats and BEC attacks only resulted in data breaches because multi-factor authentication had not been implemented
  • 52% of cyberattacks involve hacking
  • 34% of attacks involved insiders
  • 43% of cyberattacks were on small businesses
  • Ransomware is the second biggest malware threat and accounts for 24% of breaches
  • There has been a six-fold decrease in attacks on HR personnel
  • Misconfiguration of cloud platforms accounted for 21% of breaches caused by errors

C-Suite Executives Beware!

C-suite executives are being extensively targeted by cybercriminals and for good reason. They are likely to have high-level privileges, so their accounts and credentials are more valuable. Compromised email accounts can be used for social engineering, phishing, and BEC attacks on other members of the organization and vendors.

Attacks on the C-suite are 12 times more likely than on other employees and C-suite executives are 9 times more likely to be the target of social incidents. These figures show just how important it is for C-suite executives to receive regular security awareness training.

These attacks are part of a trend of cybercriminals choosing the path of least resistance. Why invest time and money into hacking a company when an email can be sent to the CEO or CFO requesting a fraudulent transfer. Hacking a C-suite email account and using it to send wire transfer requests is simple, effective, and highly profitable.

Figures from the FBI, a new DBIR partner in 2019, show the median losses due to BEC attacks is a few thousand dollars. However, there are an equal number of attacks with losses from zero to the median as there are from the median to $100 million dollars. 12% of all breaches were the result of business email compromise attacks

Cyberattacks on the Healthcare Industry

The 2019 DBIR included 466 healthcare cybersecurity incidents, 304 of which involved confirmed data disclosures.

Out of all industry sectors analyzed, healthcare was the only industry where the number of incidents caused by insiders was greater than those caused by external threat actors. 59% of incidents involved insiders compared to 42% involving external threat actors. Breaches of medical information are 14 times more likely to be caused by doctors and nurses.

The primary motive for attacks on the healthcare industry was financial gain (83%), followed by fun (6%), convenience (3%), because a grudge was held (3%), and espionage (2%). 72% of breaches involved medical data, 34% involved personal information, and 25% involved credential theft.

81% of all healthcare cybersecurity incidents involved either miscellaneous errors such as software misconfiguration, privilege misuse, and web applications.

Across all industries, ransomware is involved in 24% of attacks but 70% of those attacks were reported by healthcare organizations. It should be noted that, in most cases, ransomware attacks are reportable breaches under HIPAA. The overall number of attacks in other industry sectors may well be much higher, as many attacked companies choose not to report the incidents and just quietly pay the ransom.

Patterns Identified in Healthcare Data Breaches

Pattern Number of Data Breaches
Miscellaneous Errors 97
Privilege Misuse 85
Web Applications 65
Lost and Stolen Assets 28
Everything Else 27
Cyber-Espionage 2
Point of Sale 2
Crimeware 1
Denial of Service 0

Causes of Healthcare Data Breaches

Actions Involved   Incidents Data Breaches
Error 124 110
Misuse 110 85
Hacking 100 78
Social 91 78
Malware 85 7
Physical Theft 47 17

The post Key Findings of the 2019 Verizon Data Breach Investigations Report appeared first on HIPAA Journal.

Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with the Franklin, TN-based diagnostic medical imaging services company, Touchstone Medical Imaging. The settlement resolves multiple violations of HIPAA Rules discovered by OCR during the investigation of a 2014 data breach.

Touchstone Medical Imaging has agreed to a settlement of $3,000,000 to resolve the violations and will adopt a corrective action plan (CAP) to address its HIPAA compliance issues. The high settlement amount reflects widespread and prolonged noncompliance with HIPAA Rules. OCR alleged 8 separate violations across 10 HIPAA provisions. The settlement resolves the HIPAA case with no admission of liability.

On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. The directory contained files that included the protected health information (PHI) of 307,839 individuals.

As a result of the lack of access controls, files had been indexed by search engines and could be found by the public with simple Internet searches. Even when the server was taken offline, patient information could still be accessed over the Internet. The failure to secure the server constituted a violation of 45 C.F.R. § 164.312(a)(1).

The security breach was reported to OCR, but Touchstone initially claimed that no PHI had been exposed. OCR launched an investigation into the breach and during the course of that investigation Touchstone admitted that PHI had in fact been exposed. The types of information that could be accessed over the internet included names, addresses, dates of birth, and Social Security numbers.

In addition to the impermissible disclosure of 307,839 individuals’ PHI – a violation of 45 C.F.R. § 164.502(a) – OCR discovered the security breach had not been properly investigated until September 26, 2014: Several months after Touchstone was initially notified about the breach by the FBI, and after notification had been given to OCR. The delayed breach investigation was a violation of 45 C.F.R. §164.308(a)(6)(ii).

As a result of the delayed investigation, affected individuals did not receive notifications about the exposure of their PHI until 147 days after the discovery of the breach: Well in excess of the 60-day Breach Notification Rule’s maximum time limit for issuing notifications. The delayed breach notices were a violation of 45 C.F.R. § 164.404. Similarly, a media notice was not issued about the breach for 147 days, in violation of 45 C.F.R. § 164.406.

During the course of its investigation, OCR discovered that Touchstone had failed to complete a thorough, organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI: A violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

OCR also identified two cases of Touchstone having failed to enter into a business associate agreement with vendors prior to providing access to systems containing ePHI.

OCR cites the use of an IT services company – MedIT Associates  – without a BAA as a violation 45 C.F.R. §§ 164.502(e)(2), 164.504(e), and 164.308(b), and the use of a third-party data center, XO Communications, without a BAA as a violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

In addition, in violation of 45 C.F.R. § 164.308(b), XO Communications continues to be used without a business associate agreement in place.

“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” said OCR Director Roger Severino.  “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”

The settlement comes just a few days after OCR announced it has reduced the maximum financial penalties for three of the four HITECH Act tiers of HIPAA violations. This settlement confirms that while minor HIPAA violations may now attract lower financial penalties, when serious violations of HIPAA Rules are discovered and healthcare organizations fail to take prompt action to correct violations, the financial penalties can be considerable.

The post Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures appeared first on HIPAA Journal.