Healthcare Data Security

What is Texas HB 300?

Posted by HIPAA Journal

What is Texas HB 300, who is required to comply with the legislation, and what are the penalties for noncompliance? This article answers these and other important questions about Texas HB 300.

What is Texas HB 300?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets minimum privacy and security standards for healthcare organizations. HIPAA naturally covers healthcare organizations based in Texas, but they also must comply with state laws. Texas has some of the most stringent laws in the United States as far as health data is concerned which are detailed in Texas HB 300 (Texas House Bill 300).

Texas HB 300 was passed by the Texas legislature in June 2011 and was signed into law by Texas Governor Rick Perry. The compliance date for Texas HB 300 was September 1, 2012.

Texas HB 300 amended four laws in Texas: The Texas Health Code (Chapters 181 and 182), the Texas Business and Commerce Code (Sections 521 and 522), the Texas Government Code (Chapter 531), and the Texas Insurance Code (Chapter 602) and introduced tougher privacy protections for health data than HIPAA.

Who is Required to Comply with Texas HB 300?

Compliance with Texas HB 300 is mandatory for all covered entities that are based in Texas or do business with Texas residents. Covered entities under Texas HB 300 differ from covered entities as defined in HIPAA.

Texas HB 300 expanded the HIPAA definition of covered entity (healthcare providers, health plans, and healthcare clearing houses) to include any entity or individual that possesses, obtains, assembles, collects, analyzes, evaluates, stores, or transmits protected health information in any form.

Texas HB 300 therefore applies to all healthcare organizations, including those that are not covered by HIPAA, and also lawyers, schools, universities, researchers, accountants, Internet service providers, IT service providers, government agencies, and individuals who maintain a website that collects, stores, or interacts with PHI.

Texas HB 300 Exemptions

The only entities not required to comply with Texas HB 300 are:

  • Not-for-profit agencies that pay for healthcare services or prescription drugs for indigent persons if the primary business of the agency is not the provision of healthcare services or reimbursement for healthcare services.
  • Workers’ compensation insurance and any entity or individual who acts in connection with the provision, support, administration, or coordination of benefits under a self-insured workers’ compensation program.
  • Employee benefit plans and entities or individuals that act in connection with those plans
  • Entities or individuals that provide, administer, support, or coordinate benefits associated with compensation for victims of crime.
  • Processing of certain payment transactions by financial institutions and education records covered by the Family Educational Rights and Privacy Act of 1974.

Texas HB 300 and Electronic Health Records

Texas HB 300 introduced new standards for handling electronic health records. A covered entity is prohibited from using PHI for any reason other than the provision of treatment, payment for healthcare, or insurance purposes unless, prior to the disclosure of PHI, the covered entity has obtained written authorization from an individual to disclose their PHI.

HIPAA requires covered entities to provide patients and plan members with copies of their PHI on request and those requests must be honored within 30 days of the request being submitted. Texas HB 300 requires covered entities to provide copies of PHI much more rapidly – Within 15 days of a written request being received.

Texas HB 300 Training for All Employees Who Handle PHI

All employees who are required to handle PHI or sensitive personal information (SPI), or are likely to encounter PHI, are required to undergo formal privacy training within 60 days of commencing employment. In contrast to HIPAA, which does not stipulate how often additional training must be provided, Texas HB 300 requires additional privacy training to be provided at least every two years. Training sessions need to be tailored to the role and responsibilities of the employee. All training must be documented and employees are required to sign to confirm that they have received the training.

What are the Texas HB 300 Penalties for Noncompliance?

The penalties for noncompliance with Texas HB 300 are severe. The Texas attorney general can issue civil monetary penalties to entities and individuals that fail to comply with the legislation. State licenses can also be revoked in cases where an entity or individual has demonstrated continued noncompliance.

As with HIPAA, the penalties for noncompliance with Texas HB 300 are broken down into tiers:

Tier 1: Up to $5,000 per violation, per year, for violations due to negligence

Tier 2: Up to $25,000 per violation, per year, for a knowing or intentional violation

Tier 3: Up to $250,000 per violation, per year, for an intentional violation for financial gain

The maximum financial penalty is $1.5 million per year in cases where there has been a pattern of noncompliance.

The level of the financial penalty is dictated by the severity of the violation, whether there has been a history of noncompliance, the measures taken to correct the violation, and whether harm has been caused as a result of the violation.

The post What is Texas HB 300? appeared first on HIPAA Journal.

Most Common Security Weaknesses in Healthcare Identified

Posted by HIPAA Journal

The most common security weaknesses in healthcare have been identified by Clearwater. Clearwater analyzed data from IRM analyses conducted over the past six years. Millions of risk records were assessed from hospitals, Integrated Delivery Networks, and business associates of those entities to identify the most common security vulnerabilities in healthcare.

The analysis revealed almost 37% of high and critical risks were in three areas:

  • User authentication
  • Endpoint leakage
  • Excessive user permissions

The most common security weaknesses in healthcare were deficiencies in user authentication. These are failures to correctly authenticate users and verify the level of access that users should have to an organization’s resources. These deficiencies include the use of default passwords and generic user IDs, writing down passwords and posting them on computer monitors or hiding them under keyboards, and the transmission of user credentials via email in plain text.

User authentication deficiencies were most commonly associated with servers and SaaS solutions. Clearwater also notes that more than 90% of healthcare organizations said they had password/token management policies and procedures, but in many cases the technical implementation of procedures was found to be lacking.

Clearwater recommends enforcing the use of strong passwords, enabling single sign-on, and implementing rate limiting to lock accounts after a set number of failed login attempts. Of the organizations that had user authentication deficiencies, 84.4% had deficiencies in password requirements, 52.2% failed to implement single sign-on, and 40.4% had not implemented rate limiting.

The cybersecurity best practice of limiting the use of admin accounts and restricting the systems and data that end users can access was often not adopted by healthcare organizations.

The failure to restrict access to drives and networks not required by users to perform their work duties increases risk. By restricting user permissions, if credentials are compromised, the damage that can be caused will be restricted. Healthcare organizations should adopt the principle of least privilege and should only give users access to data and networks that they require to perform their work duties.

The post Most Common Security Weaknesses in Healthcare Identified appeared first on HIPAA Journal.

NIST Releases Final Version of Risk Management Framework Update

Posted by HIPAA Journal

The National Institute of Standards and Technology (NIST) has released the final version of its updated Risk Management Framework (RMF 2.0).

RMF 2.0 (SP 800-37 Revision 2: Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy) addresses privacy and security concerns in IT risk management.

One key change in the updated version of the RMF is the introduction of a ‘Prepare’ step. This additional step involves assigning responsibilities to specific individuals, enabling enterprise-wide privacy and security controls, eliminating unnecessary functions, publishing common controls, prioritizing resources for high value assets, and establishing communication channels to ensure effective communication between the C-Suite and employees. The ‘Prepare’ step, which comes before the Categorize step, was introduced to help organizations “achieve more effective, efficient, and cost-effective security and privacy risk management processes.”

RMF 2.0 requires maximum use of automation in executing the framework rules to allow continuous assessment and monitoring of privacy and security controls, and the preparation of authorization packages for timely decision making.

NIST has listed seven main objectives for the updated RMF. By achieving some or all of the objectives listed below, execution of the RMF will be simplified, organizations will be able to employ innovative approaches for risk management, and will increase the level of automation for risk management-related tasks.

The seven objectives are:

  • To achieve closer linkage and communication between the risk management processes and activities at the C-suite and the individuals, processes, and activities at the system and operational level of the organization.
  • To institutionalize critical risk management preparatory activities at all risk management levels.
  • To demonstrate how the NIST Cybersecurity Framework can be aligned with the RMF and implemented using current NIST risk management processes.
  • To integrate privacy risk management processes into the RMF
  • To promote the development of secure software and systems through the alignment of life cycle-based systems engineering processes.
  • To integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC.
  • To allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the NIST consolidated control catalog (SP 800-53, Revision 5).

The Office of Management and Budget (OMB) requires all states and agencies to follow RMF 2.0 to manage security and privacy risks. RMF 2.0 allows them to manage privacy and security risk in a single, unified framework.

According to NIST fellow, Ron Ross, “[RMF 2.0] ensures the term compliance means real cybersecurity and privacy risk management – not just satisfying a static set of controls in a checklist.”

The post NIST Releases Final Version of Risk Management Framework Update appeared first on HIPAA Journal.

Largest Healthcare Data Breaches of 2018

Posted by HIPAA Journal

This post summarizes the largest healthcare data breaches of 2018: Healthcare data breaches that have resulted in the loss, theft, unauthorized accessing, impermissible disclosure, or improper disposal of 100,000 or more healthcare records.

2018 has seen 18 data breaches that have exposed 100,000 or more healthcare records. 8 of those breaches saw more than half a million healthcare records exposed, and three of those breaches exposed more than 1 million healthcare records.

A Bad Year for Healthcare Data Breaches

As of December 27, 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) has received notifications of 351 data breaches of 500 or more healthcare records. Those breaches have resulted in the exposure of 13,020,821 healthcare records.

It is likely that the year will finish on a par with 2017 in terms of the number of reported healthcare data breaches; however, more than twice as many healthcare records have been exposed in 2018 than in 2017.

In 2017, there were 359 data breaches of 500 or more records reported to OCR. Those breaches resulted in the exposure of 5,138,179 healthcare records.

The Largest Healthcare Data Breaches of 2018

Listed below is a summary of the largest healthcare data breaches of 2018. A brief description of those breaches has been listed below.

At the time of writing, OCR is still investigating all but one of the breaches listed below. Only the LifeBridge Health breach investigation has been closed.

Rank

 

 Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 AccuDoc Solutions, Inc. Business Associate 2,652,537 Hacking/IT Incident
2 UnityPoint Health Business Associate 1,421,107 Hacking/IT Incident
3 Employees Retirement System of Texas Health Plan 1,248,263 Unauthorized Access/Disclosure
4 CA Department of Developmental Services Health Plan 582,174 Theft
5 MSK Group Healthcare Provider 566,236 Hacking/IT Incident
6 CNO Financial Group, Inc. Health Plan 566,217 Unauthorized Access/Disclosure
7 LifeBridge Health, Inc Healthcare Provider 538,127 Hacking/IT Incident
8 Health Management Concepts, Inc. Business Associate 502,416 Hacking/IT Incident
9 AU Medical Center, INC Healthcare Provider 417,000 Hacking/IT Incident
10 SSM Health St. Mary’s Hospital – Jefferson City Healthcare Provider 301,000 Improper Disposal
11 Oklahoma State University Center for Health Sciences Healthcare Provider 279,865 Hacking/IT Incident
12 Med Associates, Inc. Business Associate 276,057 Hacking/IT Incident
13 Adams County Healthcare Provider 258,120 Unauthorized Access/Disclosure
14 MedEvolve Business Associate 205,434 Unauthorized Access/Disclosure
15 HealthEquity, Inc. Business Associate 165,800 Hacking/IT Incident
16 St. Peter’s Surgery & Endoscopy Center Healthcare Provider 134,512 Hacking/IT Incident
17 New York Oncology Hematology, P.C. Healthcare Provider 128,400 Hacking/IT Incident
18 Boys Town National Research Hospital Healthcare Provider 105,309 Hacking/IT Incident

 

Causes of the Largest Healthcare Data Breaches of 2018

Further information on the causes of the largest healthcare breaches of 2018.

AccuDoc Solutions, Inc.

Morrisville, NC-based AccuDoc Solutions, a billing company that operates the online payment system used by Atrium Health’s network of 44 hospitals in North Carolina, South Carolina and Georgia, discovered that some of its databases had been compromised between September 22 and September 29, 2018. The databases contained the records of 2,652,537 patients. While data could have been viewed, AccuDoc reports that the databases could not be downloaded. Not only was this the largest healthcare data breach of 2018, it was the largest healthcare data breach to be reported since September 2016.

UnityPoint Health

A UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation revealed multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of employees being fooled in a business email compromise attack. A trusted executive’s email account was spoofed, and several employees responded to the messages and disclosed their email credentials. The compromised email accounts contained the PHI of 1,421,107 individuals.

Employees Retirement System of Texas

The Employees Retirement System of Texas discovered a flaw in its ERS OnLine portal that allowed certain individuals to view the protected health information of other members after logging into the portal. The breach was attributed to a coding error. Up to 1,248,263 individuals’ PHI was potentially viewed by other health plan members.

CA Department of Developmental Services

The California Department of Developmental Services experienced a break in at its offices. During the time the thieves were in the offices they potentially accessed the sensitive information of approximately 15,000 employees, contractors, job applicants, and parents of minors who receive DDS services, in addition to the PHI of 582,174 patients.

MSK Group

Tennessee-based MSK Group, P.C, a network of orthopedic medical practices, discovered in May 2018 that hackers had gained access to its network. Certain parts of the network had been accessed by the hackers over a period of several months. The records of 566,236 patients, which included personal, health and insurance information, may have been viewed or copied by the hackers.

CNO Financial Group, Inc.

Chicago-based health insurer Bankers Life, a division of CNO Financial Group Inc., discovered hackers gained access to its systems between May 30 and September 13, 2018 and potentially stole the personal information of 566,217 individuals.

LifeBridge Health, Inc

The Baltimore-based healthcare provider LifeBridge Health discovered malware had been installed on a server that hosted the electronic medical record system used by LifeBridge Potomac Professionals and LifeBridge Health’s patient registration and billing systems. Those systems contained the PHI of 538,127 patients.

Health Management Concepts, Inc.

Health Management Concepts discovered hackers gained access to a server used for sharing files and installed ransomware. The ransom demand was paid to unlock the encrypted files; however, HMC reported that the hackers were ‘inadvertently provided’ with a file that contained the PHI of 502,416 individuals. It is suspected that the file was unwittingly sent to the attackers to prove they could decrypt files.

AU Medical Center, INC

An Augusta University Medical Center phishing attack resulted in an unauthorized individual gaining access to the email accounts of two employees. The compromised email accounts contained the PHI of 417,000 patients.

SSM Health St. Mary’s Hospital – Jefferson City

St. Mary’s Hospital moved to new premises and all patients’ medical records were transferred to the new facility; however, on June 1, 2018, the hospital discovered administrative documents containing the protected health information of 301,000 patients had been left behind. In the most part, the breach was limited to names and medical record numbers.

Oklahoma State University Center for Health Sciences

Oklahoma State University Center for Health Sciences discovered an unauthorized individual gained access to parts of its computer network and potentially accessed files containing billing information of Medicaid patients. The breach affected 279,865 patients, although only a limited amount of PHI was accessible.

Med Associates, Inc.

The Latham, NY-based health billing company Med Associates, which provides claims services to more than 70 healthcare providers, discovered an employee’s computer has been accessed by an unauthorized individual. It is possible that the attacker gained access to the PHI of up to 276,057 patients.

Adams County

Adams County, WI, discovered hackers gained access to its network and potentially accessed the PHI and PII of 258,102 individuals. The compromised systems were used by the departments of Health and Human Services, Child Support, Veteran Service Office, Extension Office, Adams County Employees, Solid Waste, and the Sheriff’s Office.

MedEvolve

MedEvolve, a provider of electronic billing and record services to healthcare providers, discovered an FTP server had been left unsecured between March 29, 2018 and May 4, 2018. A file on the FTP server contained the PHI of 205,434 patients of Premier Immediate Medical Care.

HealthEquity, Inc.

HealthEquity, a Utah-based company that provides services to help individuals gain tax advantages to offset the cost of healthcare, experienced a phishing attack that resulted in hackers gaining access to the email accounts of two employees. Those accounts contained the PHI of 165,800 individuals.

St. Peter’s Surgery & Endoscopy Center

St. Peter’s Surgery & Endoscopy Center in New York discovered malware had been installed on one of its servers which potentially allowed hackers to view the PHI of 134,512 patients. The malware was discovered the same day it was installed. The fast detection potentially prevented patients’ data from being viewed or copied.

New York Oncology Hematology, P.C.

A phishing attack on New York Oncology Hematology in Albany, NY, resulted in hackers gaining access to the email accounts of 15 employees. Those accounts contained the PHI of 128,400 current and former patients and employees.

Boys Town National Research Hospital

Boys Town National Research Hospital, an Omaha, NE hospital specializing in pediatric deafness, visual and communication disorders, experienced a phishing attack that allowed hackers to gain access to a single email account. The email account contained the PHI of 105,309 patients.

The post Largest Healthcare Data Breaches of 2018 appeared first on HIPAA Journal.

Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital

Posted by HIPAA Journal

Massachusetts Attorney General Maura Healey has issued a $75,000 HIPAA violation fine to McLean Hospital over a 2015 data breach that exposed the protected health information (PHI) of approximately 1,500 patients.

McLean Hospital, a psychiatric hospital in Belmont, MA, allowed an employee to regularly take 8 backup tapes home. When the employee was terminated in May 2015, McLean Hospital was only able to recover four of the backup tapes. The backup tapes were unencrypted and contained the PHI of approximately 1,500 patients, employees, and deceased donors of the Harvard Brain Tissue Resource Center.

The lost backup tapes included clinical and demographic information such as names, Social Security numbers, medical diagnoses, and family histories. In addition to the exposure of PHI, the state AG’s investigation revealed there had been employee training failures and McLean Hospital had not identified, assessed, and planned for security risks. The loss of the tapes was also not reported in a timely manner and the hospital had failed to encrypt PHI stored on portable devices or use an alternative, equivalent measure to safeguard PHI.

“Hospitals must take measures to protect the private information of their patients,” said AG Maura Healey. “This settlement requires McLean Hospital to implement a new information security program and train its staff on how to properly handle the private information of those they serve.”

Backups of sensitive data should be made regularly to ensure that, in the event of disaster, patients’ PHI can be recovered. If physical copies of PHI are backed up and taken offsite by employees, appropriate security controls should be put in place to prevent those individuals from accessing the data and to ensure that in the event of loss or theft of devices, PHI will not be exposed. While HIPAA falls short of demanding the use of encryption for PHI, if the decision is taken not to encrypt PHI, an alternative safeguard must be implemented that offers an equivalent level of protection.

In addition to the financial penalty, McLean Hospital has agreed to enhance its privacy and security practices. A written information security program will be implemented and maintained, training will be provided to new and existing employees on privacy and security of personal health information, an inventory will be created and maintained of all portable devices containing ePHI, and all electronic PHI will be encrypted within 60 days.

McLean has also agreed to a third-party audit of the Harvard Brain Tissue Resource Center to assess how it handles portable devices containing personal and health information.

“McLean has continued to enhance its privacy and security practices and procedures within the Brain Bank and throughout the research operation. The agreement with the Attorney General represents a continuation of those efforts,” explained McLean Hospital in statement issued to the media.

This is the second HIPAA violation penalty to be issued by Massachusetts in 2018. UMass Memorial Medical Group / UMass Memorial Medical Center settled a HIPAA violation case with Massachusetts for $230,000 in September. The fine related to the failure to secure the ePHI of 15,000 state residents.

The post Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital appeared first on HIPAA Journal.

November 2018 Healthcare Data Breach Report

Posted by HIPAA Journal

For the second consecutive month there has been an increase in both the number of reported healthcare data breaches and the number of records exposed, stolen, or impermissibly disclosed.

November was the worst month of the year to date for healthcare data breaches in terms of the number of exposed healthcare records. 3,230,063 records were exposed, stolen, or impermissibly disclosed in the breaches reported in November.

To put that figure into perspective, that’s more records than were exposed in all 180 data breaches reported to the HHS’ Office for Civil Rights (OCR) in the first half of 2018.

Healthcare Data Breaches June-November 2018

There were 34 healthcare data breaches reported to OCR in November, making it the second worst month of the year to date for breaches, behind June when 41 breaches were reported.

Healthcare Data Breaches June to November 2018

Largest Healthcare Data Breaches in November 2018

The largest healthcare data breach of 2018 was reported in November by Accudoc Solutions, a business associate of Atrium Health that provides healthcare billing services. That single breach resulted in the exposure of more than 2.65 million healthcare records.

AccuDoc Solutions discovered hackers had gained access to some of its databases for a week in September 2018. According to AccuDoc, the information in the databases could only be viewed, not downloaded.

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 AccuDoc Solutions, Inc. Business Associate 2652537 Hacking/IT Incident
2 HealthEquity, Inc. Business Associate 165800 Hacking/IT Incident
3 New York Oncology Hematology, P.C. Healthcare Provider 128400 Hacking/IT Incident
4 Baylor Scott & White Medical Center – Frisco Healthcare Provider 47984 Hacking/IT Incident
5 Cancer Treatment Centers of America (CTCA) at Western Regional Medical Center Healthcare Provider 41948 Hacking/IT Incident
6 Oprex Surgery (Baytown), L.P. d/b/a Altus Baytown Hospital Healthcare Provider 40000 Hacking/IT Incident
7 Center for Vitreo-Retinal Diseases Healthcare Provider 20371 Unauthorized Access/Disclosure
8 Veterans Health Administration Healthcare Provider 19254 Unauthorized Access/Disclosure
9 Steward Medical Group Healthcare Provider 16276 Hacking/IT Incident
10 Mind and Motion, LLC Healthcare Provider 16000 Hacking/IT Incident

Main Causes of November 2018 Healthcare Data Breaches

As was the case in October, hacking/IT incidents accounted for the highest number of data breaches and the most exposed/stolen healthcare records. There were 18 hacking/IT incidents reported in November. Those breaches impacted 3,138,657 individuals.

There were 11 breaches classified as unauthorized access/disclosure incidents which impacted 65,143 individuals, and 4 loss/theft incidents that resulted in the exposure of 22,333 healthcare records. One improper disposal incident exposed 3,930 healthcare records.

Causes of Healthcare Data Breaches in November 2018

Location of Breached Protected Health Information

Email breaches continue to be a major problem in healthcare. These breaches include phishing attacks, unauthorized accessing of email accounts, and misdirected emails. There were 11 email-related breaches of PHI in November. Up until December 19, 2018, 111 email-related healthcare data breaches have been reported to OCR. Those breaches involved more than 3.4 million healthcare records.

Technical solutions can be implemented to reduce the number of email related breaches. Spam filters will prevent the majority of phishing emails from reaching inboxes, but no technical solution will be 100% effective so employees need to be trained how to recognize phishing attacks and other email threats.

All individuals in an organization from the CEO down should receive regular security awareness training with a particular emphasis on phishing. In addition to regular training sessions, phishing simulation exercises should be conducted. Through phishing simulations, healthcare organizations can assess their security awareness training programs and find out which employees require further training.

Location of Breached Protected Health Information November 2018

Data Breaches by Covered-Entity Type

Healthcare providers were the covered entities worst affected by healthcare data breaches in November 2018 with 29 reported incidents.

Business associates of HIPAA-covered entities reported 5 breaches and there were a further five breaches reported by healthcare providers that had some business associate involvement – Twice the number of breaches involving business associates (to some degree) as October.

There were no health plan data breaches reported in November.

November 2018 healthcare data breaches by Covered-Entity type

Healthcare Data Breaches by State

Texas was the state worst affected by healthcare data breaches in November with 8 reported breaches. New York experienced three healthcare data breaches and there were two breaches reported in each of Georgia, Iowa, Illinois, Missouri, North Carolina, Utah, and Virginia.

One healthcare data breach was reported in Arizona, California, District of Columbia, Massachusetts, Maryland, Nebraska, New Jersey, Pennsylvania, and Washington.

Penalties for HIPAA Violations in November 2018

The Department of Health and Human Services’ Office for Civil Rights settled one HIPAA violation case with a healthcare provider in November.

Allergy Associates of Hartford was fined $125,000 over a physician’s impermissible disclosure of PHI to a TV reporter. The disclosure occurred after the physicians was instructed by the Allergy Associates of Hartford Privacy Officer not to respond to the reporter’s request for information about a patient, or to reply with ‘no comment’. Allergy Associates of Hartford failed to take any action against the physician over the HIPAA violation.

New Jersey also issued a financial penalty to a HIPAA-covered entity in November to resolve a HIPAA violation case. Best Transcription Medical was fined $200,000 for exposing the electronic protected health information of patients over the Internet. The breach affected 1,650 New Jersey residents.

The post November 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

27% of Healthcare Organizations Have Experienced a Ransomware Attack in the Past Year

Posted by HIPAA Journal

According to a new report from Kaspersky Lab, 27% of healthcare employees said their organization had experienced at least one ransomware attack in the past five years and 33% said their organization had experienced multiple ransomware attacks.

In its report – Cyber Pulse: The State of Cybersecurity in Healthcare – Kaspersky lab explained that up until January 1, 2018, the U.S. Department of Health and Human Services’ Office for Civil Rights has been notified of more than 110 hacking/IT-related data breaches that have affected more than 500 individuals.

The impact of those breaches can be serious for the organizations concerned. Not only can breaches result in millions of dollars in costs, they can permanently damage the reputation of a healthcare organization and can result in harm being caused to patients.

To investigate the state of cybersecurity in healthcare, Kaspersky Lab commissioned market research firm Opinion Matters to conduct a survey of healthcare employees in the United States and Canada to explore the perceptions of healthcare employees regarding cybersecurity in their organization. 1,758 U.S. and Canadian healthcare employees were surveyed.

81% of small healthcare organizations (1-49 employees), 83% of medium-sized healthcare organizations (50-249 employees), and 81% of large healthcare organizations (250+ employees) said they had experienced between 1 and 4 ransomware attacks.

The cost of mitigating ransomware and malware attacks is considerable. According to the Ponemon Institute/IBM Security’s 2018 Cost of a Data Breach Report, the average cost of a data breach has now risen to $3.86 million. Kaspersky Lab’s 2018 Cost of a Data Breach Report places the average cost at $1.23 million for enterprises and $120,000 for SMBs.

While cybersecurity is important for reducing financial risk, 71% of healthcare employees said it was important for cybersecurity measures to be implemented to protect patients and 60% said it was important to have appropriate cybersecurity solutions in place to protect people and companies they work with.

Even though healthcare organizations have invested heavily in cybersecurity, many employees lack confidence in their organization’s cybersecurity strategy. Only 50% of healthcare IT workers were confident in they cybersecurity strategy, that fell to 29% for management and doctors, 21% for nurses, 23% for finance department employees, and 13% for the HR department.

Many healthcare employees appear to have a false sense of security. Even though healthcare data breaches are being reported on a daily basis, 21% of respondents had total faith in their organization’s ability to prevent cyberattacks and did not believe they would suffer a data breach in the forthcoming year.

While 73% of surveyed employees said they would inform their security team if they received an email from an unknown individual requesting PHI or login credentials, 17% of employees said they would do nothing if they received such a request. 17% of employees also admitted to having received an email request from a third-party vendor for ePHI and provided the ePHI as requested.

“Healthcare companies have become a major target for cybercriminals due to the successes they’ve had, and repeatedly have, in attacking these businesses. As organizations look to improve their cybersecurity strategies to justify employee confidence, they must examine their approach,” explained Rob Cataldo, VP of enterprise sales at Kaspersky Lab. “Business leaders and IT personnel need to work together to create a balance of training, education, and security solutions strong enough to manage the risk.”

The post 27% of Healthcare Organizations Have Experienced a Ransomware Attack in the Past Year appeared first on HIPAA Journal.

Vulnerability Identified in Medtronic Encore and Carelink Programmers

Posted by HIPAA Journal

ICS-CERT has issued an advisory about a vulnerability that has been identified in certain Medtronic CareLink and Encore Programmers. Some personally identifiable information (PII) and protected health information (PHI) stored on the devices could potentially be accessed due to a lack of encryption for data at rest.

The programmers are used in hospitals to program and manage Medtronic cardiac devices and may store reports containing patients’ PII/PHI. An attacker with physical access to one of the vulnerable programmers could access the reports and view patients PII/PHI. The vulnerability would require a low level of skill to exploit.

The vulnerability, tracked as CVE-2018-18984 (CWE-311), was identified by security researchers Billy Rios and Jonathan Butts of Whitescope LLC who discovered encryption was either missing or stored PII/PHI was not sufficiently encrypted. The vulnerability has been assigned a CVSS V3 base score of 4.6.

The vulnerability is present in all versions of CareLink 2090 Programmers, CareLink 9790 Programmers, and the 29901 Encore Programmers.

Medtronic has advised all hospitals to stop using CareLink 9790 Programmers for any purpose as they have reached end-of-life and are no longer supported.

Users of CareLink 2090 and 29901 Encore Programmers should ensure that PII/PHI is stored on the Programmers for the shortest possible time. The devices are only intended to be used to store PII/PHI for short periods of time until the information can be transferred to other medical systems or printed to paper reports.

All affected programmers allow reports containing PII/PHI to be manually deleted when they are no longer required. Users of all vulnerable Programmers should ensure that all PII/PHI is deleted from the devices before they are decommissioned.

Medtronic has also advised users to ensure physical control of the Programmers is maintained at all times to prevent unauthorized access and only to use legitimately obtained Programmers and not to use any that are supplied by a third party.

The post Vulnerability Identified in Medtronic Encore and Carelink Programmers appeared first on HIPAA Journal.

Study Highlights Seriousness of Phishing Threat and Importance of Security Awareness Training

Posted by HIPAA Journal

A new study has revealed the extent to which employees are being fooled by phishing emails and how despite the risk of a data breaches and regulatory fines, many companies are not providing security awareness training to their employees.

For the study, 500 office workers were surveyed by the consultancy firm Censuswide. While all the respondents were based in Ireland, the results of the survey reflect the findings of similar studies conducted in other countries, including the United States.

14% of all surveyed office workers said that they had fallen for a phishing email, which would equate to around 185,000 office workers in Ireland.

There were notable differences in susceptibility to phishing emails across the different age groups: Millennials, generation X, and baby boomers. The age group most likely to be fooled by phishing scams was millennials (17%), followed by baby boomers (7%), and Generation X (6%).

Respondents were asked about how confident they were in their ability to identify phishing scams. Even though almost three times as many millennials had fallen for phishing scams as Generation Xers, millennials had the greatest confidence in their ability to identify phishing scams. That confidence, it would seem, has been somewhat misplaced.

14% of millennials said they would not be certain that they could identify fraud, compared to 17% of Gen Xers, and 26% of baby boomers.

The survey revealed one in five workers had not been given any security awareness training whatsoever, but even when training was provided, many office workers still engaged in unsafe practices such as clicking hyperlinks or opening email attachments in messages from unknown senders. 44% of baby boomers admitted having completed one of those actions in the past, compared with 34% of millennials, and 26% of gen Xers.

The consequences of a successful phishing attack can be severe. Phishing attacks can result in major financial loses, especially when financial information is stolen. Phishing attacks can cause lasting damage to the reputation of a company, business may be lost, and companies can face lawsuits from individuals whose personal information has been exposed or stolen, and regulators can issue substantial civil monetary penalties.

While security solutions can be implemented to block the majority of phishing emails, it is not possible to prevent all phishing emails from being delivered to inboxes. Security awareness training for everyone in the company, from the CEO down, is therefore essential.

Security awareness training needs to be thought of in the same way as health and safety training. It is an organizational and HR matter, not just the responsibility of the IT department.

Simply providing an annual training session for employees is no longer sufficient. Phishing attacks are becoming more sophisticated and cybercriminals are constantly changing tactics. Businesses therefore need to continually educate their employees to ensure training is not forgotten and to keep employees abreast of new threats.

Annual or biannual training sessions should be accompanied by regular refresher training sessions to help develop a security culture. Phishing email simulations are also useful for reinforcing training, gauging the effectiveness of training sessions, and identifying weak links.

The post Study Highlights Seriousness of Phishing Threat and Importance of Security Awareness Training appeared first on HIPAA Journal.