Healthcare Data Security

The HIPAA Risk Analysis: Guidance and Tools for HIPAA Covered Entities and Business Associates

The HIPAA risk analysis is a foundational element of HIPAA compliance, yet it is something that many healthcare organizations and business associates get wrong. That places them at risk of experiencing a costly data breach and receiving a substantial financial penalty for noncompliance.

The HIPAA Risk Analysis

The administrative safeguards of the HIPAA Security Rule require all HIPAA-covered entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” See 45 C.F.R. § 164.308(a)(1)(ii)(A).

The risk analysis is a foundational element of HIPAA compliance and is the first step that must be taken when implementing safeguards that comply with and meet the standards and implementation specifications of the HIPAA Security Rule.

If a risk analysis is not conducted or is only partially completed, risks are likely to remain and will therefore not be addressed through an organization’s risk management process – See § 164.308(a)(1)(ii)(B) – and will not be reduced to a reasonable and appropriate level, as required by § 164.306(a) Security standards: General Rules.

A HIPAA risk analysis is also necessary to determine whether it is reasonable and appropriate to use encryption or whether alternative safeguards will suffice – See 45 C.F.R. §§ 164.312(a)(2)(iv) and (e)(2)(ii).

A risk analysis should also be used to guide organizations on authentication requirements – See 45 C.F.R. § 164.312(c)(2) – and the methods that should be used to protect ePHI in transit – See 45 C.F.R. § 164.312(c)(2).

If risks are allowed to persist, they can potentially be exploited by hackers and other malicious actors resulting in impermissible disclosures of ePHI.

During investigations of data breaches, the Department of Health and Human Services’ Office for Civil Rights looks for HIPAA compliance failures that contributed to the cause of the breach. One of the most common violations discovered is a failure to conduct a comprehensive, organization-wide risk analysis. A high percentage of OCR resolution agreements cite a risk analysis failure as one of the primary reasons for a financial penalty.

Requirements of a HIPAA Risk Analysis

The HIPAA Security Rule states that a risk analysis is a required element of HIPAA compliance, but does not explain what the risk analysis should entail nor the method that should be used to conduct a risk analysis. That is because there is no single method of conducting a risk analysis that will be suitable for all organizations, nor are there any specific best practices that will ensure compliance with this element of the HIPAA Security Rule.

OCR has explained the requirements of a HIPAA risk analysis on the HHS website. HHS guidance on risk analysis requirements of the HIPAA Security Rule is also available as a downloadable PDF (36.1 KB), with further information available in the NIST Risk Management Guide for Information Technology Systems – Special Publication 800-30 (PDF – 480 KB).

A Security Risk Assessment Tool to Guide HIPAA-Covered Entities Through a HIPAA Risk Analysis

The risk analysis process can be a challenge. To make the process easier, the HHS’ Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the Office for Civil Rights, has developed a downloadable security risk assessment tool that guides HIPAA-covered entities through the process of conducting a security risk assessment.

After downloading and installing the tool, healthcare organizations can enter information and a report will be generated that helps them determine risks in policies, processes and systems and details some of the methods that can be used to mitigate weaknesses when the user is performing a risk assessment.

On October 15, 2018, ONC updated the tool (version 3.0). The aim of the update was “to make it easier to use and apply more broadly to the risks of the confidentiality, integrity, and availability of health information. The tool diagrams HIPAA Security Rule safeguards and provides enhanced functionality to document how your organization implements safeguards to mitigate, or plans to mitigate, identified risks,” wrote ONC.

The new features include an updated and enhanced user interface, a modular workflow, custom assessment logic, a progress tracker, threat and vulnerability ratings, more detailed reports, asset tracking, business associate tracking, and several enhancements to improve the user experience.

Use of the tool will not guarantee compliance with HIPAA or other federal, state, or local laws, but it is an incredibly useful tool for guiding HIPAA-covered entities and business associates through the process of conducting a HIPAA-compliant risk analysis.

The updated Security Risk Assessment Tool can be downloaded from the HealthIT.gov website on this link.

The post The HIPAA Risk Analysis: Guidance and Tools for HIPAA Covered Entities and Business Associates appeared first on HIPAA Journal.

FDA Issues Warning About Flaws in Medtronic Implantable Cardiac Device Programmers

The U.S. Food and Drug Administration (FDA) has issued a warning about vulnerabilities in certain Medtronic implantable cardiac device programmers which could potentially be exploited by hackers to change the functionality of the programmer during implantation or follow-up visits. Approximately 34,000 vulnerable programmers are currently in use.

The programmers are used by physicians to obtain performance data, to check the status of the battery, and to reprogram the settings on Medtronic cardiac implantable electrophysiology devices (CIEDs) such as pacemakers, implantable defibrillators, cardiac resynchronization devices, and insertable cardiac monitors.

The flaws are present in Medtronic CareLink 2090 and CareLink Encore 29901 programmers, specifically in how the devices connect with the Medtronic Software Distribution Network (SDN) over the internet. The connection is required to download software updates for the programmer and firmware updates for Medtronic CIEDs.

While a virtual private network (VPN) is used to establish a connection between the programmers and the Medtronic SDN, there is no check performed to establish whether the programmer is still connected to the VPN before software updates are downloaded. This would give hackers the opportunity to install their own updates and alter the functionality of the devices.
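The failure mode described above, that the programmer never re-checks whether it is still on the VPN before pulling an update, can be illustrated with a small update client. The following is an added example, not Medtronic's code or anything derived from the advisory: the tunnel probe, the sample update image and the pinned digest are all constructed for the example, and the digest check is an extra layer this example assumes, not a control the article describes.

```python
import hashlib
from typing import Callable, Iterable


class UpdateAborted(Exception):
    """Raised whenever the update path cannot be trusted."""


class TunnelProbe:
    """Constructed stand-in for a query to the VPN client ("is the tunnel
    interface up and is the route to the update server via that interface?").
    It reports the tunnel as up for the first `up_for_calls` checks and as
    down afterwards, so the example can simulate a tunnel dropping mid-download."""

    def __init__(self, up_for_calls: int) -> None:
        self.up_for_calls = up_for_calls
        self.calls = 0

    def __call__(self) -> bool:
        self.calls += 1
        return self.calls <= self.up_for_calls


def fetch_update(tunnel_up: Callable[[], bool], chunks: Iterable[bytes]) -> bytes:
    """Download an update only while the VPN tunnel is verified up.

    The tunnel is checked before the first byte and again before every chunk;
    if it is ever found down, the partial download is discarded rather than
    installed. This is the check the article says the programmers lacked."""
    if not tunnel_up():
        raise UpdateAborted("VPN tunnel not established; refusing to download")
    received = bytearray()
    for chunk in chunks:
        if not tunnel_up():
            raise UpdateAborted("VPN tunnel dropped mid-download; partial update discarded")
        received.extend(chunk)
    return bytes(received)


def verify_update(blob: bytes, expected_sha256: str) -> bool:
    """Independent second layer (an assumption of this example): compare the
    downloaded image against a digest pinned out of band, so an image altered
    in transit is rejected even if the tunnel check were somehow bypassed."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256


# Constructed sample update image (delivered in chunks) and its pinned digest.
SAMPLE_IMAGE = [b"hdr:", b"firmware-v1", b":end"]
PINNED_DIGEST = hashlib.sha256(b"".join(SAMPLE_IMAGE)).hexdigest()


def run_update(tunnel_up: Callable[[], bool], chunks: Iterable[bytes], pinned: str) -> str:
    """Return 'installed' or the reason the update was refused."""
    try:
        blob = fetch_update(tunnel_up, chunks)
    except UpdateAborted as exc:
        return f"refused: {exc}"
    if not verify_update(blob, pinned):
        return "refused: digest mismatch"
    return "installed"


if __name__ == "__main__":
    print(run_update(TunnelProbe(up_for_calls=10), SAMPLE_IMAGE, PINNED_DIGEST))
    print(run_update(TunnelProbe(up_for_calls=2), SAMPLE_IMAGE, PINNED_DIGEST))
    print(run_update(lambda: False, SAMPLE_IMAGE, PINNED_DIGEST))
    print(run_update(TunnelProbe(up_for_calls=10), [b"tampered"], PINNED_DIGEST))
```

The point of re-probing before every chunk rather than once at start-up is that a tunnel can drop between the connectivity check and the download; the second case above shows the partial image being thrown away instead of installed.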

The flaws in the programmers were identified by security researchers Billy Rios and Jonathan Butts last year. Medtronic was notified about the flaws but has been slow to take action. An advisory was eventually issued in February 2018, but it has taken until now for action to be taken to correct the vulnerability.

Medtronic is now preventing the programmers from connecting to the SDN to receive software updates. Instead, future updates must be performed by Medtronic through a USB connection. Any attempt to update the device via the SDN will now trigger an “Unable to connect to local network” or “Unable to connect to Medtronic” error message.

The FDA reviewed the cybersecurity vulnerabilities and has confirmed that the flaws could be exploited to cause patients to come to harm. On October 5, 2018, the FDA approved the Medtronic network update that blocks the programmer from accessing the Medtronic SDN.

The FDA recommends that the programmers continue to be used for programming, testing and evaluation of CIED patients. The internet connection is not a requirement for normal operation.

Both the FDA and Medtronic have confirmed that no reports have been received to suggest that the vulnerabilities have been exploited and no patients are known to have come to harm.


Most Common Healthcare Phishing Emails Identified

A new report by Cofense has revealed the most common healthcare phishing emails and which messages are most likely to attract a click.

The 2018 Cofense State of Phishing Defense Report provides insights into susceptibility, resiliency, and responses to phishing attacks, highlights how serious the threat from phishing has become, and how leading companies are managing risk.

The high cost of phishing has been highlighted this week with the announcement of a settlement between the HHS’ Office for Civil Rights and Anthem Inc. The $16 million settlement resolved violations of HIPAA Rules that led to Anthem’s 78.8 million record data breach of 2015. That cyberattack started with spear phishing emails. In addition to the considerable cost of breach remediation, Anthem also settled a class action lawsuit related to the breach for $115 million. Even an average sized breach now costs $3.86 million to resolve (Ponemon/IBM Security, 2018).

Previous Cofense research suggests that 91% of all data breaches start with a phishing email and research by Verizon suggests 92% of malware infections occur as a result of malicious emails. Cofense cites figures from Symantec’s 2018 Internet Security Threat Report which suggests that on average, 16 malicious email messages are delivered to every email user’s inbox every month.

Cofense is the leading global provider of human-driven phishing defense solutions, which are used by half of Fortune 500 companies to improve resiliency to phishing attacks. For its latest report, Cofense analyzed the responses to more than 135 million phishing simulations sent through its platform and approximately 50,000 real phishing threats reported by its customers.

Cofense notes that out of the potentially malicious emails reported by end users, one in ten were confirmed as malicious. Half of those messages were phishing emails designed to get end users to disclose credentials.

Across all 23 industry sectors that were represented in the study, 21% of reported crimeware emails contained malicious attachments. By far the most common theme for phishing emails was fake invoices, which accounted for six of the ten most effective phishing campaigns of 2018 to date.

While fake invoices are often used in phishing attacks on healthcare organizations, they are only the third most common type of phishing email (16.5%). In all other industry sectors, fake invoices were the most common phishing threat. The second most common healthcare phishing emails were alerts of new messages in a mailbox (25.5%). The most common healthcare phishing emails were fake payment notifications (58%).

Cofense data shows that the most effective methods for reducing risk from phishing are training and phishing simulations. Technical email security solutions are essential, but they do not block all malicious messages. Only through training and simulations can end users be conditioned to recognize and respond appropriately to malicious messages. The industries with the highest resiliency to phishing attacks are those that train more often.

Cofense suggests that to get the most out of phishing simulation exercises they should focus on active threats. Training is recommended at least every quarter to condition employees to look for and report phishing emails. Companies that encourage reporting of potential phishing threats rather than scolding employees for failing phishing tests tend to have greater success.

The full list of recommendations for security awareness training and phishing simulations can be found in the Cofense State of Phishing Defense Report, which is available on this link.


HHS OIG Raises Awareness of Its Cybersecurity-Related Activities on New Web Page

The Department of Health and Human Services’ Office of Inspector General (HHS OIG) is raising awareness of the work it conducts to combat cyberthreats within the HHS and the healthcare industry as a whole and is taking steps to increase transparency of its cybersecurity activities.

One of those steps is the creation of a new web page, which explains the activities that HHS OIG is undertaking to improve cybersecurity. The new cybersecurity-focused web page will be regularly updated to include details of cybersecurity activities that have positively affected HHS programs and have helped strengthen the cybersecurity defenses, including reports of its audits, evaluations, and inspections of its offices and agencies that HHS OIG oversees.

On the new web page, HHS OIG explains that it currently uses a three-pronged approach to safeguard data and the systems on which those data are stored. They are IT security controls, risk management, and resiliency.

IT security controls are technological and procedural controls that protect against vulnerabilities to the confidentiality, integrity, and availability of data and systems. Risk management is proactively identifying risks and threats and taking action to reduce those risks to a reasonable and acceptable level. Resiliency is the development of policies and procedures for incident response that will ensure it is possible to recover quickly from a cyberattack.

HHS OIG explained it has formed a multidisciplinary cybersecurity team that applies those three principles to the various offices within the HHS and the agencies that it oversees. The team consists of auditors, investigators, evaluators, attorneys and other industry stakeholders who are focused on fostering enhancements in IT security controls, risk management, and resiliency to cyberattacks.

Independent IT and cybersecurity audits of HHS programs, grantees, and contractors are conducted by the OIG Office of Audit Services, Cybersecurity and Information Technology Audit Division. The audits identify risks and threats to data to allow action to be taken to prevent cyberattacks.

Broad evaluations of HHS cybersecurity-related programs are conducted by the Office of Evaluation and Inspections, and expert legal support for OIG cybersecurity work is provided by the HHS OIG Office of Counsel. Criminal investigations into incidents and allegations that affect HHS programs, in particular violations of the Computer Fraud and Abuse Act, are conducted by the HHS OIG Office of Investigations, Computer Crimes Unit.

Reports of HHS OIG activities have already been uploaded to the web page dating back to 2016 and, at launch, there are four reports of cybersecurity-related activities from 2018: A review of Medicare contractor information security program evaluations; A review of HHS compliance with FISMA; A report on an audit of the CMS enrollment system; and a report on a study of the FDA’s review of cybersecurity in premarket submissions for networked medical devices.

HHS OIG summarizes the actions it is taking to address cybersecurity within HHS and the healthcare industry in the video below:

Vulnerabilities Identified in PeerVue Web Server, Carestream Vue RIS and Siemens Healthcare Products

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued five advisories in the past week about vulnerabilities discovered in equipment used by healthcare organizations in the United States.

Change Healthcare PeerVue Web Server

A vulnerability (CVE-2018-10624) has been identified in the Change Healthcare PeerVue Web Server which could allow an attacker to gain information about the web server that would enable it to be targeted in a cyberattack. The vulnerability exposes information through an error message and requires only a low level of skill to exploit by an attacker on an adjacent network.

The flaw was discovered by security researcher Dan Regalado of Zingbox and has been assigned a CVSS v3 base score of 4.3.

Change Healthcare took rapid action to address the vulnerability and a patch has now been issued. Users should contact Change Healthcare if they are running PeerVue Web Server 7.6.2 or earlier for information about installing the patch.

Carestream Vue RIS

A remotely exploitable vulnerability (CVE-2018-17891) has been discovered in the Carestream Vue RIS web-based radiology system which, if exploited, would allow an attacker with access to the network to passively read traffic.

Carestream has confirmed that the vulnerability affects version 11.2 of RIS Client Builds and earlier versions, which are running on Windows 8.1 machines with IIS/7.5.

The vulnerability would allow an attacker to gain access to information through an HTTP 500 error message that is triggered when contacting a Carestream server when there is no Oracle TNS listener available. The information that is exposed could be used to initiate a more elaborate attack.

The vulnerability, which was also identified by Dan Regalado of Zingbox, has been assigned a CVSS v3 base score of 3.7.

Carestream has resolved the vulnerability in the current version of its software (v11.3). Users unable to upgrade immediately should disable “Show debug messages” and enable SSL for client/server communications.
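Both the PeerVue and the Carestream Vue RIS advisories above are the same class of weakness: a server error path that echoes internal detail to the client. The following is an added example of how a web handler leaks through a verbose 500 response versus how it should behave with debug messages off; it is not code from either product, and the failure message, host name and port are constructed for the example.

```python
import logging
import uuid
from typing import Tuple

log = logging.getLogger("ris")


class BackendUnavailable(Exception):
    """Constructed stand-in for the database-connection failure the advisories
    describe; its message carries the kind of internal detail (hosts, ports,
    listener names, accounts) that must never reach the client."""


def query_backend() -> dict:
    # Constructed failure: the listener the server expects is not running.
    raise BackendUnavailable(
        "could not reach Oracle TNS listener at ris-db.internal:1521 (user RIS_APP)"
    )


def handle_request(show_debug_messages: bool) -> Tuple[int, str]:
    """Return (status, body) for a request that hits the backend failure.

    With show_debug_messages=True the handler echoes the exception text to the
    client (the weak setting the advisory says to disable). With it off, the
    client receives only an opaque reference and the detail goes to the server
    log, where operators can correlate it by that reference."""
    try:
        query_backend()
        return 200, "ok"
    except BackendUnavailable as exc:
        if show_debug_messages:
            return 500, f"Internal error: {exc}"
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s backend failure: %s", ref, exc)
        return 500, f"Internal error (reference {ref})"


def leaks_internal_detail(body: str) -> bool:
    """Check a reviewer or a response scanner could run on any 5xx body: does
    it name listeners, internal hosts, ports or service accounts?"""
    markers = ("TNS", "listener", ".internal", ":1521", "user ")
    return any(m in body for m in markers)


if __name__ == "__main__":
    for debug in (True, False):
        status, body = handle_request(show_debug_messages=debug)
        print(f"debug={debug}: {status} {body!r} leaks={leaks_internal_detail(body)}")
```

The reference-id pattern is what makes the safe variant usable in practice: support staff still get the full message, but only from the server log, never from the HTTP response an unauthenticated client can read.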

Siemens SCALANCE W1750D

Siemens has discovered a vulnerability (CVE-2018-13099) in version 8.3.0.1 and earlier versions of its SCALANCE W1750D WLAN access point which could allow an attacker to decrypt TLS traffic. ICS-CERT notes that there are already public exploits available for the vulnerability.

To exploit the vulnerability, the attacker would require network access to a vulnerable device. By observing TLS traffic between a legitimate user and a device it would be possible for the attacker to decrypt TLS traffic.

The vulnerability has been assigned a CVSS v3 base score of 5.9.

Siemens has corrected the flaw with a firmware upgrade and all users are advised to upgrade to v8.3.0.1 as soon as possible. Siemens recommends that administrators restrict access to the web interface of affected devices until the firmware upgrade is applied, and to only operate the devices in a protected IT environment.

Siemens ROX II

Siemens has discovered two improper privilege management vulnerabilities affecting all versions of its ROX II products prior to v2.12.1. The vulnerabilities can be exploited remotely and only require a low level of skill.

Siemens reports that an attacker with access to Port 22/TCP with valid low-privileged user credentials for the device could exploit a vulnerability (CVE-2018-13801) to escalate privileges and gain root access to the device. The vulnerability has been assigned a CVSS v3 base score of 8.8.

An authenticated individual with high-privileged user account access via the SSH interface on Port 22/TCP could bypass restrictions and execute arbitrary operating system commands. This vulnerability (CVE-2018-13802) has been assigned a CVSS v3 base score of 7.2.

Both vulnerabilities have been corrected in v2.12.1 of the software and users have been advised to upgrade as soon as possible. In the meantime, network access to Port 22/TCP should be restricted, if possible.

Siemens SIMATIC S7-1200 CPU Family Version

A remotely exploitable vulnerability (CVE-2018-13800) has been identified in all versions prior to 4.2.3 of SIMATIC S7-1200 CPU Family Version 4.

The cross-site request forgery vulnerability could be exploited if a legitimate user who has been authenticated to the web interface is fooled into accessing a malicious link – via email for instance. By exploiting the vulnerability, the attacker could read or modify parts of the device configuration.

The vulnerability, identified by Lisa Fournet and Marl Joos from P3 communications GmbH, has been assigned a CVSS v3 base score of 7.5.

Siemens has addressed the vulnerability with a new firmware version and has urged all users to upgrade to v4.2.3 as soon as possible. Until the firmware upgrade has been applied, Siemens recommends that users do not visit other websites while they are authenticated against the PLC.
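The interim advice above (do not browse other sites while logged in to the PLC) is a workaround for the absence of a server-side CSRF defence. The following is an added example of the check a device web interface should perform on a configuration change: a per-session token that a cross-site page cannot read, plus an Origin/Referer check. It is not Siemens code; the session store, the request model and the PLC address `https://plc.example.local` are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

# Server-side session store (constructed, in memory): session id -> CSRF token.
SESSIONS: Dict[str, str] = {}
# Assumed address of the device's own web interface.
TRUSTED_ORIGIN = "https://plc.example.local"


def start_session() -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it. The
    token is rendered into the device's own forms; a page on another site
    cannot read it because of the browser's same-origin policy."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


@dataclass
class Request:
    """Minimal model of an HTTP POST to the configuration endpoint."""
    cookies: Dict[str, str]
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


def same_site_origin(req: Request) -> bool:
    """Accept the browser-supplied Origin header, or Referer as a fallback,
    only if it names the device itself (exact origin or a path under it)."""
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    return origin == TRUSTED_ORIGIN or origin.startswith(TRUSTED_ORIGIN + "/")


def authorize_config_change(req: Request) -> str:
    """Decide whether a configuration change may proceed.

    A link opened from an email makes the browser attach the victim's session
    cookie automatically, so the cookie alone proves nothing. The change is
    accepted only if the request also carries the token bound to that session
    and originates from the device's own pages."""
    sid = req.cookies.get("session", "")
    expected = SESSIONS.get(sid)
    if expected is None:
        return "rejected: no valid session"
    if not same_site_origin(req):
        return "rejected: cross-site origin"
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, expected):
        return "rejected: missing or wrong CSRF token"
    return "accepted"


if __name__ == "__main__":
    sid = start_session()
    legit = Request({"session": sid}, {"csrf_token": SESSIONS[sid], "ip": "10.0.0.5"},
                    {"Origin": TRUSTED_ORIGIN})
    forged = Request({"session": sid}, {"ip": "10.0.0.99"},
                     {"Origin": "https://attacker.example"})
    print(authorize_config_change(legit))
    print(authorize_config_change(forged))
```

`hmac.compare_digest` is used for the token comparison so that the check does not become a timing side channel; the Origin check is kept as a second, independent condition because some deployments strip or omit Referer, and neither check alone should be the only line of defence.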


Cybersecurity Best Practices for Device Manufacturers and Healthcare Providers to be Issued by HSCC

The Healthcare & Public Health Sector Coordinating Council (HSCC) has announced it will shortly issue voluntary cybersecurity best practices to help medical device manufacturers improve the security of their devices and help healthcare provider organizations improve security posture. HSCC will also publish a voluntary curriculum that can be adopted by medical schools to help them train clinicians how to manage electronic health records, medical devices, and IT systems in a secure and responsible way.

The announcement coincides with National Cyber Security Awareness Month and includes an update on the progress that has been made over the past 12 months and the work that the HSCC still intends to complete.

HSCC explained that the global cyberattacks of 2017 involving WannaCry and NotPetya malware served as a wake-up call to the healthcare industry and demonstrated the potential harm that could be caused if an attack proved successful. Many large companies were crippled by the attacks for weeks. Fortunately, the healthcare industry in the United States escaped the attacks relatively unscathed, although the National Health Service in the UK was badly affected and had its systems crippled.

Later in 2017, the Healthcare Industry Cybersecurity Task Force, which was set up following the passing of the Cybersecurity Act of 2015, submitted a report to Congress that included more than 200 recommendations for improving healthcare cybersecurity and preventing cyberattacks on healthcare organizations from succeeding.

Since the report was released, scores of healthcare industry stakeholders have joined the HSCC Cybersecurity Working Groups and Task Groups and have been working toward strengthening cybersecurity in the healthcare industry and improving privacy protections for patients.

HSCC held a multi-stakeholder meeting in February 2018 to improve coordination of efforts to address cybersecurity challenges and the HHS held a meeting in June 2018 where members of the HSCC Cybersecurity Working Group provided an update on progress and received further direction on key priorities.

HSCC notes that there is considerable momentum and great strides are being taken to improve healthcare cybersecurity. As detailed in September’s National Cyber Strategy, policymakers within the Administration and Congress are addressing cybersecurity threats and state that the government will work closely with the private sector to manage risks to critical infrastructure, including healthcare.

The Pandemic and All-Hazards Preparedness and Advancing Innovation Act of 2018 (H.R. 6378) now contains cybersecurity provisions and requires the HHS to submit its strategy to Congress for public health preparedness and response to address cybersecurity threats. A joint table-top exercise will also be conducted with the HHS covering a simultaneous flu pandemic and cascading ransomware attack.

“We recognize that patient safety has taken on a new dimension that demands our attention – the recognition that patient security requires cybersecurity,” explained HSCC. “The health sector is now organized and working to fortify the industry’s immune system against a cyber epidemic that has become as infectious as a human epidemic.”


Summary of Recent Healthcare Data Breaches

A round up of healthcare data breaches recently announced by healthcare providers and business associates of HIPAA covered entities.

Tillamook Chiropractic Clinic Discovers 26-Month Malware Infection

The medical records of 4,058 patients of the Tillamook Chiropractic Clinic in Tillamook, OR have been stolen as a result of a malware infection.

On August 3, 2018, the clinic conducted an internal security audit which showed that malware had been installed on its network, even though a firewall was in place, antivirus and antimalware software were installed and up to date, and its software was fully patched. An investigation into the security breach revealed the malware had been installed on May 24, 2016 and had remained undetected for 26 months. The malware had been installed on the primary insurance billing system, which the clinic reports was used as a staging area by the attackers to collect patient records before exfiltrating the data.

The information believed to have been stolen includes full names, home addresses, work addresses, dates of birth, phone numbers, diagnoses, lab test results, medications, driver’s license numbers, insurance billing information, bank routing numbers, bank account numbers, employee payroll data, and for Medicare patients, Social Security numbers.

Tillamook Chiropractic Clinic removed the malware on August 3, 2018 and has now modernized and upgraded its computer security systems and policies.

Gwinnett Medical Center Investigating Possible Hack

A possible data breach has occurred at Lawrenceville, GA-based Gwinnett Medical Center. The PHI of approximately 40 patients has been accessed by an unauthorized individual according to Gwinnett Medical Center spokeswoman Beth Hardy. Names, genders, and dates of birth were exposed on Twitter and notification letters are being sent to those 40 individuals to alert them to the breach.

However, the breach could be far larger. Steve Ragan at Salted Hash reported that a source at the medical center said threats had been received from the attackers and that the breach potentially impacts hundreds of patients. The attackers allegedly posted data on Twitter as they claimed the medical center was attempting to cover up the breach.

Gwinnett Medical Center has informed the FBI about the security breach and is still conducting investigations into the cyberattack.

Hardy said, “GMC takes cyber security very seriously and we are committed to maintaining the integrity, availability and confidentiality of our systems and data.”

Toyota Industries North America Breach Impacts 19,000 Individuals

Columbus, IN-based Toyota Industries North America (TINA) has announced that approximately 19,000 current and former employees and health plan participants of the TINA family of companies have been informed that some of their PHI has been exposed. An unauthorized individual succeeded in gaining access to a small number of company email accounts and potentially viewed/copied PHI.

The breach was discovered on August 30 and information security experts were called in to help secure its system and investigate the breach. A wide range of PII and PHI were present in the compromised email accounts including first and last names, home addresses, dates of birth, phone numbers, financial account information, social security numbers, photographs of social security cards, driver’s license numbers, photographs of driver’s licenses, email addresses, photographs of birth certificates, photographs of passports, treatment information, prescription information, diagnoses, health plan beneficiary numbers and portal usernames, passwords and security questions.

All affected individuals have been notified by mail and have been offered a year of free credit monitoring and identity theft protection services. TINA has taken several steps following the breach to improve security, including implementing multi-factor authentication, making real-time security monitoring enhancements, and revising its password protection and password resetting policies. TINA is also currently reviewing and updating user training and technology and security practices to reduce the risk of further email breaches.

722 Patients Affected by Kansas City Business Associate Mis-mailing Incident

The Kansas City, MO-based revenue cycle management company, Pulse Systems, has announced that the PHI of 722 patients of Lincoln Pulmonary and Critical Care in Nebraska has been impermissibly disclosed. An error was made sending statements on July 27 that resulted in individuals receiving statements intended for other patients. The statements included only names and procedure information. Steps have now been taken to prevent similar errors from being made in the future and all affected individuals have been notified about the privacy breach.

Oklahoma Department of Human Services Mis-mailing Incident Affects 813 Individuals

More than 800 parents and guardians who were involved in a developmental disabilities services program run by the Oklahoma Department of Human Services (ODHS) have been notified that some of their PHI has been impermissibly disclosed as a result of a computer software error. The error resulted in envelopes being mis-addressed in Plan of Care change notice mailings sent between May 17 and July 25.

The mailings contained names, addresses, DHS case numbers, Medicaid client ID numbers, plan of care numbers, providers’ names, services authorized and beginning and end dates, and an explanation that the person is authorized to receive Medicaid Home and Community-Based Waiver Services. No Social Security numbers were disclosed.

ODHS believes 813 individuals have received mailings containing someone else’s information, although it is not possible to tell if any other individuals have been affected.

Email Account Breaches Result in Exposure of 16,000 Individuals’ PHI

Ransom Memorial Hospital in Ottawa, KS, has discovered that an unauthorized individual gained access to an as yet undisclosed number of email accounts, which have been determined to contain the PHI of 14,239 individuals. A further email account breach was detected by Lakewood, CO-based Personal Assistance Services of Colorado, which has resulted in the exposure of 1,839 individuals’ PHI.

The post Summary of Recent Healthcare Data Breaches appeared first on HIPAA Journal.

Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards

The ECRI Institute, a non-profit organization that researches new approaches to improve patient care, has published its annual list of the top ten health technology hazards for 2019.

The purpose of the list is to help healthcare organizations identify possible sources of danger or issues with technology that have the potential to cause patient harm, so that they can take action to reduce the risk of adverse events occurring.

To create the list, ECRI Institute engineers, scientists, clinicians and patient safety analysts used expertise gained through testing of medical devices, investigating safety incidents, assessing hospital practices, reviewing literature and talking to healthcare professionals and medical device suppliers to identify the main threats to medical devices and systems that warrant immediate attention.

Weighting factors used to produce the final top 10 list include the likelihood of hazards causing severe injury or death, the frequency of incidents, the number of individuals likely to be affected, insidiousness, effect on the healthcare organization, and the actions that could realistically be taken to reduce any impact on patient care.

Unsurprisingly, given the volume of cyberattacks on healthcare organizations, the high potential for harm, and the number of individuals that could be affected, the remote accessing of healthcare systems by hackers was rated as the number one hazard for 2019.

There is considerable potential for the remote access functionality of medical devices and systems to be exploited by hackers. A cyberattack could render medical devices and systems inoperative or could degrade their performance, which could have a major negative impact on patient care and could place patients’ lives at risk. Cyberattacks could also result in the theft of health data, which could also have a negative effect on patients.

ECRI notes that while cyberattacks can have a negative impact on healthcare providers, resulting in reputation damage and significant fines, cybersecurity is also a critical patient safety issue.

Hackers can easily take advantage of unmaintained and vulnerable remote access systems to gain access to medical devices and healthcare systems. They can move laterally within the network and gain access to medical and nonmedical assets and connected devices and systems. Patient data can be stolen, malware installed, computing resources hijacked, and ransomware deployed, which could render systems inoperable. For the most part, these attacks are preventable.

“Safeguarding assets requires identifying, protecting, and monitoring all remote access points, as well as adhering to recommended cybersecurity practices, such as instituting a strong password policy, maintaining and patching systems, and logging system access,” suggests ECRI.

The full Top Ten List of Health Technology Hazards for 2019 is:

  1. Hackers Can Exploit Remote Access to Systems, Disrupting Healthcare Operations
  2. “Clean” Mattresses Can Ooze Body Fluids onto Patients
  3. Retained Sponges Persist as a Surgical Complication Despite Manual Counts
  4. Improperly Set Ventilator Alarms Put Patients at Risk for Hypoxic Brain Injury or Death
  5. Mishandling Flexible Endoscopes after Disinfection Can Lead to Patient Infections
  6. Confusing Dose Rate with Flow Rate Can Lead to Infusion Pump Medication Errors
  7. Improper Customization of Physiologic Monitor Alarm Settings May Result in Missed Alarms
  8. Injury Risk from Overhead Patient Lift Systems
  9. Cleaning Fluid Seeping into Electrical Components Can Lead to Equipment Damage and Fires
  10. Flawed Battery Charging Systems and Practices Can Affect Device Operation

The post Remote Hacking of Medical Devices and Systems Tops ECRI’s 2019 List of Health Technology Hazards appeared first on HIPAA Journal.