Healthcare Data Security

OCR Reminds Healthcare Organizations of HIPAA Rules for Disposing of Electronic Devices and Media

Posted by HIPAA Journal

In its July Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA covered entities about HIPAA Rules for disposing of electronic devices and media.

Prior to electronic equipment being scrapped, decommissioned, returned to a leasing company or resold, all electronic protected health information (ePHI) on the devices must be disposed of in a secure manner.

HIPAA Rules for disposing of electronic devices cover all electronic devices capable of storing PHI, including desktop computers, laptops, servers, tablets, mobile phones, portable hard drives, zip drives, and other electronic storage devices such as CDs, DVDs, and backup tapes.

Healthcare organizations also need to be careful when disposing of other electronic equipment such as fax machines, photocopiers, and printers, many of which store data on internal hard drives. These devices in particular carry a high risk of a data breach at the end of life as they are not generally thought of as devices capable of storing ePHI.

If electronic devices are not disposed of securely and a data breach occurs, the costs to a healthcare organization can be considerable. Patients must be notified, it may be appropriate to pay for credit monitoring and identity theft protection services, and third-party breach response consultants, forensic investigators, and public relations consultants may need to be hired. OCR and/or state attorneys generals may conduct investigations and substantial financial penalties may be applied. Breach victims may also file lawsuits over the exposure of their financial information.

The costs all add up. The 2018 Cost of a Data Breach Study conducted by the Ponemon Institute/IBM Security highlighted the high cost of data breaches, in particular healthcare data breaches. The average cost of a breach of up to 100,000 records was determined to be $3.86 million. Healthcare data breaches cost an average of $408 per exposed record to mitigate, while the cost of data breaches of one million or more records was estimated to be between $40 million and $350 million.

It is not possible to ensure that all ePHI is disposed of securely if an organization does not know all systems and devices where PHI is stored. A full inventory of all equipment that stores ePHI must be created and maintained. When new equipment is purchased the list must be updated.

A full risk analysis should be conducted to determine the most appropriate ways to protect data stored on electronic devices and media when they reach the end of their lifespan.

Organizations must develop a data disposal plan that meets the requirements of 45 C.F.R. §164.310(d)(2)(i)-(ii). Paper, film, or other hard copy media should be shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. OCR notes that “Redaction is specifically excluded as a means of data destruction.”

Electronic devices should be “cleared, purged, or destroyed consistent with NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization,” to ensure that ePHI cannot be retrieved. If reusable media are in use, it is important to ensure that all data on the devices are securely erased prior to the devices being reused. Before electronic devices are scrapped or disposed of, asset tags and corporate identifying marks should be removed.

Third party contractors can be used to dispose of electronic devices, although they would be considered business associates and a business associate agreement would need to be in place. All individuals required to handle the devices must be aware of their responsibilities with respect to ePHI and its safe handling and should be subjected to workforce clearance processes.

Organizations should also consider the chain of custody of electronic equipment prior to destruction. Physical security controls should be put in place to ensure the devices cannot be stolen or accessed by unauthorized individuals and security controls should cover the transport of those devices until all data has been destroyed and is no longer considered ePHI.

The OCR newsletter, together with further information on secure disposal of ePHI and PHI, can be found on this link (PDF).

The post OCR Reminds Healthcare Organizations of HIPAA Rules for Disposing of Electronic Devices and Media appeared first on HIPAA Journal.

NIST/NCCoE Release Guide for Securing Electronic Health Records on Mobile Devices

Posted by HIPAA Journal

The HIPAA Security Rule requires HIPAA-covered entities to ensure the confidentiality, integrity, and availability of electronic protected health information at all times. Healthcare organizations must ensure patients’ health is not endangered, their privacy is protected, and their identities are not compromised.

A range of physical, technical, and administrative controls can be implemented to secure ePHI on servers and desktop computers, but ensuring the same level of security for mobile devices can be a major challenge.

Mobile devices offer many benefits for healthcare providers. They can improve access to protected health information, ensure that data can be accessed anywhere, and they help healthcare providers improve coordination of care.

However, when ePHI is stored on mobile devices such as laptops, tablets and mobile phones, or is transmitted using those devices, it is particularly vulnerable. Mobile devices are easy to lose, are often stolen, and data transmitted through mobile devices can also be vulnerable to interception. In healthcare, mobile device security is a major concern.

Despite security concerns, the majority of healthcare providers are either using mobile devices or plan to implement a mobile device initiative. Mobile device usage by healthcare providers is expected to increase significantly over the next two years.

To help healthcare organizations take advantage of mobile devices without violating the HIPAA Security Rule and patient privacy, the National Institute of Standards and Technology (NIST) and The National Cybersecurity Center of Excellence (NCCoE) has produced a new guideSecuring Electronic Health Records on Mobile Devices.

The guide focuses on healthcare organizations that use mobile devices to review, update, and exchange electronic health records and addresses risks such as the loss or theft of devices, the hacking of devices, connecting to untrusted networks, and interaction between mobile devices and other systems.

The guide explains how ePHI can be secured on mobile devices without having a negative impact on delivering quality care and offers straightforward and detailed advice on securing electronic health records on mobile devices.

The guide explains how IT professionals can implement a security architecture to improve device security and better protect ePHI that is accessed, stored, or transmitted through mobile devices. The guide explains how commercially available and open-source technologies and tools can be deployed as part of a layered cybersecurity strategy to ensure ePHI can be accessed and shared securely.

The guide maps security characteristics to NIST standards and best practices and to the HIPAA Security Rule and includes a detailed architecture and capabilities that address security controls. The guide provides detailed information on automated configuration of security controls for ease of use and addresses both in-house and outsourced implementations.

The guide serves as a how-to guide to implement NIST’s security solution, or it can be taken as a starting point and customized to suit each individual organization. Since the guide is modular, healthcare providers can choose to implement the parts to suit their own needs.

”All healthcare organizations need to fully understand the potential risk posed to their information systems, the bottom-line implications of those risks, and the lengths that attackers will go to exploit them,” wrote NIST/NCCoE in the guide. “Assessing risks and making decisions about how to mitigate them should be continuous to account for the dynamic nature of business processes and technologies, the threat landscape, and the data itself. The guide describes [NIST’s] approach to risk assessment. We recommend that organizations implement a continuous risk management process as a starting point for adopting this or other approaches that will increase the security of EHRs. It is important for management to perform regular periodic risk review, as determined by the needs of the business.”

The post NIST/NCCoE Release Guide for Securing Electronic Health Records on Mobile Devices appeared first on HIPAA Journal.

Email Account Compromises Continue Relentless Rise

Posted by HIPAA Journal

There has been a steady rise in the number of reported email data breaches over the past year. According to the July edition of the Beazley Breach Insights Report, email compromises accounted for 23% of all breaches reported to Beazley Breach Response (BBR) Services in Q2, 2018.

In Q2, 2018 there were 184 reported cases of email compromises, an increase from the 173 in Q1, 2018 and 120 in Q4, 2017. There were 45 such breaches in Q1, 2017, and each quarter has seen the number of email compromise breaches increase.

In Q2, 2018, the email account compromises were broadly distributed across a range of industry sectors, although the healthcare industry experienced more than its fair share.

Healthcare email accounts often contain a treasure trove of sensitive data that can be used for identity theft, medical identity theft, and other types of fraud. The accounts can contain the protected health information of thousands of patients. The recently discovered phishing attack on Boys Town National Research Hospital resulted in the attackers gaining access to the PHI of more than 105,000 patients.

Email Accounts Used for Further Attacks on an Organization

If hackers gain access to an email account, not only do they have access to the data stored in that mailbox, the account provides the hacker with a platform for conducting further attacks. The email account can be used to send messages to other employees, and since the messages are sent internally, they are unlikely to be flagged as malicious by email security solutions.

These internal emails are carefully crafted based on information gathered from the compromised mailbox. Rather than just sending a standard phishing email from the compromised account to other employees, targets are identified through reconnaissance, the account holder’s message style is copied, and messages are crafted based on past conversations between the account holder and the targets. This allows the attacker to conduct highly convincing spear phishing campaigns that are much more likely to be successful.

Once access to a single account is gained, it is difficult to prevent further email accounts from being compromised, although it is relatively easy to prevent the initial attack. Spam filtering solutions are a must, as they will block the vast majority of malicious messages and prevent them from reaching inboxes. Security awareness training is also essential for preparing employees for attacks and training them how to recognize phishing emails and other email threats. If two-factor authentication is used, an additional form of authentication is required in order for the account to be accessed remotely.

Beazley notes that organizations that use Office 365 are more susceptible to email account compromises. Microsoft’s PowerShell is often exploited and used to login to email accounts for reconnaissance, and if an email account is compromised with the right administrative privileges, the attacker could potentially be able to search every single inbox in an organization.

Beazley also recommends preventing third-party applications from accessing Office 365, as this can reduce the potential for PowerShell to be used for reconnaissance.

The High Cost of Email Account Compromises

BBR Services often discovers that organizations are only aware of half the inboxes that are compromised in an attack, and that it is not uncommon for hundreds of inboxes to have been compromised in a single phishing campaign.

These breaches can be extremely costly to resolve, as each message must be checked to determine whether it contains PHI or PHI. Even a small-scale email breach may cost $100,000 to resolve, while larger breached can easily cost in excess of $2 million. “Business email compromise attacks are among the more expensive data breaches we see,” said Katherine Keefe, head of BBR Services.

A case study was included in the report detailing the high cost of healthcare phishing attacks. An employee received a phishing email with a link to a website that appeared official, which required that person to enter their email account credentials. That gave the attacker access to that individual’s email account, which was then used in further attacks on the organization.

A forensic investigation revealed the attacker gained access to 20 email accounts and that the method used would have allowed all 20 of those mailboxes to have been downloaded. The messages were programmatically searched for PHI, although 350,000 documents in the email accounts could not be searched and required a manual check. The cost of paying a vendor to search those documents cost $800,000. A further $150,000 was spent on notifications and credit monitoring services.

Main Causes of Data Breaches in Q2, 2018

Across all industry sectors, the main causes of data breaches were hacks and malware attacks (39%) and accidental disclosures (22%). Even though the number of email attacks increased, hacks and malware attacks decreased by 3% compared to Q1, 2018. The decline was attributed to a fall in ransomware attacks.

The Beazley report shows the main cause of healthcare data breaches was accidental disclosures, which accounted for 38% of all breaches reported to BBR Services in Q2, 2018. That represents an increase of 29% since Q1, 2018. Hacking and malware attacks accounted for 26% of healthcare data breaches. 14% of breaches were insider incidents, 7% involved loss of physical PHI, 6% were due to the loss/theft of portable devices and 4% were due to social engineering attacks.

The post Email Account Compromises Continue Relentless Rise appeared first on HIPAA Journal.

Consumers More Worried About Exposure of Financial Information Than Health Data

Posted by HIPAA Journal

The privacy and security of health data is less of a concern for consumers than the privacy and security of financial information such as credit card numbers, according to a recent survey by the healthcare marketing agency SCOUT.

The Harris Poll survey was conducted on 2,033 adults from May 10-14, 2018 as part of a new research series called SCOUT Rare Insights. The survey revealed fewer than half of consumers (49%) were very concerned about the privacy and security of their health data, whereas more than two thirds of consumers (69%) were very concerned about the privacy and security of their financial data such as credit/debit card numbers and bank account information.

Consumers are often covered by insurance policies on their credit cards and can reclaim losses in many cases. A new credit card number can be issued in cases of theft and there are laws that limit personal liability. However, if health insurance information and Social Security numbers are stolen, breach victims can suffer severe losses that may not be recoverable.

Medical identity theft can also cause patients serious problems. When identities are stolen for the purpose of obtaining medications or medical services, medical records can be altered and patients may come to physical harm as a result. There is a booming market for medical identity theft and healthcare data breaches are occurring at an alarming rate.

Financial data breaches are usually detected rapidly and victims are alerted to the fraudulent use of their information promptly. In the case of health data breaches, it may take many months or even years before patients become aware that their health data has been misused. There are also few protections in place to limit liability and damages.

“We need to be much more aware and concerned about the safety of our health data,” said Raffi Siyahian, principal at SCOUT. “First, the risk of having your medical data exposed is pretty significant. And second, the consequences of someone gaining unauthorized access to your personal health information can be far more damaging than having someone illegally access your personal financial information.”

The survey also revealed that just over a third of patients (36%) are using online portals to access their personal health information. Only 28% of under 35s were using portals compared to 39% of over 35s. Checking health records regularly can ensure mistakes are promptly corrected and misuse of personal health information is detected rapidly.

The main reasons why online portals were not used were a preference for discussing health matters in person (47%) and concerns over the security of health data in online portals (39%).

When asked about the types of medical information patients were most concerned about being mishandled and shared, the area of most concern was diagnosed medical conditions and diseases, rated as a concern by 31% of respondents.

The post Consumers More Worried About Exposure of Financial Information Than Health Data appeared first on HIPAA Journal.

1.4 Million Patients Warned About UnityPoint Health Phishing Attack

Posted by HIPAA Journal

A massive UnityPoint Health phishing attack has been reported, one in which the protected health information of 1.4 million patients has potentially been obtained by hackers.

This phishing incident is the largest healthcare data breach of 2018 by some distance, involving more than twice the number of healthcare records as the California Department of Developmental Services data breach reported in April and the LifeBridge Health breach reported in May.

This is also the largest phishing incident to be reported by a healthcare provider since the HHS’ Office for Civil Rights (OCR) started publishing data breaches in 2009 and the largest healthcare breach since the 3,466,120-record breach reported by Newkirk Products, Inc., in August 2016.

Email Impersonation Attack Fools Several Employees into Disclosing Login Credentials

The UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation revealed multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of employees being fooled by email impersonation scams.

Business email compromise scams involve hackers gaining access to the email account of a senior executive and using that email account to send internal emails to try to obtain sensitive data such as W-2 Forms or to convince employees top make fraudulent wire transfers. However, access to an executive’s email account is not always necessary. If the attackers spoof an executive’s email account, it may be sufficient to fool employees into responding.

That is what appears to have happened in the UnityPoint Health phishing attack. A trusted executive’s email account was spoofed and several employees responded to the messages and disclosed their email credentials.

UnityPoint Health investigated the breach with assistance provided by a third-party digital forensics firm. The investigation suggested the primary purpose of the attack was to divert vendor payments and payroll funds to accounts controlled by criminals.

An analysis of the compromised email accounts revealed they contained a wide range of protected health information in the body of messages and attachments. That information could have been accessed by the hackers and downloaded.

The types of information exposed varied patient to patient, but may have included names, addresses, birth dates, medical record numbers, diagnosis information, treatment information, lab test results, health insurance information, surgical information, provider names, dates of service, driver’s license numbers, Social Security numbers and, for a limited number of patients, financial information such as credit card numbers.

A year of credit monitoring services has been offered to affected patients whose social security number, driver’s license numbers, or financial information has been exposed. UnityPoint Health says it has not received any reports of PHI misuse to date.

Second Major UnityPoint Health Phishing Attack to Be Detected in 2018

This is not the first UnityPoint Health phishing attack to be reported in 2018. In April, UnityPoint Health announced it had discovered several email accounts had been compromised resulting in the exposure of 16,400 patients’ PHI. Unauthorized individuals gained access to employees’ email accounts between November 1, 2017 and February 7, 2018. In response to that attack, UnityPoint Health said it had strengthened security controls to prevent further attacks. Whatever additional controls had been implemented clearly were not effective at protecting against email impersonation attacks.

The latest breach has prompted UnityPoint Health to implement further security controls, which include the use of two-factor authentication on employee’s email accounts, additional technological controls to detect suspicious emails from external sources, and further training has been conducted to help employees recognize phishing attempts.

When multiple data breaches are reported by a healthcare provider, especially breaches that involve large numbers of patient records, the Department of Health and Human Services’ Office for Civil Rights takes a keen interest. An investigation into these phishing attacks is likely to be conducted, with the UnityPoint Health’s security controls and security awareness training programs likely to be carefully scrutinized for evidence of compliance failures.

Even without fines for non-compliance, data breaches on this scale can prove incredibly costly. Recently, the Ponemon Institute/IBM Security released the results of its 2018 Cost of a Data Breach Study. This year’s study showed the average cost of a data breach has risen to $3.86 million for a breach of up to 100,000 records. The healthcare industry has the highest breach costs at an average of $408 per record.

For the first time, the study investigated the cost of ‘mega’ data breaches – Those that involve the exposure of more than 1 million records. The cost of resolving these mega data breaches was estimated to be $40 million when more than 1 million records have been exposed.

The post 1.4 Million Patients Warned About UnityPoint Health Phishing Attack appeared first on HIPAA Journal.

Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform

Posted by HIPAA Journal

Cofense has developed a new product which will soon be added to its portfolio of anti-phishing solutions for healthcare organizations and incorporated into its phishing-specific security orchestration, automation and response (SOAR) platform.

The announcement comes at a time when the healthcare industry has been experiencing an uptick in phishing attacks. The past few months have seen a large number of healthcare organizations fall victims to phishing attacks that have resulted in cybercriminals gaining access to employee’s email accounts and the PHI contained therein.

Perimeter security defenses can be enhanced to greatly reduce the number of malicious emails that reach employees’ inboxes, but even when multiple security solutions are deployed they will not block all phishing threats.

Security awareness training is essential to reduce susceptibility to phishing attacks by conditioning employees to stop and think before clicking links in emails or opening questionable email attachments and to report suspicious emails to their security teams.

However, security teams can struggle to identify real threats quickly. Employees will typically report a wide range of emails, not just malicious messages. Most organizations will see their abuse mailboxes fill up rapidly and security teams often waste valuable time sifting through messages to find the real threats.

Cofense has attempted to solve the problem with the release of a SOAR platform that helps incident response teams identify and mitigate phishing attacks in progress much more rapidly. Cofense Triage allows incident response teams to rapidly assess, analyze, and remediate phishing attacks in real-time by filtering out the noise.

Cofense Triage has recently been enhanced with new features that allow third-party security solutions to be integrated through its REST API to ensure an optimized, security orchestration response. Remediating phishing threats has been made easier through automation using playbooks and workflows – sets of criteria that will automatically execute a response to mitigate an attack if certain criteria are met.

Now the Leesburg, VA-based anti-phishing vendor has developed a new anti-phishing solution – Cofense Vision – which will soon be incorporated into its phishing-specific SOAR. Cofense Vision – due to be generally available in Q4 2018 – will make it easier and quicker to identify all phishing emails in a campaign and quarantine them rapidly to neutralize the threat.

When a phishing email is identified, it is unlikely to be the only copy of the message in an organization’s email system. Tens or even hundreds of copies may be hiding in other inboxes, including carbon copies of the message, variations along the same theme, and totally different messages containing the same malicious payload.

Cofense Vision helps incident response teams search, identify, and quarantine all phishing emails in a particular campaign, querying messages by sender, date, subject, attachment name, attachment hash, and many more criteria. When all messages have been identified, they can be quarantined with a single click, removing all malicious messages from an organization’s entire email system.

This is just one of a host of new anti-phishing solutions that can be deployed to help healthcare organizations deal with the threat of phishing. As news breaks of a million-record-plus healthcare phishing attack, advanced phishing solutions are clearly needed to tackle the threat to the confidentiality, integrity, and availability of PHI.

The post Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform appeared first on HIPAA Journal.

Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform

Posted by HIPAA Journal

Cofense has developed a new product which will soon be added to its portfolio of anti-phishing solutions for healthcare organizations and incorporated into its phishing-specific security orchestration, automation and response (SOAR) platform.

The announcement comes at a time when the healthcare industry has been experiencing an uptick in phishing attacks. The past few months have seen a large number of healthcare organizations fall victims to phishing attacks that have resulted in cybercriminals gaining access to employee’s email accounts and the PHI contained therein.

Perimeter security defenses can be enhanced to greatly reduce the number of malicious emails that reach employees’ inboxes, but even when multiple security solutions are deployed they will not block all phishing threats.

Security awareness training is essential to reduce susceptibility to phishing attacks by conditioning employees to stop and think before clicking links in emails or opening questionable email attachments and to report suspicious emails to their security teams.

However, security teams can struggle to identify real threats quickly. Employees will typically report a wide range of emails, not just malicious messages. Most organizations will see their abuse mailboxes fill up rapidly and security teams often waste valuable time sifting through messages to find the real threats.

Cofense has attempted to solve the problem with the release of a SOAR platform that helps incident response teams identify and mitigate phishing attacks in progress much more rapidly. Cofense Triage allows incident response teams to rapidly assess, analyze, and remediate phishing attacks in real-time by filtering out the noise.

Cofense Triage has recently been enhanced with new features that allow third-party security solutions to be integrated through its REST API to ensure an optimized, security orchestration response. Remediating phishing threats has been made easier through automation using playbooks and workflows – sets of criteria that will automatically execute a response to mitigate an attack if certain criteria are met.

Now the Leesburg, VA-based anti-phishing vendor has developed a new anti-phishing solution – Cofense Vision – which will soon be incorporated into its phishing-specific SOAR. Cofense Vision – due to be generally available in Q4 2018 – will make it easier and quicker to identify all phishing emails in a campaign and quarantine them rapidly to neutralize the threat.

When a phishing email is identified, it is unlikely to be the only copy of the message in an organization’s email system. Tens or even hundreds of copies may be hiding in other inboxes, including carbon copies of the message, variations along the same theme, and totally different messages containing the same malicious payload.

Cofense Vision helps incident response teams search, identify, and quarantine all phishing emails in a particular campaign, querying messages by sender, date, subject, attachment name, attachment hash, and many more criteria. When all messages have been identified, they can be quarantined with a single click, removing all malicious messages from an organization’s entire email system.

This is just one of a host of new anti-phishing solutions that can be deployed to help healthcare organizations deal with the threat of phishing. As news breaks of a million-record-plus healthcare phishing attack, advanced phishing solutions are clearly needed to tackle the threat to the confidentiality, integrity, and availability of PHI.

The post Cofense Develops New Phishing-Specific Security Orchestration, Automation and Response Platform appeared first on HIPAA Journal.

Warnings Issued Following Increase in ERP System Attacks

Posted by HIPAA Journal

The United States Computer Emergency Readiness Team (US-CERT) has warned businesses about the increasing risk of cyberattacks on enterprise resource planning (ERP) systems such as the cloud-based ERPs developed by SAP and Oracle.

These web-based applications are used to manage a variety of business operations, including finances, payroll, billing, logistics, and human resources functions. Consequently, these systems contain a treasure trove of sensitive data – The exact types of data sought by cybercriminals for fraud and cyber espionage.

Further, many businesses rely on their ERP systems to function. A cyberattack that takes those systems out of action can have catastrophic consequences, making the systems an attractive target for sabotage by hacktivists and nation state backed hacking groups.

The US-CERT warning follows a joint report on the increasing risk of ERP system attacks by cybersecurity firms Digital Shadows and Onapsis. The report focused on two of most widely used ERP systems: SAP HANA and Oracle E-Business.

The authors explained that the number of publicly available exploits for SAP and Oracle E-Business have increased by 100% over the past three years and detailed information on how to attack these systems is being exchanged on darknet forums.

“ERP applications are being actively targeted by a variety of cyber-attackers across different geographies and industries,” wrote the authors. Some hackers have repurposed banking malware (Dridex) to obtain ERP system logins as demand for stolen credentials has increased significantly.

Access to ERP servers is often sought in order to mine cryptocurrencies. The researchers note that one cybercriminal group used a publicly available exploit for WebLogic to gain access to servers to install Monero mining software. Through that single attack the group managed to generate $226,000 in Monero coins. The researchers note that there is plenty of chat about using SAP servers to mine cryptocurrency on Internet Relay Chat (IRC) channels.

When ERP systems are connected to the Internet they are much more vulnerable to attack. The researchers note that internet-connected ERP systems are not difficult to find. More than 17,000 internet-connected ERPs were identified by the researchers that could potentially be accessed using dictionary or brute force tactics to guess logins. Many exploits are available for vulnerabilities that allow remote code execution, with more than 50 SAP exploits and 30 Oracle exploits being actively traded on darknet forums.

ERP system developers regularly release patches to address flaws in the software. As with any software solution, patches should be applied promptly. However, all too often patching is delayed due to the complexity of system architectures and customized functionality, which can make patching problematic. Those delays or the failure to apply patches plays into cybercriminals’ hands.

The researchers explain that prompt patching is critical. Additionally, strong, unique passwords should be used, and users should only have the privileges they need for their job role. ERP applications should be checked for uninstalled patches and insecure configurations, and unused APIs and unnecessary internet-facing logins should be disabled. Companies need to do as much as they can to reduce the attack surface.

The report is essential reading for IT security teams at all businesses that use ERP systems. The ERP Applications Under Fire report can be downloaded on this link.

The post Warnings Issued Following Increase in ERP System Attacks appeared first on HIPAA Journal.

FDA Issues New Guidance on Use of EHR Data in Clinical Investigations

Posted by HIPAA Journal

The U.S. Food and Drug Administration has released new guidance on the use of EHR data in clinical investigations and the requirement to ensure that appropriate controls are in place to ensure the confidentiality, integrity, and availability of data.

While the guidance is non-binding, it provides healthcare organizations with valuable information on steps to take when deciding whether to use EHRs as a source of data for clinical investigations, how to use them and ensure the quality and integrity of EHR data, and how to make sure that any data collected and used as an electronic source of data meets the FDA’s inspection, recordkeeping and data retention requirements.

The aim of the guidance is to promote the interoperability of EHR and EDC systems and facilitate the use of EHR data in clinical investigations, such as long-term studies on the safety and effectiveness of drugs, medical devices, and combination products.

The guidance does not apply to data collected for registries and natural history studies, the use of EHR data to evaluate the feasibility of trial design or as a recruitment tool for clinical investigations, or the use of EHR data in postmarketing observational pharmacoepidemiologic studies that assess adverse events and risks associated with drug exposure or those that are designed to test prespecified hypotheses for such studies.

The FDA is aware that EHRs have the potential to provide researchers with access to real time data for reviews and allow post-trail follow ups on patients to determine the long -term effectiveness of specific treatments. They also provide access to the data or large numbers of patients, which can be particularly useful in clinical investigations, especially when certain outcomes are rarely observed. The use of EHR data in clinical investigations is broadly encouraged by the FDA.

However, it is important for best practices to be adopted to ensure patient privacy is protected, data integrity is maintained, and data are secured at all times.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 required the Office of the National Coordinator of Health IT (ONC) to establish a voluntary certification program for Health IT. Certified EHRs comply with 45 CFR part 170 of the HITECH Act which covers interoperability and data security and confirms EHRs meet minimum requirements for privacy and security.

The FDA recommends that only certified EHR systems are used in clinical investigations and that policies and procedures on their use should be developed. The FDA recommends that a list of EHR systems is maintained, detailing the manufacturer of the system, the model number, version number, and whether it is certified by ONC.

There may be times when EHRs are de-certified by ONC during the clinical investigation, as they may no longer meet appropriate standards. In such cases, sponsors should determine the reason for de-certification and its impact on the quality and integrity of data used in the clinical investigation.

At times, it may be necessary to incorporate data from EHR systems used in other countries, which are not certified by ONC. While the use of data from these systems is acceptable, and can be highly beneficial for clinical investigations, sponsors should evaluate whether the systems have appropriate privacy and security controls in place to ensure the confidentiality, integrity, and availability of data.

Sponsors should ensure that policies and procedures for these EHRs are in place at the investigation site and appropriate measures have been implemented to protect study data. They must also ensure that access to the electronic systems housing the EHRs is limited to authorized personnel. Authors of the records must be clearly identifiable, audit trails need to be maintained, and records need to be available and retained for FDA inspection.

If these controls are not in place, sponsors should consider the risks associated with using those systems, including the potential for harm to research subjects, the impact on data integrity of the clinical investigation, and the regulatory implications.

The guidelines also suggest EHRs not certified by ONC should meet various data standards, and the guidance offers advice about choosing between structured and unstructured data, and the validation of interoperability between EHRs and electronic data capture (EDC) systems.

The post FDA Issues New Guidance on Use of EHR Data in Clinical Investigations appeared first on HIPAA Journal.