Healthcare Data Security

Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist

Posted by HIPAA Journal

Many healthcare organizations have now transitioned to secure messaging systems and have retired their outdated pager systems.

Healthcare organizations that have not yet made the switch to secure text messaging platforms should take note of a recent security breach that saw pages from multiple hospitals intercepted by a ‘radio hobbyist’ in Missouri.

Intercepting pages using software defined radio (SDR) is nothing new. There are various websites that explain how the SDR can be used and its capabilities, including the interception of private communications. The risk of PHI being obtained by hackers using this tactic has been well documented.  All that is required is some easily obtained hardware that can be bought for around $30, a computer, and some free software.

In this case, an IT worker from Johnson County, MO purchased an antenna and connected it to his laptop in order to pick up TV channels. However, he discovered he could pick up much more. By accident, he intercepted pages sent by physicians at several hospitals. The man told the Kansas City Star he intercepted pages containing highly sensitive information including the page below:

“RQSTD RTM: (patient’s name) 19 M Origin Unit: EDOF Admitting: (doctor’s name) Level of Care: 1st Avail Medical Diagnosis: TONSILAR BLEED, ANEMIA, THROMBOCYTOPENIA”

It was not necessary to be in close vicinity of a hospital to intercept the pages and view PHI. Pages were picked up from hospitals and medical centers in Blue Springs, MO; Harrisonville, MO; Liberty, MO; Kansas City, KS; Wichita, KS; and even hospitals further away in Kentucky and Michigan.

Reporters from the Kansas City Star made contact with several of the patients whose information was exposed to confirm the information was correct. Understandably, the patients were shocked to find out that their sensitive information had been obtained by unauthorized individuals, as were the hospitals.

While not all hospitals responded, some of those that did said they are working with their vendors to correct the problem to ensure that pages cannot be intercepted in the future.

Intercepting pages is illegal under the Electronic Communications Protection Act, although hacking healthcare networks or conducting phishing campaigns to obtain protected health information is similarly illegal, yet that does not stop hackers.

HIPAA-covered entities should take note of the recent privacy violations and should consider implementing a secure messaging solution in place of pagers; however, in the meantime they should contact their vendors and explore the options for encrypting pages to prevent ePHI from being intercepted.

The post Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist appeared first on HIPAA Journal.

Advisory Issued After 8 Vulnerabilities Discovered in Natus Xltek NeuroWorks Software

Posted by HIPAA Journal

ICS-CERT has issued an advisory following the discovery of eight vulnerabilities in version 8 of Natus Xltek NeuroWorks software used in Natus Xltek EEG medical products.

If the vulnerabilities are successfully exploited they could allow a malicious actor to crash a vulnerable device or trigger a buffer overflow condition that would allow remote code execution.

All eight vulnerabilities have been assigned a CVSS v3 score above 7.0 and are rated high.  Three of the vulnerabilities – tracked as CVE-2017-2853, CVE-2017-2868, and CVE-2017-2869 – have been assigned a CVSS v3 base score of 10, the highest possible score. CVE-2017-2867 has been assigned a base score of 9.0, with the other four vulnerabilities – CVE-2017-2852, CVE-2017-2858, CVE-2017-2860, and CVE-2017-2861 – given a rating of 7.5. The vulnerabilities are a combination of stack-based buffer overflow and out-of-bounds read vulnerabilities.

CVE-2017-2853 would allow an attacker to cause a buffer overflow by sending a specially crafted packet to an affected product while the product attempts to open a file requested by the client.

CVE-2017-2868 and CVE-2017-2869 relate to flaws in how the program parses data structures. Exploitation would allow an attacker to trigger a buffer overflow and execute arbitrary code, allowing the attacker to take full control of the affected system.

The vulnerabilities were discovered by security researcher Cory Duplantis from Cisco Talos who reported them to Natus. Natus took immediate action and has now released an updated version of its software which corrects all of the flaws.

To date there have been no reported instances of the vulnerabilities being exploited in the wild, and no public exploits for the vulnerabilities are known. Natus recommends all users of the vulnerable software to update to NeuroWorks/SleepWorks 8.5 GMA 3 as soon as possible.

The update is available free of charge for users of NeuroWorks/SleepWorks Version 8.0, 8.1, 8.4, or 8.5. The Natus Neuro technical support department should be contacted for further information.

In addition to updating to the latest version of the software, organizations can take further steps to limit the potential for zero-day vulnerabilities to be exploited.

The National Cybersecurity & Communications Integration Center (NCCIC) recommends minimizing network exposure for all control systems and devices and ensuring they are not accessible over the Internet. Control systems and remote devices should be located behind firewalls and should be isolated from the business network. If remote access is necessary, secure methods should be used to connect, such as Virtual Private Networks (VPNs), which should be kept up to date.

The post Advisory Issued After 8 Vulnerabilities Discovered in Natus Xltek NeuroWorks Software appeared first on HIPAA Journal.

May 2018 Healthcare Data Breach Report

Posted by HIPAA Journal

April was a particularly bad month for healthcare data breaches with 41 reported incidents. While it is certainly good news that there has been a month-over-month reduction in healthcare data breaches, the severity of some of the breaches reported last month puts May on a par with April.

Healthcare Data Breaches (May 2018)

There were 29 healthcare data breaches reported by healthcare providers, health plans, and business associates of covered entities in May – a 29.27% month-over month reduction in reported breaches. However, 838,587 healthcare records were exposed or stolen in those incidents – only 56,287 records fewer than the 41 incidents in April.

Healthcare Data Breaches - Records (May 2018)

In May, the mean breach size was 28,917 records and the median was 2,793 records. In April the mean breach size was 21,826 records and the median was 2,553 records.

Causes of May 2018 Healthcare Data Breaches

Unauthorized access/disclosure incidents were the most numerous type of breach in May 2018 with 15 reported incidents (51.72%). There were 12 hacking/IT incidents reported (41.38%) and two theft incidents (6.9%). There were no lost unencrypted electronic devices reported in May and no improper disposal incidents.

The 12 hacking/IT incidents reported in May resulted in the exposure/theft of 738,883 healthcare records – 88.11% of the total for May. Unauthorized access/disclosure incidents affected 97,439 patients and health plan members – 11.62% of the total. Theft incidents resulted in unauthorized individuals obtaining the PHI of 2,265 individuals – 0.27% of the monthly total.

Causes of Healthcare Data Breaches (May 2018)

Largest Healthcare Data Breaches Reported in May 2018

The largest healthcare data breach reported in May 2018 – by some distance – was the 538,127-record breach at the Baltimore, MD-based healthcare provider LifeBridge Health Inc. The breach was reported in May, although it occurred more than a year and a half earlier in September 2016, when malware was installed on its server that hosts electronic health records.

In addition to names and contact information, clinical and treatment information, insurance information, and, in some instances, Social Security numbers, were compromised. The scale of the breach and the types of information exposed makes it one of the most serious healthcare data breaches discovered in 2018.

As the table below shows, hacks and IT incidents were behind the most serious breaches in May.

Breached Entity Entity Type Records Breached Breach Type
LifeBridge Health, Inc Healthcare Provider 538127 Hacking/IT Incident
The Oregon Clinic, P.C. Healthcare Provider 64487 Hacking/IT Incident
Dignity Health Healthcare Provider 55947 Unauthorized Access/Disclosure
Aultman Hospital Healthcare Provider 42625 Hacking/IT Incident
Holland Eye Surgery and Laser Center Healthcare Provider 42200 Hacking/IT Incident
USACS Management Group, Ltd. Business Associate 15552 Hacking/IT Incident
Florida Hospital Healthcare Provider 12724 Hacking/IT Incident
Aflac Health Plan 10396 Hacking/IT Incident
Cerebral Palsy Research Foundation of Kansas, Inc. Healthcare Provider 8300 Unauthorized Access/Disclosure
Associates in Psychiatry and Psychology Healthcare Provider 6546 Hacking/IT Incident

 

Records Exposed in Healthcare Data Breaches (May 2018)

Location of Breached Protected Health Information

In May, the most common location of breached protected health information was email. 11 of the 29 reported breaches involved hacks of email accounts and misdirected emails. It was a similar story in April, when email was also the main location of breached PHI.

In May there were 7 incidents affecting network servers – hacks, malware infections, and ransomware incidents – and 7 incidents involving paper records.

Healthcare Data Breaches (May 2018) - Location of Breached PHI

Data Breaches by Covered Entity Type

Healthcare providers experienced the lion’s share of the healthcare data breaches in May 2018, with 22 incidents reported. Only two health plans suffered a data breach in May.

Five business associates of HIPAA-covered entities reported a breach, although a further four breaches had some business associate involvement.

Healthcare Data Breaches (May 2018) - Breaches by Covered Entity Type

Healthcare Data Breaches by State

California and Ohio were the worst affected by healthcare data breaches in May 2018, with each state having four breaches. Oregon and Texas each experienced two data breaches in May. Nevada saw four breaches reported, but three of those were the same incident, only reported separately by each of the three Dignity Health hospitals affected.

One healthcare data breach was reported by a HIPAA-covered entity or business associate based in Arkansas, Arizona, Colorado, Florida, Georgia, Indiana, Kansas, Massachusetts, Maryland, Michigan, Minnesota, Nebraska, and New York.

Financial Penalties for HIPAA Violations

While OCR and state attorneys general continue to enforce HIPAA Rules and take action against covered entities and business associates for noncompliance, there were no financial settlements announced by either in May 2018.

Data Source: The Department of Health and Human Services’ Office for Civil Rights.

The post May 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has announced its fourth largest HIPAA violation penalty has been issued to The University of Texas MD Anderson Cancer Center (MD Anderson). MD Anderson has been ordered to pay $4,348,000 in civil monetary penalties to resolve the HIPAA violations related to three data breaches experienced in 2012 and 2013.

MD Anderson is an academic institution and a cancer treatment and research center based at the Texas Medical Center in Houston, TX. Following the submission of three breach reports in 2012 and 2013, OCR launched an investigation to determine whether the breaches were caused as a result of MD Anderson having failed to comply with HIPAA Rules.

The breaches in question were the theft of an unencrypted laptop computer from the home of an MD Anderson employee and the loss of two unencrypted USB thumb drives, each of which contained the electronic protected health information (ePHI) of its patients. In total, the PHI of 34,883 patients was exposed and could potentially have been viewed by unauthorized individuals.

The investigation revealed that MD Anderson had conducted a risk analysis, as is required by HIPAA. That risk analysis revealed the use of unencrypted devices posed a serious threat to the confidentiality, integrity, and availability of ePHI. To address the risk, in 2006 MD Anderson developed policies that required all portable storage devices to be encrypted.

However, even though policies called for the use of encryption, encryption was not implemented until March 24, 2011. When encryption was implemented, it was not implemented on all portable devices in its inventory. MD Anderson reported to OCR that by January 25, 2013, it had only encrypted 98% of its computers. If MD Anderson had implemented encryption on all portable electronic devices containing ePHI, the three breaches would have been prevented.

Preventable Data Breaches Experienced by MD Anderson

The laptop was stolen from the home of Dr. Randall Millikan on April 30, 2012. Dr. Millikan confirmed that the ePHI on the device were not encrypted, the laptop was not password protected, and the ePHI could potentially have been viewed by family members at his home as a result, as well as by the individual who stole the laptop.

The USB devices were lost on or around July 12, 2012 and December 2, 2013. The first contained an Excel file containing the ePHI of 2,264 individuals. The device was lost by a summer intern on her way home from work. The second USB drive was lost by a visiting researcher from Brazil at some point over the Thanksgiving weekend. The device was usually left in the tray on her desk. Neither device was encrypted or password protected.

Between 2010 and 2011, MD Anderson’s Information Security Program and Annual Reports stated clearly that the storage of ePHI on mobile media was a key risk area that had not yet been mitigated, which was also detailed in its risk analysis for fiscal year 2011. That risk analysis determined that employees were downloading ePHI onto portable storage devices for use outside the institution. The failure to address the risk was a violation of 45 C.F.R. § 164.312(a)(2)(iv) and its own policies.

Penalties for HIPAA Violations

When financial penalties are deemed appropriate, OCR usually negotiates with the covered entity and a settlement is agreed; however, MD Anderson disagreed with OCR’s decision and maintained the financial penalty was unreasonable. Specifically, MD Anderson claimed that it was not obligated to use encryption as the data on the devices were used for research purposes, and that the research was not subject to HIPAA’s nondisclosure requirements. A covered entity has the right to contest penalties for HIPAA violations. Consequently, the matter was referred to an Administrative Law Judge.

OCR proposed penalties for HIPAA violations under the tier of ‘reasonable cause’. OCR wrote in its Notice of Proposed Determination, “Reasonable cause is “an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.”

The penalty amounts in such cases are a minimum of $1,000 for each violation up to a maximum of $1.5 million per calendar year.

 

Penalty Structure for HIPAA Violations

OCR determined penalties were appropriate for calendar year 2011 (283 days from March 24 to December 31), calendar year 2012 (366 days from January 1 to December 31) and calendar year 2013 (25 days from January 1 to January 25), and applied the maximum penalty of $1.5 million for each of those calendar years.

Administrative Law Judge Steven T. Kessell granted summary judgement in favor of OCR to remedy MD Anderson’s noncompliance with 45 C.F.R. § 164.312(a) – Technical Safeguards; encryption – and 45 C.F.R. § 164.502(a) – Uses and Disclosure of PHI; impermissible disclosure of ePHI.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

The post OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center appeared first on HIPAA Journal.

CSO Online Rates Cofense Triage One of Best Security Software Solutions of 2018

Posted by HIPAA Journal

Cofense Triage, the phishing incident response platform, has been included in CSO Online’s 2018 list of the best security software solutions of 2018.

To produce the list, CSO Online conducted independent reviews of a wide range of software solutions. Strict review methodologies were used to select the best security products currently on the market. Each product was researched to find out how it worked, how the solution could be deployed in customer environments, the benefits it provided, and the major problems that the solution resolved.

The review was based on the top technology areas for security identified by Gartner, which included cloud workload protection platforms, remote browsers, deception technologies, endpoint detection and response platforms, network traffic analysis solutions, managed detection and response services, microsegmentation solutions, cloud access security brokers, OSS security scanning services for DevSecOps, and container security.

CSO Online tested all security solutions in a dedicated lab environment with each tested, where appropriate, against some of the most dangerous threats faced by businesses.

CSO Online selected 12 top vendors – one in each category – with Cofense Triage selected as the best security software solution in the phishing defense category. CSO Online explained that Cofense Triage is still evolving but even in its current form it is one of the most advanced defenses businesses and implement to protect them from phishing attacks.

Cofense Triage is deployed as an on-premises virtual appliance that connects with corporate email programs and helps companies manage reports from employees of suspected phishing attempts and phishing attacks in progress.

Secure email gateways and anti-spam solutions are essential, but they fail to block all phishing threats. Many malicious emails make it past those perimeter defenses and are delivered to end users’ inboxes.

Security awareness training – also provided by Cofense – helps employees recognize phishing threats. A one-click phishing email reporting solution – such as Cofense Reporter – allows employees to quickly send suspicious emails to their security teams. Managing those emails can be difficult and time consuming, which is where Cofense Triage helps. Through a combination of human intelligence and machine learning, the solution helps security teams quickly identify the wheat from the chaff and concentrate on the real phishing attempts rather than wasting time on false positives.

Cofense notes that typically only 10% of reported emails are malicious in nature. Security teams often spend a considerable amount of time assessing the 90% of reported emails that are non-malicious in nature.

“Cofense Triage is crucial for security operations teams to quickly find and disrupt active phishing attacks mere minutes after being reported within their organization. Having Triage recognized as one of this year’s best security software solutions, and the best phishing defense solution, by the technical experts at CSO Online is a true testament to that ability,” said Aaron Higbee, CTO and co-founder of Cofense.

The post CSO Online Rates Cofense Triage One of Best Security Software Solutions of 2018 appeared first on HIPAA Journal.

Advisory Issued About Vulnerabilities in Siemens RAPIDLab and RAPIDPoint Blood Gas Analyzers

Posted by HIPAA Journal

Siemens has proactively issued an advisory over two recently discovered vulnerabilities in its RAPIDLab and RAPIDPoint Blood Gas Analyzers.

No reports have been received to data to suggest either vulnerability has been exploited in the wild, although users of the devices are being encouraged to take steps to mitigate risk.

The vulnerabilities affect Siemens RAPIDLab 1200 Series and RAPIDPoint 400/405/500 cartridge-based blood-gas, electrolyte, and metabolite analyzers.

CVE-2018-4845 would allow local or remote credentialed access to the Remote View feature. Successful exploitation of the vulnerability could result in privilege escalation that could potentially compromise the confidentiality, integrity, and availability of the system. No user interaction would be required to exploit the vulnerability. The vulnerability has been assigned a CVSS v3.0 score of 8.8.

CVE-2018-4846 relates to a factory account with a hardcoded password which could potentially be exploited to gain remote access to the device over port 8900/tcp, thus compromising the confidentiality, integrity, and availability of the device. Exploitation would require no privileges or user interaction. The vulnerability has been assigned a CVSS v3.0 score of 7.3. No special skills would be required to exploit either vulnerability.

No patch has been issued to correct the flaws at present, although Siemens has identified workarounds and mitigations that will reduce the risk of the vulnerabilities being exploited, as detailed in the table below:

Affected Product and Versions Remediation
RAPIDLab 1200 systems / RAPIDPoint 400 systems / RAPIDPoint 500 systems:

All versions without use of Siemens Healthineers Informatics products

 ·         Restrict physical access to only authorized individuals to limit exposure to CVE-2018- 4845.

·         Disable Remote Viewing feature by following the instructions in the “Enabling or Disabling Remote Viewing” section of the analyzer Operator’s Guide to limit exposure to CVE-2018-4845 and mitigate CVE-2018- 4846.
RAPIDLab 1200 Series:

All versions < V3.3 with Siemens Healthineers Informatics products

 ·         Restrict physical access to only authorized individuals to limit exposure to CVE-2018- 4845.

·         Upgrade to V3.3 or 3.3.1. Please contact your Siemens Healthineers service desk for more information.

·         Change the password according to the release notes, or contact the service department.

·         To ensure seamless and secure connectivity with the RAPIDComm® Data Management System, RAPIDComm® V7.0 or higher is recommended.
RAPIDPoint 500 systems:

All versions >= V3.0 with Siemens Healthineers Informatics products

 ·         Restrict physical access to only authorized individuals to limit exposure to CVE-2018- 4845.

·         Change the password according to the release notes or contact the service department.

·         To ensure seamless and secure connectivity with RAPIDComm, RAPIDComm V7.0 or higher is recommended.
RAPIDPoint 500 systems:

V2.4.X with Siemens Healthineers Informatics products

 ·         Restrict physical access to only authorized individuals to limit exposure to CVE-2018- 4845.

·         Upgrade to and follow instructions provided for V3.0.
RAPIDPoint 500 systems:

All versions =< V2.3 with Siemens Healthineers Informatics products

 ·         Restrict physical access to only authorized individuals to limit exposure to CVE-2018- 4845.

·         Siemens Healthineers will update this advisory when new information becomes available.
RAPIDPoint 400 systems:

All versions with Siemens Healthineers Informatics products

 ·         Restrict physical access to only authorized individuals to limit exposure to CVE-2018- 4845.

·         Upgrade to RAPIDPoint 500 Series.

·         If upgrading is not an option, disable Remote Viewing feature by following the instructions in the “Enabling or Disabling Remote Viewing” section of the analyzer Operator’s Guide to limit exposure to CVE-2018- 4845 and mitigate CVE-2018-4846.

The post Advisory Issued About Vulnerabilities in Siemens RAPIDLab and RAPIDPoint Blood Gas Analyzers appeared first on HIPAA Journal.

Medical Device Security a Major Concern, Yet Funds Not Available to Improve Security

Posted by HIPAA Journal

A recent HIMSS survey has confirmed that medical device security is a concern and strategic priority for most healthcare organizations, yet fewer than half of healthcare providers have an approved budget for tackling security flaws in medical devices.

For the study, HIMSS surveyed 101 healthcare industry practitioners in the United States and Asia on behalf of global IT company Unisys.

85% of respondents to the survey said medical device security was a strategic priority and 58% said it was a high priority, yet only 37% of respondents had an approved budget to implement their cybersecurity strategy for medical devices. Small to medium sized healthcare providers were even less likely to have appropriate funds available, with 71% of companies lacking the funds for medical device security improvements.

Vulnerabilities in medical devices are frequently being identified. ICS-CERT has issued several recent advisories about flaws in a wide range of devices. In many cases, flaws are identified and corrected before they can be exploited by cybercriminals, although the WannaCry attacks last year showed just how much of a risk is involved – to providers as well as patients.

A recent MedCrypt-funded study from the University of California Cyber Team has revealed some healthcare organizations have experienced cybersecurity incidents involving insecure medical devices that have had an adverse effect on patients. The organizations that had experienced incidents involving compromised medical devices said between 100 and 1,000 patients had been affected.

“While most life sciences and healthcare organizations understand the need to strengthen device security, many are struggling with legacy devices that were never designed to be internet-accessible – and with the explosion of ransomware and sophisticated cyberattacks like WannaCry, that can put both the provider and the patient at risk,” said Bill Parkinson global senior director, Unisys Life Sciences and Healthcare.

Respondents to the HIMSS/Unisys survey were asked what security measures they had in place to secure their medical devices. 85% said they used firewalls and network access control systems, although only 53% said they used segregated networks for medical devices, even though segmentation of networks can help organizations manage risk.

“To ensure proper security, all devices require equally strong protection – firewalls alone are not enough in today’s environment,” said Parkinson. “In this regard, microsegmentation, the ability to segment and restrict network and device data to pre-authorized groups of users and devices, can be a critical asset for hospitals and medical providers.”

The survey also investigated how healthcare providers are capturing and managing data collected by medical devices. Approximately 60% of healthcare providers said they were ready for a device audit at all times, but fewer than a third of providers were capturing device data in real-time.

“The importance of having access to real-time data cannot be underestimated. Not only can data analytics help life sciences and healthcare organizations reduce device downtime by ensuring devices are operational, it can significantly improve audit readiness and better inform future purchasing decisions,” said Parkinson.

The post Medical Device Security a Major Concern, Yet Funds Not Available to Improve Security appeared first on HIPAA Journal.

More than 90% of Hospitals and Physicians Say Mobile Technology is Improving Patient Safety and Outcomes

Posted by HIPAA Journal

90% of hospitals and 94% of physicians have adopted mobile technology and say it is helping to improve patient safety and outcomes, according to a recent survey conducted by Black Book Research.

The survey was conduced on 770 hospital-based users and 1,279 physician practices between Q4, 2017 and Q1, 2018.

The survey revealed 96% of hospitals are planning on investing in a new clinical communications platform this year or have already adopted a new, comprehensive communications platform.

85% of surveyed hospitals and 83% of physician practices have already adopted a secure communication platform to improve communications between care teams, patients, and their families. Secure text messaging platform are fast becoming the number one choice due to the convenience of text messages, the security offered by the platforms, and the improvements they make to productivity and profitability.

98% of hospitals and 77% of physician practices said they have implemented secure, encrypted email and are using intrusion detection systems to ensure breaches are detected rapidly.

Many providers of secure text messaging solutions have developed their platforms specifically for the healthcare industry. The platforms incorporate all the necessary safeguards to meet HIPAA requirements and ensure PHI can be transmitted safely and securely. Text messaging is familiar to almost all employees who are provided access to the platforms and they make communication quick and easy.

However, 63% of respondents to the survey said they are still facing ongoing challenges with buy-in of general mobile adoption strategies and related enterprise technology execution.

30% of respondents said that even though secure methods of communication have been implemented such as encrypted text messaging platforms and secure email, they are still receiving communications on a daily basis from unsecured sources that contain personally identifiable information such as patients’ names and birthdates.

Part of the study involved an assessment of cybersecurity and privacy software and services, allowing the company to identify the vendors that are most highly regarded by customers. TigerText, the market leading provider of secure text messaging solutions for the healthcare industry, was rated highly across the board, as were Vocera, Spok, Doc Halo, and Imprivata.

Doc Halo was the highest rated secure communications platform provider among physician organizations, with Perfect Serve, Patient Safe Solutions, OnPage, Telemediq, and Voalte also scoring highly. Spok ranked highest among hospital systems and inpatient organizations, with Qlik and Cerner also receiving high marks.

“Stakeholders across the healthcare industry are in the quest of finding solutions to use comprehensive real-time data and connectivity cleverly to advance patient safety, productivity and profitability,” Doug Brown, president of Black Book Market Research. “Organizations are adopting secure text messaging platforms because texts are convenient, as well.”

The post More than 90% of Hospitals and Physicians Say Mobile Technology is Improving Patient Safety and Outcomes appeared first on HIPAA Journal.

Colorado Governor Signs Data Protection Bill into Law

Posted by HIPAA Journal

Colorado Governor John Hickenlooper has signed a bill – HB 1128 – into law that strengthens protections for consumer data in the state of Colorado. The bipartisan bill, sponsored by Reps. Cole Wist (R) and Jeff Bridges (D) and Sens. Kent Lambert (R) and Lois Court (D), was unanimously passed by the Legislature. The bill will take effect from September 1, 2018.

The bill requires organizations operating in the state of Colorado to implement reasonable security measures and practices to ensure the personal identifying information (PII) of state residents is protected. The bill also reduces the time for notifying the state attorney general about breaches of PII and introduces new rules for disposing of PII when it is no longer required.

Personal information is classed as first name and last name or first initial and last name in combination with any of the following data elements (when not encrypted, redacted, or secured by another means that renders the information unreadable):

  • Social Security number
  • Student ID number
  • Military ID number
  • Passport number
  • Driver’s license number or ID card number
  • Medical information
  • Health insurance ID number
  • Biometric data
  • Email addresses in combination with passwords or security Q&As
  • Financial account numbers, and credit cards and debit cards with associated security codes that would permit access/use

Reasonable Security Measures Must be Implemented

Covered entities will be required to implement and maintain “Reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.” Those measures should protect PII from unauthorized access, modification, disclosure, and destruction. In cases where PII is passed to a third party, the covered entity must ensure the third party also has reasonable security measures in place.

A written policy must be developed by all businesses that maintain the personal information of Colorado residents covering the disposal of that information when it is no longer required. Electronic data and physical documents containing PII must be disposed of securely. The bill suggests “Shredding, erasing, or otherwise modifying the personal identifying information in the paper or electronic documents to make the personal identifying information unreadable or indecipherable through any means.”

30-Day Maximum Time Limit for Issuing Breach Notifications

When the bill was first introduced, it required the state attorney general to be notified of a breach of PII within 7 days of discovery. Such a short time frame for issuing notifications can help to ensure prompt action is taken to prevent harm or loss, although such a short time frame means notifications would need to be issued before it would be possible, in many cases, to determine whether there had been any misuse of data. This requirement of the bill attracted considerable criticism from large businesses operating in Colorado.

After careful consideration, this requirement was amended and the time limit for issuing notifications has been extended to 30 days following the discovery of the breach. Even so, this makes the notification requirements the strictest of any state.  The state attorney general only needs to be notified of the breach if it has impacted more than 500 Colorado residents. Regardless of the scale of the breach, affected individuals must be notified within 30 days.

HIPAA-covered entities should note that the 30-day time limit will apply even though HIPAA allows up to 60 days to issue notifications. HIPAA-covered entities and entities covered by the Gramm-Leach-Bliley Act are not exempt.

Breach notices are required for any security breach that exposes personal information, except a good faith acquisition of personal information by an employee or agent of a covered entity if the information is not used for a purpose unrelated to the lawful operation of the business and if that information is not subject to further unauthorized disclosure.

A notice must also be placed on the website of the breached entity and a notification issued to statewide media.

The post Colorado Governor Signs Data Protection Bill into Law appeared first on HIPAA Journal.