Healthcare Data Security

EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach

Posted by HIPAA Journal

A 2016 mailing error by EmblemHealth that saw the Health Insurance Claim Numbers of 81,122 plan members printed on the outside of envelopes has resulted in a $575,000 settlement with the New York Attorney General.

While all mailings include a unique patient identifier on the envelope, in this case the potential for harm was considerable as Health Insurance Claim numbers are formed using the Social Security numbers of plan members.

Announcing the settlement, New York Attorney General Eric T. Schneiderman explained that Health Insurance Portability and Accountability Act (HIPAA) Rules require HIPAA covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality of patients’ and plan members’ protected health information.

The error that saw Social Security numbers exposed violated HIPAA Rules. EmblemHealth failed to comply with “many standards and procedural specifications” required by HIPAA. Attorney General Schneiderman also said that printing Social Security numbers on the outside of envelopes violated New York General Business Law § 399-ddd(2)(e).

In addition to the $575,000 settlement, EmblemHealth is required to adopt a robust corrective action plan that requires a comprehensive risk analysis to be conducted related to the mailing of policy documents. The results of that risk analysis must be reported to the Attorney General’s office within 180 days. Policies and procedures related to mailings must also be reviewed and updated based on the findings of the risk analysis.

EmblemHealth must catalogue, review, and monitor mailings and ensure that all employees involved in mailings receive appropriate training. They must also be instructed to report any violations of the HIPAA Minimum Necessary Standard to EmblemHealth officials to allow prompt action to be taken manage risks to plan members. EmblemHealth is also required to report all security incidents to the Attorney General’s office for a period of 3 years from the date of the settlement.

According to Attorney General Schneiderman, New York has “weak and outdated security laws” which he has attempted to address by introducing the ‘Stop Hacks and Improve Electronic Data Security (SHIELD) Act’ in November 2017. There will now be a further push to get the SHIELD Act passed. Schneiderman claims the SHIELD Act will improve protections for state residents. Businesses will also be held accountable for data breaches that result in customers’ personal data being exposed.

“The careless handling of social security numbers is never acceptable,” said Attorney General Schneiderman. “New Yorkers need to be able to trust that companies entrusted with their private information will guard it appropriately. This starts with good governance—which is why my office will continue to push for stronger security laws and hold businesses accountable for protecting their customers’ personal data.”

The post EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach appeared first on HIPAA Journal.

What is HIPAA Certification?

Posted by HIPAA Journal

A frequently asked question in the healthcare industry is what is HIPAA certification; for although there is no standard or implementation specification within HIPAA that requires Covered Entities or Business Associate to certify compliance, several third-party organizations offer HIPAA certification services.

What is HIPAA Certification?

Although there is no official HHS-mandated HIPAA certification process or accreditation, it would be beneficial if there was. A HIPAA compliance certification could demonstrate that a Covered Entity or Business Associate understands and complies with HIPPA regulations – thus, for example, saving Covered Entities a considerable amount of time conducting due diligence on prospective vendors.

Nonetheless, despite there being no requirement for HIPAA certification, some companies claim to be certified as HIPAA compliant. What this means is they have passed a third-party organization´s HIPAA compliance program and implemented mechanisms to maintain compliance. In the absence of a program endorsed by the Department of Health and Human Services (HHS), this is the next best thing.

Why there is No HHS-Endorsed HIPAA Certification

The Department of Health and Human Services does not endorse any type of HIPAA certification because HIPAA compliance is an on-going progress. A HIPAA certified company may have passed a third-party organization´s HIPAA compliance program and implemented mechanisms to maintain compliance, but that is no guarantee the company will remain HIPAA compliant in the future.

There are multiple reasons why a company may not remain HIPAA compliant in the future. It may change the technologies it uses or the ways in which technologies are used. It may change business objectives, operational procedures, or change staff management policies. Any of these changes might invalidate a HIPAA certification – notwithstanding that HIPAA regulations may also change in the future.

HIPAA Training and Certification

HIPAA does not require employees to complete any specific training program and obtain HIPAA certification. However it is necessary for HIPAA training to be provided “as necessary and appropriate for members of the workforce to carry out their functions.” It is also necessary for the date and nature of the training to be documented, and the documentation maintained for at least six years.

Since HIPAA Rules are complex and far-reaching, HIPAA training companies are often used as an alternative to in-house training. The training companies employ HIPAA compliance experts to train employees on the aspects of HIPAA relevant to their roles – such as the correct ways of handling protected health information (PHI), and allowable uses and disclosures of PHI.

One of the benefits to Covered Entities of using a third-party HIPAA training company is that, at the successful conclusion to a training course, they are issued with a HIPAA certification to verify and validate that employees have attended a HIPAA training course. While the certification may not be endorsed by the HHS, it will be beneficial to the Covered Entity in the event of a HIPAA audit.

Third Party Audits Confirming HIPAA Compliance

With regards to HIPAA audits, it is important to note the HHS states on its website that “Certifications do not absolve Covered Entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.”

Nonetheless, it is common for potential Business Associates of HIPAA Covered Entities to undergo audits by third party HIPAA compliance experts in order to confirm that their products, services, policies, and procedures meet HIPAA standards. The audits are useful for Covered Entities´ peace of mind as they confirm HIPAA compliance at the time the audit was conducted.

However, for Business Associates unfamiliar with the far-reaching complexities of HIPAA, it is likely they will require help to become compliant. For this reason, it can be important to select a third-party organization that not only offers HIPAA certification services, but one that can help Business Associates implement effective HIPAA compliance programs.

The post What is HIPAA Certification? appeared first on HIPAA Journal.

New York Surgery & Endoscopy Center Discovers 135,000-Record Data Breach

Posted by HIPAA Journal

A malware infection at St. Peter’s Surgery & Endoscopy Center in New York has potentially allowed hackers to gain access to the medical records of as many as 135,000 patients.

This is the second largest healthcare data breach of 2018, the largest to hit New York state since the 3,466,120-record data breach at Newkirk Products, Inc. in August 2016, and the fifth largest healthcare data breach in New York since the Department of Health and Human Services’ Office for Civil Rights started publishing data breach summaries in October 2009.

The data breach at St. Peter’s Surgery & Endoscopy Center was discovered on January 8, 2018: The same day as hackers gained access to its server. The rapid detection of the malware limited the time the hackers had access to the server and potentially prevented patients’ data from being viewed or copied. However, while no evidence of data access or data theft was discovered, it was not possible to rule either out with a high degree of certainty.

In its substitute branch notice, St. Peter’s Surgery & Endoscopy Center says the servers it uses are separate from St. Peter’s Hospital and Albany Gastroenterology Consultants. Protected health information held by those medical centers was not compromised as a result of the malware infection. Only patients who have previously visited St. Peter’s Surgery & Endoscopy Center for medical treatment have potentially been affected. Letters to affected patients were mailed on February 28, 2018 and the incident has been reported to the HHS’ Office for Civil Rights.

The information potentially accessed/copied was limited to patients’ names, addresses, dates of birth, dates of service, diagnosis codes, procedure codes, and insurance information. Some patients also had Medicare information exposed. Patients without Medicare did not have their social security numbers exposed and no patients’ banking or credit/debit card numbers were exposed.

Patients whose Medicare information was exposed have been offered one year of credit monitoring and identity theft protection services without charge “out of an abundance of caution” and all patients have been advised to check their health insurance statements carefully for any sign of fraudulent use of their information.

No information has been released on the exact nature of the security breach, such as how the hackers gained access to the server to install malware. St. Peter’s Surgery & Endoscopy Center said action is being taken to bolster security, which includes further staff training. The purchase of additional – and more elaborate – anti-virus and anti-malware solutions is also being evaluated.

The post New York Surgery & Endoscopy Center Discovers 135,000-Record Data Breach appeared first on HIPAA Journal.

Is Google Slides HIPAA Compliant?

Posted by HIPAA Journal

Is Google Slides HIPAA compliant? Can Google Slides be used by healthcare organizations without violating HIPAA Rules? This post explores whether Google Slides is HIPAA compliant and whether it is possible to use the presentation editor in connection with electronic protected health information.

Google Slides is a presentation editor that allows users to create slide shows, training material, and project presentations. It is an ideal option for users who do not regularly create slide shows or presentations and do not have a software package that offers the same functionality. Google Slides is available free of charge for consumers to use and is equivalent to Microsoft’s PowerPoint.

Healthcare organizations that are looking to create training courses and slideshows that involve the use of data protected by HIPAA need to exercise caution. Use of Google Slides with electronic protected health information could potentially violate HIPAA Rules and patient privacy. That could all too easily result in a financial penalty.

Google Slides is a web-based presentation program that is not exempt from HIPAA under the HIPAA Conduit Exception Rule. The use of any ePHI with Google Slides is prohibited by the Privacy Rule unless healthcare organizations enter into a business associate agreement with Google prior to the use of Google Slides.

How to Make Google Slides HIPAA Compliant

The first step to take before using Google Slides in connection with any ePHI is to enter into a business associate agreement with Google. Google offers a BAA for healthcare organizations covering G Suite and Google Drive, which includes Google Docs, Google Sheets, Google Forms, and Google Slides.

As with all Google Drive services, it is essential to control who has access to files created on Google Drive. Healthcare organizations must ensure that any files created can only be accessed by individuals authorized to view the files and links to the files can only be shared with specific people. Sharing permissions should be carefully configured to prevent any accidental disclosures of ePHI.

It is important that no ePHI is included in the titles of any files created on Google Drive and third-party applications should be disabled. If applications need to be used, the security of those applications must be assessed and the developer’s documentation carefully checked. Third-party application developers would also be considered business associates and BAAs would be necessary.

Provided a BAA has been obtained from Google, Google Drive permissions are configured correctly, and best practices are followed, the Google Drive suite of products can be used by healthcare organizations in connection with ePHI.

The post Is Google Slides HIPAA Compliant? appeared first on HIPAA Journal.

Hacking Responsible for 83% of Breached Healthcare Records in January

Posted by HIPAA Journal

The latest installment of the Protenus Healthcare Breach Barometer report has been released. Protenus reports that overall, at least 473,807 patient records were exposed or stolen in January, although the number of individuals affected by 11 of the 37 breaches is not yet known. The actual total is likely to be considerably higher, possibly taking the final total to more than half a million records.

The report shows insiders are continuing to cause problems for healthcare organizations. Insiders were the single biggest cause of healthcare data breaches in January. Out of the 37 healthcare data breaches reported in January 12 were attributed to insiders – 32% of all data breaches.

While insiders were the main cause of breaches, the incidents affected a relatively low number of individuals – just 1% of all records breached. Insiders exposed 6,805 patient records, although figures could only be obtained for 8 of the 12 breaches. 7 incidents were attributed to insider error and five were due to insider wrongdoing.

Protenus has drawn attention to one particular insider breach. A nurse was discovered to have accessed the health information of 1,309 patients without authorization over a period of 15 months. If the healthcare organization had technology in place to monitor for inappropriate access, the privacy of hundreds of patients would not have been violated.

The second biggest cause of healthcare data breaches in January were hacking/IT incidents. There were 11 hacking/IT incidents reported by healthcare organizations in January – 30% of all breaches. In contrast to insider incidents, these were not small breaches. They accounted for 83% of all breached records in January. One single hacking incident involved 279,865 records. That’s 59% of all breached records in the month.

In total, 393,766 healthcare records were exposed by hacks and other IT incidents. The final figure could be substantially higher as figures for five of those breaches have not been obtained. One of the incidents involving an unknown number of records was the ransomware attack on the EHR company Allscripts, which resulted in some of its applications being unavailable for several days. That incident could well be the biggest breach of the month.

Ransomware attacks are still a major problem in healthcare, with six of the 11 incidents involving ransomware or malware. Phishing – the subject of February’s cybersecurity letter from the HHS’ Office for Civil Rights – was involved in at least two breaches.

The loss or theft of electronic devices containing ePHI or physical records accounted for 22% of the breaches. Two incidents involving the loss of patient records impacted 10,590 individuals and four out of the six theft incidents impacted 50,929 individuals. The number of individuals affected by the other two theft incidents is unknown. The cause of 16% of January’s data breaches has not yet been disclosed.

The types of breached entities followed a similar pattern to previous months, with healthcare providers accounting for the majority of breaches (84%). 5% of the breaches had some BA involvement and 3% affected health plans. 8% affected other entities.

Information on the length of time it took to detect breaches was only obtained for 11 of the 37 incidents. The median time from the incident to detection was 34 days and the average was 252 days. The average was affected by one incident that took 1445 days to discover.

The median time from discovery of a breach to reporting the incident was 59 days; one day shy of the 60-day absolute limit of the Breach Notification Rule. The average was 96 days. Four healthcare organizations took longer than 60 days to report their breaches, with one taking more than 800 days.

The post Hacking Responsible for 83% of Breached Healthcare Records in January appeared first on HIPAA Journal.

Fresh FBI Warning Issued Following Spike in W-2 Phishing Campaigns

Posted by HIPAA Journal

The Federal Bureau of Investigation has issued a fresh warning to businesses due to a significant rise in phishing attacks targeting payroll employees. The aim of the phishing attacks is to obtain copies of the W-2 forms of employees. Data on the forms is used for identity theft and tax fraud.

Last year saw record numbers of attacks on businesses, educational institutions, and healthcare organizations. In some cases, the W-2 form information of thousands of employees was emailed to scammers by payroll employees. The IRS reports that there were at least 200 businesses targeted and more than 900 complaints were received about tax-related scams.

The Internal Revenue Service’s Online Fraud Detection & Prevention division has been monitoring for phishing scams impersonating the IRS and has recorded a sharp increase in email scams. While some email scams have targeted consumers, businesses are most at risk.

Consumer-focused scams typically involve IRS-themed emails, whereas attacks on businesses typically see company executives and the CEO impersonated. The emails request copies of W-2 forms for employees who have worked in the past fiscal year.

The scammers typically research companies to identify the format of emails used, the name of the CEO and executives, and payroll and accounts department employees to target. Some scams involve spoofed email addresses, others have seen the emails accounts of executives compromised, adding legitimacy to the requests.

In many cases, once the attackers have obtained W-2 Form data a further request is sent requesting a wire transfer. Several organizations have fallen for these scams, which may not be detected for days, weeks, or months.

The email scams can be convincing and difficult to detect, especially when email accounts have been compromised. However, if basic security best practices are followed, risk can be minimized.

The FBI recommends:

  • Out of band authentication of all requests for copies of W-2 Form and tax-related information
  • Limiting the number of employees who have access to employee tax information and are authorized to make wire transfers
  • Implementation of procedures that require changes to bank account information of suppliers to be verified by phone with the telephone number taken from a contact list
  • Procedures requiring wire transfers over a set threshold to be subjected to more rigorous security checks, including verification by more than one member of staff
  • Dual approval of wire transfers for all new trading partners and for non-standard transactions, including transfers to overseas accounts
  • Delaying transactions to allow additional verifications to be performed

The post Fresh FBI Warning Issued Following Spike in W-2 Phishing Campaigns appeared first on HIPAA Journal.

OPM Alleges Health Net Refused to Fully Comply with Recent Security Audit

Posted by HIPAA Journal

The U.S. Office of Personnel Management (OPM) Office of the Inspector General Office of Audits (OIG) has issued a Flash Audit Alert alleging Health Net of California has refused to cooperate with a recent security audit.

Health Net provides benefits to federal employees, and under its contract with OPM, is required to submit to audits. OPM has been conducting security audits on FEHBP insurance carriers for the past 10 years, which includes scanning for vulnerabilities that could potentially be exploited to gain access to the PHI of FEHBP members.

When OPM conducts audits, it is focused on the information systems that are used to access or store the data of Federal Employee Health Benefit Program (FEHBP) members. However, OPM points out that many insurance carriers do not segregate the data of FEHBP members from the data of commercial and other Federal customers. Audits of technical infrastructure need to be conducted on all parts of the system that have a logical or physical nexus with FEHBP data. Consequently, systems containing data other than that of FEHBP members will similarly be assessed for vulnerabilities.

In its Flash Audit Alert, OPM said Health Net refused to allow OPM to conduct vulnerability and configuration management testing and documentation was not provided that would allow OPM to test whether Health Net was able to remove information system access for contractors who no longer needed data access and for terminated employees.

By refusing to cooperate, OPM was unable to determine whether Health Net has been acting as a responsible custodian of sensitive protected health information of FEHBP members.

Health Net maintains that it has cooperated with OPM and allowed the agency to conduct the audit, although the insurance carrier consulted with its external counsel and was advised that if it cooperated fully with OPMs requests and submitted to certain parts of the audit process, it would risk violating contracts with other third parties. Health Net has obligations to those third parties to ensure their data is protected.

Health Net maintains that it has – and will – be able to satisfy the requests of OPM and OIG without compromising the security of its system and the privacy and confidentiality of members’ and employees’ data. Health Net also claims that the allegations made in the OPM report are unfounded.

“We understand the concerns associated with work of this nature, we take great care to minimize risk. Our procedures were developed as part of a collaborative working group comprised of health insurance industry Chief Information Officers and Chief Information Security Officers,” said OPM in its report. “There is nothing unique about Health Net, its technical environment, or the nature of our proposed testing that would exempt Health Net from our oversight and this testing.”

At this stage it is unclear what, if any, action OPM will take against Health Net if the company continues to refuse to comply with its audit requests in full.

The post OPM Alleges Health Net Refused to Fully Comply with Recent Security Audit appeared first on HIPAA Journal.

Is Google Sheets HIPAA Compliant?

Posted by HIPAA Journal

Is Google Sheets HIPAA compliant? Can HIPAA-covered entities use Google Sheets to create, view, or share spreadsheets containing identifiable protected health information or would using Google Sheets violate HIPAA Rules? In this post we assess whether Google Sheets supports HIPAA compliance. 

Under HIPAA Rules, healthcare organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of PHI. While it is straightforward to implement controls internally to keep data secure, oftentimes third parties are contracted to provide services that require access to PHI. They too must abide by HIPAA Rules covering privacy, security, and breach notifications.

A third-party that requires access to PHI – or copies of health data – to perform services on behalf of a covered entity is considered a business associate. A covered entity and business associate must enter into a contract – a business associate agreement – in which the business associate agrees to comply with certain aspects of the HIPAA Privacy, Security, and Breach Notification Rules. Without a business associate agreement in place, any sharing of PHI would be considered a HIPAA violation.

While Google does not look at the information uploaded to Google Sheets, since Google can potentially access the information, and data is stored on its servers, a business associate agreement would be required.

Will Google Sign a BAA with HIPAA Covered Entities for Google Sheets?

Google is committed to protecting the privacy of its customers’ data and ensuring all of its services are secure and data can always be accessed. Google is aware of the requirements of the Health Insurance Portability and Accountability Act and the firm is prepared to enter into a business associate agreement with HIPAA covered entities for certain services.

Google offers a BAA for G Suite, which includes Google Drive. Google Sheets, Google Docs, Google Slides, and Google Forms are all part of Google Drive and are covered by the BAA.

Google explains in its terms and conditions that any HIPAA covered entity or business associate of a HIPAA covered entity that wishes to use G Suite in connection with any PHI must enter into a BAA with Google before any of its services are used in connection with PHI.

Is Google Sheets HIPAA Compliant?

Since Google offers a BAA, is Google Sheets HIPAA compliant? Google can be considered a HIPAA compliant service provider as Google supports HIPAA compliance for G Suite Basic, G Suite for Education, G Suite Business, and G Suite Enterprise domains and will enter into a BAA with healthcare customers.

Once a BAA has been obtained, it is the responsibility of the covered entity or business associate to ensure that Google Sheets and all other Google Drive and G Suite products and services are used correctly in a manner that does not violate HIPAA Rules.

The post Is Google Sheets HIPAA Compliant? appeared first on HIPAA Journal.

Is IBM Cloud HIPAA Compliant?

Posted by HIPAA Journal

Is IBM Cloud HIPAA compliant? Is the cloud platform suitable for healthcare organizations in the United States to host infrastructure, develop health applications and store files? In this post we assess whether the IBM Cloud supports HIPAA compliance and the platform’s suitability for use by healthcare organizations.

IBM offers a cloud platform to help organizations develop their mobile and web services, build native cloud apps, and host their infrastructure along with a wide range of cloud-based services for the capture, analysis, and processing of data.

The platform has already been adopted by many healthcare providers, payers, and health plans, and applications and portals have been developed to provide patients with better access to their health information.

IBM Cloud Security

IBM is a leader in the field of network and data security, and its expertise has meant its cloud platform is highly secure. Security is built into the core of all of the firm’s software and services to ensure that sensitive data remains confidential and cannot be accessed by unauthorized individuals. Its audit and security reports are made available to its clients to assess during risk analysis and risk management processes.

Business Associate Agreement for the IBM Cloud Platform

Since 2014, IBM has been offering its cloud services to healthcare clients and has been entering into business associate agreements for its social, mobile, meetings, and mail cloud offerings.

IBM’s business associate agreements covers the IBM Cloud and details its responsibilities for security, including technical and physical controls in its data centers, permitted uses and disclosures of PHI, use of subcontractors, and its reporting requirements in the event of a security breach.

Healthcare customers must ensure they have a signed copy of the business associate agreement from IBM before any IBM cloud services are used in conjunction with protected health information.

IBM also offers HIPAA covered entities and their business associates services to help them configure their cloud applications correctly and create appropriate privacy and security solutions.

Is the IBM Cloud HIPAA Compliant?

Is the IBM Cloud HIPAA compliant? IBM meets its responsibilities as a business associate by ensuring its cloud platform meets and exceeds the minimum requirements of the HIPAA Security Rule and IBM agrees to abide by the HIPAA Privacy Rule and Breach Notification Rule.

IBM will enter into a business associate agreement with HIPAA covered entities covering the IBM Cloud, So the IBM Cloud can be considered a HIPAA compliant cloud platform.

However, HIPAA compliance is a shared responsibility. IBM only provides the security and the tools to ensure its cloud platform can be used without violating HIPAA Rules. It is the responsibility of HIPAA-covered entities to ensure that cloud-based infrastructure and applications are not misconfigured, and that stored files are appropriately secured.

The post Is IBM Cloud HIPAA Compliant? appeared first on HIPAA Journal.