Healthcare Data Security

AJMC Study Reveals Common Characteristics of Hospital Data Breaches

Posted by HIPAA Journal

The American Journal of Managed Care has published a study of hospital data breaches in the United States. The aim of the study was to identify common characteristics of hospital data breaches, what the biggest problem areas are, the main causes of security incidents and the types of information most at risk.

The study revealed hospitals are the most commonly breached type of healthcare provider, accounting for approximately 30% of all large healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights by providers between 2009 and 2016.

Over that 7-year time period there were 215 breaches reported by 185 nonfederal acute care hospitals and 30 hospitals experienced multiple breaches of 500 or more healthcare records. One hospital experienced 4 separate breaches in the past 7 years, five hospitals had 3 breaches, and 24 hospitals experienced 2 breaches. In addition to hospitals experiencing the highest percentage of security breaches, those breaches also resulted in the theft/exposure of the highest number of health records.

While hacks were commonly experienced, it was not electronic healthcare data that was the biggest problem area. Paper and film were the most common locations of breached protected health information. 65 hospitals reported paper/film data breaches over the time period that was studied; however, while those breaches were the most common, they typically affected a relatively small number of patients.

Recently, there has been an increase in hacks and malware and ransomware attacks on network servers, although between 2009 and 2016 – for hospitals at least – network servers were the least common location of breached PHI. While the least common, they were the most severe. Network server breaches resulted in the highest number of stolen records.

The second most common location of breaches was PHI stored in locations other than paper/film, laptops, email, desktops, EHRs, or network servers. Those breaches had been reported by 56 hospitals. In third place was laptop breaches, reported by 51 hospitals.

The types of data breaches most commonly experienced were theft incidents, which had been reported by 112 hospitals. Unauthorized access/disclosures were in second place with incidents reported by 54 hospitals. Hacking/IT incidents was third and was behind 27 hospital data breaches.

Multivariate logistic regression analyses were performed to explore factors associated with hospital data breaches. The researchers found significant differences between hospitals that had experienced a data breach and those that had not.

Teaching hospitals and pediatric hospitals were found to be the most susceptible to data breaches. 18% of teaching hospitals had experienced at least one data breach, compared to 3% without a breach. Six percent of pediatric hospitals had experienced a breach compared to 2% that had not.

Larger hospitals were also more prone to data breaches than smaller facilities. 26% of large hospitals had experienced a data breach, compared to 10% that had no breaches. Investor-owned hospitals had reported fewer breaches than not-for profit hospitals.

There were no significant differences based on the level of IT sophistication, health system membership, biometric security use, hospital region, or area characteristics.

The researchers suggest that while hospitals have invested in technology and have digitized health data to meet Meaningful Use requirements, security has not been a major focus and investment in data security has been lacking. Hospitals are typically only spending 5% of their IT budgets on security and that needs to improve if hospital data breaches are to be prevented. Security measures also need to be improved for paper/films to reduce the opportunity for unauthorized access and theft.

The researchers suggest hospitals should be conducting regular audits to determine who is accessing PHI, while audits of data security protections will help hospitals identify vulnerabilities before they are exploited.

The use of biometric identifiers can limit the potential for unauthorized access of ePHI and 2-Factor authentication should be implemented on all user accounts.

The researchers also suggest access to PHI should be limited to the minimum necessary amount to allow employees to complete their work duties. By restricting access, the severity of data breaches will be reduced.

The methodology, full results, and conclusions can be found on this link.

The post AJMC Study Reveals Common Characteristics of Hospital Data Breaches appeared first on HIPAA Journal.

What Covered Entities Should Know About Cloud Computing and HIPAA Compliance

Posted by HIPAA Journal

Healthcare organizations can benefit greatly from transitioning to the cloud, but it is essential to understand the requirements for cloud computing to ensure HIPAA compliance.

In this post we explain some important considerations for healthcare organizations looking to take advantage of the cloud, HIPAA compliance considerations when using cloud services for storing, processing, and sharing ePHI, and we will dispel some of the myths about cloud computing and HIPAA compliance.

Myths About Cloud Computing and HIPAA Compliance

There are many common misconceptions about the cloud and HIPAA compliance, which in some cases prevent healthcare organizations from taking full advantage of the cloud, and in others could result in violations of HIPAA Rules.

Some of the common myths about cloud computing and HIPAA compliance are detailed below:

Use of a ‘HIPAA compliant’ cloud service provider will ensure HIPAA Rules are not violated

False: A cloud service provider can incorporate all the necessary safeguards to ensure the service or platform can be used in a HIPAA compliant manner, but it is the responsibility of the covered entity or business associate using the service to ensure that HIPAA Rules are followed. CSPs will not accept liability for misuse of their service/platform or misconfigurations by healthcare employees.

Cloud service providers are classed as conduits and a BAA is not required

False: Cloud services providers are considered business associates (see below) even if they do not – or cannot access stored data. The failure to enter into a business associate agreement prior to using the platform or service in connection with ePHI is a serious violation of HIPAA Rules.

A business associate agreement is required before de-identified PHI can be stored in the cloud

False: There are no HIPAA Privacy Rule restrictions covering the use or storage of de-identified PHI. De-identified PHI is not considered to be protected health information.

Physicians cannot use mobile devices to access ePHI stored in the cloud

False. There is nothing in HIPAA Rules that prevents the use of mobile devices for accessing data stored in the cloud, provided administrative, technical, and physical safeguards are in place to ensure the confidentiality, integrity, and availability of PHI for any data stored in the cloud or downloaded to a mobile device.  However, some healthcare organizations may have internal policies prohibiting the use of mobile devices with cloud services.

Cloud service providers must retain PHI for 6 years

False: HIPAA-covered entities must retain PHI for 6 years, but that rule does not apply to cloud service providers. If a HIPAA covered entity stops using a cloud service, all stored data must be returned to the covered entity or should be permanently deleted. If the CPS is required to retain stored data to meet the requirements of other laws, the information must be returned or deleted when that time period has elapsed.

A cloud service provider cannot be used if data is stored outside of the United States

False: A cloud service provider can store data on servers located in any country. There are no geographical restrictions. However, HIPAA covered entities should assess the risks – by means of a risk analysis – before using such a cloud service, as data stored on servers overseas may not be subject to the same level of protection as data stored on U.S-based servers.

Cloud Service Providers and Business Associate Agreements

While cloud service providers have long been known to be HIPAA business associates, the introduction of the HIPAA Omnibus Rule in 2013 made this clearer. “A data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.”

The HIPAA conduit exception rule does not apply to cloud service providers. Companies are only considered ‘conduits’ if they offer a transmission only communication services when access to communications is only transient in nature. Cloud service providers are not considered to be conduits, even if the service provider encrypts all data and does not hold the keys to unlock the encryption.

Consequently, a business associate agreement must be entered into with the cloud platform or service provider before the platform or service is used for storing, processing, or transmitting ePHI.

If the cloud service is only ever used for sharing or storing de-identified PHI, a BAA is not required. De-identified PHI is no longer PHI, provided all identifiers have been stripped from the data. (See deidentification of PHI for further information.)

Cloud Computing and HIPAA Compliance

Cloud computing and HIPAA compliance are not at odds. It is possible to take advantage of the cloud and even improve security, but there are important considerations for any healthcare organizations considering using cloud services for storing, sharing, processing, or backing up ePHI

Risk Analysis and Risk Management

Prior to the use of any cloud service it should be subjected to a risk assessment. HIPAA-covered entities and their business associates must conduct their own risk analysis and establish risk management policies.

Business Associate Agreements

Before any cloud platform or service is used in connection with ePHI, the service provider and covered entity must enter into a HIPAA-compliant business associate agreement. The use of a cloud service without a BAA in place is a violation of HIPAA Rules.

Service Level Agreements (SLA)

In addition to a BAA, covered entities should consider a service level agreement (SLA) covering more technical aspects of the service, which may or may not address HIPAA concerns. The service level agreement can cover system uptime, reliability, data backups, disaster recovery times, customer service response times, and data return or deletion when the BAA is terminated. The SLA should also include the penalties should performance fall short of what has been agreed.

Encryption

Any data shared via the cloud should be protected by end-to-end encryption, and any data stored in the cloud should be encrypted at rest. Full considerations should be given to the level of encryption used by the CSP, which should meet NIST standards. While encryption is important, it will not satisfy all Security Rule requirements and will not maintain the integrity of ePHI nor ensure its availability.

Access Controls

Covered entities must ensure that access controls are carefully configured to ensure that only authorized individuals are able to access ePHI stored in the cloud. Prior to the use of any cloud platform or service, the administrative and physical controls implemented by the cloud service provider should be carefully evaluated.

Data Storage Locations

Covered entities should determine the locations where data is stored and risks associated with those locations should be evaluated during the risk analysis. Cloud service providers often store data in multiple locations to ensure fast access and rapid data recovery in the event of disaster. Data protection laws in foreign countries may differ considerable from those in the U.S.

Maintaining an Audit Trail

Healthcare organizations must have visibility into how cloud services are used, who is accessing cloud data, failed attempts to view cloud resources, and files that have been shared, uploaded, or downloaded. An audit trail must be maintained and logs should be reviewed regularly.

Cloud Benefits for Healthcare Organizations

Some of the key benefits for healthcare organizations from transitioning to the cloud are detailed below:

  • Linking a public cloud with data centers allows healthcare organizations to increase capacity without having to invest in additional hardware
  • The cloud is highly scalable – Capacity can be easily increased to meet business demands
  • Healthcare organizations can improve security by avoiding transporting ePHI on portable devices such as zip drives, portable hard drives, and laptop computers. The loss and theft of portable devices is a major cause of HIPAA data breaches
  • The cloud makes sharing ePHI with partners, patients, and researchers easier and faster
  • An unlimited number of data backups can be stored in the cloud. Data can be recovered quickly in the event of disaster
  • The cloud can help healthcare organizations decommission legacy infrastructure and improve security
  • The cloud allows healthcare organizations to reduce their data center footprints
  • Healthcare data can be securely accessed by authorized individuals in any location
  • The cloud allows healthcare organizations to offer and improve their telehealth services
  • The cloud supports the creation of an edge computing system to reduce latency and speed up data access

Choosing a Cloud Partner

While there are many cloud service providers that are willing to work with healthcare organizations, not all are prepared to accept liability for data breaches or violations of HIPAA Rules. Any CSP that will not sign a BAA should be avoided; however, not all cloud companies offer the same level of protection for stored and transmitted data. Willingness to sign a BAA is no guarantee of the quality of the service.

It is essential for a HIPAA covered entity to carefully assess any cloud service, even if the company claims it supports HIPAA compliance.

HIPAA-Compliant Cloud Platforms and Cloud Services

Over the coming weeks we will be assessing the services of a wide variety of cloud service providers to determine whether their platforms support HIPAA compliance.

For further information on specific vendors and to find out if they offer platforms that support HIPAA compliance, visit the links below:

Cloud Platforms

Cloud-Based Services

The post What Covered Entities Should Know About Cloud Computing and HIPAA Compliance appeared first on HIPAA Journal.

January 2018 Healthcare Data Breach Report

Posted by HIPAA Journal

Our January 2018 Healthcare Data Breach Report details the healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights in January 2018. There were 21 security breaches reported to OCR in January which is a considerable improvement on the 39 incidents reported in December 2017.

Healthcare data breaches by Month (August 2017-January 2018)

Last month saw 428,643 healthcare records exposed. While there was a 46.15% drop in the number of healthcare data breaches reported in January month over month, 87,022 more records were exposed or stolen than in December. January was the third consecutive month where the number of breached records increased month over month.

records exposed in January 2018 Healthcare Data Breaches

The mean breach size in January was 20,412 records – very similar to the mean breach size in December 2017 (20,487 records). However, the high mean value was due to a particularly large breach of 279,865 records reported by Oklahoma State University Center for Health Sciences. In January, the healthcare data breaches reported were far less severe than in December. In January the median breach size was 1,500 records. In December it was 15,857 records.

Largest Healthcare Data Breaches in January 2018

In January there were only four breaches reported that impacted more than 10,000 individuals, compared to nine such incidents in December 2017. Hacking incidents continue to result in the largest data breaches with five of the top six breaches the result of hacking/IT incidents, which includes hacks, malware infections and ransomware attacks.

 

Covered Entity Entity Type Individuals Affected Type of Breach
Oklahoma State University Center for Health Sciences Healthcare Provider 279865 Hacking/IT Incident
Onco360 and CareMed Specialty Pharmacy Healthcare Provider 53173 Hacking/IT Incident
Agency for Health Care Administration Health Plan 30000 Hacking/IT Incident
Decatur County General Hospital Healthcare Provider 24000 Hacking/IT Incident
Charles River Medical Associates, pc Healthcare Provider 9387 Loss
Westminster Ingleside King Farm Presbyterian Retirement Communities, Inc. Healthcare Provider 5228 Hacking/IT Incident
RGH Enterprises, Inc. Healthcare Provider 4586 Unauthorized Access/Disclosure
Gillette Medical Imaging Healthcare Provider 4476 Unauthorized Access/Disclosure
Zachary E. Adkins, DDS Healthcare Provider 3677 Theft
Steven Yang, D.D.S., INC. Healthcare Provider 3202 Theft

Main Causes of Healthcare Data Breaches in January 2018

While hacking/IT incidents and unauthorized access/disclosures shared top spot in January, the biggest cause of breaches was actually errors made by employees and insider wrongdoing. Insiders were behind at least 11 of the 21 breaches reported in January.  Four of the five loss/theft incidents involved portable electronic devices. Those incidents could have been avoided if encryption had been used.

Main Causes of January 2018 Data Breaches

  • Hacking/IT Incidents: 7 breaches
  • Unauthorized Access/Disclosure: 7 breaches
  • Loss/theft of physical records and portable devices: 5 breaches

January 2018 Healthcare Data Breaches by Incident Type

 

Records Exposed by Breach Type

The vast majority of individuals impacted by healthcare data breaches in January 2018 had their health data accessed or stolen in hacking/IT incidents. January saw a significant reduction in records exposed due to loss or theft – In December, incidents involving the loss or theft of devices and physical records impacted 122,921 individuals.

Main Causes of Exposed Healthcare Records in January 2018

  • Hacking/IT Incidents: 394,787 healthcare records exposed in 7 security incidents
  • Loss/theft of physical records and portable devices: 18,519 records exposed in 5 incidents
  • Unauthorized Access/Disclosure: 13,329 healthcare records exposed in 7 incidents

Main Causes of Healthcare Data Breaches in January 2018 - Records by breach type

Location of Data Breaches in January 2018

Overall, more incidents were reported involving electronic copies of health data in January, but covered entities must ensure that appropriate physical security and access controls are in place to prevent unauthorized accessing and theft of paper records. Training must also be provided to staff on disposing of physical records. Two improper disposal incidents were reported in January involving physical records.

Main Locations of Exposed Healthcare Records in January 2018

  • Paper/Films: 13,514 records exposed in 7 incidents: 4 unauthorized access/disclosures; 2 improper disposal incidents, and one incident involving the loss of records
  • Network Servers: 310,593 healthcare records exposed in 4 hacking/IT incidents involving network servers: 1 Hack, 2 malware incidents and one incident for which the cause is unknown
  • Laptop computers: 3 incidents involving laptop computers: 2 stolen devices and one hack/IT incident
  • Email: Three incidents involving unauthorized access/disclosure due to phishing and two hacking incidents
  • EMRs:  3 incidents involving EMRs: 2 unauthorized access incidents (Physician/nurse) and 1 hacking incident

January 2018 Healthcare Data Breaches - Location of breached PHI

January 2018 Healthcare Data Breaches by Covered Entity

In January, no business associates of HIPAA covered entities reported data breaches, and according to the OCR breach summaries, none of the 21 security breaches had any business associate involvement. Healthcare providers were the worst affected with 19 breaches reported.

Healthcare Records Breached

  • Healthcare providers: 398,009 healthcare records exposed in 19 incidents
  • Health plans: 30,634 healthcare records exposed in 2 incidents

January 2018 Healthcare Data Breaches by Entity Type

January Healthcare Data Breaches by State

In January, covered entities based in 15 states reported data breaches that impacted more than 500 individuals.

California was the worst hit state by some distance with 5 covered entities reporting breaches. Tennessee and Wyoming had two breaches apiece, with one incident reported by organizations based in Florida, Illinois, Kentucky, Massachusetts, Maryland, New Mexico, Nevada, Ohio, Oklahoma, Pennsylvania, Utah, and Washington.

Financial Penalties for HIPAA Covered Entities in January

There were no OCR HIPAA fines or settlements announced in January to resolve violations of HIPAA Rules, although the New York Attorney General did settle a case with health insurer Aetna.

Aetna was required to pay the NY AG’s office $1.15 million to resolve violations of HIPAA Rules and state laws. The violations were discovered during an investigation into a serious privacy breach experienced in July 2017. A mailing was sent to approximately 12,000 members in which details of HIV medications were visible through the clear plastic windows of the envelopes – An unauthorized disclosure of PHI. The mailing was sent on behalf of Aetna by a settlement administrator.

Further, it was alleged that Aetna provided PHI to its outside counsel, who in turn provided that information to the settlement administrator – a subcontractor – yet no business associate agreement was in place prior to that disclosure.

Aetna also settled a class action lawsuit in January over the breach. The lawsuit was filed by HIV/AIDS organizations on behalf of the victims of the breach. Aetna settled the lawsuit for $17,161,200.

That is unlikely to be the end of the fines. OCR may decide to take action over the breach and alleged HIPAA violations, and other state attorneys general have opened investigations. Aetna is also embroiled in costly legal action with its settlement administrator.

Data source for breaches: Department of Health and Human Services’ Office for Civil Rights.

The post January 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

Is eFileCabinet HIPAA Compliant?

Posted by HIPAA Journal

eFileCabinet is a document management and storage solution for businesses that offers on-site and cloud storage, but is the service suitable for the healthcare industry? Is eFileCabinet HIPAA compliant or will using the platform be considered a violation of HIPAA Rules?

What are Document Management Systems?

Document management systems allow organizations to carefully manage electronic documents and store them securely in one location. With huge volumes of documents being created, such systems take the stress out of document management and can help HIPAA covered entities share documents containing ePHI securely and avoid HIPAA violations.

There are many document management systems on the market, but not all support HIPAA compliance, so what about eFileCabinet? Is eFileCabinet HIPAA compliant?

eFileCabinet Security and Privacy Controls

Security controls include the encryption of data in transit and at rest with 256-bit encryption. Sensitive data can be securely shared with third-parties and remote employees via the company’s SecureDrawer feature. SecureDrawer allows files to be shared without having to send documents beyond the protection of the firewall. The files remain in the eFileCabinet system and are accessed through a secure, encrypted portal.

eFileCabinet allows user and role-based permissions to be set to limit access to sensitive information as well as restrict what users and user groups can do with documents containing ePHI. Controls can be set with varying levels of user authentication, from simple passwords to voice prints and facial recognition. Users are also automatically logged off after a period of inactivity.

Automated file retention satisfies HIPAA integrity control requirements, data backups are performed, and an audit trail is maintained with records kept of user access, what users have done with documents, and whether documents have been copied or downloaded.

Will eFileCabinet Sign a BAA with HIPAA Covered Entities and their Business Associates?

Privacy and security controls are only one part of HIPAA compliance. Even with all appropriate controls in place, a document management system is not a ‘HIPAA compliant’ service unless a business associate agreement (BAA) has entered into with the service provider. By providing a BAA, the service provider is confirming they have implemented all appropriate controls to ensure data security and are aware of their responsibilities with respect to HIPAA.  eFileCabinet is prepared to sign a BAA with HIPAA covered entities and their business associates.

However, it is up to the covered entity to ensure that all controls made available through eFileCabinet to support HIPAA compliance are configured correctly. Fail to set access controls appropriately, for example, and HIPAA Rules would be violated.

Is eFileCabinet HIPAA Compliant?

In our opinion, eFileCabinet has all the necessary security, access, and audit controls to ensure it can be used by healthcare organizations in a manner compliant with HIPAA Rules. eFileCabinet will also sign a business associate agreement with HIPAA covered entities and their business associates.

So, is eFileCabinet HIPAA compliant? Provided a business associate agreement has been entered into prior to the platform being used for storing or sharing ePHI, eFileCabinet can be considered a HIPAA compliant document management system.

The post Is eFileCabinet HIPAA Compliant? appeared first on HIPAA Journal.

$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes

Posted by HIPAA Journal

HIPAA covered entities and their business associates must abide by HIPAA Rules, yet when businesses closes the HIPAA obligations do not end. The HHS’ Office for Civil Rights (OCR) has made this clear with a $100,000 penalty for FileFax Inc., for violations that occurred after the business had ceased trading.

FileFax is a Northbrook, IL-based firm that offers medical record storage, maintenance, and delivery services for HIPAA covered entities. The firm ceased trading during the course of OCRs investigation into potential HIPAA violations.

An investigation was launched following an anonymous tip – received on February 10, 2015 – about an individual that had taken documents containing protected health information to a recycling facility and sold the paperwork.

That individual was a “dumpster diver”, not an employee of FileFax. OCR determined that the woman had taken files to the recycling facility on February 6 and 9 and sold the paperwork to the recycling firm for cash. The paperwork, which included patients’ medical records, was left unsecured at the recycling facility. In total, the records of 2,150 patients were included in the paperwork.

OCR determined that between January 28, 2015 and February 14, 2015, FileFax had impermissibly disclosed the PHI of 2,150 patients as a result of either: A) Leaving the records in an unlocked truck where they could be accessed by individuals unauthorized to view the information or; B) By granting permission to an individual to remove the PHI and leaving the unsecured paperwork outside its facility for the woman to collect.

Since FileFax is no longer in business – the firm was involuntarily dissolved by the Illinois Secretary of State on August 11, 2017 – the HIPAA penalty will be covered by the court appointed receiver, who liquidated the assets of FileFax and is holding the proceeds of that liquidation.

A corrective action plan has also been issued that requires the receiver to catalogue all remaining medical records and ensure the records are stored securely for the remainder of the retention period. Once that time period has elapsed, the receiver must ensure the records are securely and permanently destroyed in accordance with HIPAA Rules.

The settlement has been agreed with no admission of liability.

HIPAA Retention Requirements and Disposal of PHI

There are no HIPAA retention requirements – Covered entities and their business associates are not required to keep medical records after their business has ceased trading. However, that does not mean medical records and PHI can be disposed of immediately. Businesses are bound by state laws, which do require documents to be retained for a set period of time. For instance, in Florida, physicians must maintain medical records for 5 years after the last patient contact and in North Carolina hospitals must maintain records for 11 years following the last date of discharge.

During that time, HIPAA requires appropriate administrative, technical, and physical safeguards to be implemented to ensure those records are secure and remain confidential. After the retention period is over, all PHI must be disposed of in a compliant manner.

In the case of paper records, disposal typically means shredding, burning, pulping, or pulverization. Whatever method chosen must render the documents indecipherable and incapable of reconstruction.

This HIPAA breach is similar to several others that have occurred over the past few years. Businesses have ceased trading and paper records containing the protected health information of patients have been dumped, abandoned, or left unsecured. There have also been cases where businesses have moved location and left paperwork behind, only for contractors performing a cleanup or refurb of the property to find the paperwork and dispose of it with regular trash.

The failure to secure PHI during the retention period and the incorrect disposal of records after that retention period is over are violations of HIPAA Rules that can attract a significant financial penalty.

“The careless handling of PHI is never acceptable,” said OCR Director Roger Severino in a press release about the latest HIPAA settlement. “Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”

The post $100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes appeared first on HIPAA Journal.

Is Box HIPAA Compliant?

Posted by HIPAA Journal

Is Box HIPAA compliant? Can Box be used by healthcare organizations for the storage of documents containing protected health information or would doing so be a violation of HIPAA Rules? An assessment of the security controls of the Box cloud storage and content management service and its suitability for use in healthcare.

What is Box?

Box is a cloud storage and content management service that supports collaboration and file-sharing. Users can share files, invite others to view, edit or upload content. Box can be used for personal use; however, businesses need to sign up for either a business, enterprise, or elite account.

Is Box Covered by the Conduit Exception Rule?

The HIPAA conduit exception rule was introduced to allow HIPAA covered entities to use certain communications channels without having to obtain a business associate agreement. The conduit exception rule applies to telecoms companies and Internet service providers that act as conduits through which data flows. Cloud storage services are not covered under the HIPAA conduit exception rule, even if those entities claim they never access any data uploaded to their cloud service. Therefore, cloud storage services can only be used if a business associate agreement is entered into with the service provider.

Box and the HIPAA Business Associate Agreement

Box is confident it has put appropriate security controls in place to ensure all customers’ data is secured, both in transit to Box and while stored in the cloud. The company was formed in 2004, although it took nine years for the company to make its move into the healthcare sphere. In April 2013, Box started signing business associate agreements with HIPAA covered entities and their business associates. Box only offers a BAA to HIPAA covered entities if they have an enterprise or elite account.

Box for Healthcare Launched

In addition to agreeing to sign a BAA and having its service verified as supporting HIPAA compliance by an independent auditor, the company has now launched its Box for Healthcare service. The Box for Healthcare service has been developed to integrate seamlessly with top healthcare vendors such as IBM, Microsoft, Apple, TigerText, eHealth Technologies, and EDCO Health apps. The service helps healthcare organizations coordinate care, collaborate with research organizations, and share information securely with third parties outside the protection of the firewall.

The service includes all the necessary security controls to comply with the HIPAA Security Rule including data encryption at rest and in transit, audit controls, and configurable administrative controls that allow customers to monitor access, usage and document edits by employees and third parties, and set appropriate access and authentication controls.

Is Box HIPAA Compliant?

Any cloud service can be used in a manner that violates HIPAA Rules, as HIPAA compliance is more about the people that use a product or service rather than the product or service itself. That said, Box has implemented a wide range of safeguards and controls to ensure data privacy and security. So, is Box HIPAA compliant?

Provided a BAA has been obtained before the platform is used to store documents containing PHI, Box can be considered a HIPAA compliant cloud storage provider. However, it is the responsibility of the covered entity to ensure that the service is configured correctly and HIPAA Rules are followed.

The post Is Box HIPAA Compliant? appeared first on HIPAA Journal.

Healthcare Industry Scores Poorly on Employee Security Awareness

Posted by HIPAA Journal

A recent report published by security awareness training company MediaPro has revealed there is still a lack of preparedness to deal with common cyberattack scenarios and privacy and security threats are still not fully understood by healthcare professionals.

For MediaPro’s 2017 State of Privacy and Security Awareness Report, the firm surveyed 1,009 US healthcare industry employees to assess their level of security awareness. Respondents were asked questions about common privacy and security threats and were asked to provide answers on several different threat scenarios to determine how they would respond to real world threats.

Based on the responses, MediaPro assigned respondents to one of three categories. Heroes were individuals who scored highly and displayed a thorough understanding of privacy and security threats by answering 93.5%-100% of questions correctly. Novices showed a reasonable understanding of threats, answering between 77.4% and 90.3% of answers correctly. The lowest category of ‘Risks’ was assigned to individuals with poor security awareness, who scored 74.2% or lower on the tests. Those individuals were deemed to pose a significant risk to their organization and the privacy of sensitive data.

Overall, 78% of healthcare employees were classified as risks or novices. The percentage of individuals rated in these two categories across all industry sectors was 70%, showing the healthcare industry still lags behind other industry sectors on security awareness and privacy and security best practices.

The survey revealed physicians’ understanding of privacy and security threats was particularly poor. Half of physicians who took part in the study were classified as risks, meaning their actions were a serious security threat to their organization. Awareness of the common identifiers of phishing emails was particularly poor, with 24% of physicians displaying a lack of understanding of phishing, compared with 8% of office workers and non-provider counterparts.

One of the main areas where security awareness was lacking was the identification of the common signs of a malware infection. 24% of healthcare employees had difficulty identifying the signs of a malware infection compared to 12% of the general population.

Healthcare employees scored worse than the general population in eight areas assessed by MediaPro: Incident reporting, identifying personal information, physical security, identifying phishing attempts, identifying the signs of malware infections, working remotely, cloud computing, and acceptable use of social media.

MediaPro points out that the 2017 Data Breach Investigations Report from Verizon showed human error accounted for more than 80% of healthcare data breaches last year, emphasizing the need for improved security awareness training for healthcare employees. Further, cybercriminals have been increasing their efforts to gain access to healthcare networks and sensitive patient information.

“The results of our survey show that more work needs to be done,” MediaPro explains in the report. “HIPAA courses often do not include information on how to stay cyber-secure in an increasingly interconnected world. Keeping within HIPAA regulations, while vital, does not educate users on how to spot a phishing attack, for example.”

If the security awareness of healthcare employees is not improved, the healthcare industry is likely to continue to be plagued by data breaches, irrespective of the level of maturity of their security defenses.

The post Healthcare Industry Scores Poorly on Employee Security Awareness appeared first on HIPAA Journal.

How Many HIPAA Violations in 2017 Resulted in Financial Penalties?

Posted by HIPAA Journal

We are often asked about healthcare data breaches and HIPAA violations and two of the most recent questions are how many HIPAA violations in 2017 resulted in data breaches and how many HIPAA violations occurred in 2017.

How Many HIPAA Violations Occurred in 2017?

The problem with determining how many HIPAA violations occurred in 2017 is many violations are not reported, and out of those that are, it is only the HIPAA breaches that impact more than 500 individuals that are published by the Department of Health and Human Services’ Office for Civil Rights on its breach portal – often incorrectly referred to as the “Wall of Shame”.

To call it a ‘Wall of Shame’ is not fair on healthcare organizations because the breach reports show organizations that have experienced data breaches, NOT organizations that have violated HIPAA Rules. Even organizations with multi-million-dollar cybersecurity budgets, mature security defenses, and advanced employee security awareness training programs can experience data breaches. All it takes if for a patch not to be applied immediately or an employee to accidently click on a phishing link for a data breach to occur. The breach reports are therefore not an accurate guide to the number of HIPAA violations that have occurred.

Some attorneys general publish details of data breaches, and many of those breaches are the result of HIPAA violations; however, only a small number of states publish that data breach summaries and as with OCR’s breach portal, there are many breaches that have occurred at organizations that are fully compliant with HIPAA Rules. It is also not possible to say how many of those breaches were the result of HIPAA violations. That can only be determined with a detailed investigation.

Complaints about potential HIPAA violations are frequently submitted to OCR. These tend to be smaller incidents involving relatively few individuals, such as a patient who believes HIPAA Rules have been violated or employees who believe colleagues have violated HIPAA Rules. OCR occasionally releases figures on the number of complaints that it receives, but many of those complaints turn out to be unfounded and, in many cases, OCR cannot prove beyond reasonable doubt that a HIPAA violation has occurred.

It is also not possible to gauge the level of serious HIPAA violations that have occurred based on settlements and civil monetary penalties. Even when there is evidence to suggest HIPAA Rules have been violated, financial settlements are typically only pursued when a case against a HIPAA-covered entity is particularly strong and likely to be won.

It is therefore not possible to determine how many HIPAA violations in 2017 resulted in data breaches nor how many violations occurred last year.

How Many HIPAA Violations in 2017 Resulted in Financial Settlements?

It is also not possible to determine how many HIPAA violations in 2017 have resulted in financial penalties being issued, at least not yet. OCR and state attorneys general open investigations when data breaches are experienced or complaints are received about potential HIPAA violations. However, it takes time to conduct investigations and gather evidence. Even when there is evidence of HIPAA violations, cases can take years before settlements are reached or civil monetary penalties are issued.

The latest HIPAA settlement is a good example. Fresenius Medical Care North America settled its case with OCR for $3,500,000 in 2018, yet the data breaches that triggered the investigation occurred in 2012. The list below shows the settlements and civil monetary penalties issued in 2017 and the years in which the violations occurred.

So unfortunately, it is not possible to say how many HIPAA violations in 2017 resulted in financial penalties, as that will not be known for many years to come

HIPAA Settlements and Civil Monetary Penalties in 2017

 

Covered Entity Penalty Amount Penalty Type Reason for Penalty Date of Violation(s)
21st Century Oncology $2,300,000 Settlement Multiple HIPAA Violations 2015
Memorial Hermann Health System $2,400,000 Settlement Careless Handling of PHI 2015
St. Luke’s-Roosevelt Hospital Center Inc. $387,000 Settlement Unauthorized Disclosure of PHI 2014
The Center for Children’s Digestive Health $31,000 Settlement Lack of a Business Associate Agreement 2003-2015
Cardionet $2,500,000 Settlement Impermissible Disclosure of PHI 2011
Metro Community Provider Network $400,000 Settlement Lack of Security Management Process 2011
Memorial Healthcare System $5,500,000 Settlement Insufficient ePHI Access Controls 2007-2012
Children’s Medical Center of Dallas $3,200,000 Civil Monetary Penalty Impermissible Disclosure of ePHI 2006-2013
MAPFRE Life Insurance Company of Puerto Rico $2,200,000 Settlement Impermissible Disclosure of ePHI 2011
Presense Health $475,000 Settlement Delayed Breach Notifications 2013

 

What we can say is HIPAA violations have occurred at most healthcare organizations, although oftentimes the violations are minor and inconsequential. We can go further and say that a majority of healthcare organizations have failed to follow HIPAA Rules to the letter all of the time.

The evidence comes from the second round of HIPAA compliance audits conducted by OCR in late 2016 and 2017. A final report on the findings of the audits has yet to be published, but last September preliminary results were released. They showed that healthcare organizations are still not getting to grips with HIPAA Rules and noncompliance is commonplace.

Findings of the 2017 HIPAA Compliance Audits

Listed below are the preliminary findings of the second round of HIPAA compliance audits. The audits consisted of ‘Desk Audits’ conducted on 166 covered entities on the HIPAA Privacy, Security, and Breach Notification Rules and 41 business associates of HIPAA covered entities on the Security and Breach Notification Rules.

OCR gave each audited entity a rating from 1-5 based on the level of compliance. A rating of 1 means the organization was in compliance with the goals and objectives of the audited standards and implementation specifications. A rating of 5 was given to entities that did not provide OCR with evidence to show that a serious attempt had been made to comply with HIPAA Rules.

HIPAA Rule Aspect of HIPAA Rule 1 Rating 2 Rating 3 Rating 4 Rating 5 Rating N/A
Breach Notification Rule Timeliness of Notification 65% 6% 2% 9% 11% 7%
Breach Notification Rule Content of Notification 14% 14% 23% 37% 7% 5%
Privacy Rule Patient Right to Access 1% 10% 27% 54% 11% N/A
Privacy Rule Notice of Privacy Practices 2% 33% 39% 11% 15% 2%
Privacy Rule Provision of eNotice 57% 15% 4% 6% 15% 3%
Security Rule Risk Analysis 0% 2% 19% 23% 13% N/A
Security Rule Risk Management 1% 3% 13% 29% 17% N/A

The post How Many HIPAA Violations in 2017 Resulted in Financial Penalties? appeared first on HIPAA Journal.

VA OIG Discovers Security Vulnerabilities Introduced at Orlando VA Medical Center

Posted by HIPAA Journal

The VA Office of Inspector General has discovered a Wi-Fi network was set up at a Florida VA medical center without being coordinated with the VA’s Office of Information & Technology (OI&T). As a result, vulnerabilities were introduced that could have been exploited to gain unauthorized access to VA systems.

The VA Office of Inspector General conducted an audit of the Orlando Veterans Affairs Medical Center (VAMC) at Lake Nona, FL after receiving a complaint that the Veterans Services Adaptable Network (VSAN) was being developed without coordination with the Office of Information & Technology (OI&T), and that appropriate funding for the project had not been obtained through proper channels.

While evidence of funding irregularities was not uncovered, the VA OIG did confirm that a WiFi network for patients had been set up without coordination with OI&T, and that the network did not have the appropriate security controls applied in accordance with VA policies.

After the network had been set up, a risk assessment was not performed and there was no segregation between the VSAN and VA network. The VA OIG explained in its report that the lack of oversight by local OI&T staff resulted in unnecessary risks being introduced that could have resulted in other VA systems being compromised. No evidence was uncovered to suggest any vulnerabilities had been exploited.

The VA OIG reports that staff did not ensure security controls were applied in accordance with the VA’s security requirements due to competing priorities and resources. A security risk assessment was not performed because management did not allocate the necessary resources to the task.

The VA OIG has recommended the executive in charge for the Office of the Under Secretary for Health and the executive in charge for the Office of Information and Technology ensure that all guest Internet networks, industrial control systems, and external air-gapped networks are properly segregated and meet VA security requirements.

The report highlights a common problem: The installation of software or use of hardware that has not been authorized by IT departments. Referred to as shadow IT, the unauthorized hardware and software can introduce vulnerabilities that may not be discovered and corrected by IT departments.

Without the oversight of the IT department, software may not be kept up to date and vulnerabilities could easily be exploited to gain access to healthcare networks.

Health IT departments can implement controls that prevent the installation of software by employees and employees should be instructed, in no uncertain terms, that the installation of software or use of devices without first having obtained authorization from the IT department is strictly prohibited.

IT departments should also consider conducting scans of the network to identify rogue devices that have been connected, although that means that IT departments must also maintain an accurate inventory of all authorized devices.

Network access tools can also be deployed to further protect healthcare networks. These tools restrict network access to authorized devices that have the appropriate security controls, AV software, and latest versions of software installed.

The post VA OIG Discovers Security Vulnerabilities Introduced at Orlando VA Medical Center appeared first on HIPAA Journal.