Healthcare Data Security

20% of RNs Had Breaches of Patient Data at Their Organization

Posted by HIPAA Journal

A recent survey conducted by the University of Phoenix College of Health Professions indicates registered nurses (RNs) are confident in their organization’s ability to prevent data breaches.

The survey was conducted on 504 full time RNs and administrative staff across the United States. Respondents had held their position for at least two years.

Almost half of RNs (48%) and 57% of administrative staff said they were very confident that their organization could prevent data breaches and protect against the theft of patient data, even though 19% of administrative staff and 20% of RNs said their organization had had a data breach in the past. 21% did not know if a breach had occurred.

The survey confirmed that healthcare organizations have made many changes over the years to better protect data and patient privacy, with most of the changes occurring in the past year, according to a quarter of RNs and 40% of administrative staff.

Those changes have occurred across the organization. The biggest areas for change were safety, quality of care, population health, data security and the digitalization of health records.

67% of RNs said privacy and data access policies were being implemented to better protect patient data, while data surveillance was an initiative to improve data privacy and security according to 56% of respondents. 59% of RNs said their organization was implementing role based access to medical records.

69% of administrative staff who took part in the survey said privacy and access policies were being updated, 60% said their organization was implementing role based access, and 55% said data surveillance was a major focus area.

Privacy and security training is being provided to RNs and administrative staff, although 34% of administrative staff and 23 of RNs do not recognize the benefit of such training; however, half of administrative staff respondents and two in five RNs felt they could benefit from further training in his area.

The post 20% of RNs Had Breaches of Patient Data at Their Organization appeared first on HIPAA Journal.

Achieving HIPAA Compliant File Sharing In and Outside the Cloud

Posted by HIPAA Journal

HIPAA compliant file sharing consists of more than selecting the right technology to ensure the security, integrity and confidentiality of PHI at rest or in transit. Indeed, you could implement the most HIPAA compliant file sharing technology available and still be a long way short of achieving HIPAA compliance.

It is not the technology that is at fault. Many Covered Entities and Business Associates fail to configure the technology properly or train employees how to use the technology in compliance with HIPAA. According to a recent IBM X-Force Threat Intelligence Report, 46% of data breaches in the healthcare industry are attributable to “inadvertent actors”.

Of the remaining 54% of data breaches in the healthcare industry, 29% are attributable to “outsiders”, while the remaining 25% are the work of “malicious insiders”. Therefore, if a Covered Entity implements HIPAA compliant file sharing technology, but fails to configure it properly, train employees how to use it compliantly, or introduce mechanisms to monitor access to PHI, it may only be 29% of the way towards achieving HIPAA compliance.

Understanding the Risks to PHI when Sharing Data

In order to fully understand the risks to PHI when sharing data, it is important to conduct a thorough risk assessment detailing how PHI is created, used, stored and shared – and what happens to the data once it has been shared. When the risk assessment is completed, it is necessary to conduct a risk analysis to identify vulnerabilities and weaknesses that could result in the unauthorized disclosure of PHI.

Part of the risk analysis should concern what happens to data shared with Business Associates. Business Associates should conduct their own risk assessments and risk analyses, and it is a HIPAA Security Officer´s duty to conduct due diligence on any Business Associate data is shared with, in order to ensure their file sharing procedures are also HIPAA compliant.

HIPAA Compliant File Sharing Exists Outside the Cloud

Most articles relating to file sharing and HIPAA compliance focus on the technology available to share files securely in the cloud. Although these articles provide valuable information about one specific area of sharing data, they do not address the subject of HIPAA compliant file sharing in its entirety – for example, when data is shared within a private network or in physical format.

As well as evaluating cloud-based technology for HIPAA compliant file sharing, HIPAA Security Officers should also consider access controls to files and folders stored on private networks and access logs to monitor when PHI is accessed – both online and in physical format. Done effectively, this should help prevent the #1 cause of HIPAA security breaches – employee snooping.

Explaining File Sharing and HIPAA Compliance to Employees

Employee snooping – viewing the healthcare records of family, friends, colleagues or personalities without authorization – may not result in headline data breaches, but it is a HIPAA violation – and a common one at that. However, without being told it is a violation, many employees would consider snooping no more than a misdemeanor with inquisitive intent.

Explaining that snooping is a HIPAA violation punishable by sanctions is a good foundation for explaining file sharing and HIPAA compliance to employees. It will help them better understand the seriousness of unauthorized disclosures of PHI and make them more careful about taking shortcuts “to get the job done” – a leading cause of data breaches in the healthcare industry attributable to “inadvertent actors”.

Train, Monitor, Sanction when Necessary, then Review

Whenever new HIPAA-related technology is introduced or working practices are changed, it is essential employees are provided with adequate training on the new technology or working practices. By using employee HIPAA training sessions to reinforce the message about file sharing and HIPAA compliance, the message will likely be better absorbed.

If the Covered Entity is able to support employee training with mechanisms to monitor access to PHI, and the enforcement of sanctions when necessary, the likelihood is “malicious insiders” will likely think twice before attempting to access PHI without authorization. Thereafter, HIPAA Security Officers should review policies and procedures to assess whether any further adjustments need to be made in order to ensure HIPAA compliant file sharing.

The post Achieving HIPAA Compliant File Sharing In and Outside the Cloud appeared first on HIPAA Journal.

Data Breach Notification Bill Introduced in North Carolina

Posted by HIPAA Journal

A new data breach notification bill has been introduced in North Carolina in response to the rise in breaches of personal information in 2017. Last year, more than 5.3 million residents of North Carolina were impacted by data breaches.

The rise in data breaches prompted state Attorney General Josh Stein and state Representative Jason Saine to introduce the Act to Strengthen Identity Theft Protections. If passed, North Carolina will have some of the toughest data breach notification laws in the United States.

The Act, introduced on January 8, 2018, is intended to strengthen protections for state residents. The Act updates the definitions of personal information and security breaches, and decreases the allowable time to notify state residents of a breach of their personal information.

The definition of personal information has been expanded to include insurance account numbers and medical information. It is currently unclear whether the new law will apply to organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) or if they will be deemed to be in compliance with state laws if they comply with HIPAA.

The definition of a breach has been updated to include any breach of personal information, including ransomware attacks, even if the personal information of state residents is only encrypted by ransomware and no data theft has occurred.

In the event of a breach of personal information, the Act requires companies to issue notifications to breach victims within 15 days of the discovery of a breach. Faster breach notifications will allow consumers to take prompt action to secure their accounts and limit potential harm from the exposure of their personal information.

Breaches must also be reported to the Attorney General’s office. This will empower the attorney general to determine the risk of harm from the breach, rather than leaving it to the breached entity to make that determination.

The Act also requires businesses to implement and maintain reasonable security protections to keep data secure. The nature of those protections should be appropriate to the sensitivity of the data concerned. The failure to implement sufficient controls would be deemed a violation of the Unfair and Deceptive Trade Practices Act, and each person whose data has been exposed would represent “a separate and distinct violation of the law.”

North Carolina residents must also be allowed to place a credit freeze on their accounts free of charge and the Act requires credit reporting agencies “to put in place a simple, one-stop shop for freezing and unfreezing a consumer’s credit reports.” This would allow consumers to quickly and easily freeze and unfreeze credit across all major consumer reporting agencies.

A new provision has also been included to cover credit reference and consumer reporting agencies. If those agencies experience a breach they will be required to provide five years of free credit monitoring services to consumers.

A summary of the Act is available here.

Image source: By Darwinek [CC BY-SA 3.0] via Wikimedia Commons

The post Data Breach Notification Bill Introduced in North Carolina appeared first on HIPAA Journal.

The Top HIPAA Threats Are Likely Not What You Think

Posted by HIPAA Journal

Many articles listing the Top HIPAA Threats pretty much follow a similar theme. Protect devices against theft, protect data against cybercriminals, and protect yourself against unauthorized third party disclosures by signing a Business Associate Agreement. Unfortunately these articles are way off the mark.

Inasmuch as the recommendations are sensible, and indeed should be followed, they fail to address the top HIPAA threats – employees. According to the recently-published IBM X-Force Threat Intelligence Report, 71% of recorded data breaches in the healthcare industry are attributable to employee actions. Employees responsible for data breaches are divided into two categories – “malicious Insiders” (25%) and “inadvertent actors” (46%).

A Quarter of Healthcare Data Breaches Attributable to Malicious Insiders?

Although IBM´s Intelligence Report focuses on the number of breaches – rather than the number of records breached – the percentage of data breaches attributed to malicious insiders appears high. However, it is not the case that a quarter of the medical profession is stealing Protected Health Information for personal gain. A closer inspection of the data reveals the “malicious insiders” category includes employees snooping on the medical records of friends, colleagues and celebrity patients.

Snooping was identified as the largest single cause of data breaches in the healthcare industry in a 2013 study conducted by Veriphyr Identity and Access Intelligence. As snooping constitutes an unauthorized disclosure of Protected Health Information, it is classified as a violation of HIPAA and therefore – by the number of violations alone – is one of the top HIPAA threats Covered Entities should be aware of. It is certainly a threat OCR would expect a Covered Entity to address in a HIPAA risk assessment.

Other Data Breaches Attributable to Malicious Insiders Tend to Attract Headlines

Whereas snooping can be the biggest cause of employee HIPAA violations by number, the biggest cause of employee HIPAA violations by records breached is insider data theft. In a recent high-profile case, a secretary employed by the Jackson Health System in Florida was charged with accessing more than 24,000 computerized patient records and selling the data to criminals, who subsequently used it to file fraudulent tax returns with the Internal Revenue Service.

A spate of high-volume data breaches around the same time prompted the HHS´ Office for Civil Rights to issue a reminder to Covered Entities to take action to prevent insider data theft. Unfortunately many Covered Entities appear not to have responded to the reminder. A survey conducted in late 2016 revealed half of healthcare IT professionals were more concerned about insider data theft than external data theft, but were not given the resources to deal with the threat.

Are Inadvertent Actors Really More of a HIPAA Threat than Cybercriminals?

According to the basic data it would appear so. However, the category of “inadvertent actors” includes victims of phishing attacks and IT professionals who fail to configure their security mechanisms properly; so it may be more accurate to rename this category “employees who inadvertently invited cybercriminals to steal data”. Nonetheless, the percentage of reported data breaches attributable to inadvertent actors is nearly twice that of external hacks.

This would imply another of the top HIPAA threats is a lack of employee awareness. Phishing is a massive threat to HIPAA compliance, but it is one that can mitigated with phishing simulation training. Similarly, errors made by IT security can be reduced by implementing procedures to review the configuration of security mechanisms on a regular basis – which should be part of an annual risk assessment in any case. Basically, data breaches due to inadvertent actors are mostly avoidable.

The Top HIPAA Threats and How to Defend Against Them

At HIPAA Journal we strongly recommend Covered Entities encrypt data, implement two-factor authentication and conduct due diligence on Business Associates. These practices – and others provided by HIPAA threat-style articles- will help defend against some HIPAA threats, but not the top HIPAA threats. In order to defend against the top HIPAA threats of snooping, insider data theft and a lack of employee awareness, Covered Entities need to:

  • Implement strong policies relating to employee conduct and enforce them with an equally strong sanctions policy.
  • Implement effective access controls that monitor who accesses PHI when and where, and what happens to it afterwards.
  • Implement a comprehensive HIPAA training program to raise employee awareness – particularly in the area of Internet security.

More than anything, Covered Entities need to allocate more resources to eliminating data breaches attributable to employee actions. If the data provided in the IBM X-Force Threat Intelligence Report is taken at face value, Covered Entities should allocate three times as many resources to defending against the top HIPAA threats that come from within than they allocate to external threats.

The post The Top HIPAA Threats Are Likely Not What You Think appeared first on HIPAA Journal.

Is Azure HIPAA Compliant?

Posted by HIPAA Journal

Is Azure HIPAA compliant? Can Microsoft’s cloud services be used by HIPAA covered entities without violating HIPAA Rules?

Many healthcare organizations are considering moving some of their services to the cloud, and a large percentage already have. The cloud offers considerable benefits and can help healthcare organizations lower their IT costs, but what about HIPAA?

HIPAA does not prohibit healthcare organizations from taking advantage of cloud services; however, it does place certain restrictions on the services that can be used, at least as far as protected health information is concerned.

Most healthcare organizations will consider the three main providers of cloud services. Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. We have already covered AWS HIPAA compliance here, but what about Azure? Is Azure HIPAA compliant?

Is Azure HIPAA Compliant?

Before any cloud service can be used by healthcare organizations, they must first enter into a business associate agreement with the service provider.

Under HIPAA Rules, cloud service providers are considered business associates. Before any PHI can be uploaded to the cloud, HIPAA-covered entities must obtain satisfactory assurances that the service incorporates all the appropriate privacy and security safeguards to meet the requirements of the HIPAA Privacy and Security Rules.

Those assurances come in the form of a business associate agreement – essentially a contract with a vendor in which the responsibilities of the vendor are explained. The BAA must be obtained before any cloud service can be used for storing, processing, or sharing PHI. It does not matter is the service provider does not access customers’ data. A BAA is still required.

Microsoft Will Sign a BAA for Azure

Microsoft is willing to sign a BAA with healthcare organizations that covers Azure*, so does that make Azure HIPAA compliant?

Unfortunately, it is not that simple. No cloud platform can be truly HIPAA compliant. Cloud HIPAA compliance is not so much about platforms and security controls, but how those services are used. Even a cloud service such as Azure can easily be used in a way that violates HIPAA Rules. It is the responsibility of the covered entity to ensure cloud instances are configured correctly.

So Azure is not HIPAA compliant per se, but it does support HIPAA compliance, and incorporates all the necessary safeguards to ensure HIPAA requirements can be satisfied.

Access, Integrity, Audit and Security Controls

Microsoft provides a secure VPN to connect to Azure, so any data uploaded to, or downloaded from, Azure is encrypted and all data stored in its cloud instances are encrypted.

HIPAA requires access controls to be implemented to limit who can access to PHI. Azure offers these controls and uses Active Directory to allow permissions to be set. Multi-factor authentication can also be added.

Audit controls are also necessary for HIPAA compliance. Azure includes detailed logging, so administrators can see who accessed, attempted to access PHI.

So, is Azure HIPAA compliant? Azure can be used in a way that satisfies HIPAA Rules, but note that it is the responsibility of the covered entity to ensure the service is configured and used correctly and staff are trained on its use. Microsoft will accept no responsibility for HIPAA violations caused as a result of the misuse of its services.

*Not all Azure services are included in the BAA. See here for up-to-date information.

The post Is Azure HIPAA Compliant? appeared first on HIPAA Journal.

Largest Healthcare Data Breaches of 2017

Posted by HIPAA Journal

This article details the largest healthcare data breaches of 2017 and compares this year’s breach tally to the past two years, which were both record-breaking years for healthcare data breaches.

2015 was a particularly bad year for the healthcare industry, with some of the largest healthcare data breaches ever discovered. There was the massive data breach at Anthem Inc., the likes of which had never been seen before. 78.8 million healthcare records were compromised in that single cyberattack, and there were also two other healthcare data breaches involving 10 million or more records. 2015 was the worst ever year in terms of the number of healthcare records exposed or stolen.

2016 was a better year for the healthcare industry in terms of the number of healthcare records exposed in data breaches. There was no repeat of the mega data breaches of the previous year. Yet, the number of incidents increased significantly. 2016 was the worst ever year in terms of the number of breaches reported by HIPAA-covered entities and their business associates. So how have healthcare organizations fared in 2017? Was 2017 another record-breaking year?

Healthcare Data Breaches Increased in 2017

The mega data breaches of 2015 were fortunately not repeated in 2017, and the decline in massive data breaches continued in 2017.

Last year, there were three breaches reported that impacted more than one million individuals and 14 breaches of more than 100,000 records.

In 2017, there was only one reported data breach that impacted more than 500,000 people and 8 breaches that impacted 100,000 or more individuals. The final total for individuals impacted by breaches last year was 14,679,461 – considerably less than the 112,107,579 total the previous year.

The final figures for 2017 cannot yet be calculated as there is still time for breaches to be reported to OCR. The HIPAA Breach Notification Rules allows covered entities up to 60 days to report data breaches of more than 500 records, so the final figures for 2017 will not be known until March 1, 2018. However, based on current data, 2017 has been a reasonably good year in terms of the number of exposed healthcare records. The current total stands at 3,286,498 records – A 347% reduction in breached records year on year.

While it is certainly good news that the severity of breaches has reduced, that only tells part of the story. Breaches of hundreds of thousands of records have reduced, but breaches of more than 10,000 records have remained fairly constant year over year. In 2015, there were 52 breaches of 10,000 or more records. That figure jumped to 82 in 2016. There were 78 healthcare data breaches in 2017 involving more than 10,000 records.

The bad news is there has been a significant rise in the number of healthcare data breaches in 2017.  As of January 4, 2017, there have been 342 healthcare security breaches listed on the OCR breach portal for 2017. It is likely more incidents will be added in the next few days.

The final total for 2015 was 270 breaches, and there were 327 breaches reported in 2016. The severity of healthcare security incidents may have fallen, but the number of incidents continues to rise year on year.

 

reported healthcare data breaches in 2017

 

Unfortunately, there is little evidence to suggest that the annual rise in healthcare data breaches will stop in 2018. Many cybersecurity firms have made predictions for the coming year, and they are united in the view that healthcare data breaches will continue to increase.

The 20 Largest Healthcare Breaches of 2017

The list of the 20 largest healthcare data breaches of 2017 is listed below.

Position Breached Entity Entity Type Records Exposed Cause of Breach
1 Commonwealth Health Corporation Healthcare Provider 697,800 Theft
2 Airway Oxygen, Inc. Healthcare Provider 500,000 Hacking/IT Incident
3 Women’s Health Care Group of PA, LLC Healthcare Provider 300,000 Hacking/IT Incident
4 Urology Austin, PLLC Healthcare Provider 279,663 Hacking/IT Incident
5 Pacific Alliance Medical Center Healthcare Provider 266,123 Hacking/IT Incident
6 Peachtree Neurological Clinic, P.C. Healthcare Provider 176,295 Hacking/IT Incident
7 Arkansas Oral & Facial Surgery Center Healthcare Provider 128,000 Hacking/IT Incident
8 McLaren Medical Group, Mid-Michigan Physicians Imaging Center Healthcare Provider 106,008 Hacking/IT Incident
9 Harrisburg Gastroenterology Ltd Healthcare Provider 93,323 Hacking/IT Incident
10 VisionQuest Eyecare Healthcare Provider 85,995 Hacking/IT Incident
11 Washington University School of Medicine Healthcare Provider 80,270 Hacking/IT Incident
12 Emory Healthcare Healthcare Provider 79,930 Hacking/IT Incident
13 Salina Family Healthcare Center Healthcare Provider 77,337 Hacking/IT Incident
14 Stephenville Medical & Surgical Clinic Healthcare Provider 75,000 Unauthorized Access/Disclosure
15 Morehead Memorial Hospital Healthcare Provider 66,000 Hacking/IT Incident
16 Primary Care Specialists, Inc. Healthcare Provider 65,000 Hacking/IT Incident
17 Enterprise Services LLC Business Associate 56,075 Unauthorized Access/Disclosure
18 ABCD Pediatrics, P.A. Healthcare Provider 55,447 Hacking/IT Incident
19 Network Health Health Plan 51,232 Hacking/IT Incident
20 Oklahoma Department of Human Services Health Plan 47,000 Hacking/IT Incident

The Largest Healthcare Data Breaches of 2017 Were Due to Hacking

One thing is abundantly clear from the list of the largest healthcare data breaches of 2017 is hacking/IT incidents affect more individuals than any other breach type. Hacking/IT incidents accounted for all but three of the largest healthcare data breaches of 2017.

In 2016, hacking incidents only accounted for 11 out of the top 20 data breaches and 12 of the top 20 in 2015. Hacking incidents therefore appear to be rising.

 

healthcare data breaches in 2017 (hacking)

 

The rise in hacking incidents can partly be explained by the increase in ransomware attacks on healthcare providers in 2017. Healthcare organizations are also getting better at discovering breaches.

Other Major Causes of Healthcare Data Breaches in 2017

Unauthorized access/disclosures continue to be a leading cause of healthcare data breaches, although there was a slight fall in numbers of these incidents in 2017. That decrease is offset by an increase in incidents involving the improper disposal of physical records and electronic devices used to store ePHI.

 

healthcare data breaches of 2017 (Unauthorized access/disclosures)

 

The use of encryption for stored data is more widespread, with many healthcare organizations having implemented encryption on all portable storage devices and laptops, which has helped to reduce the exposure of ePHI when electronic devices are stolen.

 

Healthcare Data Breaches of 2017 (loss/theft)

Minimizing the Risk of Healthcare Data Breaches

This year saw OCR publish the preliminary findings of its HIPAA compliance audits on HIPAA-covered entities. The audits revealed there is still widespread non-compliance with HIPAA Rules.

One of the biggest problems was not a lack of cybersecurity defenses, but the failure to conduct an enterprise-wide risk analysis.

Even with several layers of security, vulnerabilities are still likely to exist. Unless a comprehensive risk analysis is performed to identify security gaps, and those gaps are addressed, it will only be a matter of time before they are exploited.

Complying with HIPAA Rules will not prevent all data breaches, but it will ensure healthcare organizations achieve at least the minimum standard for data security, which will prevent the majority of healthcare data breaches.

There is a tendency to invest cybersecurity budgets in new technology, but it is important not to forget the basics. Many healthcare data breaches in 2017 could have been prevented had patches been applied promptly, if secure passwords had been chosen, and if cloud storage services and databases had been configured correctly. Many data breaches were caused as a result of employees leaving unencrypted laptops in risky locations – in unattended vehicles for instance.

Phishing remains one of the main ways that malicious actors gain access to protected health information, yet security awareness training is still not being provided frequently. As a result, employees are continuing to fall for phishing and social engineering scams. Technological solutions to block phishing emails are important, but healthcare organizations must also educate employees about the risks, teach them how to recognize scams, and reinforce training regularly. Only then will organizations be able to reduce the risk from phishing to an acceptable and appropriate level.

Insiders continue to be a major threat in healthcare. The value of data on the black market is high, and cash-strapped healthcare employees can be tempted to steal data to sell to identity thieves. Healthcare organizations can hammer the message home that data theft will be discovered and reported to law enforcement, but it is the responsibility of healthcare organizations to ensure policies and technologies are implemented to ensure that the unauthorized accessing of records – theft or snooping – is identified rapidly.  That means frequent audits of access logs and the use of automated monitoring solutions and user behavior analytics.

2017 was a bad year for ransomware attacks and extortion attempts on healthcare organizations. There is no sign that these attacks will slow in 2018, and if anything, they are likely to increase. Ensuring data is backed up will allow organizations to recover files in the event of an attack without having to pay a ransom. The rise in sabotage attacks – NotPetya for example – mean data loss is a real possibility if backups are not created.

By getting the basics right and investing in new technologies, it will be possible for the year on year rise in data breaches to be stopped. But until healthcare organizations get the basics right and comply with HIPAA Rules, healthcare data breaches are likely to continue to rise.

The post Largest Healthcare Data Breaches of 2017 appeared first on HIPAA Journal.

OIG Finds Data Security Inadequacies at North Carolina State Medicaid Agency

Posted by HIPAA Journal

The Department of Health and Human Services’ Office of Inspector General (OIG) has published the findings of an audit of the North Carolina State Medicaid agency. The report shows the State agency has failed to implement sufficient controls to ensure the security of its Medicaid eligibility determination system and the security, integrity, and availability of Medicaid eligibility data.

HHS oversees the administration of several federal programs, including Medicaid. Part of its oversight of the Medicaid program involves the auditing of State agencies to determine whether appropriate system security controls have been implemented and State agencies are complying with Federal requirements.

The aim of the OIG audit was to determine whether adequate information system general controls had been implemented by the state of North Carolina to ensure its Medicaid eligibility determination system and data were secured.

The Office of North Carolina Families Accessing Services Through Technology (NC FAST) was tasked with operating North Carolina’s Medicaid eligibility determination system. NC FAST was assessed on entitywide security, access controls, configuration management, network device management, service continuity, mainframe operations, and application change control, and how those controls related to the North Carolina eligibility determination system for State fiscal year 2016.

OIG found the information security general controls were inadequate and did not meet federal requirements.

The vulnerabilities identified by OIG placed the confidentiality, integrity, and availability of North Carolina’s Medicaid eligibility data in jeopardy. The vulnerabilities could potentially be exploited by malicious actors to gain access to sensitive information. A cyberattack could also result in critical disruption of North Carolina Medicaid eligibility operations. OIG reports “the vulnerabilities are collectively and, in some cases, individually significant.”

While the vulnerabilities could be exploited, no evidence was uncovered to suggest that its system had been compromised or sensitive information had been viewed or stolen.

OIG made several recommendations to North Carolina to ensure its Medicaid eligibility determination system is appropriately secured. North Carolina must work with NC FAST to address all vulnerabilities in a timely manner and bring its information security general controls up to the required Federal standards.

North Carolina did not directly address the recommendations, but concurred with eight of the nine findings and partly agreed with one finding. North Carolina has agreed to make corrective actions that will resolve all nine security vulnerabilities identified by the auditors.

Last year, North Carolina was also found to have failed to ensure sufficient controls were implemented to ensure the security of its Medicaid claims processing systems. Those systems are managed by CRSA, Inc. OIG auditors similarly found vulnerabilities that were collectively and, in some cases, individually significant and could potentially compromise the confidentiality, integrity, or availability of data and its systems. North Carolina concurred with all recommendations and agreed to take corrective actions to address the vulnerabilities.

The post OIG Finds Data Security Inadequacies at North Carolina State Medicaid Agency appeared first on HIPAA Journal.

CMS Clarifies Position on Use of Text Messages in Healthcare

Posted by HIPAA Journal

In November, the Centers for Medicare and Medicaid Services (CMS) explained in emails to healthcare providers that the use of text messages in healthcare is prohibited due to concerns about security and patient privacy.

SMS messages are not secure. The CMS was concerned that the use of text messages in healthcare will lead to the exposure of sensitive patient data and could threaten the integrity of medical records. While this is understandable as far as SMS messages are concerned, many secure messaging applications satisfy all the requirements of HIPAA – e.g. transmission security, access and authentication controls, audit controls, and safeguards to ensure the integrity of PHI.

The use of secure messaging platforms was raised with the CMS by some hospitals; however, the position of the CMS, based on the emails, appeared to be a total ban on the use of text messages in healthcare, even the use of secure messaging platforms.

In the emails, the CMS said, “After meeting with vendors regarding these [secure messaging] products, it was determined they cannot always ensure the privacy and confidentiality of PHI of the information being transmitted. This resulted in the no texting determination.”

In December, the Health Care Compliance Association (HCCA) published an article questioning the stance of the CMS. HCCA said in its Report on Medicare Compliance, that at least two hospitals had received emails from the CMS explaining all forms of text messaging were prohibited.

Nina Youngstrom, Managing Editor of the Report on Medicare Compliance, said in the article that several compliance officers and healthcare attorneys were horrified about the position of the CMS. One attorney said a total ban would be “Like going back to the dark ages.”

CMS explained that concern about text messages in healthcare was not just about transmission security. There was the potential for a lack of access controls on the senders’ and receivers’ devices, stored data may not necessarily be secure and encrypted, and the privacy of patients is not guaranteed. Another concern was information transmitted via text messages also needs to be entered into the patient record and made available for retrieval.

Last year, the Joint Commission relaxed its ban on the use of text messages in healthcare for sending patient orders, only to later backtrack and reinstate the ban. The Joint Commission’s current position is the use of text messaging in healthcare is permitted, provided a secure messaging platform is used. However, the ban on the use of text messages for sending orders for patient care remains in place.

The CMS appeared to be saying no to all forms of text messaging, even though a large percentage of hospitals have switched over to secure text messaging platforms and are finally replacing their outdated pagers. Such a ban would therefore not be too dissimilar to implementing a ban on email, given how text messaging is so extensively used in healthcare.

A recent survey conducted by the Institute for Safe Medication Practices (ISMP) confirms this. In its survey of 788 healthcare professionals, 45% of pharmacists and 35% percent of nurses said texting was used in their facilities. 53% said there was a policy in place prohibiting the use of text messages for patient orders, but despite the Joint Commission ban, 12% said texting patient orders was allowed – 8% only when a secure platform was used and 3% said text messages were permitted under any circumstances.

CMS Confirms The Use of Text Messages in Healthcare is Permitted

On December 28, 2017, a month after the emails were sent, the CMS sent a memo clarifying its position on the use of text messages in healthcare, confirming there is not a total ban in place.

The CMS explained that the ban on the use of all forms of text messaging, including secure text messaging systems, remains in place for orders by physicians or other health care providers. “The practice of texting orders from a provider to a member of the care team is not in compliance with the Conditions of Participation (CoPs) or Conditions for Coverage (CfCs),” specifically stating §489.24(b) and §489.24(c) apply.

Order entries should be made by providers using Computerized Provider Order Entry (CPOE), or via hand written orders. The CMS explained that, “An order if entered via CPOE, with an immediate download into the provider’s electronic health records (EHR), is permitted as the order would be dated, timed, authenticated, and promptly placed in the medical record.”

The CMS accepts that text messages are an important means of communication in healthcare, and that text messages are now essential for effective communication between care team members. However, in order to comply with the CoPs and CfCs, healthcare organizations must use and maintain text messaging systems/platforms that are secure.

Those platforms must encrypt messages in transit and healthcare organizations are required to assess and minimize the risks to the confidentiality, integrity, and availability of PHI as required by HIPAA. The CMS also explained that “It is expected that providers/organizations will implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized, in order to avoid negative outcomes that could compromise the care of patients.”

The stance of the CMS is therefore aligned with that of the Joint Commission. Secure text messaging platforms can be used in healthcare, just not for texting orders. Even though secure text messaging meet HIPAA requirements for privacy and security, the ban remains in place over concerns about inputting orders sent by text messages into the EHR. CPOE is still the preferred method of entry to ensure accuracy.

The post CMS Clarifies Position on Use of Text Messages in Healthcare appeared first on HIPAA Journal.

2017 HIPAA Enforcement Summary

Posted by HIPAA Journal

Our 2017 HIPAA enforcement summary details the financial penalties paid by healthcare organizations to resolve HIPAA violation cases investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general.

2017 saw OCR continue its aggressive pursuit of financial settlements for serious violations of HIPAA Rules. There have been 9 HIPAA settlements and one civil monetary penalty in 2017.

In total, OCR received $19,393,000 in financial settlements and civil monetary penalties from covered entities and business associates to resolve HIPAA violations discovered during the investigations of data breaches and complaints.

Last year, there were 12 settlements reached with HIPAA-covered entities and business associates, and one civil monetary penalty issued. In 2016, OCR received $25,505,300 from covered entities to resolve HIPAA violation cases.

Summary of 2017 HIPAA Enforcement by OCR

Listed below are the 2017 HIPAA enforcement activities of OCR that resulted in financial penalties for HIPAA-covered entities and their business associates.

Covered Entity Amount Type Violation Type
Memorial Healthcare System $5,500,000 Settlement Insufficient ePHI Access Controls
Children’s Medical Center of Dallas $3,200,000 Civil Monetary Penalty Impermissible Disclosure of ePHI
Cardionet $2,500,000 Settlement Impermissible Disclosure of PHI
Memorial Hermann Health System $2,400,000 Settlement Careless Handling of PHI
21st Century Oncology $2,300,000 Settlement Multiple HIPAA Violations
MAPFRE Life Insurance Company of Puerto Rico $2,200,000 Settlement Impermissible Disclosure of ePHI
Presense Health $475,000 Settlement Delayed Breach Notifications
Metro Community Provider Network $400,000 Settlement Lack of Security Management Process
St. Luke’s-Roosevelt Hospital Center Inc. $387,000 Settlement Unauthorized Disclosure of PHI
The Center for Children’s Digestive Health $31,000 Settlement Lack of a Business Associate Agreement

OCR’s 2017 HIPAA enforcement activities have revealed covered entities are continuing to fail to comply with HIPAA Rules in key areas: Safeguarding PHI on portable devices, conducting an organization-wide risk analysis, implementing a security risk management process, and entering into HIPAA-compliant business associate agreements with all vendors.

Throughout 2016 and 2017, many covered entities have failed to issue breach notifications promptly. In 2017, OCR took action for this common HIPAA violation and agreed its first HIPAA settlement solely for delaying breach notifications to patients.

HIPAA Desk Audits Revealed Widespread HIPAA Violations

In late 2016, OCR commenced the much-delayed second phase of its HIPAA-compliance audit program. The first stage involved desk audits of 166 HIPAA-covered entities – 103 audits on the Privacy and Breach Notification Rules, and 63 audits on the Security Rule. 41 desk audits were conducted on business associates on the Breach Notification and Security Rules.

While the full results of the compliance audits have not been released, this fall OCR announced preliminary findings from the compliance audits.

Covered entities were given a rating from 1 to 5 for the completeness of compliance efforts on each control and implementation specification. A rating of 1 signifies full compliance with goals and objectives of the standards and implementation specifications that were audited. A rating of 5 indicates there was no evidence that the covered entity had made a serious attempt to comply with HIPAA Rules.

Preliminary Findings of HIPAA Compliance Audits on Covered Entities

Listed below are the findings from the HIPAA compliance audits. A rating of 5 being the worst possible score and 1 being the best.

Preliminary HIPAA Compliance Audit Findings (2016/2017)
HIPAA Rule Compliance Controls Audited Covered Entities Given Rating of 5 Covered Entities Given Rating of 1
Breach Notification Rule (103 audits) Timeliness of Breach Notifications 15 67
Breach Notification Rule (103 audits) Content of Breach Notifications 9 14
Privacy Rule (103 audits) Right to Access PHI 11 1
Privacy Rule (103 audits) Notice of Privacy Practices 16 2
Privacy Rule (103 audits) Electronic Notice 15 59
Security Rule (63 audits) Risk Analysis 13 0
Security Rule (63 audits) Risk Management 17 1

 

Almost a third of covered entities failed to issue breach notifications promptly and next to no covered entities were found to be fully compliant with the HIPAA Privacy and Security Rules.

OCR has delayed the full compliance reviews until 2018. While some organizations will be randomly selected for a full review – including a site visit – OCR has stated that poor performance in the desk audits could trigger a full compliance review. Financial penalties may be deemed appropriate, especially when there has been no attempt to comply with HIPAA Rules.

Attorneys General Fines for Privacy Breaches

The HITECH Act gave state attorneys general the authority to pursue financial penalties for HIPAA violations and assist OCR with the enforcement of HIPAA Rules. Relatively few state attorneys general exercise this right. Instead they choose to pursue cases under state laws, even if HIPAA Rules have been violated.

Notable 2017 settlements with healthcare organizations and business associates of HIPAA covered entities have been listed below.

Covered Entity State Amount Individuals affected Reason
Cottage Health System California $2,000,000 More than 54,000 Failure to Safeguard Personal Information
Horizon Healthcare Services Inc., New Jersey $1,100,000 3.7 million Failure to Safeguard Personal Information
SAManage USA, Inc. Vermont $264,000 660 Exposure of PHI on Internet
CoPilot Provider Support Services, Inc. New York $130,000 221,178 Late Breach Notifications
Multi-State Billing Services Massachusetts $100,000 2,600 Failure to Safeguard Personal Information

The post 2017 HIPAA Enforcement Summary appeared first on HIPAA Journal.