Healthcare Data Security

OIG: 16% Increase in Security Gaps in Medicare Contractors’ Information Security Programs

Posted by HIPAA Journal

An annual review of Medicare administrative contractors’ (MACs) information security programs has shown them to be ‘adequate in scope and sufficiency’, although a number of security gaps were found to exist.

The Social Security Act requires each MAC to have its information security program evaluated on an annual basis by an independent assessor. Each MAC must have the eight major requirements of the Federal Information Security Management Act of 2002 (FISMA) evaluated, in addition to the information security controls of a subset of systems.

The Department of Health and Human Services’ Office of Inspector General (OIG) is required to submit a report of the annual MAC evaluations to congress. The Centers for Medicare & Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) for this year’s evaluations.

The OIG report to congress shows a total of 149 security gaps were discovered to exist in the financial year 2015; a marked increase from the previous year. In 2014, the same 9 MACs were evaluated and 16% fewer security gaps were discovered.

A security gap is defined as an incomplete implementation of FISMA or CMS core security requirements. The security gaps identified are ranked as high, medium, or low-risk, depending on their severity.

PwC identified 22 high-risk gaps, 46 medium-risk gaps, and 81 low-risk gaps. According to the OIG report, 9 percent of the high and medium-risk gaps were identified in the previous year’s evaluations and had not yet been addressed. Four out of the six repeat gaps were determined to be high risk in both 2014 and 2015.

While the number of gaps increased by 16%, OIG points out that the scope of the evaluations was greater this year, with additional controls assessed in the 2015 financial year. The average number of gaps per MAC was 17. The highest number of gaps identified at any one MAC was 25 and the lowest was 14.

The biggest FISMA problem areas were ‘policies and procedures to reduce risk’ and ‘periodic testing of information security’, which had 45 and 41 security gaps identified respectively across the 9 MACs. 15 security gaps were identified with ‘system security plans’. Gaps were identified across all the FISMA control areas that were tested.

OIG reports that each MAC had 4-7 gaps related to policies and procedures to reduce risk. The evaluations showed that the most common security gaps were policies and procedures related to mobile device encryption, platform patch management, and external information systems that did not meet CMS requirements.

Each MAC had four to six gaps related to periodic testing of information security controls, including the failure to consistently enforce change management procedures and deficient system security configurations. There were one to three gaps in system security plans, including the failure to consistently enforce access control procedures, the failure to review policies and procedures within 365 days of the previous review date, and having a system security plan that did not reflect the current operating environment.

Each MAC is responsible for developing its own corrective action plan to address the high and medium risk security gaps identified by PwC. Each MAC must ensure that each of the identified gaps is remediated in a timely manner.

OIG has recommended that CMS continue with its oversight of MACs and should ensure that each MAC remediate all the identified high and medium-risk gaps in a timely manner.

The post OIG: 16% Increase in Security Gaps in Medicare Contractors’ Information Security Programs appeared first on HIPAA Journal.

NIST Publishes Draft of Updated Cybersecurity Framework

Posted by HIPAA Journal

It has been almost three years since the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework. This week, NIST published a new draft – the first since the Framework was published in 2014 – which includes a number of tweaks, clarifications, and additions. However, as NIST points out, the new draft contains relatively minor updates. The Framework has not received a complete overhaul.

According to Matt Barrett, NIST’s program manager for the Cybersecurity Framework, “We wrote this update to refine and enhance the original document and to make it easier to use.” The new version incorporates feedback received following the December request for comments on how the framework is being used for risk management, the sharing of best practices, long term management of the Framework, and the relative value of different elements of the Framework.

The Cybersecurity Framework was originally intended to be used for critical infrastructure to safeguard information assets, although its adoption has been much wider. The Framework is now being used by a wide range of organizations of all types and sizes to reduce cybersecurity risk. The update reflects the wide range of organizations that are now using Framework.

The updated version sees vocabulary added to help organizations use the framework for cyber supply chain risk management and cyber supply chain risk management has been added to the Framework core. In the draft, NIST has also expanded the section on communicating cybersecurity requirements with stakeholders to aid understanding of cyber supply chain risk management.

NIST explains, “A primary objective of cyber SCRM is to identify, assess and mitigate products and services that may contain potentially malicious functionality, are counterfeit or are vulnerable due to poor manufacturing and development practices within the cyber supply chain.”

The access control and identity management definitions have also been updated, clarifying authentication, authorization, and identity proofing. The relationship between implementation tiers and profiles has been explained in detail, and a new section has been added on cybersecurity measurement.

Measuring an organization’s security status over time will enable organizations to convey meaningful risk information. Barret explained that “Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion.”

NIST is seeking comments on “version 1.1” of the Framework by April 10. NIST plans to hold a public workshop on the new version in the fall of this year.

The post NIST Publishes Draft of Updated Cybersecurity Framework appeared first on HIPAA Journal.

Protenus Releases 2016 Healthcare Data Breach Report

Posted by HIPAA Journal

Protenus, in conjunction with Databreaches.net, has published its 2016 healthcare data breach report, summarizing the hacks and mishaps that have resulted in patient and health plan members’ protected health information being exposed or stolen.

Fortunately, 2016 has not seen the mega data breaches of 2015, although it has been far from a good year. More than 27 million healthcare records were stolen in 2016 across 450 reported data breaches. The total number of breached records may be down year on year, but the total number of incidents has increased. 2016 has been the worst year for healthcare industry breaches since records first started being kept.

The Protenus 2016 healthcare data breach report includes data breaches that have already been reported to the Department of Health and Human Services’ Office for Civil Rights, in addition to those that have been disclosed to the media but not yet uploaded to the OCR breach portal.

In total, there were 27,314,647 individuals affected by healthcare data breaches in 2016, with detailed information available for 380 of the 450 incidents. More than one healthcare data breach was reported every single day, on average, in 2016.

Data breaches fluctuated throughout 2016, with no clear trend emerging. The worst months of the year – in terms of the number of records breached – were June and August. In June, 10,880,605 healthcare records were exposed or stolen. 9,096,515 records were breached in August.

The worst months of 2016 for reported data breaches were November (58 incidents) April (946 incidents) and August (45 incidents). January saw the fewest breaches with 21 incidents reported. January also saw the lowest number of healthcare records exposed, with 104,056 individuals impacted.

Million-record plus data breaches were relatively rare. The largest breach of the year – at Banner Health – saw 3.62 million records exposed.

The 2016 healthcare data breach report shows the majority of security breaches in 2016 involved insiders. Protenus classified insider breaches as those involving accidents caused by human error, data theft by healthcare workers, and snooping on medical records. 43% of the data breaches in 2016 involved insiders, compared to 26.8% of incidents which involved hacking, malware or ransomware.

There were 99 accidental data breaches and 91 breaches caused by insider wrongdoing. Breaches that were the result of insider wrongdoing tended to result in the theft of less data than accidental data breaches. Accidental data breaches exposed three times as many records, on average.

2016 saw an explosion in ransomware attacks with the healthcare industry heavily targeted. The healthcare data breach report indicates only 30 ransomware attacks were reported in 2016. The true figure may be considerably higher. Healthcare organizations are only required to report ransomware attacks if there was a reasonable probability that ePHI was compromised. Covered entities also have up to 60 days to report healthcare data breaches, so a final total for the year will not be available until March 1, 2017. 2016 also saw a rise in other extortion attempts, with hackers gaining access to healthcare data and demanding ransoms not to publish the information.

Hacking may not have been the biggest cause of healthcare data breaches in 2016, but hackers certainly obtained the most records. 120 hacking incidents were included in the report, although the number of records stolen in those attacks was only known for 99 incidents. Even so, the total number of records obtained by hackers was 87% of the annual total – 23,695,069 records.

Healthcare providers were the worst hit in 2016 accounting for 80% of the total breach count. Health plans were second with 10% of attacks, followed by business associate breaches which accounted for 6.3% of the total. 4% of breaches affected other entities.

The report shows healthcare organizations are slow to detect breaches. The report indicates the average time to discover data breaches was 233 days, although insider breaches took considerably longer. Cases of insider wrongdoing took an average of 607 days to discover that ePHI had been breached. Protenus reports the average time from the breach to reporting the incident to HHS was 344 days.

The post Protenus Releases 2016 Healthcare Data Breach Report appeared first on HIPAA Journal.

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000.

In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative Law Judge rule that civil monetary penalties previously imposed on a covered entity – Lincare Inc. – by OCR were lawful, bringing the total to thirteen for 2016. Lincare was only the second healthcare organization required to pay a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act. All other organizations opted to settle with OCR voluntarily.

Financial penalties are not always appropriate. OCR prefers to settle potential HIPAA violations using non-punitive measures. Financial penalties are reserved for the most severe violations of HIPAA Rules, when widespread non-compliance is discovered, or in cases where healthcare organizations have blatantly disregarded HIPAA Rules.

While largescale breaches of PHI may warrant financial penalties and will have an impact on the final settlement amount, OCR has resorted to financial penalties when relatively few individuals have been impacted by healthcare data breaches. This year has seen two settlements with organizations for breaches that have impacted fewer than 500 individuals – New York Presbyterian Hospital and Catholic Health Care Services of the Archdiocese of Philadelphia – and one civil monetary penalty – Lincare Inc.

A summary of 2016 HIPAA settlements with the Office for Civil Rights is detailed in the table below:

 

Summary of 2016 HIPAA Settlements

 

Covered Entity Date Amount Breach that triggered OCR investigation Individuals impacted
University of Massachusetts Amherst (UMass) November, 2016 $650,000 Malware infection 1,670
St. Joseph Health October, 2016 $2,140,500 PHI made available through search engines 31,800
Care New England Health System September, 2016 $400,000 Loss of two unencrypted backup tapes 14,000
Advocate Health Care Network August, 2016 $5,550,000 Theft of desktop computers, loss of laptop, improper access of data at business associate 3,994,175 (combined total of three separate breaches)
University of Mississippi Medical Center July, 2016 $2,750,000 Unprotected network drive 10.,000
Oregon Health & Science University July, 2016 $2,700,000 Loss of unencrypted laptop / Storage on cloud server without BAA 4,361 (combined total of two breaches)
Catholic Health Care Services of the Archdiocese of Philadelphia June, 2016 $650,000

 

 Theft of mobile device 412 (Combined total)
New York Presbyterian Hospital

 

 April, 2016 $2,200,000 Filming of patients by TV crew Unconfirmed
Raleigh Orthopaedic Clinic, P.A. of North Carolina April, 2016 $750,000 Improper disclosure to business associate 17,300
Feinstein Institute for Medical Research March, 2016 $3,900,000 Improper disclosure of research participants’ PHI 13,000
North Memorial Health Care of Minnesota March, 2016 $1,550,000 Theft of laptop computer / Improper disclosure to business associate (discovered during investigation) 299,401
Complete P.T., Pool & Land Physical Therapy, Inc. February, 2016 $25,000 Improper disclosure of PHI (website testimonials) Unconfirmed
Lincare, Inc.

 

 February, 2016* $239,800 Improper disclosure (unprotected documents) 278

*Civil monetary penalty confirmed as lawful by an administrative law judge

 

The largest HIPAA settlement of 2016 –  and the largest HIPAA settlement ever agreed with a single covered entity – was announced in August. OCR agreed to settle potential HIPAA violations with Advocate Health Care Network for $5.5 million.

The previous largest HIPAA settlements were agreed with New York-Presbyterian Hospital and Columbia University after PHI was accidentally indexed by search engines. The two entities were required to pay OCR a total of $4.8 million, with $3.3 million covered by New York-Presbyterian Hospital and the remainder by Columbia University. The previous largest HIPAA settlement for a single entity was agreed with Cignet Health ($4.3 million) for denying 41 patients access to their health records.

2017 has started with an early settlement with Presence Health. The $475,000 settlement was solely based on delayed breach notifications – The first time that a settlement has been agreed solely for a HIPAA Breach Notification Rule violation.

Looking forward into 2017 and beyond, the future of HIPAA enforcement activities is unclear. The new administration may cut funding for OCR which would likely have an impact on HIPAA enforcement.

This year will see the completion of the long-delayed second round of HIPAA compliance audits, although it is unlikely that a permanent audit program will commence this year.

Last year, Jocelyn Samuels said OCR will remain “laser-focused on breaches occurring at health care entities,” and that OCR is committed to “maintain an effective enforcement program that addresses industry-wide noncompliance and provides corrective action to protect the greatest number of individuals.”

However, Jocelyn Samuels will be standing down as head of OCR and it is currently unclear who will take her place. While there are a number of suitable candidates for the position, incoming president Trump has a lot on his hands and the appointment of an OCR director is likely to be relatively low down the to do list. When a new OCR director is appointed, we may find that he/she has different priorities for the OCR’s budget.

What we can expect to see in 2017 is a continuation of enforcement actions that have already commenced. HIPAA breach investigations take time to conduct and settlements even longer. The 2016 HIPAA settlements are the result of data breach investigations that were conducted in 2012-2013. The dramatic increase in data breaches in 2014 – and HIPAA violations that caused those breaches – may well see 2017 become another record-breaking year for HIPAA settlements.

The post OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements appeared first on HIPAA Journal.

Warning for Healthcare Organizations that use MongoDB Databases

Posted by HIPAA Journal

Over the course of the past two weeks, the number of organizations that have had their MongoDB databases accessed, copied, and deleted has been steadily growing.

Ethical Hacker Victor Gevers discovered in late December that many MondoDB databases had been left unprotected and were freely accessible over the Internet by unauthorized individuals. By January 6, he reported that 13 organizations had had their databases copied and deleted. In their place was a new database containing nothing but a ransom demand. The hacker responsible offered to return the data once a ransom payment had been made – in this case 0.2 Bitcoin ($175).

The number of affected organizations has rapidly increased over the past few days. Today, more than 32,000 organizations have been issued with ransom demands and have had their databases deleted, including Emory Healthcare.

Emory Healthcare is not the only U.S. healthcare organization to have left databases exposed. MacKeeper security researcher Chris Vickery has identified another potential healthcare victim. A database used by WAMC Sleep Clinic – which operates the website militarysleep.org – has also been left exposed.

The database, which contains 2GB of information, includes details of 1,200 veterans who suffer from sleep disorders and have registered with the Sleep Clinic. The database contains sensitive information such as veterans’ names, email addresses, home addresses, former rank in the military, and their history of use of the site. The database also contains chat logs of conversations between doctors and veterans. Those logs contain highly sensitive details of patients’ medical conditions.

As with other organizations that have left their MongoDB databases in the default configuration, information can be accessed by anyone who knows where to look. No login credentials are required. Databases can be accessed without the need for usernames or passwords or any authentication.

The problem affects organizations that are using older versions of MongoDB. MongoDB had, in previous versions, been set with unrestricted remote access turned on as default. While later versions of the database platform had this changed with remote access set to off in the default configuration, many organizations are still using older versions and not changed the configuration settings to prevent unrestricted data access.

Unfortunately, many individuals have started to access unprotected MongoDB databases and have deleted data and issued ransom demands. One well known organized ransomware gang has also got involved and is attempting to extort money from 21,000+ organizations.

While some of these ‘hackers’ have exfiltrated data prior to deleting databases, others have not. Ransom demands are being issued nonetheless, although since no copy of the data has been taken, recovery will be impossible even if a ransom payment is made.

Healthcare organizations that use MongoDB databases should ensure that their security settings are updated to prevent remote access by unauthorized individuals. Given the number of organizations already attacked, failure to do so is likely to result in data being hijacked, or worse, permanently deleted. Gevers suggests there are more than 99,000 organizations that have misconfigured MongoDB databases and are therefore at risk.

The post Warning for Healthcare Organizations that use MongoDB Databases appeared first on HIPAA Journal.

Warning for Healthcare Organizations that use MongoDB Databases

Posted by HIPAA Journal

Over the course of the past two weeks, the number of organizations that have had their MongoDB databases accessed, copied, and deleted has been steadily growing.

Ethical Hacker Victor Gevers discovered in late December that many MondoDB databases had been left unprotected and were freely accessible over the Internet by unauthorized individuals. By January 6, he reported that 13 organizations had had their databases copied and deleted. In their place was a new database containing nothing but a ransom demand. The hacker responsible offered to return the data once a ransom payment had been made – in this case 0.2 Bitcoin ($175).

The number of affected organizations has rapidly increased over the past few days. Today, more than 32,000 organizations have been issued with ransom demands and have had their databases deleted, including Emory Healthcare.

Emory Healthcare is not the only U.S. healthcare organization to have left databases exposed. MacKeeper security researcher Chris Vickery has identified another potential healthcare victim. A database used by WAMC Sleep Clinic – which operates the website militarysleep.org – has also been left exposed.

The database, which contains 2GB of information, includes details of 1,200 veterans who suffer from sleep disorders and have registered with the Sleep Clinic. The database contains sensitive information such as veterans’ names, email addresses, home addresses, former rank in the military, and their history of use of the site. The database also contains chat logs of conversations between doctors and veterans. Those logs contain highly sensitive details of patients’ medical conditions.

As with other organizations that have left their MongoDB databases in the default configuration, information can be accessed by anyone who knows where to look. No login credentials are required. Databases can be accessed without the need for usernames or passwords or any authentication.

The problem affects organizations that are using older versions of MongoDB. MongoDB had, in previous versions, been set with unrestricted remote access turned on as default. While later versions of the database platform had this changed with remote access set to off in the default configuration, many organizations are still using older versions and not changed the configuration settings to prevent unrestricted data access.

Unfortunately, many individuals have started to access unprotected MongoDB databases and have deleted data and issued ransom demands. One well known organized ransomware gang has also got involved and is attempting to extort money from 21,000+ organizations.

While some of these ‘hackers’ have exfiltrated data prior to deleting databases, others have not. Ransom demands are being issued nonetheless, although since no copy of the data has been taken, recovery will be impossible even if a ransom payment is made.

Healthcare organizations that use MongoDB databases should ensure that their security settings are updated to prevent remote access by unauthorized individuals. Given the number of organizations already attacked, failure to do so is likely to result in data being hijacked, or worse, permanently deleted. Gevers suggests there are more than 99,000 organizations that have misconfigured MongoDB databases and are therefore at risk.

The post Warning for Healthcare Organizations that use MongoDB Databases appeared first on HIPAA Journal.

FDA Confirms Muddy Waters’ Claims that St. Jude Medical Devices Can be Hacked

Posted by HIPAA Journal

The U.S. Food and Drug Administration (FDA) issued a safety communication Tuesday about cybersecurity flaws in certain St. Jude Medical cardiac devices and the Merlin@home transmitter after it was confirmed the devices could potentially be remotely accessed by unauthorized individuals.

The FDA confirmed that unauthorized users could “remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter,” potentially causing patients to be harmed. The flaws would allow an attacker to deplete the battery on implanted devices, alter pacing, or trigger shocks.

The FDA confirmed that there have been no reported instances of the cybersecurity flaws being exploited to cause harm to patients to date and patients have been advised to continue using the devices as instructed by their healthcare providers.

A patch to address the flaws has been developed and will be automatically applied this week. However, in order for the Merlin@home device to receive the update it must be left plugged in and connected to the Merlin Network.

The cybersecurity vulnerabilities were discovered by researchers at MedSec as part of a study into cybersecurity measures used to protect implantable medical devices. MedSec passed on details of the research to Muddy Waters last summer. In August 2016, Muddy Waters published a report criticizing St. Jude Medical for allowing ‘stunning cybersecurity flaws’ to remain unaddressed in its Merlin@home system and its associated defibrillators and pacemakers. St. Jude Medical denied the claims and sued Muddy Waters for disseminating ‘false and misleading’ information.

However, since the revelations were made in August, Abbott Laboratories, which recently acquired St. Jude Medical in a $25 billion deal, has been conducting its own investigations into device security. Abbott Laboratories has worked closely with both the FDA and the Department of Homeland Security to ensure that its pacemakers, defibrillator devices, and their associated systems are adequately protected and access by unauthorized individuals is blocked. The FDA has reviewed the software patch and has confirmed that it addresses the “greatest risks” and reduces the potential for exploitation and patient harm.

Carson Block, founder of Muddy Waters, issued a statement about the FDA announcement saying it “reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities.” However, while critical security vulnerabilities have been addressed, Block said “the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.”

In the safety communication, the FDA reminded consumers that “any medical device connected to a communications network (e.g. wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users.” The FDA went on to say “the increased use of wireless technology and software in medical devices, however, can also often offer safer, more efficient, convenient and timely health care delivery.”

Cybersecurity Guidance for Medical Device Manufacturers

In December 2016, the FDA published its final cybersecurity guidance for medical device manufacturers. The document details measures that medical device manufacturers should adopt to ensure post-market devices are routinely assessed for vulnerabilities that could be exploited by hackers. The FDA released guidance in 2014 covering pre-market submissions for the management of cybersecurity in medical devices.

The post FDA Confirms Muddy Waters’ Claims that St. Jude Medical Devices Can be Hacked appeared first on HIPAA Journal.

Patients Holding Back Health Information Over Fears of Data Privacy

Posted by HIPAA Journal

A fully interoperable health system is becoming closer to reality. Barriers to health data sharing are being removed and the ONC and HHS’ Office for Civil Rights are stepping up their efforts to prevent information blocking by healthcare providers.

However, in order for information to be able to flow, it is essential that information is collected. If healthcare providers and other healthcare organizations only have access to partial medical histories, the usefulness of health data will be limited.

Unfortunately, many patients are reluctant to provide their full medical histories to their healthcare providers, and even when information is provided, many patients do not want that information shared with anyone other than their primary healthcare provider.

Privacy and security issues are a major concern, and the problem is growing. As healthcare data breaches continue to increase year on year, consumer confidence is decreasing. This has a direct impact on the willingness of patients to share their health data.

Important Medical Information is Being Withheld by Patients

The extent to which patients are withholding information has recently been highlighted by a Black Book survey. Between September and December 2016, Black Book conducted a national poll on 12,090 adult consumers to assess patients’ confidence in healthIT and the extent to which they have been willing to share their health information.

The results of the survey clearly show that patients are extremely concerned about the privacy of their data and believe that sensitive health information is being shared without their knowledge. There are also serious concerns about healthcare organizations’ abilities to protect health information and ensure that it remains private.

For the Black Book survey, consumers were asked about the contact they had had with technology used by their physician, hospital, and other healthcare organizations over the past 12 months, including mobile apps, patient portals, and electronic health records.

57% of respondents who had experience of these health technologies said they were concerned about the privacy protections put in place and whether their data could be kept private.

87% of Patients Unwilling to Share their Full Medical Histories

Consumer confidence in privacy and security measures put in place by healthcare providers appears to be at an all time low. In the last quarter of 2016, Black Book reports that 87% of patients were unwilling to comprehensively share all of their health information with their providers. 89% of consumers who had visited a healthcare provider in 2016 said they had withheld some information during their visits.

While certain types of information are openly shared, healthcare patients are particularly concerned about sharing highly sensitive data. Many feel that those data are being shared without their knowledge.

90% of respondents said they were concerned about details of their pharmacy prescriptions being shared beyond their chosen provider and payer, and that information was being shared with the government, retailers, and employers. 81% were concerned that information about chronic conditions was being shared without their knowledge, and 99% were concerned about the sharing of mental health notes. 93% of respondents said they were concerned about their personal financial information being shared.

According to Black Book Managing Partner Doug Brown, “Incomplete medical histories and undisclosed conditions, treatment or medications raises obvious concerns on the reliability and usefulness of patient health data in application of risk based analytics, care plans, modeling, payment reforms, and population health programming.” In a statement issued about the findings of the survey he said, “This revelation should force cybersecurity solutions to the top of the technology priorities in 2017 to achieve tangible trust in big data dependability.”

Providers’ Expertise with Technology Inspires Trust

Providers can do more to improve patients’ confidence in technology by demonstrating that they know how to use it. Patients do not appear to have an issue with the technology itself. Only 5% of respondents said they mistrusted the technology. However, 69% of respondents said their current primary care physician did not display enough technology prowess for them to be able to trust that individual with all of their data. 84% of respondents said their level of trust in their provider was influenced by how that provider used technology.

Patients are also having trouble using technology. 96% of consumers said they had left physicians’ offices “with poorly communicated or miscommunicated instructions on patient portal use,” and 83% reported having difficulty using the portal at home. Only 40% of patients said they had tried to use the portal in their physician’s office.

The survey also revealed that patients believe the data they are collecting via personal wearable devices is important. 91% of consumers said their physician practice’s medical record system should store any health-related data they request. However, most physicians do not want access to so much information. 94% of physicians that responded to this section of the survey said much of the personally collected health information is redundant and would be unlikely to make a clinical difference. Furthermore, so much information is now being collected that they are becoming overwhelmed by data.

The post Patients Holding Back Health Information Over Fears of Data Privacy appeared first on HIPAA Journal.

Largest Healthcare Data Breaches of 2016

Posted by HIPAA Journal

 

2016 was a particularly bad year for healthcare data breaches. While the numbers of records exposed was nowhere near the level of 2015 – 15,936,849 records compared to 113,267,174 in 2015 – more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of the number of patient and health plan members’ records that have been exposed in a single year.

As 2017 begins, there have been 313 reported breaches of more than 500 records that have been uploaded to the OCR breach portal.

2016 Healthcare Data Breaches of 500 or More Records

 

Year Number of Breaches Number of Records Exposed
2016 313 15,936,849
2015 270 113,267,174
2014 307 12,737,973
2013 274 6,950,118
2012 209 2,808,042
2011 196 13,150,298
2010 198 5,534,276
2009 18 134,773
Total 1785 170,519,503

 

While the above figures appear to suggest a significant reduction in large healthcare data breaches year on year, the figures are somewhat misleading.

In 2015 there were three massive data breaches reported by covered entities: Anthem Inc., Premera Blue Cross, and Excellus Health Plan. Those three cyberattacks resulted in the theft of 78.8 million records, 11 million, and 10 million records respectively.

More records may have been exposed in 2015 as a result of those major cyberattacks, although in each size category, 2016 ranked worse than 2015. Many healthcare organizations will be happy to put 2016 behind them.

 

Year 2016 Healthcare Data Breaches
500 to 1000 Records 1,000 to 10,000 Records 10,000 to 100,000 Records 100,001+ Records
2016 13 62 151 86
2015 12 37 142 76

 

Aside from one major breach at a business associate, all of the largest healthcare data breaches of 2016 – those that resulted in the exposure or theft of more than 100,000 healthcare records – affected healthcare providers. The largest data breach experienced by a health plan was the 91,187-record breach reported by Washington State Health Care Authority in September.

Largest Healthcare Data Breaches of 2016

 

Rank Covered Entity Entity Type Cause of Breach Records Exposed
1 Banner Health Healthcare Provider Hacking/IT Incident 3,62,0000
2 Newkirk Products, Inc. Business Associate Hacking/IT Incident 3,466,120
3 21st Century Oncology Healthcare Provider Hacking/IT Incident 2,213,597
4 Valley Anesthesiology Consultants Healthcare Provider Hacking/IT Incident 882,590
5 County of Los Angeles Departments of Health and Mental Health Healthcare Provider Hacking/IT Incident 749,017
6 Bon Secours Health System Incorporated Healthcare Provider Unauthorized Access/Disclosure 651,971
7 Peachtree Orthopaedic Clinic Healthcare Provider Hacking/IT Incident 531,000
8 Radiology Regional Center, PA Healthcare Provider Loss 483,063
9 California Correctional Health Care Services Healthcare Provider Theft 400,000
10 Central Ohio Urology Group, Inc. Healthcare Provider Hacking/IT Incident 300,000
11 Premier Healthcare, LLC Healthcare Provider Theft 205,748
12 Athens Orthopedic Clinic, P.A. Healthcare Provider Unauthorized Access/Disclosure 201,000
13 Community Mercy Health Partners Healthcare Provider Improper Disposal 113,528

 

Main Causes of Healthcare Data Breaches in 2016

Insider breaches continue to plague the healthcare industry in the United States. As in 2015, the main cause of healthcare data breaches in 2016 was unauthorized access/disclosure. Hacking incidents on the scale of those at Anthem, Premera, and Excellus were not repeated in 2016, but 2016 saw a major increase in healthcare hacks.

The loss and theft of unencrypted devices used to store PHI fell considerably year on year, although the use of data encryption technology could have prevented all 76 of those data breaches and the exposure of 1,459,816 healthcare records.

Main Cause of Breach 2016 2015
Unauthorized Access/Disclosure 127 102
Hacking/IT Incident 102 57
Theft 60 81
Loss 16 23
Improper Disposal 7 6

 

2016 Healthcare Data Breaches by Covered Entity

Healthcare data breaches in 2016 followed a similar pattern to 2015, with healthcare providers the main entities breached, although the percentage of breaches affecting health plans was significantly lower in 2015. Data breaches at business associates remained at the same level year on year.

 

Breached Entity 2016 2015
Healthcare Provider 247 196
Health Plan 46 62
Business Associate 19 19

Data Source: Department of Health and Human Services’ Office for Civil Rights

The post Largest Healthcare Data Breaches of 2016 appeared first on HIPAA Journal.