Healthcare Information Technology

KLAS Research: Clinical Communication Platforms Improve Efficiency in Healthcare

The recently published 2021 KLAS Clinical Communication Platform Report has confirmed clinical communication platforms improve efficiency in healthcare, streamline communication across most areas of hospitals, and lead to concrete outcomes, with improvements to clinical communication the biggest benefit.

KLAS Research is a Utah-based company that provides data and insights into health information technology (HIT) that helps healthcare organizations identify HIT solutions that will provide important benefits and a good ROI. KLAS collects data on HIT solutions, including from healthcare industry reports, websites, and feedback from healthcare professionals that are using HIT in the workplace. KLAS analyzes the data, identifies key trends and insights, and produces reports on the findings of its research. The researchers also work with leadership teams at vendors to help them improve their HIT solutions based on user feedback to help them deliver better outcomes.

For its latest Clinical Communication Platform Report, KLAS researchers profiled some of the most innovative and cutting-edge vendors in the field whose solutions are delivering invaluable benefits in healthcare and users of clinical communication platforms were surveyed and asked for their feedback on the solutions they have adopted.

TigerConnect, the leading clinical communication platform provider in the United States, was recognized as having the largest base of acute care customers and for the value its clinical communication platform delivered. Feedback from healthcare professionals that use the platform confirmed it has led to improved efficiency for clinical support staff and improved nurse satisfaction and patient satisfaction and care through timely, efficient communication.

The top outcomes healthcare delivery organizations have achieved by implementing the TigerConnect platform are improved clinician response times, increased transparency into patient teams and schedules, and increased clinician workflow satisfaction with fewer call interruptions and much easier access to communication. TigerConnect customers confirmed the solution has helped improve patient team collaboration in terms of patient transport, bed management and environmental services, increased access to and the secure sharing of patient data, more efficient clinics and outpatient care, and a reduction in readmissions, fewer errors, and a faster crash team response.

“Our administration uses TigerConnect’s solution. If people ask for TigerConnect accounts, we can give them accounts. I don’t know how we would have been able to get through the COVID-19 pandemic without this solution,” said one TigerConnect user.

The solution was highly praised for ease of use coupled with enterprise contracting, which allows simple rollouts by many different user groups to achieve organization-wide efficient communication.

“One outcome that we have achieved with TigerConnect’s solution has been improved communication between our nurses, providers and administration. We can just text someone in administration rather than having to know their personal phone number.,” said one TigerConnect user. “The value of adding two-way asynchronous communication in our clinical areas has been huge. They can always put themselves on ‘do not disturb’ if they don’t want people to text them. When nurses or providers are actively engaged with patients, they can get the information they need with the system, and then return that information.”

This year has seen TigerConnect roll out significant feature enhancements based on customer feedback, and the company has also made key acquisitions of on-call physician scheduling and advanced middleware solutions, deepening the capabilities of its platform considerably.

“2021 has proven a tipping point as healthcare systems evolve their requirements from secure messaging to the most contextual, advanced clinical collaboration experiences. Clinicians are demanding an all-in-one mobile collaboration experience that helps them raise the standard of care and improve patient outcomes,” said Will O’Connor, MD, TigerConnect Chief Medical Information Officer. “The KLAS report validates TigerConnect in our vision to make hospitals and care delivery more agile.”

The post KLAS Research: Clinical Communication Platforms Improve Efficiency in Healthcare appeared first on HIPAA Journal.

NSA/CISA Issue Guidance on Selecting Secure VPN Solutions and Hardening Security

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued new guidance on selecting and improving the security of Virtual Private Networks (VPN) solutions.

VPN solutions allow remote workers to securely connect to business networks. Data traffic is routed through an encrypted virtual tunnel to prevent the interception of sensitive data and to block external attacks. VPNs are an attractive targeted for hackers, and vulnerabilities in VPN solutions have been targeted by several Advanced Persistent Threat (APT) groups. APT actors have been observed exploiting vulnerabilities in VPN solutions to remotely gain access to business networks, harvest credentials, remotely execute code on the VPN devices, hijack encrypted traffic sessions, and obtain sensitive data from the devices.

Several common vulnerabilities and exposures (CVEs) have been weaponized to gain access to the vulnerable devices, including Pulse Connect Secure SSL VPN (CVE-2019-11510), Fortinet FortiOS SSL VPN (CVE-2018-13379), and Palo Alto Networks PAN-OS (CVE_2020-2050). In some cases, threat actors have been observed exploiting vulnerabilities in VPN solutions within 24 hours of patches being made available.

Earlier this year, the NSA and CISA issued a warning that APT groups linked to the Russian Foreign Intelligence Service (SVR) had successfully exploited vulnerabilities in Fortinet and Pulse Secure VPN solutions to gain a foothold in the networks of U.S. companies and government agencies. Chinese nation state threat actors are believed to have exploited a Pulse Connect Secure vulnerability to gain access to the networks of the U.S. Defense Industrial Base Sector. Ransomware gangs have similarly been targeting vulnerabilities in VPNs to gain an initial foothold in networks to conduct double-extortion ransomware attacks.

The guidance document is intended to help organizations select secure VPN solutions from reputable vendors that comply with industry security standards who have a proven track record of remediating known vulnerabilities quickly. The guidance recommends only using VPN products that have been tested, validated and included in the National Information Assurance Partnership (NIAP) Product Compliant List. The guidance recommends against using Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs, which use non-standard features to tunnel traffic via TLS as this creates additional risk exposure.

The guidance document also details best practices for hardening security and reducing the attack surface, such as configuring strong cryptography and authentication, only activating features that are strictly necessary, protecting and monitoring access to and from the VPN, implementing multi-factor authentication, and ensuring patches and updates are implemented promptly.

The post NSA/CISA Issue Guidance on Selecting Secure VPN Solutions and Hardening Security appeared first on HIPAA Journal.

FTC Tells Developers of Health Apps and Wearable Devices to Notify Individuals About Data Breaches

Developers of health apps and wearable devices such as fitness trackers that collect health data have been warned by the Federal Trade Commission (FTC) that they are required to comply with the FTC Health Breach Notification Rule and must notify consumers about data breaches.

The FTC Health Breach Notification Rule was introduced in 2009 as part of the American Recovery and Reinvestment Act of 2009, and requires individuals to be notified if there is a breach of their health data. The Health Breach Notification Rule applies to vendors of personal health records and associated companies, but in a policy statement issued on September 16, 2021, the FTC said health apps and other connected devices that collect or use the health information of U.S. consumers are also covered by Rule. The policy statement was approved during an open meeting on Wednesday by a vote of 3-2.

The FTC Health Breach Notification Rule applies to health apps and wearable devices that collect health information from a consumer and can draw information from multiple sources, such as through an API that allows synching with a device such as a fitness tracker. Compliance will be enforced by the FTC, which has the authority to impose financial penalties. Those penalties can be as high as $43,792 for each day that notifications have not been issued.

Health apps can collect a wide range of sensitive personal and health data, either by directly recording the information through paired sensors, or by individuals entering the data into the apps manually. Health apps have been growing in popularity and usage has increased during the pandemic. Given the wide range of sensitive data stored by the apps, they are an attractive target for cybercriminals.

“As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever,” said the FTC in the policy statement.

A lot of the data collected by health apps would be considered protected health information if collected by a healthcare provider, which would mean the information would be subject to the restrictions on uses and disclosures stipulated by the HIPAA Privacy Rule. Safeguards would need to be implemented to secure the data, in accordance with the HIPAA Security Rule, and a breach of health data would require notifications per the HIPAA Breach Notification Rule. However, unless a health app is developed for use by a HIPAA-covered entity, it falls outside of HIPAA protections.

Health apps often have security features to protect the privacy of users, but they are often limited. There have been calls for HIPAA to be extended to cover health app developers to improve privacy protections for users, or to implement new legislation covering these apps that requires certain standards of privacy and security to be adopted.

The FTC policy statement will at least help to ensure that users of health apps and wearable devices will be notified should a data breach occur, which will allow them to take steps to protect their identities and prevent fraud.

“While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” said FTC Chair Lina M. Khan. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”

The post FTC Tells Developers of Health Apps and Wearable Devices to Notify Individuals About Data Breaches appeared first on HIPAA Journal.

Future of HIPAA: Reflections at the 25th Anniversary of HIPAA

The Health Insurance Portability and Accountability Act is now 25 years old. How effective has this healthcare law been and what is the future of HIPAA?

It is now exactly 25 years to the day since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton. On August 21, 1996, when President Clinton added his signature to the legislation, few people would have realized how HIPAA would evolve and grow into the comprehensive national health privacy law that it is today.

It is difficult to argue that HIPAA has not been an overall success, but the legislation has attracted a fair amount of criticism over the years, especially initially due to the considerable administrative burden it placed on healthcare organizations. On balance, the improvements to healthcare that have come from compliance with HIPAA more than outweigh the negatives.

The biggest successes are the improvements to patient privacy and data security, the rights given to patients with respect to their healthcare data, greater efficiency in the healthcare system, and changes that have helped to reduce waste and healthcare fraud. The improvements have generally been made for relatively little cost.

HIPAA certainly has its strengths, but there are also limitations that have become increasingly apparent in recent years and even now, 25 years after the legislation was first introduced, there is still confusion about what compliance entails.

In this article we will explore the strengths and limitations of HIPAA, assess how effective HIPAA has been, and will explore the future of HIPAA and what can be expected in terms of updates to the legislation. First, however, it is useful to provide a brief recap of the history of HIPAA and how the legislation has evolved over the years.

A Brief History of HIPAA

HIPAA was initially introduced to improve the portability of health insurance coverage for employees between jobs, to combat waste, fraud and abuse in health insurance and healthcare delivery, to promote the use of medical savings accounts by introducing tax breaks, and to simplify the administration of health insurance. The legislation was later augmented with new Rules covering the privacy and security of healthcare data.

Initially, HIPAA only applied to a limited number of entities in the healthcare industry – healthcare providers, health plans, and healthcare clearinghouses, and only those that transmit healthcare data in electronic form for certain transactions for which the HHS maintains standards. The Health Information Technology for Economic and Clinical Health (HITECH) Act expanded the scope of HIPAA to cover business associates of HIPAA covered entities – third-party firms that require access to protected health information (PHI) to provide services or products to covered entities.

Important updates to HIPAA are detailed below:

  • HIPAA Signed into Law by President Bill Clinton – August 1996
  • Effective Date of the HIPAA Privacy Rule – April 2003
  • Effective Date of the HIPAA Security Rule – April 2005
  • Effective Date of the HIPAA Enforcement Rule – March 2006
  • Effective date of HITECH and the Breach Notification Rule – September 2009
  • Effective Date of the Final Omnibus Rule – March 2013

HIPAA’s Strengths and Weaknesses

There are many positives that have come from HIPAA, the best known of which are improving privacy protections for patients and improving the security of healthcare data. HIPAA limits the uses and disclosures of patient data to those related to treatment, payment, or healthcare operations and all covered entities and business associates must implement appropriate administrative, physical, and technical safeguards to ensure patient data are appropriately protected from internal and external threats.

Importantly, HIPAA gave individuals new rights with respect to their healthcare data. Prior to the introduction of the HIPAA Privacy Rule, patients were not even permitted to see their medical files. HIPAA gave individuals the right to obtain and inspect a copy of their healthcare data and request errors be corrected. HIPAA made sure patients are informed about how their healthcare data will be used and disclosed, gave patients the right to further limit disclosures of their health data, and also allowed them to view an “accounting of disclosures” to see who has been provided with their healthcare data.

HIPAA has improved the portability of health insurance for employees between jobs and has helped to prevent discrimination against people with pre-existing conditions when receiving health insurance coverage. Efficiency in healthcare has been improved by standardizing transactions through the use of standard code sets and has helped to significantly reduce waste and fraud in healthcare.

However, it has not all been plain sailing. One of the initial requirements of HIPAA was to create a national patient identifier system, but 25 years on and that requirement has still failed to be implemented. Without a national patient identifier system, it can be difficult identifying patients which can result in medical record mismatching. One ONC study in 2014 suggested between 50% and 60% of records are mismatched when shared between different healthcare providers.

Another weakness of HIPAA is its coverage of healthcare data, which is limited to healthcare data collected, held, processed, stored, or transmitted by HIPAA-covered entities and business associates. If a non-HIPAA-covered entity or non-business associate collects the exact same data, HIPAA protections do not apply.

The HIPAA Rules are not clear in places due to the flexibility built into the legislation, so there is potential for misinterpretation of the requirements and there is still confusion among some HIPAA covered entities and business associates when it comes to compliance.

One criticism often made by patients is the lack of a private cause of action. It is not possible to sue for a HIPAA violation, even if the HIPAA Rules have clearly been violated and harm has been suffered. Legal action can only be taken under state laws.

Has HIPAA Been Effective?

In the early years following the introduction of the HIPAA Privacy and Security Rules, questions were asked about how effective the legislation has been. HIPAA certainly looked good on paper but was less effective in practice and noncompliance was widespread. Even the introduction of the HIPAA Enforcement Rule in 2006, which gave the HHS’ Office for Civil Rights the authority to impose financial penalties and sanctions for noncompliance, failed to have a major effect at spurring covered entities into compliance. Enforcement was also very slow at first. It took until 2008 for the first enforcement action to result in a financial penalty, then there was only one financial penalty in 2009 and just two in 2010.

The first phase of HIPAA compliance audits conducted in 2011/2012 highlighted just how many covered entities had ineffective HIPAA compliance programs. The audits uncovered many violations of both the HIPAA Privacy and Security Rules. Even those violations, some of which were serious, did not result in any financial penalties. Some of the fiercest criticism of HIPAA in the early years was it was all bark and no bite.

The introduction of the HITECH Act was a major turning point in the history of HIPAA. Prior to the HITECH Act, business associates were not covered to a large extent by HIPAA, even though they were frequently provided with PHI. The HITECH Act made the HIPAA Rules directly applicable to business associates, which could then be fined directly if they did not also comply with the HIPAA Rules. Business associates include a huge range of third-party companies such as accountants, attorneys, billing companies, collection agencies, consultants, data analysts, and IT firms, so the HITECH Act, and subsequent Omnibus Rule, addressed that major gap.

The introduction of the HITECH Act also saw the penalties for noncompliance significantly increased and OCR also increased its HIPAA enforcement activities. With major fines issued for HIPAA violations, HIPAA compliance became a major focus for HIPAA-covered entities and business associates.

Enforcement of compliance has been critical to the success of HIPAA and while there are still many cases each year of noncompliance, on the whole the requirements of HIPAA have been largely implemented and the benefits of HIPAA are being realized.

Issues with Patient Access to PHI

Since the 2000 HIPAA Privacy Rule was introduced, patients have been given the right to obtain a copy of their own healthcare data, or to have that data sent to their nominated representative. The HITECH Act updated that right and helped individuals obtain a copy of their health data in electronic form, due to the increasing use of electronic health record systems.

While healthcare organizations have implemented policies that allow patients to exercise their access rights, many patients have experienced problems obtaining a copy of their healthcare data. They have either been refused access, requests have been delayed, and patients have been charged excessive fees for exercising their access rights – HIPAA only permits covered entities to charge a reasonable, cost-based fee for providing records.

One of the requirements of the 21st Century Cures Act, introduced in 2016, was to call on the Government Accountability Office to report on the barriers to patient medical record access and following assessments the HHS’ Office for Civil Rights launched a new HIPAA enforcement initiative targeting violations of the HIPAA Right of Access of the HIPAA Privacy Rule in the fall of 2019. That enforcement initiative is still active and, up until the end of July 2021, OCR has imposed 19 financial penalties on healthcare providers found to have been in violation of the HIPAA Right of Access.

Prior to the OCR enforcement initiative, only one financial penalty had been imposed for violations of this important right and that was the $4,300,000 financial penalty imposed on Cignet Health of Prince George’s County in 2011 for denying 741 patients access to their medical records.

HIPAA has Improved Healthcare Data Security

Prior to the introduction of the HIPAA Security Rule, healthcare organizations only had to comply with state laws covering data security. The Security Rule set new minimum standards for data security to ensure the confidentiality, integrity, and availability of electronic PHI. The Security Rule requires risk analyses to be conducted and risks reduced to a reasonable and acceptable level. Access controls are required to prevent unauthorized access to healthcare data, logs must be maintained and checked to identify unauthorized access, backups of data must be made, measures must be implemented to protect against reasonably anticipated, impermissible uses or disclosures, and staff must be provided with security awareness training.

Data security has improved, but data breaches are now occurring at records levels. For the past 5 months, data breaches have been reported by healthcare organizations and business associates at a rate of over 2 per day, but without the Security Rule requirements, far more breaches would be likely to occur.

The HIPAA Security Rule does have weaknesses. To remain relevant the HIPAA Security Rule had to be technology agnostic, so specific measures for security are generally not stipulated. It is left to the discretion of each entity to determine what constitutes “reasonable” protections. If the Security Rule was more specific with regard to required security protections, many more data breaches could be prevented.

The Security Rule also only applies to HIPAA covered entities and business associates, not to any other entity. It therefore has limited reach, and does not cover health data collected by health apps, or the huge volumes of data collected and sold by data brokers. There is therefore considerable scope for improvement to better protect all health data.

The HIPAA Security Rule also calls for security awareness training for staff but does not stipulate how frequently it should be provided. With the threat landscape constantly changing, regular training must be provided to the workforce to ensure employees are kept aware of the latest threats and are taught how to avoid them. Many covered entities and business associates are compliant with this requirement yet fail to provide training regularly enough to prevent cyberattacks and the associated privacy violations.

How Has HIPAA Fared with Changing Technology?

No legislative act will be able to maintain pace with the pace at which technology has evolved, especially one covering the healthcare industry. This is why HIPAA provided a framework rather than specifics and incorporated flexibility to accommodate for changes to healthcare technology and evolving privacy and security best practices.

Updates have been made over the years which have amended HIPAA to maintain relevance, such as the 2008 Genetic Information Non-discrimination Act (GINA) which restricts the use of individuals’ genetic data by health insurers and employers and the American Recovery and Reinvestment Act, of which the HITECH Act was part, which strengthened HIPAA in relation to the adoption of EHRs.

However, many new technologies have emerged over the years that are not covered by HIPAA. Personal electronic devices are extensively used which can collect huge amounts of personal and health data, such as fitness trackers and other wearable devices and smartphones have made it much easier for individuals to obtain, use, and share healthcare data.

Many of these devices collect data that would fall under the category of PHI if created or collected by a HIPAA-covered entity but are not within the scope of HIPAA, even though the same data are often collected by those devices. The extent to which these devices are now being used, and the sheer volume of digital health and wellness data being generated outside the healthcare system by individuals, is a growing cause of concern. Without the protections of HIPAA, healthcare data may not be properly protected and could be shared extensively or sold on with ease.

The HIPAA Privacy Rule does not adequately cover the collection of healthcare data, as it only covers uses and disclosures by certain entities. It does not apply to health data itself, and this could be argued is one of the biggest failures of HIPAA. The same is true of the HIPAA Security Rule, which also has a restrictive scope and only calls for administrative, physical, and technical safeguards for the healthcare data held, received, or transmitted by HIPAA-covered entities and their business associates.

Healthcare data is extremely valuable, and not only to bad actors such as cybercriminals. Cybercriminals can use healthcare data for fraud and identity theft, but it also has tremendous value to a wide range of businesses. Healthcare and wellness data can be used by insurers to gauge risk – which can affect insurance premiums. Employers can use health data to make decisions about potential new hires, and all manner of other businesses can use the data to make decisions about individuals that could have significant consequences for the data subjects.

The question about whether HIPAA should be updated to cover all healthcare data has yet to be fully answered. Many attempts have been made to introduce legislation to cover all healthcare data, but each has failed to make it through the Senate.

The scope of HIPAA could be expanded to include individually identifiable health information collected, used, transmitted, or maintained by non-HIPAA covered entities and non-business associates. Alternatively, new separate legislation is required to cover healthcare data not currently regulated by HIPAA. The solution could well be to leave HIPAA as it is and to instead introduce a national privacy law akin to the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

HIPAA Training and Education Need to Improve

HIPAA is not perfect and there are still significant gaps in the legislation, something that the coronavirus pandemic has highlighted. HIPAA doesn’t extend to the army of contact tracers and the data they collect, nor does it adequately cover exposure notification apps and may disclosures of COVID-19 related data. This is an area, like personal health apps, that needs to be addressed as there is considerable potential for privacy violations.

Vaccination programs have highlighted several areas where education needs to be improved. There have been many cases of HIPAA being cited as a reason not to disclose or share vaccination data, when HIPAA does not place restrictions on disclosures of vaccination information by individuals to employers or others.

Training remains a key issue with HIPAA and is often a much bigger weakness than technology or the HIPAA text itself. It is often uninformed people, and not healthcare technology and privacy and security controls, that are the reason for security breaches and privacy violations. While updates to HIPAA are needed, improvements need to be made to training programs to ensure all individuals with access to PHI or systems containing PHI are aware of their responsibilities and are trained how to be HIPAA-compliant employees.

Training needs to be appropriate to the role of each individual and training needs to be reinforced. Regular training sessions need to be provided to the workforce to make sure that the requirements of HIPAA are fully understood and are not forgotten over time. At many covered entities and business associates, employee training on HIPAA is not provided frequently enough.

Proposed Updates to the HIPAA Privacy Rule

Ahead of the 25-year anniversary of the HIPAA Privacy Rule, a significant update was proposed by the HHS. The proposed update published by the HHS in 2020 is intended to address several aspects of the Privacy Rule that are hampering care coordination and adding an unnecessary administrative burden on healthcare providers.

One of the main reasons for the update, according to then HHS Secretary Alex Azar, was to “break down barriers that have stood in the way of common sense care coordination and value-based arrangements for far too long.” The proposed update will improve care coordination and case management for patients, allow families and caregivers to become more involved in the provision of care to individuals, improve patients’ access to their health data, and will introduce new flexibilities covering disclosures of PHI in emergency and threatening situations, while also reducing the administrative burden on healthcare organizations. These updates have been long overdue but there has been criticism that the updates do not go far enough, and that some of the suggested updates are ill-advised.

One of the aspects addressed in the update will make it easier for patients to obtain a copy of their electronic healthcare data, but there are potential privacy and security risks with the change. Patients will be given the “right to direct the transmission of certain protected health information in an electronic format to a third party.” This right will help patients share their healthcare data with research organizations, but there are concerns that this change could have a negative impact on patients. Patients could request their health data be sent to anyone they choose, when the transmission of data to an entity not covered by the protections of HIPAA carries a security risk. The new right will certainly give patients much greater access and control over their personal data, but potentially it increases the risks that PHI may fall into the hands of bad actors.

The Future of HIPAA

HIPAA has been a great success, but it is far from perfect. There are still areas that require tweaking to improve usability and remove some of the administrative burden placed on HIPAA-covered entities. Proposed updates to the HIPAA Privacy Rule go some way to addressing some of the issues, but for many, the new HIPAA regulations that have been proposed do not go nearly far enough and some of the proposed changes have potential to cause privacy issues.

Overall, for legislation that is 25 years old, HIPAA has, with its various amendments, survived the test of time and is even more relevant and useful now than it was when it was first signed into law in 1996. HIPAA should be viewed as a work in progress though, and as far as the Future of HIPAA is concerned, there are likely to need to be further updates to ensure it remains relevant and effective.

Future of HIPAA FAQs

Does HIPAA cover all healthcare data?

HIPAA covers identifiable healthcare data, which is any healthcare data created, collected, transmitted, or maintained by a HIPAA-covered entity or business associate for treatment, payment for healthcare, or healthcare operations relating to the past, present, or future health status of an individual. Health data is not covered by HIPAA if it is created, stored, or transmitted by a non-HIPAA-covered entity or non-business associate.

Who does HIPAA apply to?

HIPAA applies to HIPAA-covered entities and their business associates. HIPAA-covered entities are healthcare providers, health plans, and healthcare clearinghouses that conduct electronic transactions involving PHI for which the HHS has developed standards. Business associates are vendors that provide products or services to HIPAA-covered entities that requires contact with PHI. HIPAA does not apply to other entities such as reporters, senators, individuals, and most employers.

Are there privacy risks associated with health apps?

Health apps, fitness trackers, and other wearable devices are not generally covered by HIPAA, nor are the data they collect or transmit. Without the protection of HIPAA, health app developers may use, disclose, or sell health data collected through the apps, and the security measures implemented may not meet HIPAA standards. There may be privacy and security risks associated with the use of these apps and devices.

Does HIPAA prevent disclosures of COVID-19 vaccination information?

Many people hide behind HIPAA and use the regulation as an excuse not to answer questions. One of the most notable recent examples, of which there are many, came from Marjorie Taylor Greene when asked about her vaccination status and cited HIPAA as the reason she could not disclose the information. HIPAA does not prevent such discloses. It only places restrictions on uses and disclosures by healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities.

How often does HIPAA training need to be provided?

HIPAA training must be provided to all healthcare employees within a reasonable period of time after the person joins the covered entity’s workforce, as well as when functions are affected by a material change in policies or procedures and following any updates to the HIPAA Rules. HIPAA refresher training should also be provided at least annually, and no later than every two years. Annual training is the best practice.

The post Future of HIPAA: Reflections at the 25th Anniversary of HIPAA appeared first on HIPAA Journal.

The Average Cost of a Healthcare Data Breach is Now $9.42 Million

IBM Security has published its 2021 Cost of a Data Breach Report, which shows data breach costs have risen once again and are now at the highest level since IBM started publishing the reports 17 years ago. There was a 10% year-over-year increase in data breach costs, with the average cost rising to $4.24 million per incident. Healthcare data breaches are the costliest, with the average cost increasing by $2 million to $9.42 million per incident. Ransomware attacks cost an average of $4.62 million per incident.

Source: IBM Security

The large year-over-year increase in data breach costs has been attributed to the drastic operational shifts due to the pandemic. With employees forced to work remotely during the pandemic, organizations had to rapidly adapt their technology. The pandemic forced 60% of organizations to move further into the cloud. Such a rapid change resulted in vulnerabilities being introduced and security often lagged behind the rapid IT changes. Remote working also hindered organizations’ ability to quickly respond to security incidents and data breaches.

According to IBM, data breaches costs were more than $1 million higher when remote work was indicated as a factor in the data breach. When remote work was a factor, the average data breach cost was $4.96 million compared to $3.89 million when remote work was not a factor. Almost 20% of organizations that reported data breaches in 2020 cited remote work as a factor, with the cost of a data breach around 15% higher when remote work was a factor.

To compile the report, IBM conducted an in-depth analysis of data breaches involving fewer than 100,000 records at 500 organizations between May 2020 and March 2021, with the survey conducted by the Ponemon Institute.

The most common root cause of data breaches in the past year were compromised credentials, which accounted for 20% of data breaches. These breaches took longer to detect and contain, with an average of 250 days compared to an overall average of 212 days.

The most common types of data exposed in data breaches were customers’ personal data such as names, email addresses, passwords, and healthcare data. 44% of all data breaches included those types of data. A data breach involving email addresses, usernames, and passwords can easily have a spiral effect, as hackers can use the compromised data in further attacks. According to the Ponemon Institute survey, 82% of individuals reuse passwords across multiple accounts.

Breaches involving customers’ personally identifiable information (PII) were more expensive than breaches involving other types of data, with a cost per record of $180 when PII was involved compared to $161 per record for other types of data.

Data breach costs were lower at companies that had implemented encryption, security analytics, and artificial intelligence-based security solutions, with these three mitigating factors resulting in data breach cost savings of between $1.25 million and $1.49 million per data breach.

Adopting a zero-trust approach to security makes it easier for organizations to deal with data breaches. Organizations with a mature zero trust strategy had an average data breach cost of $3.28 million, which was $1.76 million lower than those who had not deployed this approach at all.

“Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic,” said Chris McCurdy, Vice President and General Manager, IBM Security. “While data breach costs reached a record high over the past year, the report also showed positive signs about the impact of modern security tactics, such as AI, automation and the adoption of a zero-trust approach – which may pay off in reducing the cost of these incidents further down the line.”

Security automation greatly reduces data breach costs. Organizations with a “fully deployed” security automation strategy had average breach costs of $2.90 million per incident, compared to $6.71 million at organizations that had no security automation.

Companies with an incident response team that had tested their incident response plan had 54.9% lower breach costs than those that had neither. The average data breach cost was $3.25 million compared to $5.71 million when neither were in place.

The cost of a data breach was $750,000 (16.6%) higher for companies that had not undergone any digital transformation due to COVID-19. Cloud-based data breach costs were lower for organizations that had adopted a hybrid cloud approach, with an average cost of $3.61 million at organizations with hybrid cloud infrastructure compared to $4.80 million for organizations with a primarily public cloud and $4.55 million for those that had adopted a private cloud approach. Data breach costs were 18.8% higher when a breach was experienced during a cloud migration project.

Organizations that were further into their cloud migration plan were able to detect and respond to data breaches far more quickly – on average 77 days more quickly for organizations that were at a mature state of their cloud modernization plan than those in the early stages.

Mega data breaches – those involving between 50 million and 65 million records – cost an average of $401 million per incident, which is more than 100 times the cost of breaches involving between 1,000 and 100,0000 records.

The post The Average Cost of a Healthcare Data Breach is Now $9.42 Million appeared first on HIPAA Journal.

NIST Publishes Critical Software Definition for U.S. Agencies

President Biden’s Cybersecurity Executive Order requires all federal agencies to reevaluate their approach to cybersecurity, develop new methods of evaluating software, and implement modern security approaches to reduce risk, such as encryption for data at rest and in transit, multi-factor authentication, and using a zero-trust approach to security.

One of the first requirements of the Executive Order was for the National Institute of Standards and Technology (NIST) to publish a definition of critical software, which the Cybersecurity and Infrastructure Security Agency (CISA) will use to create a list of all software covered by the Executive Order and for creating security rules that federal agencies will be required to follow when purchasing and deploying the software. These measures will help to prevent cyberattacks such as the SolarWinds Orion supply chain attack that saw the systems of several federal agencies infiltrated by state-sponsored Russian hackers.

The Executive Order required NIST to publish its critical software definition within 45 days. NIST sought input from the public and private sector and multiple government agencies when defining what critical software actually is.

“One of the goals of the EO is to assist in developing a security baseline for critical software products used across the Federal Government,” explained NIST. “The designation of software as EO-critical will then drive additional activities, including how the Federal Government purchases and manages deployed critical software.”

NIST’s critical software definition is software or software dependencies that contain one or more of the following attributes:

  • Software designed to run with elevated privileges or used to manage privileges.
  • Software with direct or privileged access to networking or computer resources.
  • Software designed to control access to data or operational technology.
  • Software that performs a function critical to trust.
  • Software that operates outside of normal trust boundaries with privileged access.

The above definition applies to all software, whether it is integral to devices or hardware components, stand-alone software, or cloud-based software used for or deployed in production systems or used for operational purposes. That definition covers a broad range of software, including operating systems, hypervisors, security tools, access management applications, web browsers, network monitoring tools, and other software created by private companies and sold to federal agencies, or software developed internally by federal agencies for use within federal networks, including government off-the-shelf software.

NIST has recommended federal agencies should initially focus on implementing the requirements of the Executive Order on standalone, on-premises software that has critical security functions or has significant potential to cause harm if compromised. Next, federal agencies should move onto other categories of software, such as cloud-based software, software that controls access to data, and software components in operational technology and boot-level firmware.

NIST has published a list of EO-critical software, although CISA will publish a more comprehensive finalized list in the coming weeks.

The post NIST Publishes Critical Software Definition for U.S. Agencies appeared first on HIPAA Journal.

Government Watchdog Makes 7 Recommendations to HSS to Improve Cybersecurity

The Government Accountability Office has published a report following a review of the organizational approach to cybersecurity of the U.S. Department of Health and Human Services (HHS).

The study was conducted because both the HHS and the healthcare and public health sector are heavily reliant on information systems to fulfil their missions, which include providing healthcare services and responding to national health emergencies. Should any information systems be disrupted, it could have major implications for the HHS and healthcare sector organizations and could be catastrophic for Americans who rely on their services.

“A cyberattack resulting in the disruption of IT systems supporting pharmacies, hospitals, and physicians’ offices would interfere with the approval and distribution of the life-saving medications and other products needed by patients and healthcare facilities,” said the GAO in the report.

The HHS must implement safeguards in place to protect its computer systems from cyber threat actors looking to obtain sensitive data to commit fraud and identity theft, conduct attacks that aim to disrupt operations, or gain access to networks to launch attacks on other computer systems.  Throughout the pandemic, many threat actors and APT groups have targeted the healthcare sector, with the GAO pointing out that the FBI and CISA have issued multiple alerts over the past 12 months warning about cyber threats specifically targeting healthcare and public health entities.

The GAO reports that the HHS has clearly defined roles and responsibilities, which is essential for effective collaboration; however, there were several areas where improvements could be made, mostly concerning collaboration with its partners.

HHS working groups were assessed on the extent to which they demonstrated Leading Practices for Collaboration. All seven of the HHS working groups met the Leading Practices: Bridge organizational cultures, identify leadership, include relevant participants in the group, identity resources. 6 working groups met the Leading Practices: Clarify roles and responsibilities and document and regularly update written guidance and agreements, and five groups met the Leading Practice: Define and track outcomes and accountability.

The GAO made seven recommendations on how the HHS can improve collaboration and coordination within the HHS and with the healthcare sector.

  1. The HHS Secretary should order the CIO coordinate cybersecurity threat information sharing between the Health Sector Cybersecurity Coordination Center (HC3) and the Healthcare Threat Operations Center (HTOC).
  2. The HHS Secretary should order the CIO to monitor, evaluate, and report on the progress and performance of the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group.
  3. The HHS Secretary should order the Assistant Secretary for Preparedness and Response to monitor, evaluate, and report on the progress and performance of the Government Coordinating Council’s Cybersecurity Working Group and HHS Cybersecurity Working Group.
  4. The HHS Secretary should order the CIO to regularly monitor and update written agreements describing how the HHS Chief Information Security Officer Council, Continuous Monitoring and Risk Scoring Working Group, and Cloud Security Working Group will facilitate collaboration, and ensure that authorizing officials review and approve the updated agreements.
  5. The HHS Secretary should order the Assistant Secretary for Preparedness and Response to ensure that authorizing officials review and approve the charter describing how the HHS Cybersecurity Working Group will facilitate collaboration.
  6. The HHS Secretary should direct the Assistant Secretary for Preparedness and Response to finalize written agreements that include a description of how the Government Coordinating Council’s Cybersecurity Working Group will collaborate; identify the roles and responsibilities of the working group; monitor and update the written agreements on a regular basis; and ensure that authorizing officials leading the working group approve the finalized agreements.
  7. The HHS Secretary should order the Assistant Secretary for Preparedness and Response to update the charter for the Joint Healthcare and Public Health Cybersecurity Working Group for the current fiscal year and ensure that authorizing officials leading the working group review and approve the updated charter.

The HHS concurred with six of the recommendations and disagreed with one. The HHS is currently taking action to address the 6 recommendations it concurred with. The HHS did not concur with the recommendation to coordinate cybersecurity information sharing between HC3 and HTOC.

The post Government Watchdog Makes 7 Recommendations to HSS to Improve Cybersecurity appeared first on HIPAA Journal.

NIST Publishes Guidance for First Responders on the Use of Biometric Authentication for Mobile Devices

The National Institute of Standards and Technology (NIST) has published a new report on the use of biometric authentication on mobile devices to allow first responders to gain rapid access to sensitive data, while ensuring that information can only be accessed by authorized individuals.

Many public safety organizations (PSOs) are now using mobile devices to access sensitive data from any location, but ensuring access is secure and only authorized individuals can use the devices to view that information has previously relied on the use of passwords.

Passwords can be secure; however, passwords need to be complex to resist brute force attempts to guess passwords. Having to type in a long and complex password can hinder access to essential data. Oftentimes, access to sensitive data needs to be provided immediately. It is not practical for first responders to have to type in a password. Any delay, even one that lasts just a few seconds, has potential to exacerbate an emergency.

Biometrics offers a more secure authentication option than passwords and could allow access to data much more quickly. Biometric authentication such as face, fingerprint, and iris scanning solutions have been incorporated into many smartphones and Apple devices, but while the use of biometric identifiers can improve identity, credential, and access management (ICAM) capabilities and speed up access to critical data, there can be many challenges implementing mobile device biometric authentication and specific challenges for first responders.

The report, developed in joint partnership between the National Cybersecurity Center of Excellence (NCCoE) and the Public Safety Communications Research (PSCR), explores the authentication challenges faced by first responders and provides advice on how authentication solutions can be implemented.

Typically, biometric authentication is achieved through the use of wearable sensors and scanners built into devices; however, there is potential for verification errors. Scanners may fail to capture fingerprints or even grant access for false matches.

“To use biometrics in authentication, reasonable confidence is needed that the biometric system will correctly verify authorized persons and will not verify unauthorized persons,” explained NIST in its report. “The combination of these errors defines the overall accuracy of the biometric system.”

The guidance document provides insights into the efficacy of biometric authentication solutions, explains how verification errors can arise with capture, extraction, and enrolment, as the potential for false matches. The report also provides insights to allow administrators to implement biometric authentication on shared mobile devices and explains the potential privacy issues and how to mitigate those issues.

The aim of the report is to provide first responders with further information on the use of biometric device authentication and the challenges they may experience switching from passwords to allow them to make better-informed decisions about the best method of authentication to meet their needs.

NIST is seeking feedback on the report. Comments should be submitted By July 19, 2021.

The post NIST Publishes Guidance for First Responders on the Use of Biometric Authentication for Mobile Devices appeared first on HIPAA Journal.

Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes

Several healthcare groups have expressed concern about the HIPAA Privacy Rule changes proposed by the Department of Health and Human Services (HHS) in December 2020 and published in the Federal Register in January. The HHS has received comments from more than 1,400 individuals and organizations and will now review all feedback before issuing a final rule or releasing a new proposed rule.

There have been calls for changes to the HIPAA Privacy Rule to be made to align it more closely with other regulations, such as the 21st Century Cures Act, the 42 CFR Part 2 regulations covering federally assisted substance use disorder (SUD) treatment programs, and for there to be greater alignment with state health data privacy laws. Some of the proposed HIPAA Privacy Rule changes are intended to remove barriers to data sharing for care coordination, but the changes may still conflict with state laws, especially in relation to SUD treatment. There is concern that poor alignment with other regulations could be a major cause of confusion and could create new privacy and security risks.

Another area of concern relates to personal health applications (PHA). The HHS has defined PHAs, but many groups and organizations have voiced concern about the privacy and security risks associated with sending protected health information (PHI) to these unregulated apps. PHAs fall outside the scope of HIPAA, so any PHI that a covered entity sends to a PHA at the request of a patient could result in a patient’s PHI being used in ways not intended by the patient. A patient’s PHI could also easily be accessed and used by third parties.

PHAs may not have robust privacy and security controls since compliance with the HIPAA Security Rule would not be required. There is no requirement for covered entities to enter into business associate agreements with PHA vendors, and secondary disclosures of PHI would not be restricted by the HIPAA Privacy Rule.

“Personal health applications should be limited to applications that do not permit third-party access to the information, include appropriate privacy protections and adequate security and are developed to correctly present health information that is received from electronic health records,” suggested the American Hospital Association in its feedback to the HHS.

The College of Healthcare Information Management Executives (CHIME) has voiced concerns about the proposal for covered entities to require PHAs to register before providing patient data, and how covered entities would be required to respond when a patient requested their health information to be sent to a PHA that does not have appropriate privacy and security protections. For instance, if a patient requested their PHI be sent to a PHA developed by nation state actor, whether providers would still be required to send PHI at the request of a patient. Concern has also been raised about the growing number of platforms that exchange PHI that fall outside the scope of HIPAA.

One of the proposed changes relates to improving patients’ access to their health data and shortening the time to provide that information from 30 to 15 days. The Association for Behavioral Health and Wellness (ABHW) and CHIME have both voiced concerns about the shortening of the timeframe for honoring patient requests for their healthcare data, as this will place a further administrative burden on healthcare providers, especially during the pandemic. CHIME said it may not be possible to provide PHI within this shortened time frame and doing so may well add costs to the healthcare system. CHIME has requested the HHS document when exceptions are allowed, such as in cases of legal disputes and custody cases. ABHW believes the time frame should not be changed and should remain as 30 days.

It is likely that if the final rule is issued this year, it will be necessary for organizations to ensure compliance during the pandemic, which could prove to be extremely challenging. ABHW has recommended delaying the proposed rule for an additional year to ease the burden on covered entities. CHIME has suggested the HHS should not issue a final rule based on the feedback received, but instead reissue the questions raised in the proposed rule as a request for information and to host a listening session to obtain more granular feedback and then enter into a dialogue about the proposed changes.

The post Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes appeared first on HIPAA Journal.