Healthcare Information Technology

CMS Eases Quality Payment Program Reporting Requirements in Response to COVID-19

On March 22, 2020, the HHS’ Centers for Medicare and Medicaid Services (CMS) announced it is easing the burden on clinicians, healthcare providers, and facilities that are participating in the Quality Payment Program and other reporting programs due to the 2019 Novel Coronavirus (COVID-19) pandemic.

The CMS is granting exceptions and extensions to reporting requirements for the 1.2 million clinicians that are participating in the Quality Payment Program and are on the front lines fighting against the virus and COVID-19 respiratory disease.

“The Trump Administration is cutting bureaucratic red tape so the healthcare delivery system can direct its time and resources toward caring for patients,” explained CMS Administrator Seema Verma.

The CMS has recognized that quality measure data collection and reporting for services during the COVID-19 crisis may not reflect the true level of performance in areas such as cost, readmissions, and the patient experience. The move will also ease the burden on clinicians during these exceptional circumstances.

Policy exceptions and extensions are being provided for 2019 and 2020 data submission deadlines for the quality reporting programs listed below:

Provider Programs

  • Quality Payment Program – Merit-based Incentive Payment System (MIPS)
  • Medicare Shared Savings Program Accountable Care Organizations (ACOs)

Hospital Programs

  • Ambulatory Surgical Center Quality Reporting Program
  • CROWNWeb National ESRD Patient Registry and Quality Measure Reporting System
  • End-Stage Renal Disease (ESRD) Quality Incentive Program
  • Hospital-Acquired Condition Reduction Program
  • Hospital Inpatient Quality Reporting Program
  • Hospital Outpatient Quality Reporting Program
  • Hospital Readmissions Reduction Program
  • Hospital Value-Based Purchasing Program
  • Inpatient Psychiatric Facility Quality Reporting Program
  • PPS-Exempt Cancer Hospital Quality Reporting Program
  • Promoting Interoperability Program for Eligible Hospitals and Critical Access Hospitals

PAC Programs

  • Home Health Quality Reporting Program
  • Hospice Quality Reporting Program
  • Inpatient Rehabilitation Facility Quality Reporting Program
  • Long Term Care Hospital Quality Reporting Program
  • Skilled Nursing Facility Quality Reporting Program
  • Skilled Nursing Facility Value-Based Purchasing Program

Further information on the new reporting deadlines, exceptions, and extensions can be found on the CMS website.

The post CMS Eases Quality Payment Program Reporting Requirements in Response to COVID-19 appeared first on HIPAA Journal.

TigerConnect Secure Communications Platform Offered to Hospitals Free of Charge During COVID-19 Pandemic

TigerConnect, the provider of the most widely used secure healthcare communications platform in the United States, has announced that U.S. health systems and hospitals can use its platform free of charge to help support COVID-19 related communications during the novel coronavirus pandemic.

TigerConnect has been tracking COVID-19 and the impact it is having on the U.S. healthcare system. Unsurprisingly given the rapid spread of the virus, use of its secure communications platform has surged. The company also reports that it is receiving an increasing number of calls from customers looking to expand licenses to make sure all staff have access to the platform to expedite internal and external communication and support isolation workflows.

The TigerConnect platform can be used to create dedicated channels for COVID-19 communications to provide support for patients and staff members. The platform ensures instant and immediate communication of preparedness plans, staff schedules, guidelines on infection control and isolation protocols, and other critical information. Users of the platform can contact any person within a healthcare system instantly, without knowing their number or extension.

“As part of the healthcare community, we harbor a sense of duty to do everything we can to keep the flow of information moving as quickly as possible,” explained TigerConnect. “This is the time to remove any barriers that might keep organizations from having every tool they need to fight COVID-19.”

Hospitals and health systems that have not yet adopted the TigerConnect platform are being offered complimentary use of the TigerConnect secure texting network for up to 6 months to support COVID-19 communications. Existing customers will be provided with complimentary expansion of TigerText Essentials licenses for up to 6 months. TigerConnect has also announced that it will be extending support hours and publishing resources and conducting webinars to help current and new users of the platform optimize communications.

As has been seen in Europe, which is now the epicenter of the COVID-19 pandemic, hospitals and health systems are stretched and struggling to cope with the number of cases. Immediate, enterprise-wide communication is critical for preventing the spread of the disease.

In Singapore, stringent measures have been implemented to prevent the spread of the novel coronavirus. As of March 14, there have been 200 cases of COVID-19 in Singapore but no COVID-19 deaths. Coordinating the response to COVID-19 and ensuring resources are correctly allocated has been a major challenge, but one that has been helped by having an efficient communications system in place. 55,000 healthcare professionals in Singapore are using the TigerConnect platform and usage has increased fivefold in the past three weeks. Being prepared and having the systems in place to deal with outbreaks of disease that support fast and efficient communication has been invaluable.

“It is clear that identifying new cases quickly and sharing that information among key stakeholders is crucial to containment and treatment,” explained TigerConnect co-founder and CEO, Brad Brooks. “Our mission is to help organizations remove the barriers that might slow down those responses as we continue to partner with the organizations on the front lines of this crisis.”


HHS Releases Final Interoperability and Information Blocking Rules

On March 6, 2020, the Office of Information and Regulatory Affairs’ Office of Management and Budget announced it has completed its review of the rules proposed by two HHS agencies in February 2019 to tackle interoperability and information blocking.

On March 9, 2020 the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator of Health Information Technology (ONC) released their final rules which change how healthcare delivery organizations, health insurers, and patients exchange health data.

The interoperability and information blocking rules were required by the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) and the 21st Century Cures Act of 2016. They are intended to make it easier for healthcare data to be exchanged between providers, insurers, and patients, and are a key part of creating a patient-centric healthcare system and putting patients in control of their own health records.

“These rules are the start of a new chapter in how patients experience American healthcare, opening up countless new opportunities for them to improve their own health, find the providers that meet their needs, and drive quality through greater coordination,” explained HHS Secretary, Alex Azar.

Easy Access to Patient Records Through APIs

One of the ways that patients are given easy access to their health data is through the use of application programming interfaces (APIs). APIs can be leveraged to connect different IT systems and software solutions to allow data to be easily transferred from one to the other. The use of APIs has driven innovation in many sectors, but they have not been adopted in healthcare to give patients easy access to their medical records. The final rules will ensure that changes.

The use of APIs will allow healthcare providers to easily share a patient’s electronic health records with other healthcare organizations that use different EHR systems. It will also allow patients to have their healthcare data, including medical records, sent to a third-party health app if they so wish. The rules also include provisions to ensure that patient data contained in electronic health records is provided to patients at no additional cost when it is accessed electronically.

Improving Interoperability of Health Data

The CMS Interoperability and Patient Access final rule, part of the Trump Administration’s MyHealthEData initiative, is aimed at improving interoperability and patient access to healthcare data. “[The] final rule is focused on driving interoperability and patient access to health information by liberating patient data using CMS authority to regulate Medicare Advantage (MA), Medicaid, CHIP, and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs),” explained CMS in the Interoperability and Patient Access fact sheet, published on March 9, 2020.

The lack of effective exchange of healthcare data has had a negative effect on patient outcomes and is also contributing to high healthcare costs. The CMS final rule removes barriers to information sharing to give patients easy access to their healthcare data; it will improve interoperability, drive innovation, and reduce the burden on payers and providers. When patient health information moves freely, patient care can be coordinated easily, costs can be reduced, and patient outcomes are likely to improve.

“Delivering interoperability actually gives patients the ability to manage their healthcare the same way they manage their finances, travel and every other component of their lives. This requires using modern computing standards and APIs that give patients access to their health information and gives them the ability to use the tools they want to shop for and coordinate their own care on their smartphones,” said Don Rucker, M.D., national coordinator for health information technology.

Final Rules Will Drive Innovation

In addition to requiring healthcare providers to share medical records with third party apps at the request of patients, the CMS rule also calls for health insurers to share cost information with third-party apps. This will give patients information about the out-of-pocket expenses they are likely to incur. This will allow patients to plan and budget for medical bills.

“The days of patients being kept in the dark are over,” said CMS Administrator Seema Verma. “These rules begin a new chapter by requiring insurance plans to share health data with their patients in a format suitable for their phones or other device of their choice. We are holding payers to a higher standard while protecting patient privacy through secure access to their health information. Patients can expect improved quality and better outcomes at a lower cost.”

The CMS final rule also requires CMS-regulated payers to make provider directory information available publicly via a standards-based API. This will encourage innovation and will allow third-party app developers to create services that allow patients to find providers that can offer care and treatment. These apps could also be used by clinicians to find other providers to help with care coordination.

The CMS rule also calls for payer-to-payer clinical health data exchange to allow patients to take their data with them when they change payers and to create a cumulative health record with their current payer. “Having a patient’s health information in one place will facilitate informed decision-making, efficient care, and ultimately can lead to better health outcomes,” explained the CMS.

Preventing Information Blocking

The ONC’s 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule details information blocking practices, such as anti-competitive behavior, which are prohibited, and reasonable and necessary activities that are not classed as information blocking and are permitted. One area where problems will be eased is the sharing of screenshots and videos related to EHR use. Many EHR providers prohibit the use of screenshots and videos, even though these are important for communicating about usability, the user experience, and interoperability.

The CMS has confirmed that starting in late 2020, using data collected for the 2019 performance year, the CMS will be reporting clinicians, hospitals, and critical access hospitals that are believed to be engaging in information blocking practices based on how they attested to certain Promoting Interoperability Program requirements.

Patient Privacy and Data Security

The proposed rules will improve interoperability and reduce information blocking, but there has been fierce criticism of the rules by some groups, mostly in relation to patient privacy. Both the American Hospital Association (AHA) and the American Medical Association (AMA) have been vocal critics of the rules, with one of the main issues being the sharing of health records with third-party apps.

Healthcare providers are required to comply with HIPAA and must ensure safeguards are implemented to ensure patient data is protected. Health app developers and other entities not required to comply with HIPAA may not have appropriate privacy protections in place. There is also considerable potential for secondary uses of patient health information without the knowledge of patients.

The AHA and AMA are not alone. Many privacy advocates and health systems have expressed concern about the proposed rules and patient privacy. Last year, Epic wrote to the HHS Secretary voicing concern and even threatened legal action if patient privacy was not protected. The letter was signed by 60 healthcare systems.

The CMS and ONC have made patient privacy a key priority. Both the CMS and ONC want to ensure patient data flows freely, but also that patient privacy is protected. To ensure the privacy and security of patient data in transit, the ONC and CMS have adopted the Health Level 7® (HL7) Fast Healthcare Interoperability Resources® (FHIR) Release 4.0.1 as the standard to support data exchange via APIs.

That standard ensures patient privacy and security for the transfer of health data but does not cover patient data once it has been transferred to a third party. To address risks after data has been transferred, healthcare organizations are permitted to ask third-party app developers to attest to certain privacy provisions, such as whether there will be any secondary uses of patient data and to make sure patients are informed about what those secondary uses will be.


‘SweynTooth’ Vulnerabilities in Bluetooth Low Energy Chips Affect Many Medical Devices

A group of 12 vulnerabilities dubbed SweynTooth have been identified by researchers at the Singapore University of Technology and Design which are present in the Bluetooth Low Energy (BLE) chips manufactured by at least 7 companies.

BLE chips are used in smart home devices, fitness trackers, wearable health devices, and medical devices and give them their wireless connectivity. BLE chips with the SweynTooth vulnerabilities are used in insulin pumps, pacemakers, and blood glucose monitors as well as hospital equipment such as ultrasound machines and patient monitors.

It is not yet known exactly how many medical devices and wearable health devices are impacted by the flaws as manufacturers obtain their BLE chips from several sources. Some security researchers believe millions of medical devices could be vulnerable. BLE chips are used in around 500 different products. Hundreds of millions of devices could be affected.

The vulnerabilities are present in BLE chips manufactured by Cypress, Dialog Semiconductors, Microchip, NXP Semiconductors, STMicroelectronics, Texas Instruments, and Telink Semiconductor. The vulnerabilities have been assigned CVSS v3 base scores ranging from 6.1-6.9 out of 10.

Seven of the vulnerabilities could be exploited to crash vulnerable devices, which would stop the devices communicating and may cause them to stop working entirely. Four vulnerabilities could be exploited to deadlock devices, causing them to freeze and stop functioning correctly. One vulnerability could result in a security bypass which would allow an attacker to gain access to device functions that are usually only accessible by an authorized device administrator. The flaws can be exploited remotely by an attacker, although only if the attacker is within radio range of a vulnerable device. The range of BLE varies from device to device, with a maximum range of less than 100 m (328 ft).

Both the U.S. Food and Drug Administration (FDA) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) have issued alerts about the vulnerabilities this week. The FDA explained that affected device manufacturers have been notified about the flaws and are assessing which devices are affected. Mitigations are being developed that can be implemented to reduce the risk of exploitation until patches are released to correct the flaws.

Cypress, NXP, Texas Instruments, and Telink have already released patches to correct the flaws. Dialog has issued two patches, with the remaining patches scheduled to be released by the end of March 2020. Currently, patches have yet to be released by Microchip and STMicroelectronics.

The FDA has advised BLE chip and device manufacturers to conduct risk assessments to determine the potential impact of the flaws. Healthcare providers have been advised to contact the manufacturers of their devices to find out if they are affected, and the actions they need to take to reduce the risk of exploitation. Patients have been advised to monitor their devices for abnormal behavior and to seek medical help immediately if they feel their medical devices are not functioning correctly.


Medtronic Issues Patches for CareLink Programmers and Implanted Cardiac Devices

The medical device manufacturer Medtronic has issued patches to correct flaws in its CareLink 2090 and CareLink Encore 29901 programmers, implantable cardioverter defibrillators (ICDs), and cardiac resynchronization therapy defibrillators (CRT-Ds).

The vulnerabilities were first identified by security researchers in 2018 and 2019. When Medtronic was informed about the vulnerabilities, mitigations were quickly published to reduce the risk of exploitation of the vulnerabilities and allow customers to continue to use the affected products safely. The development and release of patches for these complex and safety-critical devices has taken a long time due to the required regulatory approval process.

“Development and validation can take a significant amount of time and also includes a required regulatory review process before we can distribute updates to products. Medtronic worked to develop security remediations quickly while also ensuring the patches continue to maintain comprehensive safety and functionality,” explained Medtronic.

In 2018, security researchers Billy Rios and Jonathan Butts identified three vulnerabilities in Medtronic’s CareLink 2090 and CareLink Encore 29901 devices, prompting an advisory to be issued in February 2018. The devices are used to program and manage implanted cardiac devices. The vulnerabilities would allow an attacker to alter the firmware via a man-in-the-middle attack, access files contained in the system, obtain device usernames and passwords, and remotely control implanted Medtronic devices.

Several researchers were credited with discovering two further vulnerabilities in 2019 in the Medtronic Conexus telemetry protocol, prompting a second Medtronic advisory in March 2019. The vulnerabilities concern the lack of encryption, authentication, and authorization. If exploited, an attacker could intercept, replay, and modify data, and change the configuration of implanted devices, programmers, and home monitors. One of the vulnerabilities, CVE-2019-6538, was rated critical and was assigned a CVSS v3 base score of 9.3 out of 10.

The latest patches correct the flaws in CareLink monitors and programmers and MyCareLink monitors. Patches have also been released for approximately half of the affected Medtronic implantable devices impacted by the Conexus vulnerabilities:

  • Brava™ CRT-D, all models
  • Evera MRI™ ICD, all models
  • Evera™ ICD, all models
  • Mirro MRI™ ICD, all models
  • Primo MRI™ ICD, all models
  • Viva™ CRT-D, all models

Patches for all the remaining vulnerable devices will be released later this year.

To prevent exploitation of the flaws, Medtronic disabled the software development network (SDN) that was used to deliver device updates, so software needed to be updated manually via a secured USB. Now that patches have been released, the SDN has been reactivated and it can be used by customers to update their devices.

Medtronic has been monitoring for exploitation of the vulnerabilities and says there have been no cyberattacks or privacy breaches as a result of the vulnerabilities and no patients have been harmed.


Critical ‘MDHex’ Vulnerabilities Identified in GE Healthcare Patient Monitoring Products

Critical vulnerabilities have been identified in GE Healthcare patient monitoring products by a security researcher at CyberMDX.

Elad Luz, Head of Research at CyberMDX, identified six vulnerabilities, five of which have been rated critical and one high severity. The five critical vulnerabilities have been assigned the maximum CVSS v3 score of 10 out of 10. The other vulnerability has a CVSS v3 score of 8.5 out of 10.

Exploitation of the flaws could render the affected products unusable. Remote attackers could also alter the functionality of vulnerable devices, including changing or disabling alarm settings, and steal protected health information stored on the devices.

CyberMDX initially investigated the CARESCAPE Clinical Information Center (CIC) Pro product, but discovered the flaws affected patient monitors, servers, and telemetry systems. The vulnerabilities have been collectively named MDHex and are tracked under the CVEs: CVE-2020-6961, CVE-2020-6962, CVE-2020-6963, CVE-2020-6964, CVE-2020-6965, and CVE-2020-6966. GE Healthcare has confirmed that the vulnerabilities could have serious consequences for patients and hundreds of thousands of devices may be affected.

CVE-2020-6961 (CVSS 10.0) is due to unprotected storage of credentials (CWE-256). The flaw could allow an attacker to obtain the SSH private key from configuration files via an SSH connection and remotely execute arbitrary code on vulnerable devices. The same SSH key is shared across all vulnerable products.

CVE-2020-6962 (CVSS 10.0) is an input validation vulnerability (CWE-20) in the configuration utility of the web-based system. If exploited, an attacker could remotely execute arbitrary code.

CVE-2020-6963 (CVSS 10.0) concerns the use of hard-coded Server Message Block (SMB) credentials (CWE-798). An attacker could establish an SMB connection and read or write files on the system. The credentials could be obtained through the password recovery utility of the Windows XP Embedded operating system.

CVE-2020-6964 (CVSS 10.0) is due to missing authentication for a critical function (CWE-306) concerning the integrated Kavoom! keyboard/mouse software. If exploited, an attacker could remotely input keystrokes and alter device settings on all vulnerable devices on the network without authentication.

CVE-2020-6965 (CVSS 8.5) is due to the failure to restrict the upload of dangerous file types (CWE-434). An attacker could upload arbitrary files through the software update facility.

CVE-2020-6966 (CVSS 10.0) is due to inadequate encryption strength (CWE-326). Weak encryption is used for remote desktop control through VNC software, which could lead to remote code execution on vulnerable networked devices. The necessary credentials could also be obtained from publicly available product documentation.

According to a recent ICS-CERT Advisory, the following GE Healthcare products are affected:

  • ApexPro Telemetry Server, Versions 4.2 and prior
  • CARESCAPE Telemetry Server, Versions 4.2 and prior
  • Clinical Information Center (CIC), Versions 4.X and 5.X
  • CARESCAPE Telemetry Server, Version 4.3
  • CARESCAPE Central Station (CSCS), Versions 1.X; Versions 2.X
  • B450, Version 2.X
  • B650, Version 1.X; Version 2.X
  • B850, Version 1.X; Version 2.X

GE Healthcare is currently developing patches for the vulnerable products which are expected to be released in Q2, 2020. In the meantime, GE Healthcare has published a series of mitigations to reduce the risk of exploitation of the vulnerabilities.

Healthcare providers should follow standard network security best practices and ensure mission critical (MC) and information exchange (IX) networks have been configured correctly and meet the requirements outlined in the Patient Monitoring Network Configuration Guide, CARESCAPE Network Configuration Guide, and product technical and service manuals.

If connectivity is required outside the MC and/or IX networks, a router/firewall should be used. GE Healthcare recommends blocking all incoming traffic from outside the network at the MC and IX router firewall, except when required for clinical data flows.

The following ports should be blocked for traffic initiated from outside the MC and IX network: TCP Port 22 for SSH and TCP and UDP Ports 137, 138, 139, and 445 for NetBIOS and SMB as well as TCP Ports 10000, 5225, 5800, 5900, and 10001.

Physical access to Central Stations, Telemetry Servers, and the MC and IX networks should be restricted, password management best practices should be followed, and default passwords for Webmin should be changed.
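The port-blocking guidance above is easy to state and easy to get subtly wrong in a real rule base, for example an "allow from any" exception written for a service laptop that silently reopens SMB from outside the clinical network. The following is an added example, not GE Healthcare's or HIPAA Journal's code: a small first-match rule evaluator plus an audit that checks every port named in the advisory against a constructed rule set and reports which are still reachable from outside the MC/IX networks. The rule format, the zone names (`outside`, `mc`, `ix`, `any`), and both rule sets are assumptions for illustration; the port and protocol list is the one quoted in the article.

```python
"""Audit a perimeter rule set against the MDHex port-blocking guidance.

Added example. The rule format and zone names are constructed for this
illustration and do not correspond to any real firewall's syntax. The
advisory port list below is taken from the article.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports the advisory says must be blocked for traffic initiated from outside
# the MC and IX networks: TCP 22 (SSH), TCP+UDP 137/138/139/445
# (NetBIOS/SMB), and TCP 10000, 5225, 5800, 5900, 10001.
ADVISORY_PORTS = {
    ("tcp", 22),
    ("tcp", 137), ("udp", 137), ("tcp", 138), ("udp", 138),
    ("tcp", 139), ("udp", 139), ("tcp", 445), ("udp", 445),
    ("tcp", 10000), ("tcp", 5225), ("tcp", 5800), ("tcp", 5900), ("tcp", 10001),
}


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # None matches every port
    src_zone: str          # "outside", "mc", "ix" or "any" (constructed zone names)
    comment: str = ""


def rule_matches(rule: Rule, proto: str, port: int, src_zone: str) -> bool:
    """True if the rule applies to this protocol/port/source-zone triple."""
    return ((rule.proto == "any" or rule.proto == proto)
            and (rule.port is None or rule.port == port)
            and (rule.src_zone == "any" or rule.src_zone == src_zone))


def decision(rules: List[Rule], proto: str, port: int,
             src_zone: str = "outside") -> Tuple[str, Optional[Rule]]:
    """First-match evaluation; an implicit deny applies if nothing matches."""
    for rule in rules:
        if rule_matches(rule, proto, port, src_zone):
            return rule.action, rule
    return "deny", None


def audit(rules: List[Rule]) -> List[Tuple[str, int, str]]:
    """Return (proto, port, responsible rule comment) for every advisory
    port that is still reachable from the outside zone."""
    exposed = []
    for proto, port in sorted(ADVISORY_PORTS):
        action, rule = decision(rules, proto, port, "outside")
        if action == "allow":
            exposed.append((proto, port, rule.comment))
    return exposed


# Constructed "before" rule set: the default block is present, but two
# earlier allow rules undermine it. The 'any' source zone includes outside.
CONSTRUCTED_RULES = [
    Rule("allow", "tcp", 5800, "outside", "remote view to CIC from IT segment"),
    Rule("allow", "any", None, "mc", "intra-MC clinical flows"),
    Rule("allow", "tcp", 445, "any", "file share for service laptop"),
    Rule("deny", "any", None, "outside", "default inbound block"),
]

# Constructed "after" rule set: exceptions are scoped to the IX zone so the
# clinical data flow still works while nothing from outside reaches the
# advisory ports.
HARDENED_RULES = [
    Rule("allow", "any", None, "mc", "intra-MC clinical flows"),
    Rule("allow", "tcp", 10000, "ix", "clinical data flow from IX (constructed)"),
    Rule("allow", "tcp", 445, "ix", "file share, reachable only from IX"),
    Rule("deny", "any", None, "outside", "default inbound block"),
]


if __name__ == "__main__":
    for name, rules in (("before", CONSTRUCTED_RULES), ("after", HARDENED_RULES)):
        gaps = audit(rules)
        print(f"{name}: {len(gaps)} advisory port(s) reachable from outside")
        for proto, port, why in gaps:
            print(f"  {proto}/{port} allowed by rule: {why}")
```

The audit evaluates the rule base the way a first-match firewall would, so it catches ordering mistakes (an allow placed above the default deny) and over-broad source zones, which a grep for the port numbers alone would miss. The same approach extends to any advisory that names ports: replace `ADVISORY_PORTS` and keep the evaluator.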

Exploits for the vulnerabilities are not believed to have been made public and GE Healthcare is unaware of any attempted cyberattacks or injuries to patients as a result of the flaws.


Healthcare Threat Detections Up 45% in Q3 and 60% Higher Than 2018

Cyberattacks on healthcare organizations have increased in frequency and severity in the past year, according to recently published research from Malwarebytes.

In its latest report – Cybercrime Tactics and Techniques: The 2019 State of Healthcare – Malwarebytes offers insights into the main threats that have plagued the healthcare industry over the past year and explains how hackers are penetrating the defenses of healthcare organizations to gain access to sensitive healthcare data.

Cyberattacks on healthcare organizations can have severe consequences. As we have seen on several occasions this year, attacks can cause severe disruption to day to day operations at hospitals often resulting in delays in healthcare provision. In at least two cases, cyberattacks have resulted in healthcare organizations permanently closing their doors and a recent study has shown that cyberattacks contribute to an increase in heart attack mortality rates. Even though the attacks can cause considerable harm to patients, attacks are increasing in frequency and severity.

Malwarebytes data shows the healthcare industry was the seventh most targeted industry sector from October 2018 to September 2019, but if the current attack trends continue, it is likely to be placed even higher next year.

Healthcare organizations are an attractive target for cybercriminals as they store a large volume of valuable data in EHRs which is combined, in many cases, with the lack of a sophisticated security model. Healthcare organizations also have a large attack surface to defend, with large numbers of endpoints and other vulnerable networked devices. Given the relatively poor defenses and high value of healthcare data on the black market it is no surprise that the industry is so heavily targeted.

Detections of threats on healthcare endpoints were up 45% in Q3, 2019, increasing from 14,000 detections in Q2 to 20,000 in Q3. Threat detections are also up 60% in the first three quarters of 2019 compared to all of 2018.

Many of the detections in 2019 were Trojans, notably Emotet in early 2019 followed by TrickBot in Q3. TrickBot is currently the biggest malware threat in the healthcare industry. Overall, Trojan detections were up 82% in Q3 from Q2, 2019. These Trojans give attackers access to sensitive data but also download secondary malware payloads such as Ryuk ransomware. Once data has been stolen, ransomware is often deployed.

Trojan attacks tend to be concentrated on industry sectors with large numbers of endpoints and less sophisticated security models, such as education, the government, and healthcare. Trojans are primarily spread through phishing and social engineering attacks, exploits of vulnerabilities on unpatched systems, and as a result of system misconfigurations. Trojans are by far the biggest threat, but there have also been increases in detections of hijackers, which are up 98% in Q3, riskware detections increased by 85%, adware detections were up 34%, and ransomware detections increased by 15%.

Malwarebytes identified three key attack vectors that have been exploited in the majority of attacks on the healthcare industry in the past year: Phishing, negligence, and third-party supplier vulnerabilities.

Due to the high volume of email communications between healthcare organizations, doctors, and other healthcare staff, email is one of the main attack vectors and phishing attacks are rife. Email accounts also contain a considerable amount of sensitive data, all of which can be accessed following a response to a phishing email. These attacks are easy to perform as they require no code or hacking skills. Preventing phishing attacks is one of the key challenges faced by healthcare organizations.

The continued use of legacy systems, which are often unsupported, is also making attacks far too easy. Unfortunately, upgrading those systems is difficult and expensive, and some machines and devices cannot be upgraded. The problem is likely to get worse with support for Windows 7 coming to an end in January 2020. The slow rate of patching is why Malwarebytes is still detecting WannaCry ransomware infections in the healthcare industry. Many organizations have still not patched the SMB vulnerability that WannaCry exploits, even though a patch was released in March 2017.

Negligence is also a key problem, often caused by the failure to prioritize cybersecurity at all levels of the organization and provide appropriate cybersecurity training to employees. Malwarebytes notes that investment in cybersecurity is increasing, but it often doesn’t extend to bringing in new IT staff and providing security awareness training.

As long as unsupported legacy systems remain unpatched and IT departments lack the appropriate resources to address vulnerabilities and provide end user cybersecurity training, cyberattacks will continue and the healthcare industry will continue to experience high numbers of data breaches.

The situation could also get a lot worse before it gets better. Malwarebytes warns that new innovations such as cloud-based biometrics, genetic research, advances in prosthetics, and a proliferation in the use of IoT devices for collecting healthcare information will broaden the attack surface even further. That will make it even harder for healthcare organizations to prevent cyberattacks. It is essential for these new technologies to have security baked into the design and implementation or vulnerabilities will be found and exploited.

The post Healthcare Threat Detections Up 45% in Q3 and 60% Higher Than 2018 appeared first on HIPAA Journal.

Smartwatch Data Act Introduced to Improve Privacy Protections for Consumer Health Data

The Stop Marketing And Revealing The Wearables And Trackers Consumer Health (Smartwatch) Data Act has been introduced by Sens. Bill Cassidy, M.D. (R-Louisiana) and Jacky Rosen (D-Nevada). The new legislation will ensure that health data collected through fitness trackers, smartwatches, and health apps cannot be sold or shared without consumer consent.

The Health Insurance Portability and Accountability Act (HIPAA) applies to health data collected, received, stored, maintained, or transmitted by HIPAA-covered entities and their business associates. Some of the same information is collected, stored, and transmitted by fitness trackers, wearable devices, and health apps. That information can be used, shared, or sold without consent. Consumers have no control over who can access their health data. The new legislation aims to address that privacy gap.

The bill prohibits the transfer, sale, sharing, or access to any non-anonymized consumer health information or other individually identifiable health information that is collected, recorded, or derived from personal consumer devices to domestic information brokers, other domestic entities, or entities based outside the United States unless consent has been obtained from the consumer.

Consumer devices are defined as “equipment, application software, or mechanism that has the primary function or capability to collect, store, or transmit consumer health information.”

The Smartwatch Data Act applies to information about the health status of an individual, personal biometric information, and kinesthetic information collected directly through sensors or inputted manually into apps by consumers. The Smartwatch Data Act would treat all health data collected through apps, wearable devices, and trackers as protected health information.

There have been calls for HIPAA to be extended to cover app developers and wearable device manufacturers that collect, store, maintain, process, or transmit consumer health information. The Smartwatch Data Act does not extend HIPAA to cover these companies; instead, the legislation applies to the data itself. The bill proposes that the HHS’ Office for Civil Rights, the main enforcer of compliance with HIPAA, would also be responsible for enforcing compliance with the Smartwatch Data Act. The penalties for noncompliance with the Smartwatch Data Act would be the same as the penalties for HIPAA violations.

“The introduction of technology to our healthcare system in the form of apps and wearable health devices has brought up a number of important questions regarding data collection and privacy,” said Sen. Rosen. “This commonsense, bipartisan legislation will extend existing health care privacy protections to personal health data collected by apps and wearables, preventing this data from being sold or used commercially without the consumer’s consent.”

The legislation was introduced following the news that Google has partnered with Ascension, the second largest healthcare provider in the United States, and has been given access to the health information of 50 million Americans. That partnership has raised a number of questions about the privacy of health information.

The Ascension data passed to Google is covered by HIPAA, but currently fitness tracker data is not. Google intends to acquire fitness tracker manufacturer Fitbit in 2020 and concern has been raised about how Google will use personal health data collected through Fitbit devices. The Smartwatch Data Act would help to ensure that consumers are given a say in how their health data is used.


House Committee Leaders Demand Answers from Google and Ascension on Project Nightingale Partnership

Leaders of the House Committee on Energy and Commerce are seeking answers from Google and Ascension on Project Nightingale. The Department of Health and Human Services’ Office for Civil Rights has also confirmed that an investigation has been launched to determine if HIPAA Rules have been followed.

The collaboration between Google and Ascension was revealed to the public last week. The Wall Street Journal reported that Ascension was transferring millions of patient health records to Google as part of an initiative called Project Nightingale.

A whistleblower at Google had contacted the WSJ to raise concerns about patient privacy. A variety of internal documents were shared with reporters on the extent of the partnership and the number of Google employees who had access to Ascension patients’ data. Under the partnership, the records of approximately 50 million patients will be provided to Google, 10 million of which have already been transferred.

According to the WSJ report, 150 Google employees are involved with the project and have access to patient data. The whistleblower stated that those individuals are able to access and download sensitive patient information and that patients had not been informed about the transfer of their data in advance. Understandably, the partnership has raised concerns about patient privacy.

Both Google and Ascension released statements about the partnership after the WSJ story was published, confirming that Google was acting as a business associate of Ascension, had signed a business associate agreement, and that it was in full compliance with HIPAA regulations. Under the terms of the BAA, which has not been made public, Google is permitted access to patient data in order to perform services on behalf of Ascension for the purpose of treatment, payment, and healthcare operations.

Google will be analyzing patient data and using its artificial intelligence and machine learning systems to develop tools to assist with the development of patient treatment plans. Google will also be helping Ascension modernize its infrastructure and electronic health record system and improve collaboration and communication. Google has confirmed in a blog post that it is only permitted to use patient data for purposes outlined in the BAA and has stated that it will not be combining patient data with any consumer data it holds and that patient data will not be used for advertising purposes.

Democratic leaders of the House Committee on Energy and Commerce wrote to Google and Ascension on November 18, 2019, requesting further information on the partnership. The inquiry is being led by House Energy Committee Chairman Frank Pallone Jr. (D-New Jersey). The letters have also been signed by Subcommittee on Health Chairwoman Anna Eshoo (D-California), Subcommittee on Consumer Protection and Commerce Chair Jan Schakowsky (D-Illinois), and Subcommittee on Oversight and Investigations Chair Diana DeGette (D-Colorado).

In the letters, the Committee leaders have requested information on the “disturbing initiative” known as Project Nightingale.

“While we appreciate your efforts to provide the public with further information about Project Nightingale, this initiative raises serious privacy concerns. For example, longstanding questions related to Google’s commitment to protecting the privacy of its own users’ data raise serious concerns about whether Google can be a good steward of patients’ protected health information.”

Ascension’s decision not to inform patients prior to the transfer of protected health information has also raised privacy concerns, as has the number of Google employees given access to the data. Further, employees of Google’s parent company Alphabet also have access to Ascension data.

The Committee leaders have requested a briefing no later than December 6, 2019 about the types of data being used, including the data being fed into Google’s artificial intelligence tools, and the extent to which Google and Alphabet employees have access to the data. The Committee leaders also want to know what steps have been taken to protect patient information and the extent to which patients have been informed.

The Department of Health and Human Services’ Office for Civil Rights has also confirmed that it has launched an investigation into the partnership. Its investigation is primarily focused on how data is being transferred, the protections put in place to safeguard the confidentiality, integrity, and availability of protected health information, and whether HIPAA Rules are being followed. Google has stated it will be cooperating fully with the OCR investigation.
