Healthcare Information Technology

HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs

Posted by HIPAA Journal

HIMSS has published the findings of its 2017 Cybersecurity Survey. The survey was conducted on 126 cybersecurity professionals from the healthcare industry between April and May 2017. Most of the respondents were executive and non-executive managers who were primarily responsible or had some responsibility for information security in their organization.

The report shows healthcare organizations in the United States are increasingly making cybersecurity a priority and have been enhancing their cybersecurity programs over the past 12 months. More healthcare organizations have increased their cybersecurity staff and adopted holistic cybersecurity practices and perspectives in key areas.

The survey revealed 75% of respondents are now conducting regular penetration tests to identify potential vulnerabilities and determine how resilient they are to cyberattacks. In response to the considerable threat from within, 75% of respondents have implemented insider threat management programs and 85% are now conducting risk assessments at least once every 12 months.

While these results are encouraging, there is still considerable room for improvement. 15% of organizations are not conducting annual risk assessments and 25% do not have an insider threat management program, even though insiders are the biggest cause of healthcare data breaches.

HIMSS says, “Many CISOs and other senior information security leaders know that HIPAA compliance alone is not enough and that adopting and implementing a robust security framework is a necessary prerequisite for having a robust security program.”

A majority of respondents have adopted at least one cybersecurity framework, the most popular being the NIST CSF (62%) followed by HITRUST CSF (25%) and ISO (25%). Organizations that have hired a CISO are much more likely to implement a cybersecurity framework. Only 5% of organizations with a CISO have not adopted the NIST CSF.

Healthcare organizations now appreciate the importance of conducting regular security awareness training for the workforce, such as training employees how to recognize phishing emails and social engineering attacks and the importance of reporting potential security incidents to the IT department. 87% of respondents said they run security awareness training sessions for the workforce at least once a year.

60% of respondents said they now employee a senior information security leader such as a CISO to oversee their cybersecurity programs and 80% have dedicated cybersecurity staff.

71% of respondents said they divert some of their budget to cybersecurity, with 60% allocating 3% or more of their budget to their cybersecurity program.

When asked about the biggest threats, the greatest concerns were medical device security, patient safety – especially in relation to attacks on medical devices – PHI breaches, and malware.

Rod Piechowski, senior director, health information systems, HIMSS said, “This data is encouraging because it shows that many organizations are making security programs a priority; however, there is room for continued improvement. Our hope is that the new research will be an important resource for organizations navigating the complex security landscape.”

Full details of the findings of the HIMSS 2017 Cybersecurity Survey are available on this link.

The post HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs appeared first on HIPAA Journal.

HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management

Posted by HIPAA Journal

The Health Information Trust Alliance (HITRUST) has announced a new partnership with Trend Micro. The aim of the partnership is to speed the delivery of cyber threat research and education and improve organizational threat management.

The partnership has seen the creation of the Cyber Threat Management and Response Center which will help to expand cyber threat information sharing and improve the service to healthcare organizations at all levels of cybersecurity maturity, helping them to deal with the increasing range of cyber threats and frequency of attacks.

HITRUST already shares cyber threat intelligence with organizations that have signed up with its Cyber Threat Xchange (CTX) – the most widely adopted threat information sharing organization for the healthcare industry.

HITRUST collects, analyses and distributes cyber threat information through CTX, including indicators of threats and compromise and has been working hard over the past 18 months to expand the collection of cyber threat information through its Enhanced IOC Collection Program. HITRUST now leads the industry in the identification of unique IOCs.

HITRUST has been trying to improve its threat information sharing program to better serve the healthcare industry. HITRUST has identified a number of key areas where improvements can be made, including speeding up the collection, analysis and delivery of threat information, advancing its threat hunting capabilities and improving reporting, integration, education and collaboration.

After assessing costs, skill sets, available resources and current capabilities, HITRUST determined the best way to improve its service was through a partnership with an established and well-qualified cyber research lab. Trend Micro was the natural choice.

One of the key areas where the Cyber Threat Management and Response Center will be able to help is ensuring threat information is shared in a format that can be easily consumed and leveraged by all healthcare organizations to mitigate risk.

HITRUST points out that through the HITRUST CTX, threat information was shared with healthcare organizations about both the WannaCry and NotPetya attacks. The outreach to organizations occurred soon after the threat was detected, with threat indicators shared 14 days before the first organization reported it had experienced an attack. The information allowed many healthcare organizations to take proactive steps to mitigate risk. However, HITRUST found that some healthcare organizations were unable to consume the information it shared.

Through the Cyber Threat Management and Response Center HITRUST “will deliver capabilities to address cyber threat management, defense, and response based on an organization’s cyber maturity level.”

“The HITRUST CTX has established itself as a leader in the collection of threat indicators. Now the focus needs to be ensuring organizations of any cyber maturity can leverage this information in a timely manner,” said Kevin Charest, DSVP and CISO, Health Care Service Corp. He explained that “Information sharing has no value if people can’t quickly act upon it, making the HITRUST CTX transition to cyber threat management a crucial step for industry.”

HITRUST has outlined the first phase of expanding its resources through the Cyber Threat Management and Response Center and says the new partnership with Trend Micro will allow it to offer:

  • Access to the world’s best threat research lab will enable HITRUST to collect and distribute a much broader range of IOCs
  • Analyses and research will be disseminated much more rapidly and geared to organizations at all levels of maturity
  • The center will have access to more healthcare industry specific vulnerabilities and threat information
  • Vulnerability information and IOC and TTP linkage with the HITRUST Threat Catalogue will be expanded
  • The center will have the resources to enable more responsive community engagement and assistance, including inquiry response and IOC submission analysis
  • HITRUST will improve tracking and monthly reporting of cyber threats targeting healthcare data and healthcare organizations

HITRUST has confirmed that it will continue to provide basic access to the HITRUST CTX and the new HITRUST Cyber Threat Management and Response Center at no cost, with the new center to be made available from October 1, 2017.

The post HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management appeared first on HIPAA Journal.

Medical Device Cybersecurity Act Takes Aim at Medical Device Security

Posted by HIPAA Journal

A new bill has been introduced in Congress that aims to ensure the confidential medical information of patients on medical devices is protected and security is improved to make the devices more resilient to hacks.

The bill – The Medical Device Cybersecurity Act of 2017 – was introduced on August 1, 2017 by Senator Richard Blumenthal (D-CT) and is supported by the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS).

Recent ransomware and malware attacks and hacks have demonstrated how vulnerable some medical devices are. Ransomware incidents have resulted in medical devices being taken out of action, causing major disruptions at hospitals and delaying the treatment of patients. There is no sign of these incidents slowing or stopping. In all likelihood, they will increase.

While healthcare organizations are working hard to improve their defenses against cyberattacks, medical device manufacturers are not doing enough to ensure their devices are secure and remain so for the lifespan of the products. Many medical devices have been found to contain a slew of vulnerabilities that could be exploited by cybercriminals.

Yesterday, The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a warning about vulnerabilities in Siemens CT and PET scanner systems. The four vulnerabilities could all be exploited remotely and ICS-CERT said attacks would require a low skill level.

In March last year, the Department of Homeland Security issued an alert about the Pyxis Supply Station from CareFusion. The drug cabinet system was found to have 1,418 vulnerabilities.

Last year flaws were discovered in St. Jude Medical devices that if exploited, would cause the devices to malfunction.

Medical devices are coming to market that have not been adequately tested for security flaws. The problem is widespread. Earlier this year, researchers from security firm WhiteScope conducted an analysis of implantable cardiac devices and programmers. The researchers discovered more than 8,000 security flaws in multiple devices.

A new form of MedJack malware was discovered earlier this year. The malware was developed specifically to attack medical devices such as heart monitors and MRI machines. An earlier version of the malware was used to attack medical devices at three hospitals in 2016.

As Blumenthal correctly points out, “The security of medical devices is in critical condition.” The new bill seeks to address the problem and improve the security of medical devices and increase transparency. If passed, the Medical Device Cybersecurity Act would make healthcare organizations aware of the cyber capabilities of devices and the extent to which those devices have been tested.

Blumenthal points out in a recent blog post, “My bill will strengthen the entire healthcare network against the ubiquitous threat of cyberattacks. Without this legislation, insecure and easily-exploitable medical devices will continue to put Americans’ health and confidential personal information at risk.”

The Medical Device Cybersecurity Act of 2017 would amend the Federal Food, Drug and Cosmetic Act. Some of the key changes detailed in the Medical Device Cybersecurity Act of 2017 are:

Require all medical devices to be thoroughly tested for vulnerabilities before sale. A cyber report card would be created for devices that would detail the tests that have been performed.

Remote access protections would need to be incorporated into devices to prevent unauthorized access from inside and outside of hospitals.

The bill would require crucial cybersecurity fixes and updates to remain free and not require FDA recertification.

Manufacturers would be required to issue guidance for end-of-life of the devices, detailing how the devices should be disposed of to avoid the exposure of sensitive data. Blumenthal also proposes that ICS-CERT’s responsibilities are expanded to include medical devices.

The post Medical Device Cybersecurity Act Takes Aim at Medical Device Security appeared first on HIPAA Journal.

Warning Issued Over Vulnerabilities in Siemens CT and PET Scanners: Exploits Publicly Available

Posted by HIPAA Journal

Warnings have been issued about four vulnerabilities in Siemens CT and PET scanner systems following the discovery of four publicly available exploits. Siemens is currently developing patches to address the vulnerabilities.

The flaws affect multiple Siemens medical imaging systems including Siemens CT, PET, SPECT systems and medical imaging workflow systems (SPECT Workplaces/Symbia.net) that are based on Windows 7.

The vulnerabilities allow remote code execution, potentially giving attackers access to the scanners and networks to which the systems are connected. One of the main risks is malware and ransomware infections, which in the case of the latter can prevent the devices from being used. It is also possible that a malicious actor could interfere with the systems causing patients harm.

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has also issued an alert, warning healthcare organizations to ensure the devices are run on a “dedicated, network segment and protected IT environment” until the patches are applied. Siemens rated the flaws as highly critical, giving them a CVSS score of 9.8 out of 10 and suggests the devices should be run in standalone mode until the patches are applied.

To protect the systems from attack, healthcare organizations should ensure the systems are not be accessible over the Internet and are isolated from other networks and located behind firewalls.

If remote access is required, Virtual Private Networks (VPNs) should be used, although the use of VPNs is not without risks. Many VPNs also have vulnerabilities that could be remotely exploited. ICS-CERT says if remote access is unavoidable, the latest versions of VPNs should be used.

One of the vulnerabilities concerns improper restriction of operations within the bounds of a memory buffer, two are code injection vulnerabilities with one exploiting permissions, privileges and access controls. All the vulnerabilities are remotely exploitable.  The code injection vulnerabilities can be exploited by sending a specially crafted HTTP request to over port 80 and 443 to the Microsoft IIS webserver. The remaining two vulnerabilities could be exploited by sending a specially crafted request to the HP Client automation service.

ICS-CERT says exploiting the vulnerabilities would only require a low skill level.

The post Warning Issued Over Vulnerabilities in Siemens CT and PET Scanners: Exploits Publicly Available appeared first on HIPAA Journal.

Only One Third of Patients Use Patient Portals to View Health Data

Posted by HIPAA Journal

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits patients to access the health information held by their providers, yet relatively few patients are exercising that right, according to a recent U.S. Government Accountability Office (GAO) report, at least through patient portals.

The Medicare Electronic Health Record Incentive Program encouraged healthcare providers to transition from paper to electronic medical records and now almost 90% of patients of participating providers have access to patient portals where they can view their health data. Even though patients have been provided with access, fewer than a third of patients are using patient portals to view their health information.

GAO looked at patient health information access from the patients’ perspective, conducting interviews with patients to find out why they are not taking advantage of this valuable resource.

Out of the healthcare organizations that participated in the Medicare EHR Program, 88% of hospitals and 87% of professionals offered patients access to their health information online, yet only 15% of hospital patients and 30% of other providers’ patients accessed their data online.

When patient portals are used to access health data it is usually preceding a medical appointment or soon afterwards to view medical test results. Information is also commonly accessed in order to share health data with a new healthcare provider. However, mostly, patients were using the portals to schedule appointments, set reminders or order medication refills.

The problem does not appear to be a lack of interest in viewing or obtaining health information, rather it is one of frustration. The process of setting up access to patient portals and viewing health data is time consuming. Patients usually have multiple healthcare providers and must repeat the process for each provider. In order to view all their health information, they must use a different portal for each provider and manage separate login information for each. Further, patient portals are not standardized. Each requires patients to learn how to access their information and familiarize themselves with the portal.

When the patient portals have been set up, patients often discover incomplete or inaccurate information, with information inconsistent among different providers. It would make life easier if all information could be transferred electronically between each provider or aggregated in one place, yet patients were confused by the process and were unaware if this was possible, and if so, how it could be done. Many patients did not even know if their health information could be downloaded or transmitted.

GAO pointed out that while the HHS has been encouraging healthcare providers to give patients access to health data via patient portals, there does not appear to have been any follow up. GAO says the HHS appears to be unaware of how effective its program has been. GAO has recommended HHS set up some performance measures to determine whether its efforts are actually working.

The post Only One Third of Patients Use Patient Portals to View Health Data appeared first on HIPAA Journal.

Survey Shows Only a Quarter of Hospitals Have Implemented a Secure Text Messaging Platforms

Posted by HIPAA Journal

The use of secure text messaging platforms in healthcare has grown over the past few years, although a recent survey published in the Journal of Hospital Medicine suggests adoption of HIPAA-compliant messaging systems remains relatively low, with only a quarter of hospitals using a secure platform for sending messages to clinicians.

The survey was conducted on 620 hospital-based clinicians identified from the Society of Hospital Medicine database.

Secure text messaging platforms comply with HIPAA Rules and feature end-to-end encryption to prevent messages from being intercepted. Access controls are also incorporated to ensure only the intended recipient can view messages. Since messages cannot be sent outside the system, the platforms prevent accidental disclosures of PHI. Multi-media messages can also be sent, including test results and images.

Secure text messaging platforms are a natural replacement for outdated pagers, allowing much more meaningful communication, although the survey suggests only 26.6% of hospitals have introduced the systems. Even when secure messaging systems have been implemented, they were not widely used by clinicians. Only 7.3% of respondents said a secure messaging system was being used by most clinicians.

Pagers remain the most commonly used communication systems and are still used by 79.8% of hospitals to communicate with clinicians. 49% of respondents said they use pagers for patient care–related (PCR) communications.

The survey also revealed that standard text messages are being extensively used, often to communication PHI, even though sending PHI over the SMS network is a violation of HIPAA Rules. Standard text messages are not encrypted, do not have access controls and can easily result in the accidental disclosure of PHI to unauthorized individuals.

52.9% of clinicians said they received standard text messages for PCR communications at least once a day and 21.5% of respondents said they received standard text messages including the individually identifiable information of patients. 41.3% said they received some identifiable information such as patients initials along with health care related information. 21% said text messages regarding urgent healthcare information were received at least once a day.

Text messages are a convenient method of communication for use in hospitals. The majority of physicians carry mobile phones at work, although without a secure messaging platform, there is considerable potential for a HIPAA violation.

The HHS’ Office of the National Coordinator for Health IT has made it clear that standard text messaging is not secure and should not be used to communicate PHI since there is no encryption or access controls.

ONC suggests, “Implementing a third-party messaging solution that incorporates measures to establish a secure communication platform that will allow texting on approved mobile devices.”

The post Survey Shows Only a Quarter of Hospitals Have Implemented a Secure Text Messaging Platforms appeared first on HIPAA Journal.

Is Google Drive HIPAA Compliant?

Posted by HIPAA Journal

Google Drive is a useful tool for sharing documents, but can those documents contain PHI? Is Google Drive HIPAA compliant?

Is Google Drive HIPAA Compliant?

The answer to the question, “Is Google Drive HIPAA compliant?” is yes and no. HIPAA compliance is less about technology and more about how technology is used. Even a software solution or cloud service that is billed as being HIPAA-compliant can easily be used in a manner that violates HIPAA Rules.

G Suite – formerly Google Apps, of which Google Drive is a part – does support HIPAA compliance. The service does not violate HIPAA Rules provided HIPAA Rules are followed by users.

G Suite incorporates all of the necessary controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied.

The use of any software or cloud platform in conjunction with protected health information requires the vendor of the service to sign a HIPAA-compliant business associate agreement (BAA) prior to the service being used with any PHI. Google offers a BAA for Google Drive (including Docs, Sheets, Slides, and Forms) and other G Suite apps for paid users only.

Prior to use of any Google service with PHI, it is essential for a covered entity to review, sign and accept the business associate agreement (BAA) with Google. It should be noted that PHI can only be shared or used via a Google service that is specifically covered by the BAA. The BAA does not cover any third-party apps that are used in conjunction with G Suite. These must be avoided unless a separate BAA is obtained from the provider/developer of that app.

The BAA does not mean a HIPAA covered entity is then clear to use the service with PHI. Google will accept no responsibility for any misconfiguration of G Suite. It is down to the covered entity to make sure the services are configured correctly.

Covered entities should note that Google encrypts all data uploaded to Google Drive, but encryption is only server side. If files are downloaded or synced, additional controls will be required to protect data on devices. HIPAA-compliant syncing is beyond the scope of this article and it is recommended syncing is turned off.

To avoid a HIPAA violation, covered entities should:

  • Obtain a BAA from Google prior to using G Suite with PHI
  • Configure access controls carefully
  • Use 2-factor authentication for access
  • Use strong passwords
  • Turn off file syncing
  • Set link sharing to off
  • Restrict sharing of files outside the domain (Google offers advice if external access is required)
  • Set the visibility of documents to private
  • Disable third-party apps and add-ons
  • Disable offline storage for Google Drive
  • Disable access to apps and add-ons
  • Audit access and account logs and shared file reports regularly
  • Configure ‘manage alerts’ to ensure the administrator is notified of any changes to settings
  • Back up all data uploaded to Google Drive
  • Ensure staff are training on the use of Google Drive and other G Suite apps
  • Never put PHI in the titles of files

To help HIPAA-covered entities use G Suite and Google Drive correctly, Google has released a Guide for HIPAA Compliance with G Suite to assist with implementation.

The post Is Google Drive HIPAA Compliant? appeared first on HIPAA Journal.

ONC Offers Help for Covered Entities on Medical Record Access for Patients

Posted by HIPAA Journal

The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule requires covered entities to give medical record access for patients on request. Patients should be able to obtain a copy of their health records in paper or electronic form within 30 days of submitting the request.

Last year, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance for covered entities on providing patients with access to their medical records. A series of videos was also released to raise awareness of patients’ rights under HIPAA to access their records. In theory, providing access to medical records should be a straightforward process. In practice, that is often not the case.

Patients often have difficulty accessing their electronic health data with many healthcare organizations unable to easily provide health records electronically. Patient portals often provide information for patients, although the information available via patient portals can be incomplete or inaccurate. When patients need to obtain their health information to give to other healthcare providers, they can find it difficult to find the information they need.

The Office of the National Coordinator for Health Information Technology (ONC) has recently published a report detailing some of the problems faced by healthcare providers when providing medical record access for patients. The report offers useful tips for healthcare organizations to help them provide medical record access for patients quickly and easily.

For the report- Improving the Health Records Request Process for PatientsONC spoke to 17 consumers to find out about the challenges they faced when attempting to gain access to their medical records. The report includes three examples of patients and caregivers that have experienced difficulties when attempting to exercise their right to access medical data. The personas are fictional, although the challenges faced by those personas were taken from real world examples.

ONC also looked at the medical record release forms used by 50 large healthcare systems across 32 states and spoke to stakeholders and health system professionals about the challenges faced when trying to provide patients with copies of their health records. ONC discovered the process of providing electronic copies of health records is often hampered by inefficient systems and limited resources.

The research has allowed ONC to develop tips to help healthcare providers create a streamlined, transparent, and electronic records request process. Making the suggested changes will allow health systems to improve the process of providing access to health data. Patients will then suffer less frustration and be able to obtain their records faster, allowing them to coordinate their care more effectively and have greater control over their health and wellbeing.

The post ONC Offers Help for Covered Entities on Medical Record Access for Patients appeared first on HIPAA Journal.

AMIA Urges HHS to Provide More Information on Common Rule Updates

Posted by HIPAA Journal

The Federal Policy for the Protection of Human Subjects, otherwise known as the Common Rule, was first adopted in 1991; however, there have been numerous calls for the policy to be updated.

The purpose of the Common Rule is to provide a framework for protecting human research subjects across the entire federal government. The Common Rule was introduced at a time when research was mainly conducted at medical institutions and universities. At the time, digital data was not in use.

The past 26 years have seen considerable changes to where research is conducted, how much information is now available, how easy it is for information to be shared and for research participants to be identified.

Earlier this year, proposed Common Rule updates were published by the HHS. The Trump administration is reviewing the Common Rule updates, although at this stage it is unclear whether any changes will be made, and if so, when those changes will be implemented.

The updates were subjected to a 40-day regulatory freeze; but more than 150 days have now passed and there has been no further communication to stakeholders on the status of the Common Rule updates. It is unclear whether the proposed effective date of January 19, 2018 will be met.

The American Medical Informatics Association (AMIA) is concerned over the lack of progress and has recently voiced its concerns in a letter to the Department of Health and Human Services and the Office of Management and Budget.

In its letter, AMIA strongly encourages federal officials to keep the original effective date due to the pressing need for changes to the Common Rule, although AMIA has recommended moving the compliance date forward to June 19, 2018 to give researchers more time “to harmonize old and new provisions”.

The lack of any further information is a concern. AMIA suggests an official announcement should be made about the Common Rule updates immediately.

In the letter, AMIA says, “Over the last several years, a paradigm shift has occurred in the nature, scope and frequency of research involving human subjects, their biospecimens, and their data. Combined with rapid adoption of electronic health records (EHRs) by care providers and dramatic improvements in computing technology, we believe the final revisions to the Common Rule are necessary to improve discovery of new health insights and advance healthcare transformation.”

The Common Rule updates include new protections for individuals who choose to take part in research studies, but the updates will also reduce administrative burdens, particularly for low-risk research studies. For example, exemptions have been included when low risk studies are conducted by HIPAA-covered entities. This would also allow more secondary research of EHR data. The administrative burden is further reduced by eliminating the need for a continuous review for many studies.

The changes also allow researchers to obtain broad consent which will greatly improve availability of biospecimens and patient-reported data for secondary research. Important changes are also made to consent, requiring the most important information to be communicated to participants clearly and concisely in a way that a reasonable person would understand.

The changes will also mean potential research participants are screened more effectively, which will help identify patients who qualify for new treatments and ensure those individuals learn about their options.

AMIA President and CEO Douglas B. Fridsma, said, “Patients expect researchers to leverage their data for improved care in responsible ways. The updated Common Rule enables and encourages better transparency so that new discoveries are possible.”

Peter J. Embi, MD, MS, President and CEO Regenstrief Institute, Inc., said, “It is critical that we adopt these changes for the sake of our national research enterprise,” Embi went on to explain, “We need to know that important aspects of the finalized Common Rule will proceed as planned. Without such a clear signal, the revised Common Rule’s new benefits will be delayed, leaving in place a 26-year old rule that doesn’t serve the needs of research participants or the research community.”

The post AMIA Urges HHS to Provide More Information on Common Rule Updates appeared first on HIPAA Journal.