Healthcare Information Technology

Guidance on Securing Wireless Infusion Pumps Issued by NIST

The National Institute of Standards and Technology (NIST), in collaboration with the National Cybersecurity Center of Excellence (NCCoE), has released new guidance for healthcare delivery organizations on securing wireless infusion pumps to prevent unauthorized access.

Infusion pumps, like many other medical devices, used to interact only with the patient and the clinician; advances in technology have improved functionality, and the devices now connect to a much wider range of healthcare systems and networks. That connectivity has introduced vulnerabilities that could be exploited to cause patients harm.

Wireless infusion pumps are of particular concern. Vulnerabilities could be exploited by malicious actors allowing drug doses to be altered, the functioning of the infusion pumps to be changed or patients’ protected health information to be accessed.  Typically, the devices have poor cybersecurity protections in place to prevent unauthorized access.

The risks introduced by the devices have been widely reported in recent years. While no cyberattacks are known to have resulted in patients coming to harm, there is considerable potential for malicious actors to hack the devices unless action is taken to improve device security.

The 246-page guidance on securing wireless infusion pumps was written in collaboration with a wide range of security companies, in response to a January 2016 notice published in the Federal Register.

NIST and NCCoE conducted questionnaire-based risk assessments to analyze risk factors and signed a Cooperative Research and Development Agreement with B. Braun Medical Inc, Baxter Healthcare Corporation, Becton, Dickinson and Company, Cisco, Clearwater Compliance, DigiCert, Hospira Inc., Intercede, MDISS, PFP Cybersecurity, Ramparts, Smiths Medical, Symantec Corporation, TDi Technologies, Inc., and The MITRE Corporation, all of which helped to develop an example solution.

The guidance offers best practices that can be adopted to improve the security of wireless infusion pumps, mitigate vulnerabilities and protect against threats. The document includes a list of potential vulnerabilities and a questionnaire-based risk assessment that can be used by healthcare organizations to identify risks. The risk assessment maps security characteristics to HIPAA Security Rule requirements and available cybersecurity standards.

“Based on our risk assessment findings, we apply security controls to the pump’s ecosystem to create a ‘defense-in-depth’ solution for protecting infusion pumps and their surrounding systems against various risk factors,” explained NIST in the guidance.

Several commercially available technologies and tools are available to healthcare organizations that allow them to plug vulnerabilities and make it harder for unauthorized individuals to gain access to the devices, some of which have been detailed in the report along with product installation guides and suggested configurations.

NIST says, “Ultimately, we show how biomedical, networking, and cybersecurity engineers and IT professionals can securely configure and deploy wireless infusion pumps to reduce cybersecurity risk.”

The guidance on securing wireless infusion pumps (NIST Special Publication 1800-8) is available from the NCCoE website.

The post Guidance on Securing Wireless Infusion Pumps Issued by NIST appeared first on HIPAA Journal.

Majority of Organizations Failing to Protect Against Mobile Device Security Breaches

A recent report published by Dimensional Research has highlighted the growing threat of mobile device security breaches and how little organizations are doing to mitigate risk.

Cybercriminals may view employees as one of the weakest links in the security chain, but mobile devices are similarly viewed as an easy way of gaining access to data and corporate networks.

According to the report, the threat of mobile cyberattacks is growing. Two out of ten companies have already experienced a mobile device cyberattack, although in many cases, organizations are not even aware that a cyberattack on a mobile device has occurred.

The survey of 410 security professionals found that two thirds of respondents were doubtful they would be able to prevent a cyberattack on mobile devices and 51% believed the risk of data theft/loss via mobile devices was equal to or greater than the risk of data theft/loss from PCs and laptops. Yet, a third of respondents said they did not adequately protect mobile devices.

94% of respondents said cyberattacks on mobile devices will become more frequent while 79% said the already difficult task of securing mobile devices will become harder.

A broad range of attack methods are used to gain access to mobile devices and the networks and accounts to which they connect. Malware infections are the most common cause of mobile device security breaches, being involved in 58% of attacks. Text message phishing attacks were reported by 54% of organizations, as were man-in-the-middle attacks and connections to malicious Wi-Fi networks. Intercepted calls and text messages (43%) and keylogging and credential theft (41%) rounded out the top five attack methods.

Even though mobile device security breaches are occurring with increasing frequency, 38% of companies have yet to implement a dedicated mobile device security solution.

Virtually all staff members carry mobile phones at work, and many use them for work communications and to access sensitive data. Laptop computers are frequently lost or stolen but are usually protected; mobile devices are even more likely to be lost or stolen, yet are poorly protected.

When asked about the reasons why a mobile device security solution was not used, a lack of budget (53%) and shortage of resources (41%) were the primary reasons. For 37% of respondents, the perceived risk of a data breach or security incident did not justify the cost of a dedicated security solution. However, 62% of companies are aware of the increasing risk of mobile device security breaches and are dedicating more funds to securing mobile devices.

Since the devices are likely to store far less data than desktops, the perceived cost of a mobile device breach may be lower. However, the survey revealed that IT security professionals did not believe that to be the case. 37% of respondents said a mobile data breach would likely cost the company more than $100,000 to resolve, with 23% expecting the cost to be in excess of $500,000.

David Gehringer, Principal at Dimensional Research said, “The research consistently revealed that the overall focus and preparedness of security for mobile devices is severely lacking,” and pointed out that “security professionals identified the risk of mobile devices, but focus and resources assignment seem to be waiting for actual catastrophes to validate the need to properly prepare their defenses.”

As we have already seen on countless occasions, such a strategy can prove costly. That cost is likely to be much higher than the cost of implementing a security solution to protect mobile devices.

The post Majority of Organizations Failing to Protect Against Mobile Device Security Breaches appeared first on HIPAA Journal.

Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure

A recent survey by Accenture has explored consumers’ attitudes about healthcare data security and the impact of healthcare data breaches on consumers.

The survey revealed the extent to which individuals had suffered losses as a result of a data breach, how consumers felt their organization handled data breaches and the effect those breaches had on trust.

Trust in Healthcare Providers and Insurers is High

In the United States, trust in healthcare providers’ and health insurers’ ability to keep sensitive data secure is high. 88% of respondents said they trusted their physician or other healthcare providers ‘somewhat’ (53%) or ‘a great deal’ (36%). Trust in hospitals was slightly lower at 84% (54% somewhat / 30% a great deal). Health insurers and laboratories that process medical tests fared slightly worse, both somewhat trusted by 54% of respondents and trusted a great deal by 28% of respondents.

Distrust (not at all trusted or not trusted very much) was highest for urgent care clinics (25%), non-medical staff at physicians’ and healthcare providers’ offices (36%) and tech companies that provide wearables and health apps (43%). As a comparison, 56% said they somewhat trusted or trusted the government a great deal with respect to health data security. 32% didn’t trust the government very much and 13% didn’t trust the government at all.

80% of consumers were very confident or somewhat confident in their healthcare providers’ data security measures, with confidence in health insurers’ data security measures a fraction lower at 79%. Only 63% of consumers gave one of the two highest ratings to the measures put in place by health app and device companies.

Trust may be fairly high, but a quarter of U.S. consumers have experienced a breach of their healthcare data and half of those individuals have been a victim of medical identity theft as a direct result. Consumers have been forced to cover costs as a result of the exposure of their data, with 88% of individuals spending an average of $2,528.

More than a third of those individuals said the breach had occurred at their hospital. 22% said it had occurred at their pharmacy or urgent care clinic, and health insurers and physicians’ offices were the next worst affected, each named as the source of the breach by 21% of consumers.

Even with HIPAA Rules requiring breach notifications to be sent to patients, half of those impacted by a health data breach said they found out about it on their own. Only 36% of respondents said their company told them about the breach, although 91% said action was taken by that company in response to the breach.

The breach response was rated as being handled very well by 25% of respondents and somewhat well by 51% of respondents. 18% said the breach response was not handled very well and 6% said it was not handled well at all.

Trust in Healthcare Organizations May Improve After a Data Breach

While healthcare data breaches have the potential to destroy patients’ and health plan members’ trust in their providers, the survey showed that is not always the case. In fact, in 41% of cases, consumers’ trust in their healthcare organizations increased after a data breach.

12% of respondents said they ended up trusting their providers much more, 29% said they trusted their providers a little more and 24% said the breach response made no difference to trust levels.

The results show just how important it is for the breach response to be handled well. 34% of respondents said they lost trust in their healthcare organization after a breach was experienced.

Getting the breach response right is essential if healthcare organizations want to ensure trust is not negatively affected. For that to happen, organizations must be prepared for the worst and have policies and procedures that can be rapidly implemented when a breach is discovered.

Fast notifications are important for consumers as they need to take action to secure their accounts and protect their identities. 91% of respondents said they personally took action when they discovered their health data had been stolen. The faster that process can take place, the less likely consumers are to experience losses.

Getting breach notifications right is also important. If trust is to be built, consumers need to be reassured that privacy and security are taken seriously. Consumers should also be informed about the actions that are being taken in response to the breach to ensure a similar incident will not occur in the future. However, this is an area that could be improved.

Only 27% of companies explained the cause of the breach and just 26% said the breach had prompted them to add new security protocols. Only 22% explained how future breaches would be prevented.

Fewer than a quarter of companies (24%) explained the potential consequences of the breach to consumers and only 23% offered identity theft protection services.

The post Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure appeared first on HIPAA Journal.

HIMSS Privacy and Security Forum Offers Insight into Healthcare Cyber Threat Landscape

Next week, the HIMSS Privacy and Security Forum will be taking place in San Francisco. The two-day conference provides an opportunity for CISOs, CIOs and other healthcare leaders to obtain valuable information from security experts on the latest cybersecurity threats, along with practical advice on how to mitigate risk.

More than 30 speakers will be attending the event and providing information on a broad range of healthcare cybersecurity topics, including securing IoT devices, preventing phishing and ransomware attacks, creating compliant security relationships and effective strategic communication and risk management.

The conference will include keynote speeches from George Decesare, Senior VP and Chief Technology Risk Officer at Kaiser Permanente, Jane Harper, Director of Privacy & Security Risk Management at the Henry Ford Health System, CERT’s Matt Trevors, and M.K. Palmore, FBI San Francisco’s Assistant Special Agent in Charge of the SF Cyber Branch.

George Decesare leads Kaiser Permanente’s cybersecurity, technology risk and compliance programs and identity and access management initiatives, and ensures Kaiser Permanente continues to protect the ePHI of its 10.2 million members. Decesare will explain the current healthcare threat landscape and will offer invaluable advice to attendees on how they can secure their own networks from attack. He will also give an overview of how Kaiser Permanente operates its cybersecurity programs and manages risk.

While patients were previously tied to a healthcare organization, now they are able to easily change providers. Many do following a cybersecurity breach that exposes their health information. Jane Harper will be explaining the importance of including consumerism in risk management probability models and will cover techniques for risk management and how changes in healthcare have affected the risk environment.

Matt Trevors will be explaining how healthcare organizations can develop security controls that meet the requirements of the HIPAA Security Rule. In his speech, Trevors will explain whether simply meeting HIPAA Security Rule requirements will be sufficient to prevent data breaches. Trevors will also explain how healthcare organizations can use the Center for Internet Security’s Critical Security Controls (CIS CSC) to help them meet HIPAA Security Rule requirements and will offer advice on the Cyber Resilience Review (CRR), a free tool that can be used by healthcare organizations to assess their security programs.

M.K. Palmore will be providing an invaluable insight into the current healthcare cybersecurity threat landscape, including an up-to-the-minute overview of the latest threats, including phishing attacks, insider threats, and business email compromise scams. Palmore will be covering some of the recent FBI investigations and will explain how breaches occurred and how they could have been prevented.  Palmore will also explain how healthcare organizations can access the FBI’s considerable resources and use its data to prevent data breaches.

The HIMSS Privacy and Security Forum will be taking place at the Grand Hyatt Union Square, on May 11-12, 2017. Further information is available from HIMSS.

The post HIMSS Privacy and Security Forum Offers Insight into Healthcare Cyber Threat Landscape appeared first on HIPAA Journal.

Webroot AV Update Failure Causes Havoc: Windows System Files and EXE Files Quarantined

A Webroot AV update failure has caused havoc for thousands of customers. The antivirus solution identifies potentially malicious files and moves them to a quarantine folder where they can do no harm. However, an April 24 update saw swathes of critical files miscategorized as malicious. While an occasional false positive is to be expected, in this case the error was severe.

The Webroot AV update failure resulted in hundreds of Windows system files being miscategorized, resulting in serious stability issues. Many users’ servers and PCs were crippled after the automatic update occurred. The problem did not only affect Windows files. Scores of signed executables and third-party apps were blocked and prevented from running.

The error affected all Windows versions and saw critical system files categorized as W32.Trojan.Gen. Those files were moved to Webroot’s quarantine folder after the April 24 update. Once the files were moved, users’ computers started to experience severe problems with many displaying errors. In some cases, the moving of system files to the quarantine folder caused computers to crash. In other cases, apps were prevented from running causing major disruption to businesses.

Webroot AV also started miscategorizing websites as malicious, preventing them from being accessed. One notable example was Facebook, which was categorized as a phishing website and was blocked. Bloomberg also had its website miscategorized as a phishing website.

The Webroot AV update failure was quickly identified and corrected. The problem occurred between 7PM and 9PM UTC, with the update live for just 13 minutes according to SwiftOnSecurity. While the update was only available for under 15 minutes, many thousands of customers downloaded it in that time.

The extent of the problem became rapidly apparent. The company’s forum was swamped with complaints from customers and social media was awash with comments from frantic IT admins and MSPs that had started receiving huge numbers of support calls. Webroot worked rapidly to fix the issue and while the Facebook blocking problem has been fixed, many users are still experiencing problems.

Webroot issued a set of instructions that will allow customers to restore the quarantined files and prevent those files from being quarantined again, although the instructions will only help home edition users. Businesses using Webroot AV have yet to be provided with a fix to restore system files. Webroot is currently working to correct the problem on business clients’ systems and develop a universal fix for all of its clients.

Instructions to repair the issue on Webroot home editions were published on the Webroot community forums.

Customers Turn to Twitter to Express Their Frustration About Webroot AV Update Failure

Many users took to Twitter to express their frustration about the Webroot AV update failure. Bob Ripley (@M5_Driver) said “I seem to have installed a nasty Ransomware app. It’s called Webroot. They already have my money, should I contact the FBI?”

While many used humor, the frustration caused by the update was clear. @Limbaughnomicon said “This false positive issue is driving me insane. As an MSP, a true nightmare. No quarantine restores work. HELP!”

While many users were complaining that essential Windows system files had been nuked, that was far from the only problem. Many other files were also miscategorized. The update took many business apps out of action, causing considerable headaches and loss of revenue. @Davedevery said, “I work for a small software company, Webroot has targeted our EXE and is removing it from pcs. Is there any way to do like a blanket exclusion.”

iSupportU tweeted, “@Webroot everything is breaking, money is flying out the window… where are you? I have been on hold 20+min.”

Splumlee said “This is taking out all of the MSPs. Specifically we are losing almost all .EXE files across all of our clients.”

The post Webroot AV Update Failure Causes Havoc: Windows System Files and EXE Files Quarantined appeared first on HIPAA Journal.

Abbott Labs Warned of Medical Device Cybersecurity Issues by FDA

Abbott Labs, which acquired St. Jude Medical in January 2017, has been warned by the Food and Drug Administration (FDA) that previously identified cybersecurity vulnerabilities in some of its products may not have been corrected. Those vulnerabilities have the potential to jeopardize the safety of patients.

The investigation of Abbott Labs was conducted February 7-14 at St. Jude Medical facilities in Sylmar, CA, following the public disclosure of potential vulnerabilities in certain St. Jude Medical devices. Those vulnerabilities could potentially be exploited by malicious actors to cause the devices to malfunction and patients to come to harm. Flaws in the devices were uncovered by MedSec Holdings and were passed to Muddy Waters Capital, which announced the findings in a research report published in August last year.

Multiple vulnerabilities were discovered in certain implantable pacemakers and defibrillators manufactured by St. Jude Medical, including the susceptibility to man-in-the-middle attacks that could cause the batteries in the products to be prematurely drained and the devices to malfunction.

The pacemakers and defibrillators are classed as medical devices under section 201(h) of the Federal Food, Drug, and Cosmetic Act (the Act), 21 U.S.C. § 321(h). The specific devices investigated were the Fortify, Unify, Assura (including Quadra) implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators, and the accompanying Merlin@home monitor.

The FDA confirmed that a variety of cybersecurity vulnerabilities existed with the products and alerted Abbott Labs in a letter dated March 13, 2017. Abbott Labs was informed that “the methods used in, or the facilities or controls used for, their manufacture, packing, storage, or installation are not in conformity with the current good manufacturing practice requirements of the Quality System (QS) regulation found at Title 21, Code of Federal Regulations (CFR), Part 820.”

During the investigation, the FDA reviewed Product Analysis Reports from 2011 to 2014 and determined that the supplier’s analysis contained information showing “lithium cluster bridging had prematurely drained the battery,” yet the company “repeatedly concluded that the cause of premature depletion of Greatbatch QHR2850 batteries ‘could not be determined.’” The firm performed a risk analysis, but only on devices from confirmed cases of premature battery depletion. The unconfirmed cases of premature battery depletion were not included in the risk analysis, potentially leading the firm to underestimate risk.

There was also a “Failure to ensure that design validation shall include risk analysis, where appropriate.” While an independent third-party report was commissioned on April 2, 2014, Abbott Labs failed to accurately incorporate its findings into security risk ratings, leading risk mitigations to be viewed as acceptable when several risks had not been effectively controlled. That report also determined that the universal unlock code on high voltage devices was an exploitable hazard, yet the firm failed to identify it as such.

Abbott Labs responded to the FDA’s findings, although in the letter the FDA said it “reviewed your response and conclude that it is not adequate.” Abbott Labs provided the FDA with a summary and dates for corrective actions, yet did not include “evidence of implementation for your firm’s corrections, corrective actions, and systemic corrective actions.”

The FDA required Abbott Labs to conduct “a full root cause investigation and the identification of actions to correct and prevent recurrence of potential cybersecurity vulnerabilities, as required by your CAPA procedures.” However, the FDA said that while Abbott Labs did perform a risk assessment and take corrective actions, they were performed outside its CAPA system. Also, Abbott Labs “did not confirm all required corrective and preventive actions were completed,” and the firm “failed to consider systemic corrective actions.”

Abbott Labs performed a product recall on Fortify, Unify, and Assura Implantable Cardioverter Defibrillators (ICDs) and Cardiac Resynchronization Therapy Defibrillators (CRT-Ds), yet during the recall period, 10 ICDs were shipped to St. Jude US Field Representatives and an additional seven devices were implanted in patients.

The above and other violations of FDA regulations covered in the letter must be corrected by Abbott Labs promptly.

If prompt action is not taken by Abbott Labs to address all of the issues outlined in the FDA letter, it could result in seizure, injunction and a civil monetary penalty. While the FDA confirmed there were cybersecurity issues with some of its products, Abbott Labs was also warned that there may be serious problems with its manufacturing and quality management systems. The FDA therefore advised Abbott Labs to investigate the root causes of the violations and ensure they are corrected so that all products comply with FDA regulations.

Abbott Labs is required to respond to the letter within 15 days and supply an action plan that addresses all of the vulnerabilities and safety issues with its products that have previously been identified.

The post Abbott Labs Warned of Medical Device Cybersecurity Issues by FDA appeared first on HIPAA Journal.

Healthcare Providers Are Wasting Millions on Cloud Hosting

A study by Communications for Research showed that healthcare organizations are now spending $40 billion a year on IT programs, while MarketsandMarkets research indicates $3.73 billion of that budget is spent on cloud services. By 2020, cloud spending is expected to triple and reach $9.5 billion. MedGadget healthcare market research suggests there will be a 21.95 percent CAGR for spending on cloud computing by the healthcare industry by 2019.

More and more healthcare organizations are seeing the benefits that can be gained from switching to cloud computing, especially as a way of reducing IT spending. The public cloud is elastic and capacity can be increased or decreased on demand, but the reality is that most organizations’ use of the cloud involves considerable wastage.

Organizations are paying for the public cloud and are ensuring their instances have sufficient capacity, yet for a lot of the time much of the capacity that is paid for is redundant.

The 2017 Rightscale State of the Cloud Report suggests 46% of enterprises are carefully monitoring cloud use and are rightsizing their resources appropriately, yet 54% of companies are doing nothing to reduce cloud wastage.

The report shows that only 31% of companies are monitoring their use of the cloud for unused storage volumes, while cloud services are left running for non-production workloads when they are not needed, not only during the weekend and on public holidays but also during the working week. Rightscale’s figures indicate between 30% and 45% of cloud spending is being wasted.

Gartner calculates the size of the public cloud market for infrastructure-as-a-service (IaaS) to be $23 billion a year, while figures from ParkMyCloud, a provider of automated scheduling software for cloud compute resources, suggest $6 billion is being lost each year on cloud waste.

Healthcare organizations are looking for areas where costs can be cut, yet many are failing to consider the amount that is being lost on unnecessary cloud spending. Use of the cloud can be seen as a cost saving measure, yet if cloud resources are not carefully monitored and managed, a considerable amount of money is spent unnecessarily.

Using MarketsandMarkets figures together with average figures for cloud wastage, the healthcare industry is currently losing almost $1.4 billion a year on cloud waste. By 2020, cloud waste will be costing the healthcare industry $3.56 billion a year – money that could be put to much better use.

Healthcare organizations must think carefully about the capacity they really need to avoid unnecessary spending on oversized resources, while use of the cloud should be carefully monitored – to reduce orphaned volume storage for instance.

However, one of the easiest ways to make huge savings is to turn off cloud services when they are not required. While turning off cloud services when they are not in use makes a great deal of sense, many healthcare organizations are failing to address the issue. They are essentially leaving the tap running and failing to turn off the lights when leaving the house, except that the unnecessary expenditure on cloud wastage is considerably higher.

The biggest savings to be gained come from turning off non-production resources. Typically, 44% of spending goes on non-production resources (staging, testing, and development work), yet those resources are used for just under a quarter of the work week and all too often are left running when they are not needed. With charges by the hour, it makes financial sense to only pay for what is needed.

Preventing cloud waste can result in considerable savings, but for that to happen there needs to be a change in thinking. Organizations need to get into the habit of good housekeeping: remove old machine images, snapshots and old volumes that are no longer needed, and make sure that what is paid for is actually needed.

One of the biggest elements on any public cloud bill is compute instances and VMs. Typically, these make up around 70% of an average bill, yet this is an area where there are huge savings to be made. Figures from ParkMyCloud indicate savings of around 65% on compute spend are possible, while around 15% is lost on large scale inventory waste.

One way of tackling the compute overspending issue is for DevOps personnel to write scripts to turn off cloud instances when they are not needed; however, while this has the potential to result in considerable savings, the cost of writing and maintaining scripts can be more than the costs that those scripts save. A better option is a software product that automates and schedules cloud instances to reduce cloud wastage. The time spent by DevOps personnel on writing and managing scripts could then be devoted to more productive tasks such as those related to application delivery.
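For teams that do go the script route, the code below is an added example written for this article; it is not code from ParkMyCloud, RightScale or any organization named here. It shows the two habits recommended above in working form: deciding from a Schedule tag whether a non-production instance should be running right now, and giving unattached volumes a grace period before they are deleted rather than removing them on first sight. The tag names (Schedule, unattached-since), the schedule format, the AWS-style field names and the sample inventory are all assumptions; in practice the functions would be fed the output of describe_instances and describe_volumes. A least-privilege IAM policy is included because a scheduler like this runs unattended with always-on credentials: it should be able to stop only instances that carry the tag, never an untagged production server.

```python
"""Added example for this article: decision logic for a script that parks
non-production cloud resources.  Not code from ParkMyCloud, RightScale or
any organization named in the article.  Tag names, schedule format, field
names and the sample inventory are assumptions."""
from datetime import datetime, time, timezone

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
SCHEDULE_TAG = "Schedule"        # assumed tag, e.g. "Mon-Fri 08:00-18:00"
MARK_TAG = "unattached-since"    # assumed tag written on idle volumes
GRACE_DAYS = 7                   # idle volumes survive this long before deletion


def utc(year, month, day, hour=0, minute=0):
    """Helper so callers can build timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_schedule(value):
    """Parse 'Mon-Fri 08:00-18:00' (times in UTC, assumed) into (days, start, end).

    Returns None for anything malformed: a mistyped tag must never cause an
    instance to be stopped.
    """
    try:
        day_spec, hours = value.split()
        first, last = day_spec.split("-")
        lo, hi = DAYS.index(first), DAYS.index(last)
        if lo <= hi:
            days = set(range(lo, hi + 1))
        else:                    # range wraps the weekend, e.g. Sat-Mon
            days = set(range(lo, 7)) | set(range(0, hi + 1))
        start_s, end_s = hours.split("-")
        return days, time.fromisoformat(start_s), time.fromisoformat(end_s)
    except ValueError:
        return None


def should_be_running(tags, now):
    """True = run, False = stop, None = no valid schedule, leave it alone."""
    parsed = parse_schedule(tags.get(SCHEDULE_TAG, ""))
    if parsed is None:
        return None
    days, start, end = parsed
    now = now.astimezone(timezone.utc)
    return now.weekday() in days and start <= now.time() < end


def triage_volumes(volumes, now):
    """Two-pass handling of unattached volumes: returns (to_mark, to_delete).

    EC2 does not record when a volume was detached, so the first pass only
    tags the volume with the time it was seen idle; a later pass deletes it
    once that mark is older than GRACE_DAYS.  Volumes that are attached again
    are skipped (the caller should clear their mark).
    """
    to_mark, to_delete = [], []
    for vol in volumes:
        if vol["Attachments"]:
            continue
        tags = {t["Key"]: t["Value"] for t in vol.get("Tags", [])}
        since = tags.get(MARK_TAG)
        if since is None:
            to_mark.append(vol["VolumeId"])
        elif (now - datetime.fromisoformat(since)).days >= GRACE_DAYS:
            to_delete.append(vol["VolumeId"])
    return to_mark, to_delete


def scheduler_policy():
    """Least-privilege IAM policy (AWS syntax, assumed target) for the scheduler.

    Stop/start are allowed only on instances carrying the Schedule tag, so a
    bug in the script cannot reach an untagged production instance.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes"],
             "Resource": "*"},
            {"Effect": "Allow",
             "Action": ["ec2:StopInstances", "ec2:StartInstances"],
             "Resource": "arn:aws:ec2:*:*:instance/*",
             "Condition": {"StringLike": {f"ec2:ResourceTag/{SCHEDULE_TAG}": "*"}}},
        ],
    }


def plan(instances, volumes, now):
    """Return the actions one run would take as (resource_id, action) pairs.

    This is a dry run: the real script compares the desired state with each
    instance's current State before calling stop/start.
    """
    actions = []
    for inst in instances:
        wanted = should_be_running(inst["Tags"], now)
        if wanted is not None:
            actions.append((inst["InstanceId"], "start" if wanted else "stop"))
    to_mark, to_delete = triage_volumes(volumes, now)
    actions += [(v, "mark") for v in to_mark] + [(v, "delete") for v in to_delete]
    return actions


# Constructed sample inventory (made-up IDs, not real resources).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-staging01", "Tags": {SCHEDULE_TAG: "Mon-Fri 08:00-18:00"}},
    {"InstanceId": "i-prod01", "Tags": {}},                             # untouched
    {"InstanceId": "i-dev02", "Tags": {SCHEDULE_TAG: "weekdays 9-5"}},  # malformed
]
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-a", "Attachments": [{"InstanceId": "i-prod01"}], "Tags": []},
    {"VolumeId": "vol-b", "Attachments": [], "Tags": []},
    {"VolumeId": "vol-c", "Attachments": [],
     "Tags": [{"Key": MARK_TAG, "Value": "2017-04-01T00:00:00+00:00"}]},
]

if __name__ == "__main__":
    # Saturday evening: staging is stopped, vol-b gets marked, vol-c is deleted.
    for resource, action in plan(SAMPLE_INSTANCES, SAMPLE_VOLUMES, utc(2017, 4, 29, 22)):
        print(f"{action:6} {resource}")
```

Failing closed is the deliberate design choice here: a missing or malformed Schedule tag yields None, so the worst outcome of a typo is that a dev box stays on, not that a production server goes down. The same thinking drives the grace period on volumes and the tag condition in the IAM policy, which limits the blast radius if the scheduler's credentials are ever stolen.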

Reducing cloud wastage has potential to save healthcare organizations tens of thousands of dollars, and with IT budgets already stretched, that money could be put to much better use elsewhere.

The post Healthcare Providers Are Wasting Millions on Cloud Hosting appeared first on HIPAA Journal.

AMIA Suggests it’s Time for a HIPAA Update

The American Medical Informatics Association has suggested now is the time to update the Health Insurance Portability and Accountability Act (HIPAA) to make sure the legislation fits today’s connected world.

The legislation was first introduced more than 20 years ago at a time when the Internet was just in its infancy. Over the past two decades, technology has advanced in ways that could not have been predicted when the legislation was written. Updates are now required to ensure HIPAA maintains pace with technology.

HIPAA is perhaps best known for its privacy provisions, although these are commonly misunderstood by patients and healthcare providers alike. The HIPAA Privacy Rule allows patients to access their health data; although many patients are confused about what data they are able to access and what their rights actually are.

The Department of Health and Human Services produced video guides last year to help patients understand their right to access their healthcare data under HIPAA; however, AMIA suggests more should be done to clarify the HIPAA right to access.

Healthcare providers often provide access to a limited range of patients’ health information via patient portals – information such as prescribed medications, allergies and lab test results; however, AMIA suggests the HIPAA Privacy Rule should be clarified so patients are aware they have the right to access all health data held by a covered entity in a designated record set or to obtain a digital copy of their legal health record. In the paper it is suggested this could be clarified in guidance from the Office for Civil Rights rather than a HIPAA legislation update.

However, an update to the legislation has been suggested to cover mHealth apps and related technologies. Currently, health data is collected, stored, and transmitted by a wide range of non-HIPAA-covered entities, yet non-covered entities are not required to provide users with access to their data.

If HIPAA is not extended to include these non-covered entities, AMIA suggests there should at least be HIPAA-like requirements for non-covered entities that would allow users of mHealth apps to gain access to their data. An alternative would be for industry stakeholders to develop codes of conduct that could be followed to ensure patients are able to access their data, if required.

Currently, non-covered entities are able to collect, use, and share ‘PHI’ in ways that may place patients’ data at risk of exposure or could result in data being shared improperly. The researchers suggest “HIPAA should be strengthened and extended, in particular to accommodate the broader set of data and stakeholders that are relevant to patient health, such as data from the use of Fitbit and Apple Watch.”

AMIA also suggests more needs to be done to make it easier not only for patients to access their data, but to pass on the information to other healthcare organizations. “EHR certification and health care system accreditation should be tied to making it easy for patients not only to obtain their data, but to obtain the data in a manner that preserves “computability” and standardization such that the data can be readily transferred to and consumed by other health IT systems with little or no need for further processing.”

AMIA also recommends federal officials and private sector stakeholders develop a process for vetting mHealth applications to ensure they have a minimum level of privacy, security, and safety protections.

Federal agencies should also collaborate to create a policy framework for research and innovation; “a framework that includes “common rule” updates to facilitate secondary use of data for research, common Data Use and Reciprocal Support Agreements, common enforced technical functionalities and specifications based on standard APIs, and data portability from HIPAA-covered entities.”

In total, 17 policy recommendations were made. The paper was recently published in JAMIA.

The post AMIA Suggests it’s Time for a HIPAA Update appeared first on HIPAA Journal.

Small Business Cybersecurity Bill Heads to Senate

New legislation to help small businesses protect their data and digital assets was approved by the Senate Commerce, Science and Transportation Committee this week. The bill, which was introduced by Sen. Brian Schatz (D-Hawaii) last week, will now head to the full U.S. Senate.

The legislation – the MAIN STREET (Making Information Available Now to Strengthen Trust and Resilience and Enhance Enterprise Technology) Cybersecurity Act will require the National Institute of Standards and Technology (NIST) to develop new guidance specifically for small businesses to help them protect themselves against cyberattacks.

New NIST guidance should include basic cybersecurity measures that can be adopted to improve resilience against cyberattacks and mitigate basic security risks.

NIST has developed guidance and security frameworks to help larger organizations protect their assets and data, but for smaller businesses with limited cybersecurity knowledge and a lack of trained staff and resources, those frameworks can be difficult to adopt.

What is needed is specific guidance for small businesses that can easily be adopted to improve cybersecurity defenses. If the new legislation is passed, NIST would be required to develop simplified guidance tailored to the needs of small businesses.

Many small business owners do not believe they are at risk because of the size of their organization. Yet, breaches at small to mid-sized businesses are all too common. In the past two years, cyberattacks on small businesses have significantly increased.

A 2016 survey conducted by Keeper Security, the 2016 State of SMB Cybersecurity report, suggests half of small businesses experienced a breach in the preceding 12 months. The main threats were phishing and social engineering attacks on employees, although the survey also revealed numerous vulnerabilities that could all too easily be exploited by cybercriminals. The survey of 600 SMB IT leaders found that only 14% of those businesses had cybersecurity defenses they considered to be very effective.

When it comes to preventing cyberattacks and improving cybersecurity defenses, many small businesses, including small healthcare organizations, do not know where to start. Many have no dedicated IT staff and are unaware of what is required to prevent cyberattacks. Cybersecurity guidance is sorely needed.

If passed, the new legislation would require NIST to suggest commonly used, off-the-shelf products that can be easily implemented in a cost-effective manner to mitigate common cybersecurity risks.

Sen. Maria Cantwell (D-Wash.), one of the bill’s five sponsors, said: “By creating a simple, voluntary cybersecurity framework for small businesses, the Main Street Cybersecurity Act will help them protect their data.”

The post Small Business Cybersecurity Bill Heads to Senate appeared first on HIPAA Journal.