Healthcare Technology News

OCR/FTC Warn Hospitals & Telehealth Companies About Tracking Technologies

The Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have written to 130 hospitals and telehealth providers warning them about the risks of using tracking technologies such as pixels on their websites and web apps which may disclose sensitive health information to third parties in violation of the HIPAA Rules and the FTC Act.

A study published in Health Affairs suggests 98.6% of US nonfederal acute care hospitals have used tracking technologies on their websites, and a 2022 analysis by The Markup found one-third of the top 100 hospitals in the United States were using tracking technologies on their websites that could collect individually identifiable information, including information about health conditions. Following these discoveries, several hospitals and health systems reported breaches of protected health information, some of which involved impermissible disclosures of millions of patient records.

A later study by The Markup found that the technologies were also widely used by telehealth companies. Even companies that are not required to comply with the HIPAA Rules have an obligation to protect personal health information against impermissible disclosure. The FTC has already taken action against entities that are not covered by HIPAA, such as GoodRx, BetterHelp, and Premom, over the use of these tracking technologies for alleged violations of the FTC Act and Health Breach Notification Rule.

In December 2022, OCR issued guidance to HIPAA-regulated entities on HIPAA and tracking technologies. While these tools can provide valuable insights for improving the services provided to patients, these technologies can collect and transmit information protected by HIPAA. Further, these technologies also permit the tracking of users even after they navigate away from the website or mobile app where the tracking technology is used. Any information transmitted to a third party may then be used for a purpose not permitted under the HIPAA Rules, and the collected information may be further disclosed to other third parties.

“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”

“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR Director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”

The letters were jointly sent by OCR and the FTC to 130 entities cautioning them about tracking technologies on websites and mobile apps that can potentially disclose sensitive health data. The organizations that were sent the letters are believed to have used or are using tracking technologies such as Pixel from Meta/Facebook and Google Analytics code to collect and analyze user interactions on websites and web apps. The letters do not mean that an organization has been found to have violated HIPAA or the FTC Act, nor does the failure to receive a letter mean that an organization is in the clear. All organizations that collect personal health information should review their websites and web apps to identify any tracking technologies and ensure they are fully compliant with all relevant laws. If tracking technologies are discovered to have been used on websites or apps that impermissibly disclosed personal health information or protected health information to third parties, then the breaches should be reported in accordance with the HIPAA Breach Notification Rule and FTC Health Breach Notification Rule.
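As a starting point for the review the agencies recommend, the following added example (not from the article, OCR or the FTC) scans a page's HTML for the loaders and inline bootstrap calls of the two tracking technologies the letters name, Meta Pixel and Google Analytics, and returns a list of findings (empty when nothing matched). The signature list, the hook names and the sample appointment page are constructed assumptions; real sites need the list extended and every template and app screen checked, not just the homepage.

```python
"""Flag Meta Pixel and Google Analytics loaders in page HTML (added check; signatures assumed, not exhaustive)."""
import re
from html.parser import HTMLParser
# Public loader endpoints for the two trackers the letters name (assumed list; extend as needed)
URL_SIGNATURES = {
    "Meta Pixel": [r"connect\.facebook\.net/[^/]+/fbevents\.js", r"facebook\.com/tr\?"],
    "Google Analytics": [r"google-analytics\.com/analytics\.js", r"googletagmanager\.com/gtag/js"],
}
# Inline bootstrap calls that initialise a tracker even when its loader URL is obfuscated
INLINE_SIGNATURES = {
    "Meta Pixel": re.compile(r"fbq\(\s*['\"]init['\"]"),
    "Google Analytics": re.compile(r"gtag\(\s*['\"]config['\"]"),
}

class TrackerScanner(HTMLParser):
    # Collects (tracker, element, evidence) tuples from script/img/iframe sources and inline scripts
    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_buf = None  # list while inside a <script> body, else None
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script":
            self._script_buf = []
        if tag in ("script", "img", "iframe") and src:
            for name, patterns in URL_SIGNATURES.items():
                if any(re.search(p, src) for p in patterns):
                    self.findings.append((name, tag, src))
    def handle_data(self, data):  # HTMLParser hands <script> bodies to this hook as raw text
        if self._script_buf is not None:
            self._script_buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body, self._script_buf = "".join(self._script_buf), None
            for name, pattern in INLINE_SIGNATURES.items():
                if pattern.search(body):
                    self.findings.append((name, "inline-script", pattern.pattern))

def scan_html(html):
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: an appointment-request page with both trackers installed (IDs are placeholders)
SAMPLE_HTML = """<html><head><script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>function gtag(){dataLayer.push(arguments);} gtag('config','G-EXAMPLE');</script>
<script>/* pixel bootstrap stub */ fbq('init','000000000000000'); fbq('track','PageView');</script>
</head><body><noscript><img src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView"/></noscript>
<form action="/request-appointment"><input name="condition"></form></body></html>"""
```

Running `scan_html(SAMPLE_HTML)` reports the Google Analytics loader and config call plus the Meta Pixel init call and noscript image beacon, four findings on a page that also carries a form asking for a health condition.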

“Both agencies are closely watching developments in this area,” explained the FTC and OCR in the letters. “To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”

The post OCR/FTC Warn Hospitals & Telehealth Companies About Tracking Technologies appeared first on HIPAA Journal.

Vulnerabilities Identified in Popular Telemedicine Software Development Kit

Security flaws have been identified in the QuickBlox software development kit (SDK) and application programming interface (API) that supports the real-time chat and video applications used by many telemedicine providers.

The vulnerabilities were identified by security researchers from Claroty’s Team82 and Check Point Research who collaborated to look into the security of the popular QuickBlox SDK and API, which support applications used in telemedicine, finance, and smart IoT device applications. The SDK and API are provided to mobile and web application developers to deliver user management, real-time public and private chats, and incorporate security features to support HIPAA and GDPR compliance.

The researchers identified two vulnerabilities that put sensitive data at risk, including protected health information (PHI). Given the extent to which the QuickBlox chat and video framework is used, the sensitive information of millions of individuals was at risk of exposure. CVE-2023-311847 is a high-severity flaw with a CVSS 3.1 base score of 7.8 and is due to the creation of hard-coded credentials. The second vulnerability, tracked as CVE-2023-31185, is a high-severity flaw with a CVSS 3.1 base score of 7.5 and allows information disclosure via an unspecified request.

The vulnerabilities make it possible to log in to QuickBlox on behalf of any user – doctor or patient – and view all of their data, including personal information, medical histories, chat histories, and medical record files. The researchers say full impersonation is also possible, so a malicious actor could log in as any doctor, modify information, and communicate in real-time via chat and video with real patients. The patient would be unaware that they were not chatting with a real physician. The researchers developed proof-of-concept exploits for the vulnerabilities against multiple applications and demonstrated how secret tokens and passwords embedded in applications along with the use of an insecure QuickBlox API would allow malicious actors to gain access to the PHI of millions of users.

The researchers looked at a popular telemedicine application that integrates with the QuickBlox SDK and provides chat and video services allowing patients to communicate with doctors. The researchers were able to exploit the QuickBlox vulnerabilities alongside specific telemedicine app vulnerabilities, and gain access to the entire user database, along with related medical records and medical histories stored in the application. They were also able to log in as any user, making it possible to impersonate a doctor. At the time of publication, the telemedicine application was still running the vulnerable versions of the framework.

Team82 and CPR worked closely with QuickBlox to resolve the identified vulnerabilities. QuickBlox has now designed a new, secure architecture and API to eliminate the vulnerabilities. All users should ensure they migrate to the latest version as soon as possible to prevent the flaws from being exploited.

The post Vulnerabilities Identified in Popular Telemedicine Software Development Kit appeared first on HIPAA Journal.

Médecins Sans Frontières/Doctors Without Borders Deploys Celo Health Secure Messaging Solution to Support its Humanitarian Efforts in 87 Countries

Securely sharing patient information is vital in the United States, where healthcare organizations and their business associates are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) and state laws governing health information privacy. In Europe, all personal data must be secured to comply with the General Data Protection Regulation (GDPR), and many countries have regulations covering personally identifiable health information. In order to comply with these regulations, organizations that operate globally must ensure that medical information is fully protected when it is transmitted electronically and that access controls are in place to ensure that only authorized individuals can view that information.

Médecins Sans Frontières (MSF), aka Doctors Without Borders, is a non-governmental organization that provides emergency humanitarian medical care in conflict zones and countries affected by natural disasters, endemic diseases, and exclusion. MSF was formed in 1971 and has grown into an international movement of 63,000 people in more than 70 countries. MSF operates in extremely challenging environments and its clinicians must rely on smartphones for sharing critical patient information with their coordination teams, peers, and remote specialists. Any information shared electronically must be kept private and confidential and needs to be rapidly communicated to support clinical decisions that save lives.

There are many instant messaging platforms for mobile devices that allow rapid communication of information but they often lack the necessary privacy protections and security safeguards for communicating medical information to ensure global compliance. MSF conducted an in-depth review of messaging apps that could meet its unique communication needs and chose Celo Health’s secure messaging technology. Celo Health’s cloud communications platform was chosen due to its ease of use, global compliance, affordability, and reliability in challenging network environments. The platform was easy to implement on iOS and Android phones and desktop computers, required no training, and allowed instant onboarding of employees. The platform’s built-in directory enables MSF healthcare teams to reach the right person instantly, and the time saved communicating helps MSF to save lives.

“Due to the sensitive nature of information discussed and shared in MSF projects globally, providing secure messaging services is a top priority for the Telemedicine program,” said Clara Mazon, director of Telemedicine at MSF. “We look forward to working with Celo to improve access to secure messaging for MSF projects worldwide.” MSF has now confirmed that it has successfully implemented the Celo Health platform across the organization and is being used to support its operations in 87 countries. The collaboration between MSF and Celo Health has transformed communication within MSF teams, facilitating the instant secure exchange of patient-related clinical information even in the most challenging environments.

“We’re excited to partner with such a prestigious humanitarian organization and to help them transform their communications so it can deliver healthcare in crisis zones and underserved areas throughout the world. Celo is also committed to supporting MSF’s noble mission of providing free medical care to people who need it,” said Steve Vlok, CEO and founder of Celo. “MSF was also impressed by Celo’s simple yet comprehensive interface and onboarding process. Our team’s due diligence and transparency around privacy and security measures also made Celo stand out among our global competitors.”

The post Médecins Sans Frontières/Doctors Without Borders Deploys Celo Health Secure Messaging Solution to Support its Humanitarian Efforts in 87 Countries appeared first on HIPAA Journal.