Healthcare Technology Vendor News

Amazon Announces 6 New HIPAA Compliant Alexa Skills

Six new HIPAA compliant Alexa skills have been launched by Amazon that allow protected health information to be transmitted without violating HIPAA Rules.

The new HIPAA compliant Alexa skills were developed by six different companies that have participated in the Amazon Alexa healthcare program. The new skills allow patients to schedule appointments, find urgent care centers, receive updates from their care providers, receive their latest blood sugar reading, and check the status of their prescriptions.

This is not the first time that Alexa skills have been developed, but a stumbling block has been the requirements of the HIPAA Privacy Rule, which limit the use of voice technology with protected health information. Now, thanks to HIPAA compliant data transfers, the voice assistant can now be used by a select group of healthcare organizations to communicate PHI without violating the HIPAA Privacy Rule.

Amazon has stated that it plans to work with many other developers through an invite-only program to develop new skills to use within its HIPAA-eligible environment. Amazon is offering those organizations business associate agreements to meet HIPAA requirements. The initial roll-out has been limited to six new HIPAA compliant Alexa skills as detailed below:

New HIPAA Compliant Alexa Skills

The purpose of the new skills is to allow patients, caregivers, and health plan members to use Amazon Alexa to manage their healthcare at home through voice commands. The skills make it easier for patients to perform healthcare-related tasks, access their health data, and interact with their providers.

The six new HIPAA compliant Alexa skills are:

Express Scripts

Members of the Express Scripts pharmacy services organization can check the status of a home delivery prescription and can ask Alexa to send notifications when prescriptions have been shipped and when they arrive at their door.

Cigna Health Today

Employees who have been enrolled in a Cigna health plan can use this Alexa skill to check wellness program goals, receive health tips, and access further information on rewards.

My Children’s Enhanced Recovery After Surgery (ERAS)

Parents and caregivers of children enrolled in Boston Children’s Hospital’s ERAS program can send updates to their care teams on recovery progress. Care teams can also send information on post-op appointments and pre- and post-op guidance. Initially, the skill is being used in relation to cardiac surgery patients, although the program will be expanded in the near future.

Livongo Blood Sugar Lookup

Participants in Livongo’s Diabetes Program can query their latest blood sugar reading from their device, check blood sugar monitoring trends such as their weekly average reading, and receive personalized health tips through their Alexa device.

Atrium Health

Atrium Health’s new Alexa skill allows patients to find urgent care locations near them and schedule same-day appointments, find out about opening hours, and current waiting times. Initially the Alexa skill is being offered to customers in North and South Carolina.

Swedish Health Connect

Providence St. Joseph Health has created an Alexa skill that allows patients to find Swedish Express Care Clinics in their vicinity and schedule same day appointments at 37 of its locations on the west coast.

The post Amazon Announces 6 New HIPAA Compliant Alexa Skills appeared first on HIPAA Journal.

Webinar: April 4, 2019: Email Security, DMARC, and Sandboxing

The healthcare industry is particularly vulnerable to phishing attacks and successful attacks commonly result in significant data breaches. It is now something of a rarity for a week to pass without a healthcare phishing attack being reported.

While healthcare organizations are providing security awareness training to staff and are using email security solutions, those defenses are not always effective.

To improve understanding of why advanced attacks are managing to evade detection by traditional email security solutions, email security solution provider TitanHQ is hosting a webinar.

During the webinar TitanHQ will explain about the threat from phishing and how organizations can protect themselves and their customers/patients. The webinar will also explain how two new features of TitanHQ’s SpamTitan email security solution – DMARC authentication and sandboxing – can protect against advanced email threats, zero-day attacks, malware, phishing, and spoofing.

Webinar Details:

Date : Thursday, April 4th, 2019

Time: 12pm EST

Duration: 30 minutes

Sign up to the Webinar here.

Disclaimer

This is not a sponsored event.  HIPAA Journal has no business relationship with the event holder.  HIPAA Journal promotes events that might be of interest to its readers. You may submit your event information on our contact page. HIPAA Journal does not accept payment for promoting events.

The post Webinar: April 4, 2019: Email Security, DMARC, and Sandboxing appeared first on HIPAA Journal.

Amazon Launches New System for De-identifying Medical Images

Amazon has announced that it has developed a new system that allows identifying protected health information contained in medical images to be automatically removed to prevent patients from being identified from the images.

Medical images often have patients’ protected health information stored as text within the image, including the patient’s name, date of birth, age, and other metrics. Prior to the images being used for research, authorization must be obtained from the patient or all identifying data must be permanently removed.  Removing PHI from images requires a manual check and alteration of the image to redact the PHI and that can be an expensive and time-consuming process, especially when large number of images must be de-identified.

The new system uses Amazon’s Rekognition machine-learning service, which can detect and extract text from images. The text is then fed through Amazon Comprehend Medical to identify any PHI. In combination with Python code it is possible to quickly redact any PHI in the images. The system works on PNG, JPEG, and DICOM images.

A confidence score is provided by the service which indicates the level of confidence in the accuracy of the detected entity, which can form the basis of reviews to make sure that information has been correctly identified. The desired confidence level – from 0.00 to 1.00 – can be set by the user. A confidence level of 0.00 will see all text identified by the service be redacted.

Amazon says the system allows healthcare organizations to de-identify large numbers of images quickly and inexpensively. Amazon notes that the system can be used to batch process thousands or millions of images. Also, once an image has been processed and the location of PHI has been identified, it is possible to associate a Lambda function to automatically redact PHI from any new images when they are uploaded to an Amazon S3 bucket.

The post Amazon Launches New System for De-identifying Medical Images appeared first on HIPAA Journal.

Concerns Raised About the Sharing of Health Data with Non-HIPAA Covered Entities via Apps and Consumer Devices

Earlier this month, the eHealth Initiative Foundation and Manatt Health issued a brief that calls for the introduction of a values framework to better protect health information collected, stored, and used by organizations that are not required by law to comply with Health Insurance Portability and Accountability Act (HIPAA) Rules.

Health information is increasingly being collected by a wide range of apps and consumer devices. In many cases, the types of data collected by these apps and devices are the same as those collected and used by healthcare organizations. While healthcare organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of health information and uses and disclosures of that information are restricted, the same rules do not cover the data if the information is collected by other entities.

It doesn’t matter what type of organization stores or uses the data. If that information is exposed it can cause considerable harm, yet this is currently something of a gray area that current regulations do not cover properly.

At the time when HIPAA and the subsequent Privacy and Security Rules were enacted, the extent to which health information would be collected and used by apps and consumer devices could not have been known. Now, new rules are required to ensure that health information is not exposed and remains private and confidential when collected by non-HIPAA covered entities.

Laws have been introduced that do extend to health data collected by apps and consumer devices, including the California Consumer Privacy Act (CCPA), but these laws only apply at the state level and protections for consumers can vary greatly from state to state.

HIPAA was updated by the HITECH Act of 2009, which does cover electronic medical records and health IT, but does not extend to apps and consumer devices. GDPR covers consumer data collected by apps and consumer devices, but only for companies doing business with EU residents.

The Brief, entitled, Risky Business? Sharing Data with Entities Not Covered by HIPAA explores the problem, the extent of data now being shared, and aims to clear up some of the confusion about when HIPAA applies to apps and consumer devices and when it does not and explores other federal guidance and regulations that has been issued by the FDA, FTC, and CMS covering mobile apps and consumer devices.

HIPAA does apply to business associates of HIPAA covered entities that provide apps and devices on behalf of the covered entity. However, if the app or device is not provided by a vendor acting as a business associate of a HIPAA covered entity, HIPAA Rules do not apply. Many healthcare organizations struggle to make the determination about whether a vendor is a business associate and if devices and apps are offered on behalf of the covered entity. The brief attempts to explain the often-complex process.

One area of particular concern is the growing number of people who are using genealogy services and are supplying companies with their DNA. Individuals are voluntarily providing this information, yet many are unaware of the implications of doing so and are unaware of the lucrative DNA market and the potential sale of their DNA profiles.

“Privacy and security in healthcare are at a critical juncture, with rapidly changing technology and laws that are struggling to keep pace,” explained Jennifer Covich Bordenick, Chief Executive Officer, eHealth Initiative Foundation. “Even as new laws like CCPA and GDPR emerge, many gray areas for the use and protection of consumer data need to be resolved. We hope the insights from papers like this help industry and lawmakers to better understand and address the world’s changing privacy challenges.”

The post Concerns Raised About the Sharing of Health Data with Non-HIPAA Covered Entities via Apps and Consumer Devices appeared first on HIPAA Journal.

Critical Vulnerability Affects Medtronic CareLink Monitors, Programmers, and ICDs

Two vulnerabilities have been identified in the Conexus telemetry protocol used by Medtronic MyCarelink monitors, CareLink monitors, CareLink 2090 programmers, and 17 implanted cardiac devices. Both vulnerabilities require a low level of skill to exploit, although adjacent access to a vulnerable device would be required to exploit either vulnerability.

The most serious vulnerability, rated critical, is a lack of authentication and authorization controls in the Conexus telemetry protocol which would allow an attacker with adjacent short-range access to a vulnerable device to inject, replay, modify, and/or intercept data within the telemetry communication when the product’s radio is turned on.

An attacker could potentially change memory in a vulnerable implanted cardiac device which could affect the functionality of the device.

The vulnerability is being tracked as CVE-2019-6538 and has been assigned a CVSS v3 base score of 9.3.

A second, medium severity vulnerability concerns the transmission of sensitive information in cleartext. Since the Conexus telemetry protocol does not use encryption, an attacker with adjacent short-range access to a vulnerable product could intercept communications and obtain sensitive patient data.

The vulnerability is being tracked as CVE-2019-6540 and has been assigned a CVSS v3 base score of 6.5.

The vulnerabilities affect the following Medtronic devices:

  • Versions 24950 and 24952 of MyCareLink Monitor
  • Version 2490C of CareLink Monitor
  • CareLink 2090 Programmer

All models of the following implanted cardiac devices are affected:

  • Amplia CRT-D
  • Claria CRT-D
  • Compia CRT-D
  • Concerto CRT-D
  • Concerto II CRT-D
  • Consulta CRT-D
  • Evera ICD
  • Maximo II CRT-D and ICD
  • Mirro ICD
  • Nayamed ND ICD
  • Primo ICD
  • Protecta ICD and CRT-D
  • Secura ICD
  • Virtuoso ICD
  • Virtuoso II ICD
  • Visia AF ICD
  • Viva CRT-D

Medtronic has implemented additional controls for monitoring and responding to any cases of improper use of the telemetry protocol used by affected ICDs. Further mitigations will be applied to vulnerable devices through future updates.

In the meantime, users of the devices should ensure home monitors and programmers cannot be accessed by unauthorized individuals and home monitors should only be used in private environments. Only home monitors, programmers, and ICDs that have been supplied by healthcare providers or Medtronic representatives should be used.

Unapproved devices should not be connected to monitors through USB ports and physical connections and programmers should only be used to connect with ICDs in hospital and clinical environments.

The vulnerabilities were identified by multiple security researchers who reported them to NCCIC. (Peter Morgan of Clever Security; Dave Singelée and Bart Preneel of KU Leuven; former KU Leuven researcher Eduard Marin; Flavio D. Garcia; Tom Chothia; and Rik Willems.

The post Critical Vulnerability Affects Medtronic CareLink Monitors, Programmers, and ICDs appeared first on HIPAA Journal.

Is DocuSign HIPAA Compliant?

Can DocuSign be used by healthcare organizations in connection with electronic protected health information (ePHI) without violating HIPAA Rules? Is DocuSign HIPAA compliant?

DocuSign is a San Francisco-based provider of electronic signature technology and transaction management services. Via DocuSign, companies can send documents such as contracts to customers and business associates and obtain their electronic signatures to confirm that they have read the document and agree to any terms and conditions contained therein.

In healthcare, eSignature services can streamline administrative tasks and save many hours of chasing up paperwork. The DocuSign solution can be used by healthcare providers for a range of different purposes, including obtaining eSignatures on SLAs, business associate agreements, credentialing forms, and patient consent forms.

However, if the service is used in connection with any electronic protected health information, DocuSign would be classed as a business associate. HIPAA requires all business associates to enter into a HIPAA-compliant business associate agreement with covered entities prior to being provided with or given access to ePHI.

Is DocuSign HIPAA Compliant?

When considering if DocuSign is HIPAA compliant, a key test is whether the company is willing to sign a BAA with a HIPAA-covered entity. On the DocuSign website, the company states that it is prepared to sign a BAA and has already done so with many healthcare providers and life science customers.

DocuSign also confirms that while the company does not access ePHI, any ePHI that passes through its service is secured. DocuSign also confirms that it is in full compliance with the privacy and security requirements of HIPAA and its service meets HHS standards for digital signatures.

In order to obtain a BAA, customers must first sign up for an Enterprise account with DocuSign and they must ensure the signed BAA is obtained prior to using the service with any ePHI.

Provided a BAA is obtained, DocuSign can be considered a HIPAA compliant eSignature service.

The post Is DocuSign HIPAA Compliant? appeared first on HIPAA Journal.

Is Calendly HIPAA Compliant?

Calendly is a popular tool that is used by many businesses to schedule meetings and appointments, but can Calendly be used by healthcare organizations? Is Calendly HIPAA compliant?

Businesses can waste a considerable amount of time scheduling appointments and meetings. Lengthy email exchanges and phone tag are commonplace. Calendly aims to eliminate the time wasted attempting to connect with others and the platform can reduce no-show rates through automated email and text reminders. The solution integrates with Google Calendar, iCloud calendar, Office 365, Salesforce, and GoToMeeting and other popular software platforms and can also be integrated directly into business websites to allow customers to schedule appointments directly.

The platform is used by healthcare organizations for scheduling internal meetings, but in order to use Calendly with any electronic protected health information, healthcare organizations would first need to enter into a HIPAA-compliant business associate agreement with Calendly.

Is Calendly HIPAA Compliant?

Calendly explains on its website that the platform is secure and all data uploaded is protected. Data sent to and stored by the scheduling tool is protected by 256-bit encryption and Calendly is hosted on Amazon Web Services, which is a HIPAA-compliant hosting solution. Calendly cannot read medical charts and other private information as it only reads the busy/free status of calendar events to avoid double bookings.

While secure, Calendly explains in the help section of its website that “Calendly should not be used for collecting Protected Health Information” and that the solution should not be used for asking “any personal or medical questions in the question form invitees complete when scheduling.” Calendly also does not sign business associates with HIPAA covered entities.

As such, Calendly is not a HIPAA-compliant scheduling tool. The tool can be used by healthcare organizations, just not in connection with any ePHI. Healthcare organizations should ensure that only HIPAA-compliant scheduling tools are used for booking patient appointments.

The post Is Calendly HIPAA Compliant? appeared first on HIPAA Journal.

Is Evernote HIPAA Compliant?

Evernote is a useful cloud-based service that allows users to take notes, create to do lists, plan projects, and collaborate with teams, but is Evernote HIPAA compliant? Can Evernote be used in healthcare by physicians and other healthcare professionals without violating HIPAA Rules?

Evernote serves as an easily accessible repository for a wide range of information, including documents, audio files, images, and video files. One of the key features of Evernote which makes it so useful is the ability to automatically synch files and notes across multiple devices.

Evernote is available as a free app or a paid service for businesses and does incorporate access controls and security features such as single sign-on (SSO) and two-factor authentication to prevent unauthorized use of the applications.  Evernote stores data on the Google Cloud platform, which can be HIPAA compliant. Encryption is also supported by Evernote for Mac and Evernote for Windows Desktop. In-note encryption uses an AES 128-bit key.

Evernote is designed to make data sharing as easy as possible, which should raise a red flag if you are thinking about using Evernote with protected health information or files containing protected health information – patients documents or dictated notes for instance.

Is Evernote HIPAA Compliant?

So, with the above security controls, is Evernote HIPAA compliant? While the security controls mentioned above do offer some protection against unauthorized access, they are not currently sufficient to meet the requirements of the HIPAA Security Rule. Further, Evernote does not sign business associate agreements with HIPAA covered entities.

Therefore, Evernote is not a HIPAA compliant note taking app and it should therefore not be used in connection with any protected health information.

There are alternatives that can be used in its place.  You can read more about these on the links below:

Is Google Keep HIPAA Compliant?

Is Microsoft OneNote HIPAA Compliant?

The post Is Evernote HIPAA Compliant? appeared first on HIPAA Journal.

Sandboxing and DMARC Authentication Added to SpamTitan to Improve Email Threat Detection

Despite increased investment in cybersecurity, healthcare organizations still struggle to protect against advanced phishing threats and email impersonation attacks. Detection of new malware threats can also be a major challenge for small to medium sized healthcare organizations and managed service providers.

To better serve the healthcare market and improve protection against sophisticated phishing attacks and zero-day malware, TitanHQ has announced it has added two new features to its SpamTitan spam filtering solution: DMARC email authentication and sandboxing.

Due to the increase in email impersonation attacks, the Department of Homeland Security issued a binding operational directive in 2017 that required all executive branch agencies to fully adopt Domain-based Message Authentication, Reporting and Conformance (DMARC) to protect against email impersonation attacks and domain spoofing. DMARC authentication has now been incorporated into SpamTitan to improve detection of domain spoofing phishing attacks and prevent these phishing emails from reaching end users’ inboxes.

New malware and ransomware variants are now being released at unprecedented levels. Detecting these new malware threats require more than AV solutions. To better protect users against these new email-based malware threats, TitanHQ has added a new Bitdefender-powered sandboxing feature to SpamTitan.

Suspicious file attachments are now sent to the sandbox where they can be detonated and analyzed for malicious actions. Within this secure environment, files can be assessed safely to identify obfuscated malware, new malware threats, attempts to download malicious payloads, and calls to c2 servers. A broad range of file types are sent to the sandbox, including applications, executable files, and office documents.

“The sandbox service analyzes files by leveraging purpose-built, advanced machine learning algorithms, decoys and anti-evasion techniques, anti-exploit, and aggressive behavior analysis,” explained TitanHQ. “All results are checked across known threats in an extensive array of online repositories, and all in just a few minutes.” If files are confirmed as malicious, they are reported to the Bitdefender’s Global Protective Network and the threat is blocked globally.

“I’m delighted to launch both features today and we will continue with our commitment to continually invest in, develop and improve SpamTitan email security,” explained TitanHQ CEO Ronan Kavanagh. “These new features will help healthcare clients improve their defences against advanced malware and sophisticated phishing attacks.”

The post Sandboxing and DMARC Authentication Added to SpamTitan to Improve Email Threat Detection appeared first on HIPAA Journal.