HIPAA Communication News

Microsoft Issues Advice on Defending Against Spear Phishing Attacks

Cybercriminals conduct phishing attacks by sending millions of messages randomly in the hope of getting a few responses, but more targeted attacks can be far more profitable.

There has been an increase in these targeted attacks, which are often referred to as spear phishing. Spear phishing attacks have doubled in the past year according to figures from Microsoft. Between September 2018 and September 2019, spear phishing attacks increased from 0.31% of email volume to 0.62%.

The volume may seem low, but these campaigns are laser-focused on specific employees and they are often very affective. The emails are difficult even for security conscious employees to recognize and many executives, and even IT and cybersecurity staff, fall for these campaigns. The emails are tailored to a specific individual or small group of individuals in a company, they are often addressed to that individual by name, appear to come from a trusted individual, and often lack the signs of a phishing emails present in more general phishing campaigns.

These attacks are more profitable as some credentials are more valuable than others. Spear phishing campaigns often target Office 365 admins. Their accounts can allow an attacker to gain access to the entire email system and huge quantities of sensitive data. New accounts can be set up on a domain with admin credentials, and those accounts can be used to send further phishing emails. New accounts are only used by the attacker, so there is a lower chance of the malicious email activities being discovered.

Spear phishers also seek the credentials of executives, as they can be used in business email compromise attacks in which employees with access to company bank accounts to tricked into making fraudulent wire transfers. Fraudulent wire transfers of tens of thousands, hundreds of thousands, or even millions may be made, malware can be installed, or the attacker can gain access to large quantities of highly sensitive data.

Spear phishers spend time researching their targets on social media networks and corporate websites. They learn about relationships between employees and different departments and impersonate other individuals in the company. They may even already have compromised one or more company email accounts in past phishing campaigns before going for the big phish on a big fish in the company. This is often referred to as a whaling attack. Spear phishing emails are often professional, credible, and are difficult to identify by end users.

As difficult as these spear phishing emails are to spot, there are steps that healthcare organizations can take to reduce risk. Many of these measures are the same as the steps that need to be taken to detect and block more general phishing campaigns.

The best place to start is with employee education. Security awareness training should be provided to everyone in the organization who uses email. Many of these spear phishing attacks start with a more general phishing campaign to gain a foothold in the email system.

The CEO and executives must also be trained, as they are the big fish that the spear phishing campaigns most commonly target. Any individual with access to corporate bank accounts or highly sensitive information should be given more training, and the training should be role-specific and cover the threats they are most likely to encounter.

Employees should be taught not just to check the true sender of an email, but specifically look at the email address to see if something is not quite right. Phishing emails usually have a sense of urgency and usually a “threat” if no action is taken (account will be closed/suspended).

They often contain out-of-band requests that go against company policy such as fast-tracking payments, sending unusual data via email, or bypassing usual checks or procedures. The messages often contain unusual language or inconsistent wording.

When suspicious emails are received, there should be an easy mechanism for employees to report them to their security teams. A one-click email add-on for reporting messages is useful. Spear phishing campaigns are often sent to key people in a department simultaneously, so speaking to peers about messages is also useful. Policies should also be implemented that require checks to be performed before any large bank transfers are made. It should be company policy to double check atypical requests by phone, for instance.

Technical measures should also be introduced to detect and block attacks. An advanced spam filtering solution is a must. Do not rely on Exchange Online Protection with Office 365. Advanced Threat Protection from Microsoft or a third-party solution for Office 365 should be implemented for greater protection, one which incorporates sandboxing, DMARC, and malicious URL analysis will provide greater protection.

Multi-factor authentication is also essential. MFA blocks more than 99.9% of email account compromise attacks. If credentials are compromised in an attack, MFA can prevent them from being used by the attacker.

Spear phishing is the principle way that cybercriminals attack organizations and it often gives them the foothold they need for more extensive attacks on the organization. Spear phishing is a very real threat. It is therefore critical that organizations take these and other steps to combat attacks.

The post Microsoft Issues Advice on Defending Against Spear Phishing Attacks appeared first on HIPAA Journal.

New Alexa Healthcare Skill Helps Patients Manage Their Medications

Amazon has announced that Alexa has a new healthcare skill that patients can use to manage their medications and order prescription refills.

Earlier this year, Amazon announced that it has developed a HIPAA-eligible environment for skill developers that incorporates the necessary safeguards to comply with the requirements of the HIPAA Privacy and Security Rules. Amazon set up an invite-only program for a select group of skill developers to create new skills that could benefit patients.

The new skill is the result of a collaboration between Amazon and the medication management firm Omnicell. Amazon contacted Omnicell and offered the company the chance to create the new skill after it was noticed that many Alexa users were using their devices to set medication reminders. Amazon had received feedback from several users who requested improvements be made to the reminders feature to allow them to set multiple reminders a day to take their medications.

Initially, the new Alexa capabilities will be available to customers of the Giant Eagle pharmacy chain, which operates over 200 pharmacies throughout the Midwest and Mid-Atlantic. The new skill allows patients to set reminders to take their medications, check their current prescriptions, and order prescription refills at Giant Eagle by issuing voice commands to their Alexa devices.

The new skill incorporates a range of privacy and security protections to prevent unauthorized access and misuse. After enabling the Giant Eagle Pharmacy skill and linking their account, users are required to set up a voice profile and set a PIN. Alexa will recognize a user by their voice profile, but they will be required to provide their PIN before any information will be relayed. Healthcare related information is also redacted in the app to maintain privacy and voice recordings can be reviewed and deleted at any time through the Alexa app, Privacy Settings page, or by issuing voice commands after authentication.

“This new technology is just the beginning, as we continue to identify straightforward and easy-to-use pharmacy tasks that voice–powered devices can perform in the real world to keep the patient at the center of care and streamline pharmacy workflow,” said Danny Sanchez, vice president and general manager, Population Health Solutions, Omnicell.

The initial launch will provide Amazon with valuable data that will be used to improve the customer experience. Amazon will be adding further pharmacy chains in the New Year.

The post New Alexa Healthcare Skill Helps Patients Manage Their Medications appeared first on HIPAA Journal.

Solving the Communication Problems in Healthcare

52% of healthcare organizations experience communications disconnects that negatively impact patients daily or multiple times a week, according to a recent study by TigerConnect.

These communication problems are more than a cause of frustration for healthcare employees. They make care coordination difficult and lead to lapses in care. In fact, the impact of poor communication is far reaching and affects the entire organization.

At best, communication inefficiency causes delays that increase the cost of healthcare provision. At worst, poor communication contributes to preventable medical errors, physician burnout and, in the most extreme cases, it can lead to death.

Many healthcare facilities are still heavily reliant on outdated communication technology such as pagers and fax machines. Groups of healthcare employees use different tools to communicate and, even with a growing mobile workforce, landlines are relied upon far too frequently.

TigerConnect research has shown that communication channels in hospitals are badly fragmented. 89% of hospitals are still using fax machines and 39% are still heavily reliant on pagers for communicating with certain departments, roles or, in the worst cases, organization-wide.

Even when modern communications technology is adopted, it is often implemented in silos. Physicians and nurses may be moved onto modern communications systems, but others are not. Consequently, the full benefits are not realized.

These communication problems are not only a source of frustration for healthcare employees, patients are also noticing. A Harris poll of patients conducted in August 2019 showed patients are frustrated by inefficient communication in healthcare during hospital stays, visits, and by the methods providers are using to communicate with them.

Fixing Broken Communication in Healthcare

TigerConnect will be hosting a webinar in which the extent of the communication problems in the U.S. healthcare industry will be discussed along with the problems that communication disconnects are causing.

Dr. Will O’Connor, CMIO, TigerConnect  and Jorge Jeffery, Data Scientist & Researcher, will talk about these issues and will suggest a solution that will improve communication in healthcare, increase workflow efficiency, reduce common bottlenecks that are slowing patient throughput, and how improvements in communication can ensure more patients are seen in less time and the cost of healthcare provision can be reduced.

Webinar Details:

Topic:    Fixing Broken Communications in Healthcare

Date:     Thursday December 12, 2019

Time:    1.00 PM Eastern Time / 12:00 PM Central Time / 11:00 AM Mountain Time / 10.00 AM Pacific Time

Hosts:   Dr. Will O’Connor, CMIO, TigerConnect / Jorge Jeffery, Data Scientist & Researcher

The Webinar will be followed by a Q&A session

You can sign up for the webinar here.

The post Solving the Communication Problems in Healthcare appeared first on HIPAA Journal.

TigerConnect Survey Finds 89% of Healthcare Providers Still Use Fax Machines and 39% are Still Using Pagers

TigerConnect has released its 2019 State of Healthcare Communications Report, which shows that continuing reliance on decades-old, inefficient communications technology is negatively impacting patients and is contributing to the increasing cost of healthcare provision.

For the report, TigerConnect surveyed more than 2,000 patients and 200 healthcare employees to assess the current state of communications in healthcare and gain insights into areas where communication inefficiencies are causing problems.

The responses clearly show that communication in healthcare is broken. 52% of healthcare organizations are experiencing communication disconnects that impact patients on a daily basis or several times a week. Those communication inefficiencies are proving frustrating for healthcare employees and patients alike.

The report reveals most hospitals are still heavily reliant on communications technology from the 1970s. 89% of hospitals still use faxes and 39% are still using pagers in some departments, roles, or even across the entire organization. The world may have moved on, but healthcare hasn’t, even though healthcare is the industry that stands to benefit most from the adoption of mobile technology.

The HHS’ Centers for Medicaid and Medicare Services (CMS) is pushing for fax machines to be eliminated by the end of 2020 and for healthcare organizations to instead use more secure, reliable, and efficient communications methods. Given the extensive use of fax machines, that target may be difficult to achieve.

“Adoption of modern communication solutions has occurred in every other industry but healthcare,” said Brad Brooks, chief executive officer and co-founder of TigerConnect. “Despite the fact that quality healthcare is vital to the well-being and functioning of a society, the shocking lack of communication innovation comes at a steep price, resulting in chronic delays, increased operational costs that are often passed down to the public, preventable medical errors, physician burnout, and in the worst cases, can even lead to death.”

The cost of communication inefficiencies in healthcare is considerable. According to NCBI, a 500-bed hospital loses more than $4 million each year as a result of communication inefficiencies and communication errors are the root cause of 70% of all medical error deaths.

The communication problems are certainly felt by healthcare employees, who waste valuable time battling with inefficient systems. The report reveals 55% of healthcare organizations believe the healthcare industry is behind the times in terms of communication technology compared to other consumer industries.

One of the main issues faced by healthcare professionals is not being able to get in touch with members of the care team when they need to. 39% of healthcare professionals said it was difficult or very difficult communicating with one or more groups of care team members.

Fast communication is critical for providing high quality care to patients and improvements are being made, albeit slowly. Secure messaging is now the primary method of communication overall for nurses (45%) and physicians (39%), although landlines are the main form of communication for allied health professionals (32%) and staff outside hospitals (37%), even though secure messaging platforms can be used by all groups in all locations.

Even though there is an increasing mobile workforce in healthcare, healthcare organizations are still heavily reliant on landlines. Landlines are still the top method of communication when secure messaging is not available. Landlines are also used 25% of the time at organizations that have implemented secure messaging.

Healthcare organizations that have taken steps to improve communication and have implemented secure messaging platforms are failing to get the full benefits of the technology. All too often, secure messaging technology is implemented in silos, with different groups using different methods and tools to communicate with each other. When secure messaging is not used, such as when the platform is only used by certain roles, communication is much more difficult.

The communications problems are also felt by patients. Nearly three quarters (74%) of surveyed patients who had spent at least some time in hospital in the past two years, either receiving treatment or visiting an immediate family member, said they were frustrated by inefficient processes.

The most common complaints were slow discharge/transfer times (31%), ED time with doctors (22%), long waiting room times (22%), the ability to communicate with a doctor (22%), and the length of time it takes to get lab test results back (15%). Many of these issues could be eased through improved communication between members of the care team. The survey also revealed hospital staff tend to underestimate the level of frustration that patients experience.

Communication problems play a large part in the bottlenecks that often occur in healthcare. Communication problems were cited as causing delayed discharges (50%), consult delays (40%), long ED wait times (38%), transport delays (33%) and slow inter-facility transfers (30%). There is a 50% greater chance of daily communication disconnects negatively impacting patients when secure messaging is not used.

Hospitals that communicate with patients by SMS/text or messaging apps are far more likely to rate their communication methods as effective or extremely effective. 75% of hospitals that use text/SMS and 73% that use messaging apps rate communication with patients as effective or very effective, compared to 62% that primarily use the telephone and 53% whose primary method of communicating with patients is patient portals. The survey also showed that only 20% of patients want to communicate via patient portals.

It has been established that secure messaging can improve communication and the quality of healthcare delivery, but healthcare communication is often not a strategic priority. 69% of surveyed healthcare professionals that are not using a secure messaging platform said this was due to budget constraints, 38% said money was spent on other IT priorities, and 34% cited concerns about patient data security, even though secure messaging platforms offer afar greater security than legacy communications systems.

TigerConnect has made several recommendations on how communication in healthcare needs to be improved.

  • Prioritize communication as a strategy
  • Focus on improving communication to ease major bottlenecks
  • Integrate communication platforms with EHRs to get the greatest value
  • Standardize communication across the entire organization
  • Include clinical leadership in solution design
  • Stop using patient portals to communicate with patients and start using patient messaging in the overall communication strategy.

The survey provides valuable insights into the state of communication in healthcare and clearly shows where improvements need to be made. The full TigerConnect 2019 State of Communication in Healthcare Report is available free of charge on this link (registration required).

The post TigerConnect Survey Finds 89% of Healthcare Providers Still Use Fax Machines and 39% are Still Using Pagers appeared first on HIPAA Journal.

Speakap Confirmed as HIPAA Compliant by Compliancy Group

The communication platform provider Speakap has announced it has achieved compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules with Compliancy Group.

Speakap has developed a communications platform that helps healthcare organizations communicate quickly and efficiently with their frontline staff, even if they do not have easy access to computers. Through a mobile app, healthcare organizations can maintain contact with deskless workers and communicate with the entire workforce through a desktop version of the app. The app is used by businesses in a wide range of industry sectors; however, in order to offer the communications solution to the healthcare industry, Speakap needed to ensure that its platform, policies, and procedures were in full compliance with HIPAA Rules.

Since the platform can be used to communicate ePHI, Speakap is classed as a business associate under HIPAA and must ensure administrative, physical, and technical safeguards are incorporated into its solution and the company fulfils its responsibilities with respect to HIPAA.

To ensure that the company was fully compliant, Speakap sought assistance from Compliancy Group. Using Compliancy Group’s proprietary software solution, The Guard, and assisted by its compliance coaches, the company successfully completed Compliancy Group’s 6-stage risk analysis and risk remediation process.

Compliancy Group’s HIPAA experts have verified Speakap’s good faith efforts toward HIPAA compliance and have awarded the company its HIPAA Seal of Compliance. The HIPAA Seal of Compliance confirms that Speakap has the safeguards, policies, and procedures in place and has developed and implemented an effective HIPAA compliance program and has met the necessary regulatory standards of the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, HIPAA Omnibus Rule, and the HITECH Act.

“Speakap’s HIPAA compliance builds upon the company’s commitment to offer trusted and secure solutions that comply with the highest industry standards,” said Speakap CEO, Erwin Van Der Vlist. “We’re providing those who require HIPAA compliance the highest levels of trust and the peace of mind they deserve. The platforms we provide are backed by the extraordinary measures we take to deliver industry-leading services.”

The post Speakap Confirmed as HIPAA Compliant by Compliancy Group appeared first on HIPAA Journal.

Common Office 365 Mistakes Made by Healthcare Organizations

An Office 365 phishing campaign has been running over the past few weeks that uses voicemail messages as a lure to get users to disclose their Office 365 credentials. Further information on the campaign is detailed below along with some of the most common Office 365 mistakes that increase the risk of a costly data breach and HIPAA penalty.

Office 365 Voicemail Phishing Scam

The Office 365 voicemail phishing scam was detected by researchers at McAfee. The campaign has been running for several weeks and targets middle management and executives at high profile companies. A wide range of industries have been attacked, including healthcare, although the majority of attacks have been on companies in the service, IT services, and retail sectors.

The emails appear to have been sent by Microsoft and alert users to a new voicemail message. The emails include the caller’s telephone number, the date of the call, the duration of the voicemail message, and a reference number. The emails appear to be automated messages and tell the recipient that immediate attention is required to access the message.

The phishing emails include an HTML attachment which will play a short excerpt from the voicemail message if opened. Users will then be redirected to a spoofed Office 365 web page where they must enter their Office 365 credentials to listen to the full message. If credentials are entered, they will be captured by the attacker. Users are then redirected to the Office.com website. No voicemail message will be played.

This is not the first time that voicemail and missed call notifications have been used as a lure in phishing attacks, but the inclusion of audio recordings in phishing emails is unusual. The partial voicemail recording comes from an embedded .wav file in the HTML attachment.

McAfee reports that three different phishing kits are being used to generate the spoofed Microsoft Office 365 websites, which suggests three different threat groups are using this ploy.

While there are red flags that should alert security-aware employees that this is a scam, unfamiliarity with this type of phishing scam and the inclusion of Microsoft logos and carbon-copy Office 365 login windows may be enough to convince users that the voicemail notifications are genuine.

Common Office 365 Mistakes to Avoid and HIPAA Best Practices

This is just the latest of several recent phishing campaigns targeting Office 365 users and attacks on Office 365 users are increasing. Listed below are some steps that can be taken to reduce risk along with some of the common Office 365 mistakes that are made which can increase the risk of account compromises, data breaches and HIPAA penalties.

Consider Using a Third-Party Anti-Phishing Solution on Top of Office 365

Office 365 incorporates anti-spam and anti-phishing protections as standard through Microsoft Exchange Online Protection (EOP). While this control is effective at blocking spam email (99%) and known malware (100%), it doesn’t perform so well at stopping phishing emails and zero-day threats. Microsoft is improving its anti-phishing controls but EOP is unlikely to provide a sufficiently high level of protection for healthcare organizations that are extensively targeted by cybercriminals.

Microsoft’s anti-phishing protections are better in Advanced Threat Protection (APT), although this solution cannot identify zero-day threats, does not include sandboxing for analyzing malicious attachments, and email impersonation protection is limited. For advanced protection against phishing and zero-day threats, consider layering a third-party anti-phishing solution on top of Office 365.

Implement Multi-Factor Authentication

A third-party solution will block more threats, but some will still be delivered to inboxes. The Verizon Data Breach Investigations Report revealed 30% of employees open phishing emails and 12% click links in those messages. Security awareness training for employees is mandatory under HIPAA and can help to reduce susceptibility to phishing attacks, but additional anti-phishing measures are required to reduce risk to a reasonable and acceptable level. One of the most effective measures is multi-factor authentication. It is not infallible, but it will help to ensure that compromised credentials cannot be used to access Office 365 email accounts.

Check DHS Advice Prior to Migrating from On-Premises Mail Services to Office 365

There are risks and vulnerabilities that must be mitigated when migrating from on-premises mail services to Office 365. The DHS’ Cybersecurity and Infrastructure Security Agency has issued best practices that should be followed. Check this advice before handling your own migrations or using a third-party service.

Ensure Logging is Configured and Review Email Logs Regularly

HIPAA requires logs to be created of system activity and ePHI access attempts, including the activities of authorized users. Those logs must also be reviewed regularly and checked for signs of unauthorized access and suspicious employee behavior.

Ensure Your Emails are Encrypted

Email encryption will prevent messages containing ePHI from being intercepted in transit. Email encryption is a requirement of HIPAA if messages containing ePHI are sent outside your organization.

Make Sure You Read Your Business Associate Agreement

Just because you have obtained a signed business associate agreement from Microsoft it does not mean your email is HIPAA-compliant. Make sure you read the terms in the BAA, check your set up is correct, and you are aware of your responsibilities for securing Office 365 and you are using Office 365 in a HIPAA compliant manner.

Backup and Use Email Archiving

In the event of disaster, it is essential that you can recover your email data. Your Office 365 environment must therefore be backed up and emails containing ePHI and HIPAA-related documents must be retained for a period of 6 years. An archiving solution – from Microsoft or a third-party – is the best way of retaining emails as archives can be searched and emails quickly recovered when they are required, such for legal discovery or a compliance audit.

The post Common Office 365 Mistakes Made by Healthcare Organizations appeared first on HIPAA Journal.

Dental Practice Fined $10,000 for PHI Disclosures on Yelp

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with Elite Dental Associates over the impermissible disclosure of multiple patients’ protected health information (PHI) when responding to patient reviews on the Yelp review website.

Elite Dental Associates is a Dallas, TX-based privately-owned dental practice that provides general, implant and cosmetic dentistry. On June 5, 2016, OCR received a complaint from an Elite patient about a social media HIPAA violation. The patient claimed the dental practice had responded to a review she left on Yelp and publicly disclosed some of the PHI.

When replying to the patient’s June 4, 2016 post, Elite disclosed the patient’s last name along with details of her health condition, treatment plan, insurance, and cost information.

The investigation confirmed that to be the case, but also found it was not the first time that PHI had been disclosed without authorization on the social media platform when responding to patient reviews. Further impermissible PHI disclosures were found on the Elite review page.

In addition to the impermissible disclosures of PHI, which violated 45 C.F.R. § 164.502(a), OCR determined Elite had not implemented policies and procedures relating to PHI, in particular the release of PHI on social media and other public platforms, in violation of 45 C.F.R. § 164.530(i). Elite was also discovered not to have included the minimum required content in its Notice of Privacy Practices as required by the HIPAA Privacy Rule (45 C.F.R. § 164.520(b)).

OCR agreed to a HIPAA violation fine of $10,000 and a corrective action plan (CAP) to resolve the alleged HIPAA violations and settle the case with no admission of liability. The three potential HIPAA violations could have attracted a substantially higher financial penalty; however, when considering an appropriate financial penalty, OCR took the financial position of the practice, its size, and Elite’s cooperation with the OCR investigation into account.

“Social media is not the place for providers to discuss a patient’s care,” said OCR Director, Roger Severino.  “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

This is the 4th OCR HIPAA settlement of 2019. In September, OCR fined Bayfront Health St Petersburg $85,000 for a HIPAA Right of Access failure. In May, two settlements were agreed to resolve multiple HIPAA violations at Medical Informatics Engineering ($100,000) and Touchstone Medical Imaging ($3,000,000).

The post Dental Practice Fined $10,000 for PHI Disclosures on Yelp appeared first on HIPAA Journal.

Senate Fails to Remove Ban on Funding of National Patient Identifier

The Department of Health and Human Services (HHS) is prohibited from using any of its budget to fund the development and implementation of a national patient identifier, but there was hope that the ban would finally be lifted this year.

The House of Representatives added an amendment to its Departments of Labor, Health, and Human Services, and Education, and Related Agencies Act of 2020 which removed the ban, which would allow the HHS to follow through on this requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

It now looks likely that the ban will remain in place for at least another year as the Senate Appropriations Subcommittee’s draft 2020 fiscal budget bill, released last Wednesday, has retained the text banning the HHS from acting on this HIPAA requirement.

The ban has been in place since 1999 and was introduced because of concerns over patient privacy. The ban has been written into the Congressional budget every year since and the proposed 2020 fiscal budget bill is no different.

The proposed fiscal budget bill includes the text, “None of the funds made available in this act may be used to promulgate or adopt any final standard under section 1173(b) of the Social Security Act providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual’s capacity as an employer or a health care provider), until legislation is enacted specifically approving the 13 standard.”

The purpose of the national patient identifier is to make it easier for patients to be efficiently matched with their health records. Regardless of where a patient receives treatment, their health data will be tied to them through their unique national patient identifier code. The new identifier would help to ensure that patient information could flow freely between different healthcare organizations and it is seen by many healthcare industry stakeholders to be essential for full interoperability. A national patient identifier could help to improve patient privacy, patient safety, and eliminate considerable waste and misspending in healthcare.

For several years, industry associations such as the College of Healthcare Information Management Executives (CHIME), the American Health Information Management Association (AHMIA), and the Health Innovation Alliance (HIA) have been calling for the ban to be lifted.

HIA Executive Director Joel White has called the ban ‘antiquated’ and said studies have suggested that patients are matched with their records as little as 50% of the time. A national patient identifier would instantly solve that problem.

Efforts to have the ban removed have stepped up in recent years, and this year 56 healthcare stakeholder groups urged the Senate to remove the ban. Significant progress was made this year when the amendment receives strong bipartisan support in the House of Representatives.

Convincing the Senate to lift the ban is proving more difficult. As long as privacy concerns remain, the ban is unlikely to be lifted. One of the main issues is a single identifier would be used to tie medical records to an individual from birth until death, and that could allow unprecedented tracking of Americans through their health records. It could also potentially facilitate the sharing, use, and analysis of patient data without patient consent.

While the draft fiscal budget bill has not had the ban removed, it is possible that an amendment could be made at a later date. AHMIA and CHIME leaders remain hopeful that the Senate will follow the House’s lead and have the ban lifted this year.

The post Senate Fails to Remove Ban on Funding of National Patient Identifier appeared first on HIPAA Journal.

400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS

A recent investigation by ProPublica, the German public broadcaster Bayerischer Rundfunk, and vulnerability and analysis firm, Greenbone Networks, has revealed 24.3 million medical images in medical image storage systems are freely accessible online and require no authentication to view or download the images.

Those images, which include X-rays, MRI, and CT scans, are stored in picture archiving and communications systems (PACS) connected to the Internet.

Greenbone Networks audited 2,300 Internet-connected PACS between July and September 2019 and set up a RadiAnt DICOM Viewer to access the images stored on open PACS servers.

Those servers were found to contain approximately 733 million medical images of which 399.5 million could be viewed and downloaded. The researchers found 590 servers required no authentication whatsoever to view medical images.

PACS use the digital imaging and communications in medicine (DICOM) standard to view, process, store, and transmit the images. In most cases, a DICOM viewer would be required to access the images, but in some cases, all that is required is a web browser or a few lines of code. Anyone with rudimentary computer expertise would be able to view and download the images.

The exposed PACS were located in 52 countries and the highest concentration of unprotected PACS were found in the United States. 187 unsecured servers were found in the United States. The exposed U.S. PACS contained 13.7 million data sets and 303.1 million medical images of around 5 million U.S. patients.

The researchers found more than 10,000 security issues on the audited systems, 20% of which were high-severity and 500 were critical and had a CVSS v3 score of 10 out of 10.

The images included personal and medical information such as patients’ names, dates of birth, scan date, scope of the investigation, type of imaging procedure performed, institute name, attending physicians’ names, and the number of generated images. Some of the images also contained Social Security numbers.

The types of patient information included on the images could be used for identity theft, medical identity theft, and insurance fraud. The data could also be used to extort money from patients or create highly convincing spear phishing emails.

While the investigation uncovered no evidence to suggest any of the exposed information had been copied and published online, the possibility of data theft could not be discounted.

PACS are designed to allow images to be accessed easily by healthcare professionals, but the systems often lack security controls to restrict access. It is the responsibility of healthcare delivery organizations (HDOs) to ensure safeguards are implemented to secure their PACS, but HDOs can face major challenges addressing vulnerabilities and securing their systems without negatively impacting workflows.

To help address the problem, the National Cybersecurity Center of Excellence (NCCoE) recently released new guidance for HDOs to help them improve security controls on PACS and mitigate risks without negatively impacting user productivity and system performance.

The post 400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS appeared first on HIPAA Journal.