HIPAA Compliance News

OCR: HIPAA Security Rule Compliance Can Prevent and Mitigate Most Cyberattacks

Posted by HIPAA Journal

Healthcare hacking incidents have been steadily rising for a number of years. There was a 45% increase in hacking/IT incidents between 2019 and 2020, and in 2021, 66% of breaches of unsecured electronic protected health information were due to hacking and other IT incidents. A large percentage of those breaches could have been prevented if HIPAA-regulated entities were fully compliant with the HIPAA Security Rule.

The Department of Health and Human Services’ Office for Civil Rights explained in its March 2022 cybersecurity newsletter that compliance with the HIPAA Security Rule will prevent or substantially mitigate most cyberattacks. Most cyberattacks on the healthcare industry are financially motivated and are conducted to steal electronic protected health information or encrypt patient data to prevent legitimate access. The initial access to healthcare networks is gained via tried and tested methods such as phishing attacks and the exploitation of known vulnerabilities and weak authentication protocols, rather than exploiting previously unknown vulnerabilities.

Prevention of Phishing

Phishing is one of the commonest ways that cyber actors gain a foothold in healthcare networks. Coveware’s Q2, 2021 Quarterly Ransomware Report suggests 42% of ransomware attacks in the quarter saw initial network access gained via phishing emails. Phishing attacks attempt to trick employees into visiting a malicious website and disclosing their credentials or opening a malicious file and installing malware.

Anti-phishing technologies such as spam filters and web filters are key technical safeguards to prevent phishing attacks. They stop emails from being delivered from known malicious domains, scan attachments and links, and block access to known malicious websites where malware is downloaded or credentials are harvested. These tools are important technical safeguards for ensuring the confidentiality, integrity, and availability of ePHI.

OCR reminded HIPAA-regulated entities that “The Security Rule requires regulated entities to implement a security awareness and training program for all workforce members,” which includes management personnel and senior executives. “A regulated entity’s training program should be an ongoing, evolving process and be flexible enough to educate workforce members on new and current cybersecurity threats (e.g., ransomware, phishing) and how to respond,” said OCR.

The Security Rule also has an addressable requirement to send periodic security reminders to the workforce. OCR said one of the most effective forms of “security reminders” is phishing simulation emails. These exercises gauge the effectiveness of the training program and allow regulated entities to identify weak links and address them. Those weak leaks could be employees who have not fully understood their training or gaps in the training program.

“Unfortunately, security training can fail to be effective if it is viewed by workforce members as a burdensome, “check-the-box” exercise consisting of little more than self-paced slide presentations,” suggested OCR. “Regulated entities should develop innovative ways to keep the security trainings interesting and keep workforce members engaged in understanding their roles in protecting ePHI.”

Prevention of Vulnerability Exploitation

Some cyberattacks exploit previously unknown vulnerabilities (zero-day attacks) but it is much more common for hackers to exploit known vulnerabilities for which patches are available or mitigations have been made public. It is the failure to patch and update operating systems promptly that allows cyber actors to take advantage of these vulnerabilities.

The continued use of outdated, unsupported software and operating systems (legacy systems) is common in the healthcare industry. “Regulated entities should upgrade or replace obsolete, unsupported applications and devices (legacy systems),” said OCR. “However, if an obsolete, unsupported system cannot be upgraded or replaced, additional safeguards should be implemented or existing safeguards enhanced to mitigate known vulnerabilities until upgrade or replacement can occur (e.g., increase access restrictions, remove or restrict network access, disable unnecessary features or services”

The HIPAA Security Rule requires regulated entities to implement a security management process to prevent, detect, contain, and fix security violations. A risk analysis must be conducted and risks and vulnerabilities to ePHI must be reduced to a reasonable and appropriate level. The risk analysis and risk management process should identify and address technical and non-technical vulnerabilities.

To help address technical vulnerabilities, OCR recommends signing up for alerts and bulletins from CISA, OCR, the HHS Health Sector Cybersecurity Coordination Center (HC3), and participating in an information sharing and analysis center (ISAC). Vulnerability management should include regular vulnerability scans and periodic penetration tests.

Eradicate Weak Cybersecurity Practices

Cyber actors often exploit poor authentication practices, such as weak passwords and single-factor authentication. The 2020 Verizon Data Breach Investigations Report suggests over 80% of breaches due to hacking involved compromised or brute-forced credentials.

“Regulated entities are required to verify that persons or entities seeking access to ePHI are who they claim to be by implementing authentication processes,” explained OCR. The risk of unauthorized access is higher when users access systems remotely, so additional authentication controls should be implemented, such as multi-factor authentication for remote access.

Since privileged accounts provide access to a wider range of systems and data, steps should be taken to bolster the security of those accounts. “To reduce the risk of unauthorized access to privileged accounts, the regulated entity could decide that a privileged access management (PAM) system is reasonable and appropriate to implement,” suggests OCR. “A PAM system is a solution to secure, manage, control, and audit access to and use of privileged accounts and/or functions for an organization’s infrastructure.  A PAM solution gives organizations control and insight into how its privileged accounts are used within its environment and thus can help detect and prevent the misuse of privileged accounts.”

OCR reminds regulated entities that they are required to periodically examine the strength and effectiveness of their cybersecurity practices and increase or add security controls to reduce risk as appropriate, and also conduct periodic technical and non-technical evaluations of implemented security safeguards in response to environmental or operational changes affecting the security of ePHI.

The post OCR: HIPAA Security Rule Compliance Can Prevent and Mitigate Most Cyberattacks appeared first on HIPAA Journal.

Video: Why HIPAA Compliance is Important for Healthcare Professionals

Posted by HIPAA Journal

Many sources explaining why HIPAA compliance is important for healthcare professionals tend to focus on the purpose of HIPAA regulations rather than the benefits of compliance for healthcare professionals. The same sources also tend to focus on how noncompliance affects patients and employers, rather than the impact it can have on healthcare professionals´ lives.

This article discusses why HIPAA compliance is important for healthcare professionals from a healthcare professional´s perspective. It explains why healthcare professionals cannot avoid HIPAA; and that, by complying with HIPAA, healthcare professionals can foster patient trust, keep patients safer, and contribute towards better patient outcomes. This is turn raises morale, creates a more rewarding work experience, and enables healthcare professionals to get more from their vocation.

Conversely, the failure to comply with HIPAA can have significant professional and personal consequences. Yet the failure to comply with HIPAA is not always a healthcare professional´s fault. Sometimes it can be due to insufficient training or cultural norms. We look at why Covered Entities might not always be able to provide sufficient training or monitor HIPAA compliance, why they may not accept responsibility when an avoidable HIPAA violation occurs, and how you can avoid HIPAA violations due to a lack of knowledge.

Click here for free HIPAA training

Click here to view HIPAA training pricing

Why Healthcare Professionals Cannot Avoid HIPAA

One of the objectives of HIPAA is to provide a federal floor of privacy protections for individuals´ identifiable health information held by Covered Entities. To achieve this objective, the Privacy and Security Rules imposes standards Covered Entities must comply with in order to protect the privacy of “Protected Health Information” (PHI). The failure to comply with the HIPAA standards can result in substantial financial penalties – even when no data breach occurs and PHI is not compromised.

Most healthcare organizations are Covered Entities and, as such, are required to implement policies and procedures to comply with the Privacy and Security Rule standards. As employees of Covered Entities, healthcare professionals are required to comply with their employer´s policies and procedures. This is why healthcare professionals cannot avoid HIPAA. However, this is not the only reason why HIPAA compliance is important for healthcare professionals.

The Benefits of HIPAA Compliance for Healthcare Professionals

There is little doubt the most important element of a patient/healthcare professional relationship is trust. Patients trust their healthcare professionals with intimate details of their lives because they trust healthcare professionals work in their best interests to achieve optimal health outcomes. However, trust can be a fragile commodity. If their intimate details are exposed due to a HIPAA violation, patients may withhold information crucial to the delivery of care despite the potential long-lasting consequences for their health.

Healthcare professionals can mitigate the risk of trust being broken by complying with the policies and procedures implemented by their employer to prevent HIPAA violations. When patients are confident their privacy is being respected, this fosters trust – which contributes to the delivery of better care in order to achieve optimal health outcomes. Better patient outcomes raise the morale of healthcare professionals and result in a more rewarding work experience.

The Professional and Personal Consequences of Noncompliance

One of the policies a Covered Entity is required to implement is a sanctions policy for when members of its workforce do not comply with HIPAA policies and procedures. Covered Entities are required to enforce the sanctions policy and act on HIPAA violations by healthcare professionals because, if they don´t enforce the sanctions policy, the Covered Entity will be in violation of HIPAA. Furthermore, if the Covered Entity fails to act, noncompliance can deteriorate into a cultural norm.

Being sanctioned for a HIPAA violation can have professional and personal consequences for healthcare professionals. Penalties can range from verbal warnings to the loss of professional accreditation – which will make it difficult for a healthcare professional to get another job – and, if a criminal conviction results from the noncompliance, it will likely be reported in the media which will have repercussions for a healthcare professional´s personal reputation.

Who is Responsible for HIPAA Violations?

As mentioned previously, the failure to comply with HIPAA is not always the healthcare professional´s fault. Although Covered Entities are required to provide training on policies and procedures that relate to healthcare professionals´ functions, they may not have the resources to provide training on every conceivable scenario a healthcare professional may encounter, or to monitor compliance 24/7 in order to prevent the development of cultural norms.

Consequently, unintentional violations of HIPAA can occur due to a lack of knowledge. However, Covered Entities are not always willing to accept responsibility for unintentional violations due to a lack of knowledge because it implies they failed to conduct a thorough risk assessment, overlooked a threat to the privacy of PHI, and failed to provide “necessary and appropriate” training – or, when a cultural norm has developed, failed to monitor compliance with policies and procedures.

How You Can Avoid Unintentional Violations of HIPAA

The best way to avoid unintentional HIPAA violations and the professional and personal consequences of noncompliance – even when they are not your fault – is to ensure your knowledge of HIPAA covers every area of your role and the scenarios you may encounter. To achieve this level of knowledge, you should take advantage of third-party HIPAA training courses that provide you with an in-depth knowledge of HIPAA and its rules and regulations.

Taking responsibility for your own knowledge of HIPAA – and using that knowledge to work in a HIPAA-compliant manner – protects your career, improves your job prospects, and enables you to get more from your vocation. Given the choice, most healthcare professionals would prefer to work in an environment which operates compliantly to delivery better patient outcomes, in which morale is high, and in which the healthcare professional enjoys a more rewarding work experience.

Click here to view HIPAA training pricing

The post Video: Why HIPAA Compliance is Important for Healthcare Professionals appeared first on HIPAA Journal.

Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk

Posted by HIPAA Journal

There have been calls for healthcare organizations to take steps to improve security due to a major rise in hacking incidents, ransomware attacks, and vulnerability disclosures in 2021. Record numbers of healthcare data breaches were reported last year, and tens of millions of healthcare records were compromised.

Adhering to the minimum requirements of the HIPAA Security Rule and conducting risk analyses, having robust risk management practices, conducting vulnerability scans, and implementing technical safeguards such as intrusion prevention systems, next-generation firewalls, and spam filters are all important measures to improve cybersecurity and ensure HIPAA compliance, but it is also important to improve the human aspect of cybersecurity. Risky employee behaviors need to be eradicated and the workforce needs to be trained to be more security-aware and taught how to recognize common attacks that target individuals, such as phishing and social engineering.

The human aspect of cybersecurity is often one of the weakest links in the security chain, which has been highlighted by a recent study commissioned by New Zealand-based Mobile Mentor and conducted by the Austin, TX-based Center for Generational Kinetics. The aim of the study was to explore the Endpoint Ecosystem to understand how employees perceive privacy, productivity, and personal well-being in the modern workplace. The Endpoint Ecosystem is the combination of all devices, applications, and tools that are used by employees coupled with the experiences of employees using technologies.

The survey was conducted on 1,500 employees in highly regulated industries such as government, healthcare, education, and finance in the United States and Australia, and the findings are detailed in the Mobile Mentor report, The Endpoint Ecosystem – 2022 National Study.

Employees are Taking Security Risks

The survey confirmed what other studies have found – The pandemic has led to the workforce becoming much more distributed and employers have had difficulty adapting to this new way of working and ensuring security policies are implemented and enforced that are well suited to the change in how employees are working.

One of the major findings was a lack of awareness about security policies and a failure of employers to provide security awareness training to the workforce. 27% of employees said they saw security policies less than once a year and 39% said they receive security awareness training less than once a year. Healthcare and education employees were the least likely to see security policies and employees often felt they were not adequately trained to protect company data.

41% of respondents said security policies implemented by their employers restricted the way they work, and 36% of employees said they had found a way to work around security policies. The use of shadow IT – applications and services that have not been authorized by the IT department – was found to be out of control. Workers are routinely using unregulated apps and services for work activities, which can involve regulated data.  Employees commonly used services such as Gmail and Dropbox because they believe it makes them more efficient, even though the use of those services has an impact on security.

Interestingly, while remote working is viewed as a security risk, remote workers appeared to be much more tech-savvy, were more aware of security and privacy policies, and were more careful with their passwords. That said, workers are allowing family members to use their work devices – 46% of younger workers said other family members use their work devices.

The lines are getting blurred between device use for personal and work purposes. Overall, 64% of respondents said they use personal devices for work, but only 31% had a secure BYOD program.  57% of younger workers said they use work devices for personal use and 71% said they used personal devices for work. Many employers are failing to address the security risks associated with the use of personal devices for work purposes and work devices for personal use.

Poor Password Hygiene is a Major Security Risk

One of the main security risks identified in the study related to passwords. Poor password hygiene is a major security risk. 80% of cyberattacks start with a compromised password. One of the findings, mirrored by a recent IDC survey, is employees have too many passwords to remember. While password policies may be in place – and enforced – they are often circumvented. 69% of respondents said they choose passwords that are easy to remember, 29% of employees said they write down their passwords in a personal journal, and 24% said they store work passwords on their phones. While many of the security problems associated with passwords can be solved by using a password manager, only 31% of respondents used one.

The survey revealed employees are much more concerned about personal privacy than security, with healthcare employees the most concerned about protecting personal privacy. Mobile Mentor suggests that healthcare employers looking to improve security need to teach employees that privacy and security are two sides of the same coin.

“When the endpoint ecosystem works well, you have a secure, productive, and happy workforce. It’s always been important, but it became urgent over the last two years when the pandemic forced more people to work remotely, cybersecurity attacks increased, and the Great Resignation forced employers to rethink how they support their employees,” said Denis O’Shea, founder of Mobile Mentor. “Until employers prioritize the importance of each component within the Endpoint Ecosystem, their company security and employee productivity are going to be exposed to serious risk.”

The post Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk appeared first on HIPAA Journal.

Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk

Posted by HIPAA Journal

There have been calls for healthcare organizations to take steps to improve security due to a major rise in hacking incidents, ransomware attacks, and vulnerability disclosures in 2021. Record numbers of healthcare data breaches were reported last year, and tens of millions of healthcare records were compromised.

Adhering to the minimum requirements of the HIPAA Security Rule and conducting risk analyses, having robust risk management practices, conducting vulnerability scans, and implementing technical safeguards such as intrusion prevention systems, next-generation firewalls, and spam filters are all important measures to improve cybersecurity and ensure HIPAA compliance, but it is also important to improve the human aspect of cybersecurity. Risky employee behaviors need to be eradicated and the workforce needs to be trained to be more security-aware and taught how to recognize common attacks that target individuals, such as phishing and social engineering.

The human aspect of cybersecurity is often one of the weakest links in the security chain, which has been highlighted by a recent study commissioned by New Zealand-based Mobile Mentor and conducted by the Austin, TX-based Center for Generational Kinetics. The aim of the study was to explore the Endpoint Ecosystem to understand how employees perceive privacy, productivity, and personal well-being in the modern workplace. The Endpoint Ecosystem is the combination of all devices, applications, and tools that are used by employees coupled with the experiences of employees using technologies.

The survey was conducted on 1,500 employees in highly regulated industries such as government, healthcare, education, and finance in the United States and Australia, and the findings are detailed in the Mobile Mentor report, The Endpoint Ecosystem – 2022 National Study.

Employees are Taking Security Risks

The survey confirmed what other studies have found – The pandemic has led to the workforce becoming much more distributed and employers have had difficulty adapting to this new way of working and ensuring security policies are implemented and enforced that are well suited to the change in how employees are working.

One of the major findings was a lack of awareness about security policies and a failure of employers to provide security awareness training to the workforce. 27% of employees said they saw security policies less than once a year and 39% said they receive security awareness training less than once a year. Healthcare and education employees were the least likely to see security policies and employees often felt they were not adequately trained to protect company data.

41% of respondents said security policies implemented by their employers restricted the way they work, and 36% of employees said they had found a way to work around security policies. The use of shadow IT – applications and services that have not been authorized by the IT department – was found to be out of control. Workers are routinely using unregulated apps and services for work activities, which can involve regulated data.  Employees commonly used services such as Gmail and Dropbox because they believe it makes them more efficient, even though the use of those services has an impact on security.

Interestingly, while remote working is viewed as a security risk, remote workers appeared to be much more tech-savvy, were more aware of security and privacy policies, and were more careful with their passwords. That said, workers are allowing family members to use their work devices – 46% of younger workers said other family members use their work devices.

The lines are getting blurred between device use for personal and work purposes. Overall, 64% of respondents said they use personal devices for work, but only 31% had a secure BYOD program.  57% of younger workers said they use work devices for personal use and 71% said they used personal devices for work. Many employers are failing to address the security risks associated with the use of personal devices for work purposes and work devices for personal use.

Poor Password Hygiene is a Major Security Risk

One of the main security risks identified in the study related to passwords. Poor password hygiene is a major security risk. 80% of cyberattacks start with a compromised password. One of the findings, mirrored by a recent IDC survey, is employees have too many passwords to remember. While password policies may be in place – and enforced – they are often circumvented. 69% of respondents said they choose passwords that are easy to remember, 29% of employees said they write down their passwords in a personal journal, and 24% said they store work passwords on their phones. While many of the security problems associated with passwords can be solved by using a password manager, only 31% of respondents used one.

The survey revealed employees are much more concerned about personal privacy than security, with healthcare employees the most concerned about protecting personal privacy. Mobile Mentor suggests that healthcare employers looking to improve security need to teach employees that privacy and security are two sides of the same coin.

“When the endpoint ecosystem works well, you have a secure, productive, and happy workforce. It’s always been important, but it became urgent over the last two years when the pandemic forced more people to work remotely, cybersecurity attacks increased, and the Great Resignation forced employers to rethink how they support their employees,” said Denis O’Shea, founder of Mobile Mentor. “Until employers prioritize the importance of each component within the Endpoint Ecosystem, their company security and employee productivity are going to be exposed to serious risk.”

The post Poor Employee Cyber Hygiene is Putting Healthcare Cybersecurity at Risk appeared first on HIPAA Journal.

HIPAA Violation Reporting

Posted by HIPAA Journal

There is no one-size-fits-all HIPAA violation reporting process because different organizations have different policies and procedures for reporting HIPAA violations, while the process for reporting violations to HHS´ Office for Civil Rights varies according to the nature of the violation and who is making the report.

There are many different types of HIPAA violations, but some are not as serious as others. For example, the failure to send periodic security reminders (an implementation specification of 45 CFR § 164.308) is a HIPAA violation, but it is unlikely to have as serious consequences as the theft of an unencrypted laptop containing the ePHI of twenty thousand patients.

Consequently, a single Covered Entity or Business Associate may have several HIPAA violation reporting processes depending on the nature and potential severity of the event. Similarly, the HHS´ Office for Civil Rights – the HIPAA enforcement agency – has three reporting processes through which organizations, members of the workforce, and patients can report a HIPAA violation.

HIPAA Violation Reporting by Employees

When a HIPAA violation is identified by a member of a Covered Entity´s or Business Associate´s workforce, the reporting process is determined by the organization´s HIPAA policies and procedures. Some organizations´ policies require a verbal report to an immediate supervisor or manager, while others require the violation to be reported in writing directly to the organization´s Privacy or Security Officer. In some cases, the recipient of the report depends on the nature of the violation.

Some organizational policies include a process for escalating HIPAA violation reporting. Typically, if the immediate supervisor fails to address the violation, the report should be escalated to the Privacy or Security Officer. If the violation remains unaddressed, the report should be escalated to the HHS´ Office for Civil Rights. It is also possible to escalate reports to State Attorney Generals or through the courts by bringing a qui tam action against the Covered Entity or Business Associate.

HIPAA Violation Reporting by Patients

Most patients´ knowledge of HIPAA is limited to the information provided for them in a Notice of Privacy Practices. Consequently, patients should be aware of their HIPAA rights and how to report a violation of their rights – most often to the Covered Entity´s Privacy Officer (whose contact details should be on the Notice of Privacy Practices) or to the HHS´ Office for Civil Rights through the online complaints portal. Complaints using these channels have to made within six months of the violation.

If a patient witnesses a violation unrelated to their rights, the HIPAA violation reporting process varies slightly. Reports can be made to the organization´s Privacy Officer as before, to the HHS´ Office for Civil Rights via a different complaint portal (for Privacy Rule violations and Security Rule violations), or to State Attorney Generals via State Departments for Consumer Protection. However, federal and state agencies may require evidence of the violation before initiating an investigation.

Reporting Data Breaches to HHS´ Office for Civil Rights

Covered Entities and Business Associates are not required to report HIPAA violations unless they result in unauthorized access to – or acquisition, use, or disclosure of – unsecured PHI. Most HIPAA violations of this nature must be reported to individuals affected by the data breach and to the HSS´ Office for Civil Rights, unless it can be shown there is a low probability PHI has been compromised based on a four-point risk assessment or an exception to the reporting requirements exists.

The manner of HIPAA violation reporting to HHS´ Office for Civil Rights varies according to the number of individuals affected by the data breach. For data breaches affecting more than five hundred individuals, Covered Entities must notify HHS´ Office for Civil Rights within sixty days of the breach being identified. For breaches affecting fewer than five hundred individuals, Covered Entities can report these violations of HIPAA to HHS´ Office for Civil Rights on an annual basis.

Why You Shouldn´t Delay Reporting HIPAA Violations

There are multiple reasons why members of the workforce, patients, and Covered Entities should not delay reporting HIPAA violations. One of the most pressing reasons for members of the workforce – and supervisors, managers, and Privacy Officers – not to delay HIPAA violation reporting is that, if reports are delayed, no action will be taken to address them, and violations could develop into “cultural norms” which will be harder to reverse.

For the same reason, patients should not delay reporting HIPAA violations – notwithstanding that they only have a six month window for making a complaint – while the consequences of Covered Entities failing to report HIPAA violations in a timely manner can be substantial. In 2019, Sentara Hospitals had to pay a fine of $2.175 million as part of a settlement for failing to notify the HHS´ Office of Civil Rights of a data breach affecting 577 patients.

The post HIPAA Violation Reporting appeared first on HIPAA Journal.

OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture

Posted by HIPAA Journal

In a recent blog post, Director of the HHS’ Office for Civil Rights, Lisa J. Pino, urged HIPAA-regulated entities to take steps to strengthen their cybersecurity posture in 2022 in light of the increase in cyberattacks on the healthcare industry.

2021 was a particularly bad year for healthcare organizations, with the number of reported healthcare data breaches reaching record levels. 714 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in 2021 and more than 45 million records were breached.

The breach reports were dominated by hacking and other IT incidents that resulted in the exposure or theft of the healthcare data of more than 43 million individuals. In 2021, hackers took advantage of healthcare organizations dealing with the COVID-19 pandemic and conducted several attacks that had a direct impact on patient care and resulted in canceled surgeries, medical examinations, and other services as a result of IT systems being taken offline and network access being disabled.

Pino also drew attention to the critical vulnerability identified in the Java-based logging utility Log4J, which has been incorporated into many healthcare applications. The vulnerability was discovered in December 2021 and cybercriminals and other threat groups were quick to exploit it to gain access to servers and networks for a range of malicious purposes.

The vulnerabilities and data breaches show how important it is for healthcare organizations to be vigilant to threats and take prompt action when new risks to the confidentiality, integrity, and availability of protected health information are identified. “With these risks in mind, I would like to call on covered entities and business associates to strengthen your organization’s cyber posture in 2022,” said Pino.

Pino said OCR investigations and audits have uncovered many cases of noncompliance with the risk analysis and risk management requirements of the HIPAA Rules. “All too often, we see that risk analyses only cover the electronic health record.  I cannot underscore enough the importance of enterprise-wide risk analysis.  Risk management strategies need to be comprehensive in scope,” explained Pino. “You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.”

OCR’s investigations of data breaches in 2020 showed multiple areas where HIPAA-regulated entities need to take steps to improve compliance with the standards of the HIPAA Security Rule, especially in the following areas:

  • Risk analysis
  • Risk management
  • Information system activity review
  • Audit controls
  • Security awareness and training
  • Authentication

Pino made several recommendations, including reviewing risk management policies and procedures, ensuring data are regularly backed up (and testing backups to ensure data recovery is possible), conducting regular vulnerability scans, patching and updating software and operating systems promptly, training the workforce how to recognize phishing scams and other common attacks, and practicing good cyber hygiene.

“We owe it to our patients, and industry, to improve our cybersecurity posture in 2022 so that health information is private and secure”, concluded Pino, who also drew attention to resources that have been made available by CISA and the Office for Civil Rights to help protect against common threats to ePHI.

The post OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture appeared first on HIPAA Journal.

January 2022 Healthcare Data Breach Report

Posted by HIPAA Journal

50 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR) in January 2022. January was the second successive month where the number of reported data breaches fell, although 38.9% more breaches were reported last month than in January 2020.

Healthcare data breaches over the past 12 months to January 2022

The protected health information of 2,304,607 individuals was exposed or impermissibly disclosed across those 50 breaches – 22% fewer records than December 2021, and well below the 12-month average of 3.51 million records a month. 726 data breaches of 500 or more records were reported to OCR in the 12 months from February 2021 to January 2022, and 42,175,121 records were breached across those 726 incidents.

Healthcare records breached in the past 12 months to January 2022

 

Largest Healthcare Data Breaches in January 2022

18 healthcare data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights in January 2022, including one major data breach that affected more than 1.35 million Broward Health patients.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Location of Breached Information Breach Cause
North Broward Hospital District d/b/a Broward Health FL Healthcare Provider 1,351,431 Hacking/IT Incident Network Server Unspecified hacking and data theft incident
Medical Review Institute of America UT Business Associate 134,571 Hacking/IT Incident Network Server Ransomware attack
Medical Healthcare Solutions, Inc. MA Business Associate 133,997 Hacking/IT Incident Network Server Ransomware attack
Ravkoo FL Healthcare Provider 105,000 Hacking/IT Incident Other Cyberattack on cloud prescription portal
TTEC Healthcare Solutions CO Business Associate 86,305 Hacking/IT Incident Network Server Ransomware attack
Advocates, Inc. MA Healthcare Provider 68,236 Hacking/IT Incident Network Server Unspecified hacking and data theft incident
iRise Florida Spine and Joint Institute, LLC FL Healthcare Provider 61,595 Hacking/IT Incident Email Email accounts accessed by unauthorized individuals
Suncoast Skin Solutions FL Healthcare Provider 57,730 Hacking/IT Incident Network Server Ransomware attack
Hospital Authority of Valdosta and Lowndes County Georgia GA Healthcare Provider 41,692 Unauthorized Access/Disclosure Desktop Computer Unauthorized access and PHI theft by former employee
Family Christian Health Center IL Healthcare Provider 31,000 Hacking/IT Incident Network Server Ransomware attack
Lakeshore Bone & Joint Institute, PC IN Healthcare Provider 23,627 Hacking/IT Incident Email Email account accessed by unauthorized individual
South City Hospital MO Healthcare Provider 21,601 Theft Network Server, Other Burglary
Pace Center for Girls FL Healthcare Provider 18,300 Unauthorized Access/Disclosure Network Server Unspecified hacking and data theft incident
County of Kings, a political subdivision of the State of California CA Healthcare Provider 16,590 Hacking/IT Incident Network Server Misconfigured web server
Philadelphia FIGHT Community Health Centers PA Healthcare Provider 15,000 Hacking/IT Incident Network Server Unspecified hacking incident
Catholic Hospice, Inc. FL Healthcare Provider 14,986 Hacking/IT Incident Email Email accounts accessed by unauthorized individuals
Houston Area Community Services, Inc. d/b/a Avenue 360 Health and Wellness TX Healthcare Provider 12,186 Hacking/IT Incident Email Email accounts accessed by unauthorized individuals
Spencer Gifts LLC Health and Welfare Benefit Plan NJ Health Plan 10,023 Hacking/IT Incident Network Server Unspecified hacking and data theft incident

Causes of January 2022 Healthcare Data Breaches

Hacking incidents continue to dominate the breach reports and accounted for 76% of the month’s data breaches and 95.57% of the month’s breached records. The average breach size was 57,962 records and the median breach size was 6,174 records. The largest healthcare data breach of the month resulted in the theft of the protected health information of more than 1.35 million patients of Broward Health in Florida. A hacker gained access to the Broward Health network via a third-party medical provider that had been given access rights to Broward Health’s systems.

Causes of January 2022 Healthcare Data Breaches

Ransomware is still being extensively used in cyberattacks on healthcare organizations. 5 of the month’s top 10 data breaches were reported as ransomware attacks, with several others likely to have involved ransomware. Ransomware attacks have become highly sophisticated, with the attackers using a variety of methods to gain access to healthcare networks. CISA, the FBI, and the NSA recently issued a joint threat brief warning about the increased risk of ransomware attacks on critical infrastructure firms and provided mitigations that can be implemented to improve resilience to ransomware attacks.

Phishing attacks are also common. 12 of the month’s data breaches involved compromised email accounts. Combatting phishing attacks requires a combination of email security solutions and end user training. While HIPAA does not specify anti-phishing training for employees, HIPAA-regulated entities should go beyond the requirements of HIPAA and ensure the workforce receives regular security awareness training, including instruction on how to identify phishing emails. When combined with phishing simulation exercises, susceptibility to phishing attacks can be significantly reduced.

There were 11 unauthorized access/disclosure incidents reported to OCR in January, across which the protected health information of 80,456 individuals was impermissibly accessed or disclosed. One of the incidents reported in January involved the theft of the protected health information of 41,692 patients by a former employee. That individual was arrested and charged in connection to the incident. The average size of these breaches was 7,314 records, and the median breach size was 1,125 records. There was also one theft incident reported – a burglary – involving the theft of a network server that contained the protected health information of 21,601 patients.

January 2022 healthcare data breaches - location of breached PHI

Data Breaches by HIPAA-Regulated Entity Type

Data breaches were reported by 31 healthcare providers, 6 health plans, and 13 business associates in January; however, a further 5 breaches occurred at business associates but were reported by the HIPAA-covered entity. The pie chart below shows the adjusted figures for where the data breach occurred.

January 2022 healthcare data breaches by HIPAA-regulated entity type

Healthcare Data Breaches by State

Healthcare data breaches were reported by HIPAA-regulated entities in 22 states, with Florida the worst affected with 7 data breaches.

State Number of Reported Data Breaches
Florida 7
Pennsylvania 6
California 4
Illinois, Massachusetts, New Jersey & New York 3
Colorado, Georgia, Ohio, Tennessee, Texas, & Utah 2
Arkansas, Connecticut, Idaho, Indiana, Minnesota, Missouri, Oklahoma, South Carolina, & Wisconsin 1

HIPAA Enforcement in January 2022

There were no HIPAA enforcement actions announced by the HHS’ Office for Civil Rights or state attorneys general in January 2022.

The post January 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Bipartisan Legislation Introduced to Modernize Health Data Privacy Laws

Posted by HIPAA Journal

Healthcare privacy laws in the United States are due an update to bring them into the modern age to ensure individually identifiable health information is protected no matter how it is collected and shared. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is now more than 2 decades old, and while the Department of Health and Human Services (HHS) has proposed updates to the HIPAA Privacy Rule that are due to be finalized this year, even if the proposed HIPAA Privacy Rule changes are signed into law, there will still be regulatory gaps that place health data at risk.

The use of technology for healthcare and health information has grown in a way that could not be envisaged when the Privacy Rule was signed into law. Health information is now being collected by health apps and other technologies, and individuals’ sensitive health information is being shared with and sold by technology companies. The HIPAA Privacy and Security Rules introduced requirements to ensure the privacy and security of health data, but HIPAA only applies to HIPAA-covered entities – healthcare providers, health plans, and healthcare clearinghouses – and their business associates. Some of the emerging technologies now being used to record, store, and transmit health data are not covered by HIPAA and its protections and safeguards do not apply. Further, the proposed updates to the HIPAA Privacy Rule will make it easier for individuals to access their health data and direct covered entities to send that information to unregulated personal health applications.

New bipartisan legislation has now been introduced that aims to start the process of identifying and closing the current privacy gaps associated with emerging technologies to ensure health data are better protected, including health data that are not currently protected by HIPAA. The Health Data Use and Privacy Commission Act was introduced by Sens. Bill Cassidy (R-LA) and Tammy Baldwin (D-WI) and aims to set up a new commission that will be tasked with analyzing current federal and state laws covering health data privacy and make recommendations for improvements to cover the current technology landscape.

“As a doctor, the potential of new technology to improve patient care seems limitless. But Americans must be able to trust that their personal health data is protected if this technology can meet its full potential,” said Dr. Cassidy. “HIPAA must be updated for the modern day. This legislation starts this process on a pathway to make sure it is done right.”

The Comptroller General is tasked with appointing committee members who will be required to submit their report, conclusions, and recommendations to Congress and the President within 6 months. The commission will be required to assess current privacy laws and determine their effectiveness and limitations, any potential threats to individual health privacy and legitimate business and policy interests, and the purposes for which the sharing of health data is appropriate and beneficial to consumers.

The commission is required to report on whether further federal legislation is necessary and, if current privacy laws need to be updated, provide suggestions on the best ways to reform, streamline, harmonize, unify, or augment current laws and regulations relating to individual health privacy. Those recommendations could involve updates to HIPAA to cover a broader range of entities or new state or federal legislation covering health data. If updates are recommended, the commission will be required to provide details of the likely costs, burdens, and potential unintended consequences, and whether there is a threat to health outcomes if privacy rules are too stringent.

“I am excited to introduce the bipartisan Health Data Use and Privacy Commission Act to help inform how we can modernize health care privacy laws and regulations to give Americans peace of mind that their personal health information is safe, while ensuring that we have the tools we need to advance high-quality care.”

The Health Data Use and Privacy Commission Act has attracted support from a dozen medical associations and technology vendors, including the Federation of American Hospitals, College of Cardiology, National Multiple Sclerosis Society, Association of Clinical Research Organizations, Epic Systems, and IBM.

The post Bipartisan Legislation Introduced to Modernize Health Data Privacy Laws appeared first on HIPAA Journal.

RI Attorney General Subpoenas RIPTA and UnitedHealthcare Over 22,000-Record Data Breach

Posted by HIPAA Journal

The Rhode Island Attorney General is investigating UnitedHealthcare and the Rhode Island Public Transit Authority (RIPTA) over a cyberattack and data breach that resulted in hackers gaining access to RIPTA’s network that contained the sensitive personal and protected health information of up to 22,000 individuals.

The Office of the Rhode Island Attorney General was notified about the security breach on December 23, 2021. RIPTA said it discovered and blocked a cyberattack on August 5, 2021, with its investigation confirming the hackers gained access to its network on August 3, 2021. Files stored on the compromised part of its network included extensive information on its employees, including names, dates of birth, Social Security numbers, and health plan ID numbers, along with the sensitive information of thousands of state employees who had never worked at RIPTA.

RIPTA reported the breach to the HHS’ Office for Civil Rights as affecting 5,015 individuals but said in its breach notice that the incident had resulted in the exposure of the personal data of 17,378 individuals. The difference in the numbers was due to UnitedHealthcare, RIPTA’s previous health insurance provider, providing RIPTA with files containing the data of non-RIPTA employees.  In total, up to 22,000 individuals had their sensitive data stolen in the attack. The files were stored on RIPTA’s servers and were not encrypted and the hackers exfiltrated approximately 40,000 files from RIPTA’s systems.

RIPTA sent notification letters to affected individuals, including those that had no association with RIPTA, triggering a barrage of complaints to the Office for the Attorney General questioning why their personal data had been compromised in a breach at RIPTA when they had never had any association with the quasi-public agency. The delay in issuing notification letters was due to each of those 40,000 files having to be manually searched, which was a labor-intensive and time-consuming process. RIPTA said only a small number of people were involved in the document review to prevent sensitive data from being further exposed.

On Monday this week, RIPTA administrators testified under oath at a Senate oversight committee hearing about the incident. RIPTA Chief Legal Counsel Steven Colantuono said at the hearing, “We don’t believe that anyone did anything wrong on our end, but we are still investigating it.”

RIPTA Director Scott Avedisian confirmed that reports downloaded by RIPTA from a UnitedHealthcare portal between 2015 and 2020 were ‘filtered files’, and the data unrelated to RIPTA was supposed to remain hidden. While not confirmed, the description suggests the downloaded files were Excel spreadsheets with certain rows hidden. The secure links to access the files on the portal were emailed to RIPTA by UnitedHealthcare.

At the hearing, officials at the state Department of Information Technology confirmed there is a statewide policy requiring the encryption of sensitive data such as personally identifiable information, personal health information, and federal tax information; however, RIPTA is not one of the agencies or quasi-state agencies assisted or supported by the Department of Information Technology, so RIPTA is not required to comply with the state’s encryption policy.

UnitedHealthcare’s VP of external affairs was scheduled to appear at the hearing but backed out after initially agreeing to appear. UnitedHealthcare said it is investigating the breach to determine what went wrong. At this stage, there is no listing of a breach at UnitedHealthcare on the HHS’ Office for Civil Rights breach portal.

In addition to the investigation by the Rhode Island Attorney General, Colantuono said there will also be a federal investigation and discussions are currently being had between the Department of Justice and the HHS’ Office for Civil Rights to determine which of the two agencies will be conducting the investigation. There is also the possibility of legal action being taken against UnitedHealthcare and RIPTA by state employees affected by the data breach.

The post RI Attorney General Subpoenas RIPTA and UnitedHealthcare Over 22,000-Record Data Breach appeared first on HIPAA Journal.