HIPAA Compliance News

Study Raises Awareness of Threat of Lateral Phishing Attacks

A recent study by the University of San Diego, University of California Berkeley, and Barracuda Networks has shed light on a growing threat to healthcare organizations: lateral phishing.

In a standard phishing attack, an email is sent containing an embedded hyperlink to a malicious website where login credentials are harvested. The emails contain a lure to attract a click. That lure is often tailored to the organization being attacked. These phishing emails are relatively easy to identify and block because they are sent from outside the organization.

Lateral phishing is the second stage in the attack. When an email account is compromised, it is then used to send phishing emails to other employees within the organization. Phishing emails are also sent to companies and individuals with a relationship with the owner of the compromised account.

This tactic is very effective. Employees are trained to be suspicious of emails from unknown senders. When an email is received from a person in the organization that usually corresponds with the employee via email, there is a much higher chance of a requested action being taken.

Lateral phishing is one of several types of email account takeover attacks. One of the most common is Business Email Compromise (BEC). With BEC, the aim of the attack is to gain access to the credentials of the CEO. The account is then used to request fraudulent wire transfers. Lateral phishing is primarily concerned with credential theft rather than financial fraud. The goal is to compromise as many accounts as possible within an organization.

For the study, the researchers took a detailed look at phishing and lateral phishing attacks at 100 organizations and identified the strategies being used, the sophistication of the attacks, and which techniques were the most successful.

1 in 7 of the organizations studied had experienced a lateral phishing attack and 180 lateral phishing attacks were identified. In 11% of attacks, further email accounts within the organization were compromised. The researchers note that in 42% of cases, the lateral phishing emails were not reported to the IT department or security team. This failure to report could mean an account breach remains undetected and the compromised email account can continue to be used.

55% of the attacks targeted individuals with a personal or work relationship with the company and almost all emails were sent during regular working hours.

The attackers followed four main strategies when conducting attacks. The most common, used in 45% of attacks, was the sending of generic phishing messages. The most common lures were “shared document” and “account problem.” 63% of all lateral phishing emails were commonplace messages, 30% were refined messages, and 7% were highly targeted.

In 29% of attacks, the email account was used to send tailored messages to close and recent contacts. 25% of attacks involved sending messages to dozens to hundreds of employees. Only 1% of attacks were on business associates of the organization.

In 31% of cases, the phishers used stealth tactics to add realism to their campaigns and evade detection. It is common for emails to be deleted from the sent folder of the compromised account so that the account owner does not notice the compromise. The researchers found that emails were also deleted from the recipient’s account; this tactic was used in 19.5% of hijacked accounts. In 17.5% of cases, the attackers responded to replies from the recipients of the phishing emails to convince them that the request was genuine.

Defending against these attacks requires a three-pronged approach. Security awareness training for employees is essential. All employees should be made aware of the threat of phishing from within the organization.

Two-factor authentication will help to ensure that even if credentials are obtained, they cannot be used to remotely access an email account.

Finally, organizations should invest in advanced detection techniques and solutions that can identify and delete phishing emails before they reach end users’ inboxes.
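As an added example (not code from the study or the original post), the following Python script applies the study's indicators to mailbox audit events: an internal sender using a "shared document" or "account problem" lure with a link, fan-out to dozens of internal recipients, and the sent item being deleted minutes after sending. The pipe-delimited log format, the tenant domain, the thresholds and the sample events are all assumptions constructed for the example.

```python
# Added example: heuristic lateral-phishing detector over constructed mailbox audit events.
# Log format, tenant domain, thresholds and sample events are all assumptions, not real data.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example-health.org"                       # assumed tenant domain
LURE = re.compile(r"shared document|account problem", re.I)  # lures named in the study
FANOUT_THRESHOLD = 20                                        # "dozens to hundreds of employees"
DELETE_WINDOW = timedelta(minutes=15)                        # sent item purged soon after sending

@dataclass
class Event:
    ts: datetime
    actor: str          # mailbox that performed the action
    action: str         # "Send" or "DeleteSent"
    message_id: str
    subject: str
    recipients: tuple
    has_link: bool

def parse_event(line: str) -> Event:
    """Parse one constructed audit line: ts|actor|action|msgid|subject|rcpt,rcpt|link(0/1)."""
    ts, actor, action, mid, subject, rcpts, link = line.split("|")
    return Event(datetime.fromisoformat(ts), actor, action, mid, subject,
                 tuple(r for r in rcpts.split(",") if r), link == "1")

def analyze(events) -> dict:
    """Return {internal account: [indicators]} for accounts showing two or more indicators.
    One indicator alone (HR legitimately sharing a document link) is not enough to flag."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_actor[e.actor].append(e)
    findings = {}
    for actor, evs in by_actor.items():
        if not actor.endswith("@" + INTERNAL_DOMAIN):
            continue                                 # external senders are the gateway's job
        reasons = []
        sends = {e.message_id: e for e in evs if e.action == "Send"}
        internal_rcpts = set()
        for s in sends.values():
            internal_rcpts.update(r for r in s.recipients if r.endswith("@" + INTERNAL_DOMAIN))
            if s.has_link and LURE.search(s.subject):
                reasons.append(f"lure subject with link: {s.subject!r} ({s.message_id})")
        if len(internal_rcpts) >= FANOUT_THRESHOLD:
            reasons.append(f"fan-out to {len(internal_rcpts)} internal recipients")
        for d in (e for e in evs if e.action == "DeleteSent"):
            s = sends.get(d.message_id)
            if s and timedelta(0) <= d.ts - s.ts <= DELETE_WINDOW:
                gap = int((d.ts - s.ts).total_seconds())
                reasons.append(f"sent item {d.message_id} deleted {gap}s after sending")
        if len(reasons) >= 2:
            findings[actor] = reasons
    return findings

_MASS = ",".join(f"staff{i:02d}@example-health.org" for i in range(25))
SAMPLE_LINES = [  # constructed events, not real logs
    # benign: HR shares a genuine document link with two people and keeps the sent item
    "2019-07-15T09:02:00|hr@example-health.org|Send|m100|Shared document: benefits guide"
    "|staff01@example-health.org,staff02@example-health.org|1",
    # compromised account: lure + link, mass internal fan-out, sent item purged minutes later
    f"2019-07-15T10:14:00|nurse.a@example-health.org|Send|m200|Shared document - please review|{_MASS}|1",
    "2019-07-15T10:17:30|nurse.a@example-health.org|DeleteSent|m200|||0",
    # external sender: out of scope here, the perimeter filter handles that case
    "2019-07-15T11:00:00|billing@vendor-example.com|Send|m300|Account problem|staff03@example-health.org|1",
]

if __name__ == "__main__":
    for account, reasons in analyze(map(parse_event, SAMPLE_LINES)).items():
        print(account, *reasons, sep="\n  - ")
```

Only the account that combines a lure, a large internal fan-out and a prompt sent-item deletion is flagged; the HR mailbox, which shows a single indicator, is not.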

The post Study Raises Awareness of Threat of Lateral Phishing Attacks appeared first on HIPAA Journal.

32% of Healthcare Employees Have Received No Cybersecurity Training

There have been at least 200 breaches of more than 500 records reported since January and 2019 looks set to be another record-breaking year for healthcare data breaches.

The continued increase in data breaches prompted Kaspersky Lab to conduct a survey to find out more about the state of cybersecurity in healthcare. Kaspersky Lab has now published the second part of its report from the survey of 1,758 healthcare professionals in the United States and Canada.

The study provides valuable insights into why so many cyberattacks are succeeding. Almost a third of surveyed healthcare employees (32%) said they have never received cybersecurity training in the workplace.

Security awareness training for employees is essential. Without training, employees are likely to be unaware of some of the cyber threats that they will encounter on a daily basis. Employees must be trained how to identify phishing emails and told of the correct response when a threat is discovered. The failure to provide training is a violation of HIPAA.

Even when training is provided, it is often insufficient. 11% of respondents said they received cybersecurity training when they started work but had not received any training since. 38% of employees said they were given cybersecurity training each year, and a fifth (19%) of healthcare employees said they had been provided with cybersecurity training but did not feel they had been trained enough.

32% of respondents said they had been provided with a copy of their organization’s cybersecurity policy but had only read it once and 1 in 10 managers were not aware if their company had a cybersecurity policy. 40% of healthcare workers in the United States were unaware of the cybersecurity measures protecting IT devices at their organization.

Training on HIPAA also appears to be lacking. Kaspersky Lab found significant gaps in employees’ knowledge of regulatory requirements. For instance, 18% of respondents were unaware of what the Security Rule meant and only 29% of respondents were able to identify the correct meaning of the HIPAA Security Rule.

Kaspersky Lab researchers recommend hiring a skilled IT team that understands the unique risks faced by healthcare organizations and has knowledge of the tools that are required to keep protected health information safe and secure.

It is also essential to address data security and regulatory knowledge gaps. IT security leaders must ensure that every member of the workforce receives regular cybersecurity training and is fully aware of the requirements of HIPAA.

It is also important to conduct regular assessments of security defenses and compliance. Companies that regularly check their cyber pulse can identify and address vulnerabilities before they are exploited by hackers and cause a costly data breach.

Webinar: Aug 21, 2019: Why Your Organization Needs More Than Just Training If You Want To Be HIPAA Compliant?

On August 21, 2019, HIPAA Journal sponsor Compliancy Group will be hosting a webinar entitled “Why your organization needs more than just training if you want to be HIPAA compliant?”

If you are a HIPAA covered entity or business associate, compliance with the Health Insurance Portability and Accountability Act is mandatory. All employees must be trained on HIPAA and should understand how the legislation applies to their role in the organization.

With the workforce trained on privacy and security and aware of the allowable uses and disclosures permitted by the HIPAA Privacy Rule, employees will be able to complete their work duties in full compliance with HIPAA and avoid financial penalties.

HIPAA compliance requires an ongoing commitment to achieve the required standards for privacy and security and ensure those standards are maintained.

To find out more about what’s entailed, Compliancy Group is holding a webinar.

During this webinar, Compliancy Group President and CEO Marc Haskelson will explain:

  • How to meet all federal requirements for effective HIPAA training
  • How your organization can avoid breaches and fines
  • What you can be doing right now to protect your organization
  • How to keep your name off the HHS ‘Wall of Shame’
  • How your patients feel about HIPAA and why this is important for your business.

Tune in to this exclusive webinar to learn how you can become HIPAA compliant. You can sign up for this and future webinars at the following link: https://compliancy-group.com/webinar/

Date: Wednesday, August 21, 2019

Start Time: 2:00 pm ET/11:00 am PT

Report Provides Insights into Recent HIPAA Enforcement Activity

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance. Up until 2016, financial penalties for HIPAA violations were rare. Then there was a doubling of financial penalties in 2016 and enforcement actions continued at an elevated level in 2017.

2018 got off to a slow start with few penalties issued and there was speculation that OCR was scaling back its enforcement activities. However, there was a flurry of announcements about settlements in the latter half of the year, including the largest ever HIPAA penalty.

The recently published Beazley Breach Insights Report includes an analysis of OCR enforcement activities in 2018 and confirms that OCR is not easing up on healthcare organizations. In 2018, settlements and civil monetary penalties ranged from $100,000 to $16 million, with an average penalty of $2.8 million, up from $1.9 million in 2017.

The Beazley Breach Response (BBR) team also found it is taking much longer for OCR to close its investigations and settle HIPAA cases. Cases now take an average of 4.3 years to close compared to 3.6 years in 2018.

The Beazley report contains a warning for healthcare organizations. It doesn’t require a major breach to trigger an OCR investigation. OCR is now scrutinizing all breach reports and is attempting to identify patterns that could indicate non-compliant behavior.

In the case of Fresenius Medical Care, five breaches were experienced, but each involved fewer than 250 records. The pattern was identified, noncompliance was discovered, and the case was finally settled for $3.5 million.

There were many common themes in 2018 HIPAA enforcement actions, one of the most prevalent being risk analysis failures. Covered entities must regularly perform and document security risk analyses and develop risk management plans to address vulnerabilities and reduce them to an acceptable level.

Access controls must be set appropriately and maintained, and encryption must be considered for all ePHI. If the decision is taken not to encrypt, that decision must be documented and alternative measures must be implemented in its place. The settlements also highlight how important it is to have business associate agreements in place with all vendors who are provided with access to PHI.

While there were many Security Rule failures, the HIPAA settlements in 2018 also highlight the importance of respecting patient rights and complying with the HIPAA Privacy Rule. Multiple settlements resolved privacy violations such as filming patients and disclosing PHI without consent.

Study Reveals Widespread Noncompliance with HIPAA Right of Access

A recent study conducted by the health manuscript archiving company medRxiv has revealed widespread noncompliance with the HIPAA right of access.

For the study, the researchers sent medical record requests to 51 healthcare providers and assessed the experience of obtaining those records. The companies were also assessed on their response versus the requirements of HIPAA.

In each case, the record request was a legitimate request for access to patient data. The requests were made to populate a new consumer platform that helps patients obtain their medical records. Record requests were sent for 30 patients, at an average of 2.3 requests per patient.

Each of the providers was scored based on their response to the request and whether they satisfied four requirements of HIPAA: accepting a request by email/fax, sending the records in the format requested by the patient, providing records within 30 days, and only charging a reasonable fee.

Providers were given a 1-star rating for simply accepting a patient record request. Providers received a second star for satisfying the request and meeting all four requirements of HIPAA, but only after the researchers had escalated the request to a supervisor on more than one occasion.

A three-star rating was given to providers that required a single escalation phone call to a supervisor. A four-star rating was given to providers that were fully compliant with the HIPAA right of access. A five-star rating was given to providers that went above and beyond the requirements of HIPAA by sending copies of records within 5 days, accepting non-standard forms, and providing patients with copies of their records at no cost.

More than half (51%) of the providers assessed were either not fully compliant with the HIPAA right of access or it took several attempts and referrals to supervisors before requests were satisfied in a fully compliant manner. 27% of providers were given a one-star rating, 24% received a 2-star rating, and 20% received a 3-star rating. Only 30% of providers were fully compliant: 12% were given a 4-star rating and 18% received 5 stars.

The researchers also conducted a telephone survey on 3,003 healthcare providers and asked about policies and procedures for releasing patient medical records. The researchers suggest as many as 56% of healthcare providers may not be fully compliant with the HIPAA right of access. 24% did not appear to be fully aware of the fee limitations for providing copies of medical records.

The main area of noncompliance was the failure to send medical records electronically, even if it was specifically requested by the patient. 12 of the 14 providers who received a 1-star rating did not email medical records, one refused to send the records to the patient’s nominated representative, and one charged an unreasonable fee.

The researchers note that had they not escalated the requests to supervisors, 71% of all requests would not have been satisfied in a way that was fully compliant with HIPAA.

Direct Connect Computer Systems Inc. Recognized as HIPAA Compliant

The Cleveland, OH-based technology solution provider, Direct Connect Computer Systems, Inc., has demonstrated the company is fully compliant with Health Insurance Portability and Accountability Act (HIPAA) Rules.

Companies that provide technology solutions and services to healthcare clients that require contact with electronic protected health information (ePHI) are classed as ‘business associates’ under HIPAA.

Business associates of HIPAA covered entities must ensure they are fully compliant with the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules, and must ensure the confidentiality, integrity, and availability of ePHI at all times. Business associates face substantial fines if they are discovered not to be compliant with HIPAA Rules.

In order to start providing products and services to healthcare organizations, companies must be able to provide reasonable assurances that they are fully compliant with HIPAA Rules. To help provide those assurances and demonstrate the company’s commitment to privacy and security, Direct Connect Computer Systems, Inc., partnered with Compliancy Group and completed its Six Stage Risk Analysis and remediation process.

Using Compliancy Group’s proprietary software, The Guard, and assisted by Compliancy Group Compliance Coaches, Direct Connect Computer Systems successfully completed the program and was awarded Compliancy Group’s HIPAA Seal of Compliance.

The HIPAA Seal of Compliance recognizes Direct Connect’s good faith efforts to comply with all HIPAA and HITECH Act requirements and confirms the company has met its regulatory obligations as a HIPAA business associate.

State Attorneys General Urge Congress to Align Part 2 Regulations with HIPAA

The National Association of Attorneys General (NAAG) has urged leaders of the House and Senate to make changes to Confidentiality of Substance Use Disorder Patient Records regulations known as 42 CFR Part 2.

The regulations in question, which NAAG called “cumbersome [and] out-of-date,” restrict the uses and disclosures of substance abuse treatment records.

Under HIPAA, protected health information (PHI) can be shared between providers and caregivers for purposes related to treatment, payment, and healthcare operations without first obtaining consent from the patient. 42 CFR Part 2 prohibits the sharing of addiction treatment information by federally assisted treatment programs unless consent to do so has been obtained from the patient.

The Part 2 regulations were created more than 40 years ago to ensure the privacy of patients was protected and to ensure that patients would not face any legal or civil consequences from seeking treatment for substance abuse disorder.

NAAG argues that the regulations were created at a time when there was an “intense stigma” surrounding substance abuse disorder but says that the continued separation of substance abuse disorder from other diseases perpetuates that stigma. “The principle underlying these rules is that substance use disorder treatment is shameful and records of it should be withheld from other treatment providers in ways that we do not withhold records of treatment of other chronic diseases,” wrote NAAG.

NAAG wants substance abuse disorder to be recognized as the chronic disorder that it is, which would mean aligning the rules covering substance abuse treatment records with those of HIPAA. That would allow substance abuse treatment information to be shared along with other health information, provided protections are in place to keep that information private and confidential.

As it stands, Part 2 regulations are a barrier to treating opioid use disorder. Providers are used to complying with HIPAA, but the requirements of Part 2 can be intimidating. As such, many providers do not offer medicated-assisted treatment (MAT) for substance abuse disorder.

MAT providers are not required to comply with Part 2 requirements if they do not advertise their MAT services, but that means fewer people will take up those services. To effectively tackle the opioid epidemic in the United States, MAT services need to be promoted and should be easily accessible. Currently, many providers are keeping it a secret that they provide MAT programs to patients due to the restrictions of Part 2 regulations.

42 CFR Part 2 privacy regulations were updated in 2018, although the changes made were relatively minor. NAAG is not the only organization calling for more substantial changes and closer alignment between Part 2 and HIPAA regulations. A growing coalition of more than 40 national health care organizations support the changes and there is some support in the House and the Senate.

Reps. Markwayne Mullin (R-OK) and Earl Blumenauer (D-OR) introduced the Overdose Prevention and Patient Safety Act (OPPS Act) (H.R. 2062) and Sens. Joe Manchin (D-WV) and Shelley Moore Capito (R-WV) introduced the Protecting Jessica Grubb’s Legacy Act (Legacy Act) (S. 1012), both of which align Part 2 with HIPAA. However, getting enough people to back the changes is likely to be a major challenge.

MU Health Patients Take Legal Action Over May 2019 Phishing Attack

A lawsuit has been filed against University of Missouri Health Care (MU Health) over an April 2019 phishing attack.

On May 1, 2019, MU Health learned that two staff email accounts had been compromised for a period of more than one week, starting on April 23, 2019. The email accounts contained a range of sensitive information, including names, dates of birth, Social Security numbers, health insurance information, and clinical and treatment information.

MU Health’s investigation concluded on July 27 and notification letters were sent to individuals whose protected health information (PHI) had been exposed and potentially stolen. Approximately 14,400 patients had been impacted by the breach.

The lawsuit was filed by MU Health patient Penny Houston around a week after the notifications were issued. The lawsuit states that, as a result of the breach, patients have been placed at an elevated risk of suffering identity theft and fraud. The types of data contained in the compromised accounts would allow criminals to steal identities, file fraudulent tax returns, and open financial accounts in the victims’ names.

As a result of the exposure of personal information, breach victims could face long-term issues and have to cover the cost of credit monitoring and identity theft protection services, as none were offered by MU Health.

The lawsuit also argues that patients have been paying for medical services and a proportion of that cost should have covered securing their information. Since sufficient protections had not been implemented, the plaintiffs claim they have been overpaying for medical services at MU Health.

At least 19 other patients have now added their names to the lawsuit. The plaintiffs seek reimbursement of out-of-pocket expenses to cover costs incurred as a direct result of the breach and for MU Health to pay for credit monitoring services for all victims of the breach. Additionally, the plaintiffs want MU Health to invest more money in cybersecurity to strengthen its data security defenses and monitoring systems, and to agree to undergo audits of its systems and procedures in the future.

Allscripts Proposes $145 Million Settlement to Resolve DOJ HIPAA and HITECH Act Case

A preliminary settlement has been proposed by Allscripts Healthcare Solutions to resolve alleged violations of HIPAA, the HITECH Act’s electronic health record (EHR) incentive program, and the Anti-Kickback Statute related to the electronic health record (EHR) company Practice Fusion, which was acquired by Allscripts in 2018.

Prior to the acquisition, Practice Fusion had been investigated by the Attorney’s Office for the District of Vermont in March 2017 and had provided documentation and information. Between April 2018 and January 2019, the company received further requests for documents and information through civil investigative demands and HIPAA subpoenas.

Then in March 2019, the company received a grand jury subpoena over a Department of Justice (DOJ) investigation into the business practices of Practice Fusion, potential violations of the Anti-Kickback Statute, HIPAA, and the payments received under the HHS EHR incentive program. Scant information has been released about the nature of the alleged violations by Practice Fusion.

The proposed settlement will see Allscripts pay $145 million to the DOJ to release the company and Practice Fusion from all civil and criminal liability related to the investigation. Allscripts President Rick Poulton hopes the settlement will be sufficient to resolve the case. Since Practice Fusion was acquired, Allscripts has had to devote an increasing amount of resources to the investigation. Poulton wants to reach an agreement as soon as possible so the company can move on.

“While the amount we have agreed to pay of $145 million is not insignificant, it is in line with other settlements in the industry, and we are happy to have reached the agreement in principle,” said Poulton. “We will work with the DOJ to finalize the details of the settlement over the coming months.”

Last year, the HHS agreed to a settlement with EHR vendor eClinicalWorks over alleged false claims related to the HITECH Act EHR incentive program. eClinicalWorks paid $155 million to resolve the case.
