HIPAA Compliance News

Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI

Posted by HIPAA Journal

In its August 2018 cybersecurity newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA-covered entities of the importance of implementing physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is processed, transmitted, or stored on electronic media and devices.

Electronic devices such as desktop computers, laptops, servers, smartphones, and tablets play a vital role in the healthcare, as do electronic media such as hard drives, zip drives, tapes, memory cards, and CDs/DVDs. However, the portability of many of those devices/media means they can easily be misplaced, lost, or stolen.

Physical controls are therefore essential. Anyone with physical access to electronic devices or media, whether healthcare employees or malicious actors, potentially have the ability to view, change, or delete data. Device configurations could be altered or malicious software such as ransomware or malware could be installed. All of these actions jeopardize the confidentiality, integrity, or availability of ePHI.

HIPAA – 45 CFR § 164.310(a)(1) – requires covered entities and their business associates to implement policies and procedures to restrict access to electronic devices and media and the facilities in which they are housed. 45 CFR § 164.310(d)(1) of the HIPAA Security Rule requires policies and procedures to be implemented to govern the receipt and removal of those devices into and out of an organization’s facility, as well as movement within the facility. Robust policies and procedures must be developed to ensure ePHI is appropriately protected at all times.

When developing policies and procedures covering portable electronic devices and media, OCR recommends that HIPAA covered entities and their business associates consider the following questions:

  • Are records tracking the location, movements, alterations, repairs, and disposition of devices and media in place covering the entire life cycle of the devices/media?
  • Does the organization’s record of device and media movement include the individual(s) responsible for such devices and media?
  • Have members of the workforce (including management) received training on the correct handling of devices/media to ensure ePHI is safeguarded at all times?
  • Have appropriate technical controls been implemented to ensure the confidentiality, integrity, and availability of ePHI, such as encryption, access controls and audit controls?

There are several methods for tracking electronic devices and media. Smaller healthcare organizations that only use a limited number of devices/media may be able to manually track the movement of their devices/media, although this becomes a major challenge if large numbers of devices are in use. In such cases, specialized inventory management software and databases may be more appropriate. OCR suggests the use of a bar-code system or RFID tags may make it easier to organize, identify, and track the movement of devices and media.

When deciding on the most appropriate device and media controls to implement, healthcare organizations and their business associates should be guided by their risk analysis and risk management processes. Full consideration should be given to size, complexity and capabilities; hardware and software capabilities; technical infrastructure; the cost of implementing security measures; and the probability and criticality of potential risks to ePHI.

Policies and procedures must also be developed and implemented to ensure that when devices/media reach end of life, all ePHI stored on the devices is permanently erased to prevent the information from being retrieved or reconstructed. OCR covered the secure disposal of ePHI in its July 2018 cybersecurity newsletter.

Organizations that fail to track electronic devices and media and ensure that ePHI is appropriately protected at all times run the risk of HIPAA fines for non-compliance.

The most recent example is University of Texas MD Anderson Cancer Center’s failure to encrypt ePHI on portable electronic devices. That violation resulted in a civil monetary penalty of $4,348,000.

The August 2018 cybersecurity newsletter can be downloaded on this link (PDF – 140KB)

The post Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI appeared first on HIPAA Journal.

Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence

Posted by HIPAA Journal

There has been a twist in the class action lawsuit filed by victims of the 2015 Premera Blue Cross data breach. The plaintiffs allege Premera Blue Cross willfully destroyed evidence of data theft.

In 2015, Premera Blue Cross announced it was the victim of a cyberattack that resulted in cybercriminals gaining access to plan members’ protected health information.

The data breach was the second largest data breach ever to be reported by a healthcare organization, behind only the 78.8 million-record Anthem Inc., data breach that was also discovered in 2015. The protected health information of 11 million individuals was exposed as a result of the hack.

The Premera data breach was detected in January 2015, although the investigation revealed hackers had gained access to its network in May 2014. The attackers potentially had access to plan members’ protected health information (PHI) and personally identifiable information (PII) for 8 months before the intrusion was detected and access to data was blocked.

Unsurprisingly, given the scale of the breach, several class action lawsuits were filed by the breach victims. As was the case with the lawsuits filed in the wake of the Anthem data breach, they were consolidated into a single class action lawsuit. Anthem settled its class action lawsuit earlier this year, but the Premera Blue Cross lawsuit is ongoing.

A resolution does not appear to be getting closer. In fact, there has been a new twist in the case which is likely to delay an outcome further still. The plaintiffs have alleged that Premera Blue Cross destroyed key evidence that would have helped their case.

Alleged Destruction of Evidence of Data Theft

A third-party computer forensics firm, Mandiant, was retained to conduct an investigation into the breach. Mandiant determined that the hackers had compromised 35 Premera computers in the attack, and through those computers the attackers potentially had access to the records of 11 million plan members.

The cyberattack was not the work of amateurs. A well-known hacking group had conducted the attack and that group had succeeded in stealing data from other entities that it had attacked in the past.

While concrete evidence was allegedly not found to confirm that data had been exfiltrated, Mandiant did find fragments of RAR files on one of the computers that had been compromised. RAR files are compressed files that are used to make data transmission easier. The presence of the file fragments, which it is alleged were created by the attackers, suggests the hackers used RAR files to exfiltrate data and deleted the files to cover their tracks.

The plaintiffs requested all evidence uncovered during the Mandiant investigation be handed over, including the hard drives and forensic images of the 35 compromised computers. Premera responded to that request but claimed that it was only able to provide images for 34 out of the 35 computers as one computer, referred to in the court documents as A23567-D, had been destroyed. The computer was destroyed on December 16, 2016 – around a year after the litigation had started.

A23567-D is alleged to have contained important evidence that could confirm that data had been exfiltrated. That computer was the only one out of the 35 to contain a type of malware referred to by Mandiant as PHOTO. The malware was capable of registry modification, executing programs, and crucially, uploading and downloading files. The attackers communicated with that computer on a daily basis from July 2014 until January 2015 when the cyberattack was discovered and remote access was blocked.

“The destroyed computer was perfectly positioned to be the one-and-only staging computer hackers needed to create vast staging files for the purpose of shipping even more data outside of Premera’s network,” wrote the plaintiffs’ attorneys in the motion. “This computer functioned as the development machine for a software programmer, and as such was pre-loaded with a vast array of legitimate utilities that could be turned to any purpose.”

The computer appears to have been sent for destruction in error. It was deemed to be of no further interest to Premera and had reached end of life.

The problem for the plaintiffs is without any evidence of data theft, the case is unlikely to succeed. According to the motion, “Essentially, Premera maintains a ‘no harm, no foul’ defense, contending there can be no damage to any plaintiff unless he or she can prove confidential information was exfiltrated from Premera’s system.”

Whether accidental or willful, the destruction of the computer is extremely damaging to the case. The motion states that “Without access to that hard drive, trying to prove that the hackers removed plaintiffs PII and PHI through that computer is impossible.”

Additionally, the motion, filed in the U.S. District Court in Portland, claims that Premera Blue Cross failed to preserve data loss logs from its Bluecoat Data Loss Prevention (DLP) system, which potentially could have confirmed that plan members’ data had been stolen. It is alleged that those files were also deleted after the lawsuit was filed.

Premera Blue Cross issued a a statement to ZDNet in which it was confirmed that Premera disagrees with the motion and does not believe the facts of the case justify the relief the plaintiffs have requested. A response to the motion will be filed by Premera’s attorneys by September 28, 2018.

If the motion is granted, a federal judge would then instruct a jury that key evidence has been destroyed and that it should be assumed that the evidence confirmed data exfiltration had occurred. It would also not be possible for Premera to call in computer experts to testify that no data had been exfiltrated.

Even a favorable ruling would be no guarantee of success nor of a settlement being reached. In order for damages to be awarded, plaintiffs in the suit would still need to establish that they have suffered losses as a result of the data breach.

The post Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence appeared first on HIPAA Journal.

Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence

Posted by HIPAA Journal

There has been a twist in the class action lawsuit filed by victims of the 2015 Premera Blue Cross data breach. The plaintiffs allege Premera Blue Cross willfully destroyed evidence of data theft.

In 2015, Premera Blue Cross announced it was the victim of a cyberattack that resulted in cybercriminals gaining access to plan members’ protected health information.

The data breach was the second largest data breach ever to be reported by a healthcare organization, behind only the 78.8 million-record Anthem Inc., data breach that was also discovered in 2015. The protected health information of 11 million individuals was exposed as a result of the hack.

The Premera data breach was detected in January 2015, although the investigation revealed hackers had gained access to its network in May 2014. The attackers potentially had access to plan members’ protected health information (PHI) and personally identifiable information (PII) for 8 months before the intrusion was detected and access to data was blocked.

Unsurprisingly, given the scale of the breach, several class action lawsuits were filed by the breach victims. As was the case with the lawsuits filed in the wake of the Anthem data breach, they were consolidated into a single class action lawsuit. Anthem settled its class action lawsuit earlier this year, but the Premera Blue Cross lawsuit is ongoing.

A resolution does not appear to be getting closer. In fact, there has been a new twist in the case which is likely to delay an outcome further still. The plaintiffs have alleged that Premera Blue Cross destroyed key evidence that would have helped their case.

Alleged Destruction of Evidence of Data Theft

A third-party computer forensics firm, Mandiant, was retained to conduct an investigation into the breach. Mandiant determined that the hackers had compromised 35 Premera computers in the attack, and through those computers the attackers potentially had access to the records of 11 million plan members.

The cyberattack was not the work of amateurs. A well-known hacking group had conducted the attack and that group had succeeded in stealing data from other entities that it had attacked in the past.

While concrete evidence was allegedly not found to confirm that data had been exfiltrated, Mandiant did find fragments of RAR files on one of the computers that had been compromised. RAR files are compressed files that are used to make data transmission easier. The presence of the file fragments, which it is alleged were created by the attackers, suggests the hackers used RAR files to exfiltrate data and deleted the files to cover their tracks.

The plaintiffs requested all evidence uncovered during the Mandiant investigation be handed over, including the hard drives and forensic images of the 35 compromised computers. Premera responded to that request but claimed that it was only able to provide images for 34 out of the 35 computers as one computer, referred to in the court documents as A23567-D, had been destroyed. The computer was destroyed on December 16, 2016 – around a year after the litigation had started.

A23567-D is alleged to have contained important evidence that could confirm that data had been exfiltrated. That computer was the only one out of the 35 to contain a type of malware referred to by Mandiant as PHOTO. The malware was capable of registry modification, executing programs, and crucially, uploading and downloading files. The attackers communicated with that computer on a daily basis from July 2014 until January 2015 when the cyberattack was discovered and remote access was blocked.

“The destroyed computer was perfectly positioned to be the one-and-only staging computer hackers needed to create vast staging files for the purpose of shipping even more data outside of Premera’s network,” wrote the plaintiffs’ attorneys in the motion. “This computer functioned as the development machine for a software programmer, and as such was pre-loaded with a vast array of legitimate utilities that could be turned to any purpose.”

The computer appears to have been sent for destruction in error. It was deemed to be of no further interest to Premera and had reached end of life.

The problem for the plaintiffs is without any evidence of data theft, the case is unlikely to succeed. According to the motion, “Essentially, Premera maintains a ‘no harm, no foul’ defense, contending there can be no damage to any plaintiff unless he or she can prove confidential information was exfiltrated from Premera’s system.”

Whether accidental or willful, the destruction of the computer is extremely damaging to the case. The motion states that “Without access to that hard drive, trying to prove that the hackers removed plaintiffs PII and PHI through that computer is impossible.”

Additionally, the motion, filed in the U.S. District Court in Portland, claims that Premera Blue Cross failed to preserve data loss logs from its Bluecoat Data Loss Prevention (DLP) system, which potentially could have confirmed that plan members’ data had been stolen. It is alleged that those files were also deleted after the lawsuit was filed.

Premera Blue Cross issued a a statement to ZDNet in which it was confirmed that Premera disagrees with the motion and does not believe the facts of the case justify the relief the plaintiffs have requested. A response to the motion will be filed by Premera’s attorneys by September 28, 2018.

If the motion is granted, a federal judge would then instruct a jury that key evidence has been destroyed and that it should be assumed that the evidence confirmed data exfiltration had occurred. It would also not be possible for Premera to call in computer experts to testify that no data had been exfiltrated.

Even a favorable ruling would be no guarantee of success nor of a settlement being reached. In order for damages to be awarded, plaintiffs in the suit would still need to establish that they have suffered losses as a result of the data breach.

The post Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence appeared first on HIPAA Journal.

NY Attorney General Fines Arc of Erie County $200,000 for Security Breach

Posted by HIPAA Journal

The Arc of Erie County has been fined $200,000 by the New York Attorney General for violating HIPAA Rules by failing to secure the electronic protected health information (ePHI) of its clients.

In February 2018, The Arc of Erie County, a nonprofit social services agency and chapter of the The Arc Of New York, was notified by a member of the public that some of its clients’ sensitive personal information was accessible through its website. The information could also be found through search engines.

The investigation into the security breach revealed sensitive information had been accessible online for two and a half years, from July 2015 to February 2018 when the error was corrected. The forensic investigation into the security incident revealed multiple individuals from outside the United States had accessed the information on several occasions. The webpage should only have been accessible internally by staff authorized to view ePHI and should have required a username and password to be entered before access to the data could be gained.

In total, 3,751 clients in New York had information such as their full name, address, phone number, age, date of birth, gender, race, primary diagnosis code, IQ, health insurance information, and Social Security number exposed. Those individuals were notified of the breach on March 9, 2018, the Department of Health and Human Services’ Office for Civil Rights was informed, and a breach report was submitted to the New York Attorney General’s office.

Under HIPAA, The Arc of Erie County is required to safeguard the ePHI of its clients and prevent that information from being accessed by unauthorized individuals. The investigation into the breach by the New York Attorney General’s office confirmed that HIPAA Rules had been violated as appropriate physical, technical, and administrative safeguards had not been implemented to ensure the confidentiality, integrity, and availability of ePHI. As a result of that failure, there had been an impermissible disclosure of clients ePHI.

“The Arc of Erie County’s work serves our most vulnerable New Yorkers – and that comes with the responsibility to protect them and their sensitive personal information,” said New York Attorney General Barbara. D. Underwood. “This settlement should provide a model to all charities in protecting their communities’ personal information online.”

In addition to paying a financial penalty of $200,000, The Arc of Erie County has agreed to adopt a Corrective Action Plan (CAP) that includes the requirement to conduct a thorough risk analysis to identify all security risks and vulnerabilities affecting its electronic equipment and data systems. A report of that assessment must be submitted to the New York Attorney General’s office within 180 days. Any vulnerabilities identified must be corrected through a HIPAA-compliance risk management process and policies and procedures must also be reviewed and revised, based on the findings of the risk analysis.

The post NY Attorney General Fines Arc of Erie County $200,000 for Security Breach appeared first on HIPAA Journal.

Couple Sues McAlester Hospital Over Alleged Snooping and Impermissible Disclosure

Posted by HIPAA Journal

Following the accidental drowning of their adopted son, Denise and Wayne Russell were contacted by the child’s birth mother who made threats against their family.

The phone call from the birth mother came shortly after their son was admitted to McAlester Regional Health Center following a tragic swimming pool accident. Their 2-year old child had fallen into the pool after the gate to the pool area had been accidentally left open. The parents administered CPR at the scene until the paramedics arrived and the child was rushed to hospital where he was later confirmed to have died.

Shortly after their son died, the Russells received the telephone call from the birth mother. When asked how she knew about the accident and death of the child, she confirmed that she had been informed by the hospital. The birth month screamed at the Russells and made multiple threats, according to Denise Russell, including a threat to kill their other son. The situation became so bad that a protective order was filed against their son’s birth mother.

The Russells had taken care of their adopted son Keon since he was two weeks old and finalized the adoption in July 2015. Under the terms of the adoption, the birth mother terminated all of her parental rights. Even so, an employee at the hospital contacted the birth mother to alert her to the death of her son.

In the lawsuit the Russells claim that as a result of the impermissible disclosure of their son’s health information they have experienced “extreme emotional distress” from having to deal with the birth mother. The couple are seeking $150,000 in damages.

The call to the birth mother was made by an employee of the hospital, although according to the lawsuit that was not the only privacy violation and HIPAA violation that occurred. The lawsuit alleges multiple hospital workers accessed Keon’s medical records without authorization including workers in the hospital cafeteria.

One worker in the food service section had been legitimately been given access to the hospital’s EHR system. Access was required to check dietary requirements of patients and room numbers. It is alleged that that worker had been instructed to write down her login credentials on a sticky note and post them on a computer to allow others to be able to access the EHR system. Those credentials were allegedly used by other food service workers to access the child’s records, including labor and delivery department records.

An examination of the access logs showed that Keon’s medical records were accessed multiple times on the day of admission to the hospital using the food service worker’s credentials, even though the worker wasn’t on duty that day.

If the allegations are true, there have been multiple HIPAA violations, which have undoubtedly caused emotional distress for the parents; however, there is no private cause of action in HIPAA. It is not possible for an individual to sue a hospital for a HIPAA violation. Only state attorneys general and the Department of Health and Human Services’ Office for Civil Rights are permitted to bring legal action against healthcare organizations for HIPAA violations under federal law.

Instead, the lawsuit alleges the hospital was negligent for failing to protect Keon Russell’s medical records and meet HIPAA requirements and its own internal policies. It has also been alleged that Oklahoma’s medical records statutes were also been violated. A jury trial is expected to commence in January 2019.

The post Couple Sues McAlester Hospital Over Alleged Snooping and Impermissible Disclosure appeared first on HIPAA Journal.

Lawmakers Accuse Oklahoma Department of Veteran Affairs of Violating HIPAA Rules

Posted by HIPAA Journal

The Oklahoma Department of Veteran Affairs has been accused of violating Health Insurance Portability and Accountability Act (HIPAA) Rules by three Democrat lawmakers, who have also called for two top Oklahoma VA officials to be fired over the incident.

The alleged HIPAA violation occurred during a scheduled internet outage, during which VA medical aides were prevented from gaining access to veterans’ medical records. The outage had potential to cause major disruption and prevent “hundreds” of veterans from being issued with their medications. To avoid this, the Oklahoma Department of Veteran Affairs allowed medical aides to access electronic medical records using their personal smartphones.

In a letter to Oklahoma Governor Mary Fallin, Reps. Brian Renegar, Chuck Hoskin, and David Perryman called for the VA Executive Director Doug Elliot and the clinical compliance director Tina Williams to be fired over the alleged HIPAA violation.

They claimed Elliot and Williams “have little regard for, and knowledge of, health care,” and allowing medical aides to access electronic medical records via personal smartphones was “a direct violation of HIPAA” and potentially placed millions of dollars of federal funding in jeopardy.

State CISO Mark Gower is adamant that HIPAA Rules were not violated. He explained that only a limited number of medical aides were allowed to access electronic health records using their smartphones, and access was only granted for a limited period of time until the problem was resolved. When the issue was over, access to medical records via smartphones was blocked. It was just a case of temporarily swapping a laptop or desktop computer for a smartphone.

Gower explained that accessing medical records using a smartphone did not result in medical records being copied to the devices. The medical records system does not create a cache or store any information locally. Gower also said that the records system and the smartphones met the VA’s security requirements.

The three lawmakers do not believe Gower’s explanation and claim that during the outage, employees at all seven of the state’s care centers were allowed to copy medical records onto their personal cellphones.

Doug Elliot said the medical aides were “the best and brightest” and that it was “Unfathomable that any of the med aides have disclosed that information to a third party.” He also said it was “unconscionable” for the legislators to suggest that VA employees had violated HIPAA Rules and patient privacy.

While Elliot does not believe the allegations have any merit, they are being taken seriously. Elliot has reported the matter to the state’s IT security team which will be conducting a full investigation. The Office of Management and Enterprise Services, which oversees IT for state agencies, is also looking into the allegations.

The legislators are not happy with the matter being investigated by a state agency and believe that this incident can only be impartially investigated by the federal government. The legislators have also reported the matter to the Department of Health and Human Services, the Department of Veteran Affairs, and U.S. Attorney Robert Troester.

“The federal government’s going to be the one to determine this, not some state agency helping another state agency wash their hands of what they did,” said Rep. Renegar.

The post Lawmakers Accuse Oklahoma Department of Veteran Affairs of Violating HIPAA Rules appeared first on HIPAA Journal.

OCR Reminds Healthcare Organizations of HIPAA Rules for Disposing of Electronic Devices and Media

Posted by HIPAA Journal

In its July Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA covered entities about HIPAA Rules for disposing of electronic devices and media.

Prior to electronic equipment being scrapped, decommissioned, returned to a leasing company or resold, all electronic protected health information (ePHI) on the devices must be disposed of in a secure manner.

HIPAA Rules for disposing of electronic devices cover all electronic devices capable of storing PHI, including desktop computers, laptops, servers, tablets, mobile phones, portable hard drives, zip drives, and other electronic storage devices such as CDs, DVDs, and backup tapes.

Healthcare organizations also need to be careful when disposing of other electronic equipment such as fax machines, photocopiers, and printers, many of which store data on internal hard drives. These devices in particular carry a high risk of a data breach at the end of life as they are not generally thought of as devices capable of storing ePHI.

If electronic devices are not disposed of securely and a data breach occurs, the costs to a healthcare organization can be considerable. Patients must be notified, it may be appropriate to pay for credit monitoring and identity theft protection services, and third-party breach response consultants, forensic investigators, and public relations consultants may need to be hired. OCR and/or state attorneys generals may conduct investigations and substantial financial penalties may be applied. Breach victims may also file lawsuits over the exposure of their financial information.

The costs all add up. The 2018 Cost of a Data Breach Study conducted by the Ponemon Institute/IBM Security highlighted the high cost of data breaches, in particular healthcare data breaches. The average cost of a breach of up to 100,000 records was determined to be $3.86 million. Healthcare data breaches cost an average of $408 per exposed record to mitigate, while the cost of data breaches of one million or more records was estimated to be between $40 million and $350 million.

It is not possible to ensure that all ePHI is disposed of securely if an organization does not know all systems and devices where PHI is stored. A full inventory of all equipment that stores ePHI must be created and maintained. When new equipment is purchased the list must be updated.

A full risk analysis should be conducted to determine the most appropriate ways to protect data stored on electronic devices and media when they reach the end of their lifespan.

Organizations must develop a data disposal plan that meets the requirements of 45 C.F.R. §164.310(d)(2)(i)-(ii). Paper, film, or other hard copy media should be shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. OCR notes that “Redaction is specifically excluded as a means of data destruction.”

Electronic devices should be “cleared, purged, or destroyed consistent with NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization,” to ensure that ePHI cannot be retrieved. If reusable media are in use, it is important to ensure that all data on the devices are securely erased prior to the devices being reused. Before electronic devices are scrapped or disposed of, asset tags and corporate identifying marks should be removed.

Third party contractors can be used to dispose of electronic devices, although they would be considered business associates and a business associate agreement would need to be in place. All individuals required to handle the devices must be aware of their responsibilities with respect to ePHI and its safe handling and should be subjected to workforce clearance processes.

Organizations should also consider the chain of custody of electronic equipment prior to destruction. Physical security controls should be put in place to ensure the devices cannot be stolen or accessed by unauthorized individuals and security controls should cover the transport of those devices until all data has been destroyed and is no longer considered ePHI.

The OCR newsletter, together with further information on secure disposal of ePHI and PHI, can be found on this link (PDF).

The post OCR Reminds Healthcare Organizations of HIPAA Rules for Disposing of Electronic Devices and Media appeared first on HIPAA Journal.

NIST/NCCoE Release Guide for Securing Electronic Health Records on Mobile Devices

Posted by HIPAA Journal

The HIPAA Security Rule requires HIPAA-covered entities to ensure the confidentiality, integrity, and availability of electronic protected health information at all times. Healthcare organizations must ensure patients’ health is not endangered, their privacy is protected, and their identities are not compromised.

A range of physical, technical, and administrative controls can be implemented to secure ePHI on servers and desktop computers, but ensuring the same level of security for mobile devices can be a major challenge.

Mobile devices offer many benefits for healthcare providers. They can improve access to protected health information, ensure that data can be accessed anywhere, and they help healthcare providers improve coordination of care.

However, when ePHI is stored on mobile devices such as laptops, tablets and mobile phones, or is transmitted using those devices, it is particularly vulnerable. Mobile devices are easy to lose, are often stolen, and data transmitted through mobile devices can also be vulnerable to interception. In healthcare, mobile device security is a major concern.

Despite security concerns, the majority of healthcare providers are either using mobile devices or plan to implement a mobile device initiative. Mobile device usage by healthcare providers is expected to increase significantly over the next two years.

To help healthcare organizations take advantage of mobile devices without violating the HIPAA Security Rule and patient privacy, the National Institute of Standards and Technology (NIST) and The National Cybersecurity Center of Excellence (NCCoE) has produced a new guideSecuring Electronic Health Records on Mobile Devices.

The guide focuses on healthcare organizations that use mobile devices to review, update, and exchange electronic health records and addresses risks such as the loss or theft of devices, the hacking of devices, connecting to untrusted networks, and interaction between mobile devices and other systems.

The guide explains how ePHI can be secured on mobile devices without having a negative impact on delivering quality care and offers straightforward and detailed advice on securing electronic health records on mobile devices.

The guide explains how IT professionals can implement a security architecture to improve device security and better protect ePHI that is accessed, stored, or transmitted through mobile devices. The guide explains how commercially available and open-source technologies and tools can be deployed as part of a layered cybersecurity strategy to ensure ePHI can be accessed and shared securely.

The guide maps security characteristics to NIST standards and best practices and to the HIPAA Security Rule and includes a detailed architecture and capabilities that address security controls. The guide provides detailed information on automated configuration of security controls for ease of use and addresses both in-house and outsourced implementations.

The guide serves as a how-to guide to implement NIST’s security solution, or it can be taken as a starting point and customized to suit each individual organization. Since the guide is modular, healthcare providers can choose to implement the parts to suit their own needs.

”All healthcare organizations need to fully understand the potential risk posed to their information systems, the bottom-line implications of those risks, and the lengths that attackers will go to exploit them,” wrote NIST/NCCoE in the guide. “Assessing risks and making decisions about how to mitigate them should be continuous to account for the dynamic nature of business processes and technologies, the threat landscape, and the data itself. The guide describes [NIST’s] approach to risk assessment. We recommend that organizations implement a continuous risk management process as a starting point for adopting this or other approaches that will increase the security of EHRs. It is important for management to perform regular periodic risk review, as determined by the needs of the business.”

The post NIST/NCCoE Release Guide for Securing Electronic Health Records on Mobile Devices appeared first on HIPAA Journal.

HHS Secretary Alex Azar Promises Reforms to Federal Health Privacy Rules

Posted by HIPAA Journal

At a July 27 address at The Heritage Foundation, Secretary of the Department of Health and Human Services (HHS), Alex Azar, explained that the HHS will be undertaking several updates to health privacy regulations over the coming months, including updates to the Health Insurance Portability and Accountability Act (HIPAA) and 45 CFR Part 2 (Part 2) regulations.

The process is expected to commence in the next couple of months. Requests for information on HIPAA and Part 2 will be issued, following which action will be taken to reform both sets of rules to remove obstacles to value-based care and support efforts to combat the opioid crisis. Rule changes are also going to be made to remove some of the barriers to data sharing which are currently hampering efforts by healthcare providers to expand the use of electronic health technology.

These requests for information are part of a comprehensive review of current regulations that are hampering the ability of doctors, hospitals, and payers to improve the quality healthcare services and coordination of care while helping to reduce healthcare costs.

That process has already commenced with the Centers for Medicare & Medicaid Services (CMS) already having proposed one of the most fundamental changes to Medicare in recent years – A change to how physicians are paid for basic evaluation visits.

At present there are currently five tiers of payments for visits, with payments increasing for visits of increasing complexity. While this system makes sense, in practice in involves a considerable administrative burden on physicians, requiring them to justify why they are claiming for a visit at a higher tier. The CMS has proposed reducing the five tiers to two. That simple change is expected to save physicians more than 50 hours a year – more than a week’s work – with that time able to be diverted to providing better care to patients.

The CMS has also submitted a request for information of issues with Stark’s Law, which prevents physicians from referring patients to other physicians/practices with which they have a financial relationship, except in certain situations. Requests for information on HIPAA, Part 2, and the Anti-Kickback Statute will follow.

Healthcare providers that wish to voice their concerns about issues with HIPAA, Part 2, and the Anti-Kickback Statute should consider preparing comments and suggestions for policy updates to address those issues, ready for submission when the HHS issues its requests for information.

The post HHS Secretary Alex Azar Promises Reforms to Federal Health Privacy Rules appeared first on HIPAA Journal.