HIPAA Compliance News

Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG

A data breach that occurred in October 2015 should have seen affected individuals notified within 2 months, yet it took CoPilot Provider Support Services Inc., until January 2017 to issue breach notifications.

An administration website maintained by CoPilot was accessed by an unauthorized individual on October 26, 2015. That individual also downloaded the data of 221,178 individuals. The stolen data included names, dates of birth, phone numbers, addresses, and medical insurance details.

The individual suspected of accessing the website and downloading data was a former employee. CoPilot contacted the FBI in February 2016 to receive help with the breach investigation and establish the identity of the unauthorized individual.

However, notifications were not sent by CoPilot until January 18, 2017. CoPilot says the delay was due to the time taken for the FBI to investigate the breach; however, since CoPilot was aware that reimbursement-related records had been stolen, notifications should have been sent sooner. Further, law enforcement did not instruct CoPilot to delay the issuing of breach notifications as doing so would not have impeded the investigation.

There is some debate as to whether CoPilot is a HIPAA covered entity. CoPilot has previously said it is not covered by HIPAA Rules, although a breach report was sent to the Department of Health and Human Services’ Office for Civil Rights. If CoPilot is a HIPAA covered entity, it would be necessary for breach notifications to be sent within 60 days of the discovery of the breach.

OCR is investigating and trying to determine whether CoPilot is classed as a business associate and therefore must comply with HIPAA Rules. If OCR determines CoPilot is a HIPAA-covered entity, the decision may be taken to issue a financial penalty for the delayed breach notifications. Earlier this year, OCR fined Presense Health $475,000 for delaying breach notifications for three months. A fine for CoPilot would likely be considerably higher considering the number of individuals impacted by the breach and the length of the delay.

HIPAA fines may or may not result from the notification delay, but the New York attorney general has now taken action. On Thursday last week, Eric Schneiderman announced that CoPilot has been fined $130,000 for the breach notification delay, not for a breach of HIPAA Rules but for a breach of General Business Law § 899-aa. The law requires businesses to send timely breach notifications to individuals impacted by a data breach. In addition to the fine, CoPilot is required to improve its notification and legal compliance program.

Announcing the fine, Schneiderman said, “Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” explaining that “Waiting over a year to provide notice is unacceptable.”

The financial penalty sends a message to all businesses that unnecessary breach notification delays will not be tolerated. Schneiderman said “My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”

The post Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG appeared first on HIPAA Journal.

OCR’s Wall of Shame Under Review by HHS

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’.

The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of breach, location of breach information, whether a business associate was involved and the number of individuals affected.

The list includes all reported data breaches, including those which occurred due to no fault of the healthcare organization. The list is not a record of HIPAA violations. Those are determined during OCR investigations of breaches.

Making brief details of the data breaches available to the public is an ‘unnecessarily punitive’ measure, according to Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list.

Burgess was informed at a cybersecurity hearing last week that HHS secretary Tom Price is currently reassessing the website and how the information is made public.

While the publication of information is under review, the publication of breach summaries is a requirement of the HITECH Act of 2009. Any decision to stop publishing breach summaries on the website would require assistance from Congress. However, it is possible for changes be made to how the information displayed and for how long the information is made available. HITECH Act only requires the information to be published. It does not stipulate the length of time that the covered entity remains on the list.

The reason behind the publication of breach information is to inform the public of data breaches and to provide some information on what has occurred. If there was a time limit placed on the length of time a covered entity remained on the list, it would not be possible for a member of the public to determine whether a breach was an isolated event or one of several suffered by a covered entity.

OCR Director Roger Severino issued a statement confirming the usefulness of the website saying, “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved,” explaining “OCR will continue to evaluate the best options for communicating this information as we meet statutory obligations, educate the regulated community (and the public) on lessons learned, and highlight actions taken in response.”

Burgess told Fierce Healthcare, “I am interested in pursuing solutions that hold hospital systems accountable for maintaining patient privacy without defaming systems that may fall victim to large-scale ransomware attacks, such as WannaCry.”

Of course, in the case of the WannaCry attacks, healthcare organizations may not be blameless. The attacks were only possible as a result of the failure to apply patches promptly. However, in its current form, there would be no indication on the website that a covered entity had experienced a ransomware attack as the breach list does not go into that much detail.

While options are being considered, some privacy advocates argue that the breach portal does not go into nearly enough detail and suggest even more information should be uploaded to the site to better inform the public on exactly what has occurred.

The post OCR’s Wall of Shame Under Review by HHS appeared first on HIPAA Journal.

OCR Issues Guidance on the Correct Response to a Cyberattack

Last week, the Department of Health and Human Services’ Office for Civil Rights issued new guidance to covered entities on the correct response to a cyberattack. OCR issued a quick response checklist and accompanying infographic to explain the correct response to a cyberattack and the sequence of actions that should be taken.

Responding to an ePHI Breach

Preparation is key. Organizations must have response and mitigation procedures in place and contingency plans should exist that can be implemented immediately following the discovery a cyberattack, malware or ransomware attack.

The first stage of the response is to take immediate action to prevent any impermissible disclosure of electronic protected health information. In the case of a network intrusion, unauthorized access to the network – and data – must be blocked and steps taken to prevent data from being exfiltrated.

Healthcare organizations may have staff capable of responding to such an incident, although third party firms can be contracted to assist with the response. Smaller healthcare organizations may have little choice but to call in external experts to investigate a breach and ensure access to data has been effectively blocked.

OCR has reminded covered entities that a third-party cybersecurity firm brought in to assist with response and mitigation would be classed as a business associate. Therefore, prior to access to systems being provided, a HIPAA-compliant business associate agreement must be signed by the cybersecurity firm. Failing to obtain a signed BAA prior to access to systems being provided would be a violation of HIPAA Rules and classed as an impermissible disclosure of ePHI.

Cyberattacks Should be Reported to Law Enforcement

A cyberattack is a crime, therefore law enforcement should be notified. Covered entities should alert the FBI and/or Secret Service to any cyberattack or ransomware incident and notify state and local law enforcement. Details of the incident should be provided, although covered entities should not disclose any protected health information, unless otherwise permitted by the HIPAA Privacy Rule (45 C.F.R. § 164.512(f)).

Covered entities have been advised that law enforcement may request breach reporting be delayed when the announcement of a breach may impede an investigation or could otherwise harm national security. Requests by law enforcement should state the duration of the delay and should be honored, while oral requests should result in a delay of no more than 30 days from the original request. (45 C.F.R. § 164.412)

Sharing Threat Indicators

After law enforcement has been notified, covered entities should report cyber threat indicators to federal and information sharing and analysis organizations (ISAOs). The Department of Homeland Security and the HHS Assistant Secretary for Preparedness and Response should be provided with threat indicators, although covered entities should not disclose any protected health information in their reports.

Notifying Affected Individuals and OCR

Covered entities are advised that threat indicator information is not passed to OCR by other federal agencies. Covered entities must therefore submit a separate breach notice to OCR as soon as possible, and certainly no later than 60 days following the discovery of the breach if the incident impacts 500 or more individuals (unless otherwise instructed by law enforcement).

Covered entities can notify OCR of a breach impacting fewer than 500 individuals within 60 days of the end of the calendar year in which the breach was discovered.

According to the guidance, “OCR presumes all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident.”

In all cases, individuals impacted by a security breach must be notified without unnecessary delay and no later than 60 days following the discovery of a breach.

OCR’s checklist and infographic can be downloaded using the links below:

OCR’s Cyber Security Checklist

Cybersecurity Infographic

The post OCR Issues Guidance on the Correct Response to a Cyberattack appeared first on HIPAA Journal.

Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts

Ransomware, malware and unaddressed software vulnerabilities threaten the confidentiality, integrity and availability of PHI, although healthcare organizations should take steps to deal with the threat from within. This year has seen numerous cases of employees snooping and accessing medical records without authorization.

The HIPAA Security Rule 45 CFR §164.312(b) requires covered entities to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information,” while 45 CFR §164.308(a)(1)(ii)(D) requires covered entities to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

Logs create an audit trail that can be followed in the event of a data breach or privacy incident. Those logs can be checked to discover which records have been accessed without authorization.

If those logs are monitored continuously, privacy breaches can be identified quickly and action taken to limit harm. However, recent incidents have shown that while access logs are kept, they are not being regularly checked. There have been numerous recent examples of employees who have improperly accessed patients’ medical records over a period of several years.

A few days ago, Beacon Health announced an employee had been discovered to have improperly accessed the medical records of 1,200 patients without any legitimate work reason for doing so. That employee had been snooping on medical records for three years.

In March, Chadron Community Hospital and Health Services in Nevada discovered an employee had accessed the medical records of 700 patients over a period of five years and St. Charles Health System in central Oregon discovered an employee had accessed medical records without authorization over a 27 month period.

Also in March, Trios Health discovered an employee had improperly accessed the medical records of 570 patients. The improper access occurred over a period of 41 months.

Rapid detection of internal privacy breaches is essential. Even when snooping is discovered relatively quickly, the privacy of many thousands of patients may have already been violated. In January, Covenant HealthCare notified 6,197 patients of a privacy breach after an employee was discovered to have improperly accessed medical records over a period of 9 months, while a Berkeley Medical Center employee accessed the ePHI of 7,400 patients over a period of 10 months.

Healthcare organizations may not feel it is appropriate to restrict access to patients’ PHI, but a system can be implemented that will alert staff to improper access promptly. Software solutions can be used to detect improper access and alert appropriate members of staff in near real-time. If such systems are not implemented, regular audits of ePHI access logs should be conducted. Regular checks of ePHI access logs will allow organizations to prevent large-scale breaches, reduce legal liability and reduce the harm caused by rogue employees.

The post Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts appeared first on HIPAA Journal.

OCR Reminds Covered Entities of Security Incident Definition and Notification Requirements

The ransomware attacks and high number of healthcare IT security incidents last month has prompted the Department of Health and Human Services’ Office for Civil Rights to issue a reminder to covered entities about HIPAA Rules covering security breaches.

In its May 2017 Cyber Newsletter, OCR explains what constitutes a HIPAA security incident, preparing for such an incident and how to respond when perimeters are breached.

HIPAA requires all covered entities to implement technical controls to safeguard the confidentiality, integrity and availability of electronic protected health information (ePHI). However, even when covered entities have sophisticated, layered cybersecurity defenses and are fully compliant with HIPAA Security Rule requirements, cyber-incidents may still occur. Cybersecurity defenses are unlikely to be 100% effective, 100% of the time.

Prior to the publication of OCR guidance on ransomware attacks last year, there was some confusion about what constituted a security incident and reportable HIPAA breach. Many healthcare organizations had experienced ransomware attacks, yet failed to report those incidents to OCR or notify patients that their ePHI may have been accessed.

OCR has reminded covered entities in its newsletter of the HIPAA definition of a security incident. The HIPAA Security Rule (45 CFR 164.304) describes a security incident as “an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”

OCR has taken the opportunity to remind covered entities that they need to prepare for those incidents. Policies and procedures should be developed that kick into action immediately following the discovery of a security incident or data breach.

If covered entities react quickly to security incidents and data breaches it is possible to minimize the impact and reduce legal liability and operational and reputational harm. Contingency plans should exist for a range of security incidents and emergency situations. OCR says “policies, procedures, and plans should provide a roadmap for implementing the entity’s incident response capabilities.”

When a breach occurs, the HIPAA Breach Notification Rule requirements must be followed. The HIPAA Breach Notification Rule (45 CFR 164.402) requires OCR to be notified of a breach and notifications to be sent to patients in the event of “an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information.”

Each month, Databreaches.net tracks healthcare data breach incidents, with the Protenus Breach Barometer report showing the time taken for covered entities to report their breaches to OCR. The past few reports show some improvement, with covered entities reporting their breaches more promptly. That said, there have been several cases where data breach notifications have been submitted late and patients have had their notification letters delayed.

OCR reminds covered entities that the HIPAA deadline for reporting security incidents and sending notifications to patients/health plan members is 60 days* from the discovery of the breach.

This is a deadline, not a recommendation. Many covered entities delay issuing notifications until day 59. OCR points out that the HIPAA Breach Notification Rule requires notifications to be issued “without reasonable delay.”

If you missed the email newsletter, you can download a copy on this link: https://www.hhs.gov/sites/default/files/may-2017-ocr-cyber-newsletter.pdf

*Breaches impacting fewer than 500 individuals can be reported to OCR annually, with the deadline 60 days after the end of the year when the breach was discovered. Breaches impacting 500 or more individuals must be reported to OCR within 60 days of the discovery of the breach. Individuals must be notified of a breach of PHI or ePHI within 60 days of the discovery of the breach, regardless of how many individuals have been impacted by the breach.

The post OCR Reminds Covered Entities of Security Incident Definition and Notification Requirements appeared first on HIPAA Journal.

HIPAA Enforcement Update Provided by OCR’s Iliana Peters

Office for Civil Rights Senior Advisor for HIPAA Compliance and Enforcement, Iliana Peters, has given an update on OCR’s enforcement activities in a recent Health Care Compliance Association ‘Compliance Perspectives’ podcast.

OCR investigates all data breaches involving the exposure of theft of more than 500 healthcare records. OCR also investigates complaints about potential HIPAA violations. Those investigations continue to reveal similar non-compliance issues. Peters said many issues come up time and time again.

Peters confirmed that cases are chosen to move on to financial settlements when they involve particularly egregious HIPAA violations, but also when they relate to aspects of HIPAA Rules that are frequently violated. The settlements send a message to healthcare organizations about specific aspects of HIPAA Rules that must be addressed.

Peters said one of the most commonly encountered problems is the failure to conduct a comprehensive, organization-wide risk assessment and ensure any vulnerabilities identified are addressed through a HIPAA-compliant risk management process. Several recent settlements have highlighted just how frequently HIPAA covered entities get risk assessments wrong, either failing to conduct them at all, not conducting them frequently enough or conducting them to the standard demanded by HIPAA.

Peters pointed out that privacy violations are occurring frequently, with many HIPAA-covered entities still unsure of the allowable uses and disclosures of PHI. OCR recently announced two settlements have been reached with covered entities that have impermissibly disclosed patients’ health information to employers and the media.

Peters explained that the healthcare industry is not doing a good job at preventing cybersecurity incidents and that warrants attention, but it is important for OCR not to just focus on the hot topics and ‘sexy’ issues. OCR is also focussed on the lack of safeguards for paper records and the failure to secure removable media.

In the case of the latter, there have been numerous instances where ePHI has been exposed as a result of the failure to use encryption. Peters pointed out that if “[a device] can walk away from your enterprise, it will walk away.” OCR has settled cases with several organizations in recent months as a result of the lack of appropriate safeguards and policies and procedures covering removable devices.

Peters explained that OCR has been working on sharing penalties or other recoveries with individuals that have been harmed by privacy violations, although that has been a challenging process as it is difficult to determine and quantify harm. OCR is working on an advanced notice of proposed rulemaking and will be seeking advice from the public on how funds should be shared.

OCR is also working on initiatives to improve privacy protections at non-HIPAA covered entities. For instance, patients are being encouraged to share their health data with research organizations and through the “All of Us” initiative. For those programs to be as successful as they should be, patients need to be sure their data will be protected. OCR is providing advice to organizations and partners to ensure that patient data are protected, even if they are collected and stored by non-HIPAA-covered entities.

Peters also spoke of dealing with Certified EHR technology and how HIPAA applies to cloud computing, malware, and ransomware.

You can listen to the Compliance Perspectives podcast via this link.

The post HIPAA Enforcement Update Provided by OCR’s Iliana Peters appeared first on HIPAA Journal.

OCR and ONC Face Major Budget Cuts

On Tuesday this week, the Trump administration revealed its 2018 fiscal 2018 budget which revealed the Department of Health and Suman Services’ Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) face major cuts to their operational budgets.

The ONC faces the largest budget cut, with its $60 million per year cut by 36% for the coming financial year. ONC would need to lose 26 members of staff, with such a large budget cut likely to force the agency to reconsider its priorities. OCR faces a budget cut of 13%, reducing funding from $38 million to $33 million likely requiring the loss of 16 staff.

The fiscal 2018 budget is not set in stone and changes are likely to be made before the budget is passed by Congress. However, the Trump administration has previously stated the desire to shave $15.1 billion from the Department of Health and Human Services budget and cuts are therefore inevitable.

OCR has many roles, although as the main enforcer of HIPAA Rules, those budget cuts could affect the agency’s HIPAA enforcement activities. OCR has long been planning to implement a permanent HIPAA audit program, although those plans may have to be postponed again.

The second phase of compliance audits, which finally commenced last fall after numerous delays, could also be threatened. OCR has already conducted desk audits but the on-site audits that were due to take place in the first quarter of 2017 have already been pushed back to the end of the year.

Karen DeSalvo said earlier this year that the on-site audits may even be pushed back to 2018. If the budget cuts are approved by Congress, it is possible that those on-site audits of covered entities will be delayed even further or scaled back.

Other HIPAA activities are less likely to be affected. OCR is permitted to keep a proportion of the funds collected from its HIPAA enforcement activities which can be used to fund further investigations and enforcement actions. It is unlikely that major cut backs would be made to HIPAA enforcement actions that bring in much needed funds.

With less funding, some of OCR’s activities would likely need to be scaled back, with OCR’s civil rights activities likely to be adversely affected by the cut in funding.

The new director of the Department of Health and Human Services, Tom Price, issued a statement about the proposed budget saying, it “outlines a clear path toward fiscal responsibility by creating efficiencies that both improve services and save money.” He is likely to have to oversee some major changes to improve the efficiency of his department over the coming months.

The post OCR and ONC Face Major Budget Cuts appeared first on HIPAA Journal.

Impermissible Disclosure of HIV Status to Employer Results in $387,000 HIPAA Penalty

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a new HIPAA settlement to resolve violations of the HIPAA Privacy Rule.

St. Luke’s-Roosevelt Hospital Center Inc., has paid OCR $387,200 to resolve potential HIPAA violations discovered during an OCR investigation of a complaint about an impermissible disclosure of PHI.

In September 2014, OCR received a complaint about a potential privacy violation involving a patient of St. Luke’s Spencer Cox Center for Health. In the complaint, it was alleged that a member of St Luke’s staff violated the privacy of a patient by faxing protected health information to the individual’s employer.

The information in the fax was highly sensitive, including the patient’s sexual orientation, HIV status, sexually transmitted diseases, mental health diagnosis, details of physical abuse suffered, medical care and medications. Instead of faxing the information, the data should have been sent to a personal post box as requested.

The investigation revealed that the incident was not the only time that the HIPAA Privacy Rule had been violation in such a fashion. A similar incident occurred nine months previously when a patient’s PHI was sent via fax to an office where he volunteered.

The Privacy Rule violations in both cases were particularly serious due to the highly sensitive nature of information that was disclosed. In the resolution agreement, OCR said the impermissible disclosures were egregious.

HIPAA Rules require covered entities to safeguard patients’ protected health information at all times. However, the investigation revealed that St Luke’s had failed to do that on two occasions, violating 45 C.F.R. § 164.530(c)(2)(i). Further, after the first impermissible disclosure, St Luke’s failed to address vulnerabilities in their compliance program to prevent further impermissible disclosures from occurring. Had those vulnerabilities been addressed, the second privacy violation may have been avoided.

In addition to paying OCR $387,200, St Luke’s is required to adopt a corrective action plan. The CAP involves reviewing and updating policies and procedures covering allowable uses and disclosures of PHI and training staff members on policy and procedural updates.

OCR issued a press release announcing the HIPAA settlement in which OCR director Roger Severino said “Individuals cannot trust in a health care system that does not appropriately safeguard their most sensitive PHI,” explaining “Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards.” OCR consideration the nature of the breach and the extent of the harm caused when deciding an appropriate settlement amount.

May is not yet over, but already there have been nine HIPAA settlements between OCR and covered entities to resolve HIPAA violations discovered during the investigation of complaints and data breaches. At the current rate of almost two settlements a month, OCR will double last year’s record breaking number of HIPAA enforcement penalties. The increase in HIPAA penalties shows that OCR is taking a much harder line on covered entities that fail to comply with HIPAA Rules.

Two of the most recent penalties have resulted from complaints involving HIPAA violations relating to one or two patients. It is no longer just large scale data breaches that merit financial penalties. Any severe violation of HIPAA Rules can result in a HIPAA fine.

The post Impermissible Disclosure of HIV Status to Employer Results in $387,000 HIPAA Penalty appeared first on HIPAA Journal.

Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk.

The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and pertinent information for U.S. healthcare organizations allowing them to take rapid action to counter the threat.

While the Office for Civil Rights has previously sent monthly emails to healthcare organizations warning of new threats in its cybersecurity newsletters, the recent alerts were sent much more rapidly and frequently, with four email alerts and conference calls made with industry stakeholders alerting them to the imminent threat.

Whether this was a one off in response to a specific and imminent major threat or the HHS plans to issue more timely alerts remains to be seen. However, the rapid communication of the ransomware threat almost certainly helped many healthcare organizations take prompt action to reduce risk.

Fortunately, attacks on organizations in the United States appear to have been limited, with the Department of Homeland Security saying fewer than 10 U.S. companies have reported being attacked.

In the email alerts, healthcare organizations were reminded of the need to implement data security measures to reduce the risk of malware and ransomware attacks. OCR also issued guidance on HIPAA specific to the threat from WannaCry ransomware.

OCR reiterated that a ransomware attack that involved the encryption of patients ePHI is presumed to be a HIPAA breach, reminding covered entities to report attacks within 60 days, as is required by the HIPAA Breach Notification Rule.

OCR also advised healthcare organizations that breach reports– and patient notifications – are required if data have been compromised that have not been encrypted by the entity to NIST specifications.

In the event of a breach, covered entities were told to contact their local FBI filed office, submit details of the incident to the FBI’s Internet Crime Complaint Center and report the incident to US-CERT. OCR also emphasized that reporting ransomware attacks to other federal organizations or law enforcement bodies does not constitute a HIPAA-compliant breach report. OCR must be notified of the incident separately.

Threat intelligence sharing can prevent other organizations suffering similar attacks and OCR encourages the sharing of cyber threat information. However, the HIPAA Privacy Rule does not permit the sharing of PHI. When cyber threat information is shared with federal agencies, law enforcement, or an Information Sharing and Analysis Organization (ISAO), covered entities must ensure that PHI is not shared. Doing so would be a HIPAA violation and could result in action being taken against the organization in question.

OCR also reminded organizations that compliance with the HIPAA Security Rule helps covered entities prepare for ransomware attacks and respond appropriately if systems are compromised and data are encrypted.

Further information on HIPAA and ransomware attacks can be found in an OCR factsheet available on this link.

Healthcare organizations were also reminded that they can request and unauthenticated scan of their public IP addresses from the Department of Homeland Security.

US-CERT’s National Cybersecurity Assessment & Technical Services (NCATS) provides an objective third-party perspective on an organizations cybersecurity posture and can conduct a broad assessment scanning for known vulnerabilities at no cost to stakeholders. The service allows healthcare organizations to be proactive and take steps to reduce risk prior to exploitation by malicious individuals.  Requests can be made by emailing NCATS on NCATS_INFO@hq.dhs.gov

The post Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware appeared first on HIPAA Journal.