HIPAA News for Small and Mid-Sized Practices

October 2017 Healthcare Data Breaches

In October 2017, there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. Those data breaches resulted in the theft/exposure of 71,377 patient and plan member records. October saw a significant fall in the number of reported breaches compared to September, and a major fall in the number of records exposed.

Healthcare data breaches by month (July-October 2017)

October saw a major reduction in the number of breached records, with the monthly total almost 85% lower than September and almost 88% lower than the average number of records breached over the preceding three months.

healthcare records breached July-October 2017

Healthcare providers were the worst hit in October with 19 reported data breaches. There were six data breaches reported by health plans and at least two incidents involved business associates of HIPAA-covered entities.

October 2017 Healthcare Data Breaches by Covered Entity Type

October 2017 healthcare data breaches by covered entity type

Main Causes of October 2017 Healthcare Data Breaches

Unauthorized access/disclosures were the biggest causes of healthcare data breaches in October. There were 14 breaches reported involving unauthorized access/disclosures, 8 hacking incidents, four cases of theft, and one unencrypted laptop computer was lost.

cause of october 2017 healthcare data breaches

Unauthorized access/disclosures were the leading causes of October 2017 healthcare data breaches, although hacking/IT incidents exposed more records – Over twice the number of records exposed by unauthorized access/disclosures and hacking/IT incidents exposed more records than all other breach types combined.

october 2017 healthcare data breaches - records exposed

Location of Exposed and Stolen Protected Health Information

Email was the most common location of breached PHI in October. Five of the nine incidents involving email were the result of hacking/IT incidents such as phishing. The remaining four incidents were unauthorized access/disclosures such as healthcare employees sending emails containing PHI to incorrect recipients. Five incidents involved paper records, highlighting the importance of securing physical records as well as electronic protected health information.

october 2017 healthcare data breaches - location of breached PHI

October 2017 Healthcare Data Breaches by State

In October, healthcare organizations based in 22 states reported data breaches. The state that experienced the most data breaches was Florida, with 3 reported breaches. Maryland, Massachusetts, and New York each had two breaches.

Alabama, Arizona, California, Connecticut, Georgia, Iowa, Illinois, Kansas, Kentucky, Louisiana, Missouri, North Carolina, Ohio, Rhode Island, Tennessee, Texas, Virginia, and Washington each had one reported breach.

Largest Healthcare Data Breaches in October 2017


Breached Entity Entity Type Breach Type Individuals Affected
Chase Brexton Health Care Healthcare Provider Hacking/IT Incident 16,562
East Central Kansas Area Agency on Aging Business Associate Hacking/IT Incident 8,750
Brevard Physician Associates Healthcare Provider Theft 7,976
MHC Coalition for Health and Wellness Healthcare Provider Theft 5,806
Catholic Charities of the Diocese of Albany Healthcare Provider Hacking/IT Incident 4,624
MGA Home Healthcare Colorado, Inc. Healthcare Provider Hacking/IT Incident 2,898
Orthopedics NY, LLP Healthcare Provider Unauthorized Access/Disclosure 2,493
Mann-Grandstaff VA Medical Center Healthcare Provider Theft 1,915
Arch City Dental, LLC Healthcare Provider Unauthorized Access/Disclosure 1,716
John Hancock Life Insurance Company (U.S.A.) Health Plan Unauthorized Access/Disclosure 1,715

The post October 2017 Healthcare Data Breaches appeared first on HIPAA Journal.

How to Handle A HIPAA Privacy Complaint

Healthcare providers need to be prepared to deal with a HIPAA privacy complaint from a patient. In order for an efficient response to be conducted, policies should be developed covering the complaints procedure and staff must be trained to handle HIPAA privacy complaints correctly.

Patients must also be clearly informed how they can make a HIPAA privacy complaint if they feel that their privacy has been violated or HIPAA Rules have been breached. This should be clearly stated in your Notice of Privacy Practices.

A HIPAA Privacy Complaint Should be Taken Seriously

When a HIPAA privacy complaint is filed, it is important that it is dealt with quickly and efficiently. Fast action will help to reassure patients that that you treat all potential privacy and security violations seriously.

While patients may be annoyed or upset that an error has been made, in many cases, patients are not looking to cause trouble. They want the issue to be investigated, any risks to be mitigated, the problem to be addressed to ensure it does not happen again, and in many cases, they seek an apology. If the complaint is dealt with quickly and efficiently, it may not be taken any further.

If a verbal complaint is made, the patient should be asked to submit the complaint in writing. You should provide a form for the patient to do this. The HIPAA privacy complaint form can then be passed on to your Privacy Officer to investigate.

Investigate All Complaints and Take Prompt Action

All HIPAA privacy complaints should be investigated to determine who was involved, and how the privacy of the patient was violated. The privacy breach may not be a one-off mistake. It could be an indication of a widespread problem within your organization. The Privacy Officer must identify the root cause of the privacy violation and take action to ensure that any issues are corrected to prevent similar privacy breaches from occurring in the future.

All individuals involved in the breach must be identified and appropriate action taken – disciplinary action and/or additional training. A report of the incident should be given to law enforcement if a crime is suspected, and policies and procedures may need to be updated to introduce new safeguards to prevent a recurrence.

The Privacy Officer will need to determine whether there has been a HIPAA breach, and if the incident must be reported. The investigation must determine whether any other patients are likely to have had their privacy violated. If so, they will need to be notified within 60 days.

If a HIPAA breach has occurred, the Breach Notification Rule requires covered entities to report the breach to OCR without unnecessary delay. State laws may also require healthcare organizations to notify appropriate state attorneys general of the breach.

A breach impacting 500 or more individuals must be reported to OCR within 60 days of the discovery of the breach, and within 60 days of year end for smaller breaches. The failure to investigate promptly may see that deadline missed. In 2017, OCR issued its first HIPAA penalty solely for a Breach Notification Rule violation.

It is important that all stages of the complaint and investigation are documented. Those documents are likely to be requested in the event of an audit or investigation by OCR or state attorneys general. If any documents are missing, that aspect of the complaint investigation cannot be easily proven to have taken place.

Once the investigation into the HIPAA privacy complaint has been completed, it is important to report back to the complainant and explain that their complaint has been investigated, and the actions taken to mitigate harm and prevent similar incidents from occurring in the future should be explained.

Summary of How to Correctly Handle a HIPAA Complaint

  • Request the HIPAA privacy complaint is made in writing
  • Pass the compliant to the Privacy Officer
  • Privacy Officer should find out who was involved and what PHI was breached
  • The root cause of the breach must be established
  • Action should be taken to mitigate harm
  • Pass information to HR to take disciplinary action against employees (if appropriate)
  • Report the breach to law enforcement (if appropriate)
  • Policies and procedures should be updated to prevent a recurrence
  • Retrain staff
  • Determine whether the breach is a reportable incident
  • Collate all documentation in relation to the breach and investigation
  • Contact the complainant and explain the findings of the investigation

If the breach is determined to be a reportable incident

  • Submit a breach report to OCR
  • Submit breach reports to appropriate state attorneys general
  • Provide a toll-free number for patients to find out more information
  • Notify all affected individuals by mail
  • Post a breach notice in a prominent place on the home page of your organization’s website for 90 days if current contact information for 10 or more individuals is not held

If the breach is discovered to affect more than 500 individuals

  • Issue a press release to a prominent media outlet

Privacy Violations Can Result in Financial Penalties

When patients believe their privacy has been violated, or HIPAA Rules have been breached, they may report the incident to the Department of Health and Human Services’ Office for Civil Rights. Some patients may choose to take this course of action rather than contact the covered entity concerned.

OCR is likely to take an interest in an organization’s HIPAA policies covering privacy complaints. Financial penalties await organizations that do not have documented policies and procedures in place, and the penalties for HIPAA violations can be severe.

OCR wants to see that complaints are treated seriously, they are adequately investigated and resolved, and that prompt action is taken to ensure they do not happen again. A fast and efficient response to a HIPAA privacy complaint – and correction of any HIPAA violations uncovered – will reduce the risk of a HIPAA violation penalty, and the amount of the penalty if it cannot be avoided.

The post How to Handle A HIPAA Privacy Complaint appeared first on HIPAA Journal.

Ursnif Trojan Steals Contacts and Sends Spear Phishing Emails


The banking Trojan Ursnif, one of the most commonly used banking Trojans, has previously been used to attack financial institutions. However, it would appear the actors behind the malware have broadened their horizons, with attacks now being conducted on a wide range of organizations across many different industries, including healthcare.

The new version of the Ursnif Trojan was detected by researchers at security firm Barkly. The malware arrived in a phishing email that appeared to have been sent in response to a message sent to another organization.

The spear phishing email included the message thread from past conversations, suggesting the email account of the contact had been compromised. The email contained a Word document as an attachment with the message “Morning, Please see attached and confirm.”  While such a message would arouse suspicion if that was the only content in the email body, the inclusion of the message thread added legitimacy to the email.

The document contained a malicious macro that ran Powershell commands which tried to download the malicious payload; however, in contrast to many malware campaigns, rather than running the macro immediately, it is not run until the Word document is closed – an anti-sandbox technique.

If the payload is downloaded, in addition to the user’s device being compromised, their email account will be used to send out further spear phishing emails to all of that user’s contacts.

Barkly notes that If installed, the malware can perform man-in-the-middle attacks and can steal information as it is entered into the browser. The purpose of the Ursnif Trojan is to steal a wide range of credentials, including bank account information and credit card details. Ursnif Trojan is also able to take screenshots from the user’s device and log keystrokes.

Barkly reports that this is not the first time the firm has identified malware campaigns that use this tactic to spread malware, but this is the first time that the Ursnif Trojan has been used in this way, showing the threat is evolving.

Since the emails appear to come from a trusted sender, and include message threads, the likelihood of the emails and attachments being opened is far greater.

Barky reports that currently the malware is not being picked up by many anti-virus solutions, and its ability to delete itself after executing makes the threat hard to detect and analyze.

Further details on the threat, including the domains used by the malware and SHA256 hashes for the Word document, Macro, and Ursnif payload can be found on this link.

The post Ursnif Trojan Steals Contacts and Sends Spear Phishing Emails appeared first on HIPAA Journal.

What is a Limited Data Set Under HIPAA?

A limited data set under HIPAA is a set of identifiable healthcare information that the HIPAA Privacy Rule permits covered entities to share with certain entities for research purposes, public health activities, and healthcare operations without obtaining prior authorization from patients, if certain conditions are met.

In contrast to de-identified protected health information, which is no longer classed as PHI under HIPAA Rules, a limited data set under HIPAA is still identifiable protected information. Therefore it is still subject to HIPAA Privacy Rule regulations.

A HIPAA limited data set can only be shared with entities that have signed a data use agreement with the covered entity. The data use agreement allows the covered entity to obtain satisfactory assurances that the PHI will only be used for specific purposes, that the PHI will not be disclosed by the entity with which it is shared, and that the requirements of the HIPAA Privacy Rule will be followed.

The data use agreement, which must be accepted prior to the limited data set being shared, should outline the following:

  • Allowable uses and disclosures
  • Approved recipients and users of the data
  • An agreement that the data will not be used to contact individuals or re-identify them
  • Require safeguards to be implemented to ensure the confidentiality of data and prevent prohibited uses and disclosures
  • State the discovery of improper uses and disclosures must be reported back to the covered entity
  • State that any subcontractors who are required to access or use the data also enter into a data use agreement and agree to comply with its requirements.

In all cases, the HIPAA minimum necessary standard applies, and information in the data set must be limited to only the information necessary to perform the purpose for which it is disclosed.

What Information Must be Removed From a Limited Data Set Under HIPAA?

Under HIPAA Rules, a limited data set cannot contain any of the following information:

  • Names
  • Street addresses or postal address information with the exception of town/city, state and zip code
  • Phone/Fax numbers
  • E-mail addresses
  • Social Security numbers
  • Medical records numbers
  • Health plan beneficiary numbers
  • Other account numbers
  • Certificate and license numbers
  • Vehicle identifiers and serial numbers, including license plates
  • Device identifiers and serial numbers
  • URLs and IP addresses
  • Biometric identifiers such as fingerprints, retinal scans and voice prints
  • Full face photos and comparable images

The post What is a Limited Data Set Under HIPAA? appeared first on HIPAA Journal.

How Can Healthcare Organizations Prevent Phishing Attacks?

The threat from phishing is greater than ever before. Healthcare organizations must now invest heavily in phishing defenses to counter the threat and prevent phishing attacks and the theft of credentials and protected health information.

Phishing on an Industrial Scale

More phishing websites are being developed than ever before. The scale of the problem was highlighted in the Q3 Quarterly Threat Trends Report from Webroot. In December 2016, Webroot reported there were more than 13,000 new phishing websites created every day – Around 390,000 new phishing webpages every month. By Q3, 2017, that figure had risen to more than 46,000 new phishing webpages a day – around 1,385,000 per month. The report indicated 63% of companies surveyed had experienced a phishing related security incident in the past two years.

Phishing webpages need to be created on that scale as they are now detected much more rapidly and added to blacklists. Phishing websites now typically remain active for between 4-6 hours, although that short time frame is sufficient for each site to capture many users’ credentials. Many of those websites also have an SSL certificate, so they appear to users to be secure websites. A website starting with HTTPS is no guarantee that it is not being used for phishing.

Study Provides Insight into Phishing Tactics

While phishers often use their own domains to phish for credentials, a recent report from Duo Security showed legitimate websites are increasingly being compromised and loaded with phishing kits. The study identified more than 3,200 unique fishing kits spread across 66,000 URLs. These phishing kits are being traded on underground marketplaces and sold to accomplished phishers and wannabe cybercriminals. 16% of those URLs were on HTTPS websites.

Duo Security notes that persistence is maintained by creating a .htaccess file that blocks the IP addresses of threat intelligence gathering firms to prevent detection. The Webroot report also highlighted an increase in the use of benign domains for phishing.

The phishing kits are typically loaded into the wp-content, wp-includes, and wp-admin paths of WordPress sites, and the signin, images, js, home, myaccount, and css folders on other sites. Organizations should monitor for file changes in those directories to ensure their sites are not hijacked by phishers. Strong passwords should also be used along with non-standard usernames and rate limiting on login attempts to improve resilience against brute force attacks.

How to Prevent Phishing Attacks

Unfortunately, there is no single solution that will allow organizations to prevent phishing attacks, although it is possible to reduce risk to an acceptable level. In the healthcare industry, phishing defenses are a requirement of HIPAA and steps must be taken to reduce risk to a reasonable and acceptable level. The failure to address the risk from phishing can result in financial penalties for noncompliance.

Defenses should include a combination of technological solutions to prevent the delivery of phishing emails and to block access to phishing URLs. Employees must also receive regular training to help them identify phishing emails.

As OCR pointed out in its July Cybersecurity newsletter, HIPAA (45 C.F.R. § 164.308(a)(5)(i)) requires organizations to provide regular security awareness training to employees to help prevent phishing attacks. OCR explained that “An organization’s training program should be an ongoing, evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them.”

Due to the increased use of HTTPS, it is no longer sufficient for users to check that the site is secure to avoid phishing scams. While a site starting with HTTPS does give an indication that the site is secure, it is important that end users do not automatically trust those websites and let their guard down. Just because a website has an SSL certificate it does not mean it can be trusted. Users should also be told to pay particular attention to the domain name to make sure that they are visiting their intended website, and always to exercise caution before deciding to disclose any login credentials.

Even with security awareness training, employees cannot be expected to recognize all phishing attempts. Phishers are developing increasingly sophisticated phishing emails that are barely distinguishable from genuine emails. Websites are harder to identify as malicious, emails are well written and convincing, and corporate branding and logos are often used to fool end users. Technological solutions are therefore required to reduce the number of emails that reach inboxes, and to prevent users from visiting malicious links when they do.

A spam filtering solution is essential for reducing the volume of emails that are delivered. Organizations should also consider using a web filtering solution that can block access to known phishing websites. The most effective real-time URL filtering solutions do not rely on blacklists and banned IP addresses to block attacks. Blacklists still have their uses and can prevent phishing attacks, but phishing websites are typically only active for a few hours – Before the sites are identified as malicious and added to blacklists. A range of additional detection mechanisms are required to block phishing websites. Due to the increase in phishing sites on secure websites, web filters should be able to decrypt, scan, and re-encrypt web traffic.

Healthcare organizations should also sign up to threat intelligence services to receive alerts about industry-specific attacks. To avoid being swamped with irrelevant threat information, services should be tailored to ensure only treat information relevant to each organization is received.

The post How Can Healthcare Organizations Prevent Phishing Attacks? appeared first on HIPAA Journal.

Is G Suite HIPAA Compliant?

Is G Suite HIPAA compliant? Can G Suite be used by HIPAA-covered entities without violating HIPAA Rules?

Google has developed G Suite to include privacy and security protections to keep data secure, and those protections are of a sufficiently high standard to meet the requirements of the HIPAA Security Rule. Google will also sign a business associate agreement (BAA) with HIPAA covered entities. So, is G Suite HIPAA compliant? G Suite can be used without violating HIPAA Rules, but HIPAA compliance is more about the user than the cloud service provider.

Making G Suite HIPAA Compliant (by default it isn’t)

As with any secure cloud service or platform, it is possible to use it in a manner that violates HIPAA Rules. In the case of G Suite, all the safeguards are in place to allow HIPAA covered entities to use G Suite in a HIPAA compliant manner, but it is up to the covered entity to ensure that G Suite is configured correctly. It is possible to use G Suite and violate HIPAA Rules.

Obtain a BAA from Google

One important requirement of HIPAA is to obtain a signed, HIPAA-compliant business associate agreement (BAA).

Google first agreed to sign a business associate agreement with healthcare organizations in 2013, back when G Suite was known as Google Apps. The BAA must be obtained prior to G Suite being used to store, maintain, or transmit electronic protected health information. Even though privacy and security controls are in place, the failure to obtain a BAA would be a HIPAA violation.

Obtaining a signed BAA from Google is the first step toward HIPAA compliance, but a BAA alone will not guarantee compliance with HIPAA Rules.

Configure Access Controls

Before G Suite can be used with any ePHI, the G Suite account and services must be configured correctly via the admin console. Access controls must be set up to restrict access to the services that are used with PHI to authorized individuals only. You should set up user groups, as this is the easiest way of providing – and blocking – access to PHI, and logs and alerts must be also be configured.

You should also make sure all additional services are switched off if they are not required, switch on services that include PHI ‘on for some organizations,’ and services that do not involve PHI can be switched on for everyone.

Set Device Controls

HIPAA-covered entities must also ensure that the devices that are used to access G Suite include appropriate security controls. For example, if a smartphone can be used to access G Suite, if that device is lost or stolen, it should not be possible for the device to be used by unauthorized individuals. A login must be required to be entered on all mobiles before access to G Suite is granted, and devices configured to automatically lock. Technology that allows the remote erasure of all data (PHI) stored on mobile devices should also be considered. HIPAA-covered entities should also set up two-factor authentication.

Not All Google Services are Covered by the BAA

You may want to use certain Google services even if they are not covered by the BAA, but those services cannot be used for storing or communicating PHI. For example, Google+ and Google Talk are not included in the BAA and cannot be used with any PHI.

If you do decide to leave these services on, you must ensure that your policies prohibit the use of PHI with these services and that those policies are effectively communicated to all employees. Employees must also receive training on G Suite with respect to PHI to ensure HIPAA Rules are not accidentally violated.

What Services in G Suite are HIPAA Compliant?

At the time of writing, only the following core services of G Suite are covered by Google’s BAA, and can therefore be used with PHI:

  • Gmail (Not free Gmail accounts)
  • Calendar
  • Drive
  • Apps Script
  • Keep
  • Sites
  • Jamboard
  • Hangouts (Chat messaging only)
  • Google Cloud Search
  • Vault

Google Drive

In the case of Google Drive, it is essential to limit sharing to specific people. Otherwise it is possible that folders and files could be accessed by anyone over the Internet> drives should be configured to only allow access by specific individuals or groups. Any files uploaded to Google Drive should not include any PHI in titles of files, folders, or Team Drives.


Gmail, the free email service offered by Google, is not the same as G Suite. Simply using a Gmail account (@gmail.com) to send PHI is not permitted. The content of Gmail messages is scanned by third parties. If PHI is included, it is potentially being ‘accessed’ by third parties, and deleting an email does not guarantee removal from Google’s servers. Free Gmail accounts are not HIPAA compliant.

G Suite HIPAA Compliance is the Responsibility of Users

Google encourages healthcare organizations to use G Suite and has done what it can to make G Suite HIPAA compliant, but Google clearly states it is the responsibility of the user to ensure that the requirements of HIPAA are satisfied.

Google help healthcare organziations make G Suite HIPAA compliant, Google has developed guidance for healthcare organizations on setting up G Suite: See Google’s G Suite HIPAA Implementation Guide.

The post Is G Suite HIPAA Compliant? appeared first on HIPAA Journal.

What Happens if a Nurse Violates HIPAA?

What happens if a nurse violates HIPAA Rules? How are HIPAA violations dealt with and what are the penalties for individuals that accidentally or deliberately violate HIPAA and access, disclose, or share protected health information (PHI) without authorization?  

The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules must be followed by all covered entities and their business associates. The failure to comply with HIPAA Rules can result in significant penalties for HIPAA covered entities. Business associates of covered entities can also be fined directly for HIPAA violations, but what about individual healthcare workers such as nurses? What happens if a nurse violates HIPAA Rules?

What are the Penalties if a Nurse Violates HIPAA?

Accidental HIPAA violations by nurses happen, even when care is taken to follow HIPAA Rules. While all HIPAA violations can potentially result in disciplinary action, most employers would accept that accidental violations are bound to occur from time to time. In many cases, minor violations of HIPAA Rules may not have negative consequences and can be dealt with internally. Employers may decide to provide additional training in some cases to ensure the requirements of HIPAA are fully understood.

If a nurse violates HIPAA by accident, it is vital that the incident is reported to the person responsible for HIPAA compliance in your organization – the Privacy Officer, if your organization has appointed one – or your supervisor. The failure to report a minor violation could have major consequences. You can read more about accidental HIPAA violations here.

Serious violations of HIPAA Rules, even when committed without malicious intent, are likely to result in disciplinary action, including termination and punishment by the board of nursing. Termination for a HIPAA violation does not just mean loss of current employment and benefits. It can make it very hard for a nurse to find alternative employment. HIPAA-covered entities are unlikely to recruit a nurse that has previously been fired for violating HIPAA Rules.

Willful violations of HIPAA Rules, including theft of PHI for personal gain or use of PHI with intent to cause harm, can result in criminal penalties for HIPAA violations. HIPAA-covered entities are likely to report such incidents to law enforcement and investigations will be launched. Complaints about HIPAA violations submitted to the Office for Civil Rights can be referred to the Department of Justice to pursue criminal penalties, including fines and imprisonment. Criminal prosecutions are rare, although theft of PHI for financial gain is likely to result in up to 10 years in jail.

There is no private cause of action in HIPAA. If a nurse violates HIPAA, a patient cannot sue the nurse for a HIPAA violation. There may be a viable claim, in some cases, under state laws.

Further information on the penalties for HIPAA violations are detailed here.

Examples of HIPAA Violations by Nurses

The list of possible HIPAA violations by nurses is long, although the most common nurse HIPAA violations are listed below.

  • Accessing the PHI of patients you are not required to treat
  • Gossiping – Talking about specific patients and disclosing their health information to family, friends & colleagues
  • Disclosing PHI to anyone not authorized to receive the information
  • Taking PHI to a new employer
  • Theft of PHI for personal gain
  • Use of PHI to cause harm
  • Improper disposal of PHI – Discarding protected health information with regular trash
  • Leaving PHI in a location where it can be accessed by unauthorized individuals
  • Disclosing excessive PHI and violating the HIPAA minimum necessary standard
  • Using the credentials of another employee to access EMRs/Sharing login credentials
  • Sharing PHI on social media networks (See below)

Nurses Who Violate HIPAA with Social Media

Sharing protected health information on social media websites should be further explained. There have been several instances in recent years of nurses who violate HIPAA with social media.

Posting any protected health information on social media websites, even in closed Facebook groups, is a serious HIPAA violation. The same applies to sharing PHI including photographs and videos of patients via messaging apps such as WhatsApp, Skype, and Facebook Messenger. Unless prior authorization has been received from a patient, in writing, nurses should avoid sharing photographs and videos of patients (or any PHI) on social media sites. The National Council of State Boards of Nursing (NCSBN) has released a useful guide for nurses on the use of social media (on this link).

There have been several recent cases of nurses taking photographs and videos of patients in compromising positions, recording abuse of patients in nursing homes, and taking embarrassing or degrading photographs and sharing them with friends via social media networks.

There has been considerable publicity surrounding the practice, following the publication of a report on the extent to which this is occurring by ProPublica (Summarized here). In that case it involved the sharing of photographs of patients on Snapchat. 35 separate cases were uncovered.

In January, a nursing assistant was fired for sharing videos and photos of abuse of a patient with Alzheimer’s on Snapchat. A criminal complaint was filed and the nursing assistant faces up to three and a half years in jail if convicted.

The post What Happens if a Nurse Violates HIPAA? appeared first on HIPAA Journal.

Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) Introduced by NY AG

The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) has been introduced into the legislature in New York by Attorney General Eric T. Schneiderman. The aim of the act is to protect New Yorkers from needless breaches of their personal information and to ensure they are notified when such breaches occur.

The program bill, which was sponsored by Senator David Carlucci (D-Clarkstown) and Assembly member Brian Kavanagh (D-Manhattan), is intended to improve protections for New York residents without placing an unnecessary burden on businesses.

The introduction of the SHIELD Act comes weeks after the announcement of the Equifax data breach which impacted more than 8 million New Yorkers. In 2016, more than 1,300 data breaches were reported to the New York attorney general’s office – a 60% increase in breaches from the previous year.

Attorney General Schneiderman explained that New York’s data security laws are “weak and outdated” and require an urgent update. While federal laws require some organizations to implement data security controls, in New York, there are no obligations for businesses to implement safeguards to secure the personal identifying information of New Yorkers if the data held on residents does not include a Social Security number.

The SHIELD Act will require all businesses, regardless of where they are based, to adopt reasonable administrative, physical, and technical safeguards for if they hold the sensitive data of New Yorkers. The laws will also apply if entities do not do business in the state of New York.

While many states have introduced data breach notification laws that require individuals impacted by breaches of information such as username/password combos and biometric data to be notified of the incidents, in New York, there are no such requirements. The Shield Act will change that and bring state laws in line with many other U.S. states.

Breach notification requirements will be updated to include breaches of username/password combos, biometric data, and protected health information covered by HIPAA laws. Breach notifications will be required if unauthorized individuals are discovered to have gained access to personal information as well as in cases of data theft.

Attorney General Schneiderman is encouraging businesses to go above and beyond the requirements of the SHIRLD Act and receive independent certification of their security controls to make sure they exceed the minimum required standards.

A flexible standard is being introduced for small businesses to ease the regulatory burden. Safeguards can be appropriate to the organization’s size for businesses employing fewer than 50 members of staff if gross revenue is under $3 million or they have less than $5 million in assets.

HIPAA-covered entities, organizations compliant with the Gramm-Leach-Bliley, and NYS DFS regulations will be deemed to already be compliant with the data security requirements of the SHIELD Act.

The failure to comply with the provisions of the SHIELD Act will be deemed to be a violation of General Business Law (GBL § 349) and will allow the state attorney general to bring suit and seek civil penalties under GBL § 350(d).

The post Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) Introduced by NY AG appeared first on HIPAA Journal.

HIMSS Draws Attention to Five Current Cybersecurity Threats

In its October Cybersecurity report, HIMSS draws attention to five current cybersecurity threats that could potentially be used against healthcare organizations to gain access to networks and protected health information.

Wi-Fi Attacks

Security researchers have identified a new attack method called a key reinstallation (CRACK) attack that can be conducted on WiFi networks using the WPA2 protocol. These attacks take advantage of a flaw in the way the protocol performs a 4-way handshake when a user attempts to connect to the network. By manipulating and replaying the cryptographic handshake messages, it would be possible to reinstall a key that was already in use and to intercept all communications. The use of a VPN when using Wi-Fi networks is strongly recommended to limit the potential for this attack scenario and man-in-the-middle attacks.

BadRabbit Ransomware

Limited BadRabbit ransomware attacks have occurred in the United States, although the NotPetya style ransomware attacks have been extensive in Ukraine. As with NotPetya, it is believed the intention is to cause disruption rather than for financial gain. The attacks are now known to use NSA exploits that were also used in other global ransomware attacks. Mitigations include ensuring software and operating systems are kept 100% up to date and all patches are applied promptly. It is also essential for that backups are regularly performed. Backups should be stored securely on at least two different media, with one copy stored securely offsite on an air-gapped device.

Advanced Persistent Threats

A campaign conducted by an APT group known as Dragonfly has been ongoing since at least May 2017. The APT group is targeting critical infrastructure organizations. The typical attack scenario is to target small networks with relatively poor security, and once access has been gained, to move laterally to major networks with high value assets. While the group has primarily been attacking the energy sector, the healthcare industry is also at risk. Further information on the threat and the indicators of compromise can be found on the US-CERT website.

DDE Attacks

In October, security researchers warned of the risk of Dynamic Data Exchange (DDE) attacks targeting Outlook users. This attack scenario involves the use of calendar invites sent via phishing emails. The invites are sent in Rich Text Format, and opening the invites could potentially result in the installation of malware. Sophos warned of the threat and suggested one possible mitigation is to view emails in plaintext. These attacks will present a warning indicating attachments and email and calendar invites contain links to other files. Users should click no when asked to update documents with data from the linked files.

Medical Device Security

HIMSS has drawn attention to the threat of attacks on medical devices, pointing out that these are a soft-spot and typically have poor cybersecurity protections. As was pointed out with the APT critical infrastructure attacks, it is these soft spots that malicious actors look to take advantage of to gain access to networks and data. HIMSS has warned healthcare organizations to heed the advice of analysts, who predict the devices will be targeted with ransomware. Steps should be taken to isolate the devices and back up any data stored on the devices, or the computers and networks to which they connect.

Medical device security was also the subject of the Office for Civil Rights October cybersecurity newsletter.

While not specifically mentioned in its list of current cybersecurity threats, the threat from phishing is ongoing and remains one of the most serious threats to the confidentiality, integrity, and availability of PHI. The threat can be reduced with anti-phishing defenses such as spam filtering software and with training to improve security awareness.

The post HIMSS Draws Attention to Five Current Cybersecurity Threats appeared first on HIPAA Journal.