HIPAA News for Small and Mid-Sized Practices

$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes

HIPAA covered entities and their business associates must abide by HIPAA Rules, yet when businesses closes the HIPAA obligations do not end. The HHS’ Office for Civil Rights (OCR) has made this clear with a $100,000 penalty for FileFax Inc., for violations that occurred after the business had ceased trading.

FileFax is a Northbrook, IL-based firm that offers medical record storage, maintenance, and delivery services for HIPAA covered entities. The firm ceased trading during the course of OCRs investigation into potential HIPAA violations.

An investigation was launched following an anonymous tip – received on February 10, 2015 – about an individual that had taken documents containing protected health information to a recycling facility and sold the paperwork.

That individual was a “dumpster diver”, not an employee of FileFax. OCR determined that the woman had taken files to the recycling facility on February 6 and 9 and sold the paperwork to the recycling firm for cash. The paperwork, which included patients’ medical records, was left unsecured at the recycling facility. In total, the records of 2,150 patients were included in the paperwork.

OCR determined that between January 28, 2015 and February 14, 2015, FileFax had impermissibly disclosed the PHI of 2,150 patients as a result of either: A) Leaving the records in an unlocked truck where they could be accessed by individuals unauthorized to view the information or; B) By granting permission to an individual to remove the PHI and leaving the unsecured paperwork outside its facility for the woman to collect.

Since FileFax is no longer in business – the firm was involuntarily dissolved by the Illinois Secretary of State on August 11, 2017 – the HIPAA penalty will be covered by the court appointed receiver, who liquidated the assets of FileFax and is holding the proceeds of that liquidation.

A corrective action plan has also been issued that requires the receiver to catalogue all remaining medical records and ensure the records are stored securely for the remainder of the retention period. Once that time period has elapsed, the receiver must ensure the records are securely and permanently destroyed in accordance with HIPAA Rules.

The settlement has been agreed with no admission of liability.

HIPAA Retention Requirements and Disposal of PHI

There are no HIPAA retention requirements – Covered entities and their business associates are not required to keep medical records after their business has ceased trading. However, that does not mean medical records and PHI can be disposed of immediately. Businesses are bound by state laws, which do require documents to be retained for a set period of time. For instance, in Florida, physicians must maintain medical records for 5 years after the last patient contact and in North Carolina hospitals must maintain records for 11 years following the last date of discharge.

During that time, HIPAA requires appropriate administrative, technical, and physical safeguards to be implemented to ensure those records are secure and remain confidential. After the retention period is over, all PHI must be disposed of in a compliant manner.

In the case of paper records, disposal typically means shredding, burning, pulping, or pulverization. Whatever method chosen must render the documents indecipherable and incapable of reconstruction.

This HIPAA breach is similar to several others that have occurred over the past few years. Businesses have ceased trading and paper records containing the protected health information of patients have been dumped, abandoned, or left unsecured. There have also been cases where businesses have moved location and left paperwork behind, only for contractors performing a cleanup or refurb of the property to find the paperwork and dispose of it with regular trash.

The failure to secure PHI during the retention period and the incorrect disposal of records after that retention period is over are violations of HIPAA Rules that can attract a significant financial penalty.

“The careless handling of PHI is never acceptable,” said OCR Director Roger Severino in a press release about the latest HIPAA settlement. “Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”

The post $100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes appeared first on HIPAA Journal.

Healthcare Industry Scores Poorly on Employee Security Awareness

A recent report published by security awareness training company MediaPro has revealed there is still a lack of preparedness to deal with common cyberattack scenarios and privacy and security threats are still not fully understood by healthcare professionals.

For MediaPro’s 2017 State of Privacy and Security Awareness Report, the firm surveyed 1,009 US healthcare industry employees to assess their level of security awareness. Respondents were asked questions about common privacy and security threats and were asked to provide answers on several different threat scenarios to determine how they would respond to real world threats.

Based on the responses, MediaPro assigned respondents to one of three categories. Heroes were individuals who scored highly and displayed a thorough understanding of privacy and security threats by answering 93.5%-100% of questions correctly. Novices showed a reasonable understanding of threats, answering between 77.4% and 90.3% of answers correctly. The lowest category of ‘Risks’ was assigned to individuals with poor security awareness, who scored 74.2% or lower on the tests. Those individuals were deemed to pose a significant risk to their organization and the privacy of sensitive data.

Overall, 78% of healthcare employees were classified as risks or novices. The percentage of individuals rated in these two categories across all industry sectors was 70%, showing the healthcare industry still lags behind other industry sectors on security awareness and privacy and security best practices.

The survey revealed physicians’ understanding of privacy and security threats was particularly poor. Half of physicians who took part in the study were classified as risks, meaning their actions were a serious security threat to their organization. Awareness of the common identifiers of phishing emails was particularly poor, with 24% of physicians displaying a lack of understanding of phishing, compared with 8% of office workers and non-provider counterparts.

One of the main areas where security awareness was lacking was the identification of the common signs of a malware infection. 24% of healthcare employees had difficulty identifying the signs of a malware infection compared to 12% of the general population.

Healthcare employees scored worse than the general population in eight areas assessed by MediaPro: Incident reporting, identifying personal information, physical security, identifying phishing attempts, identifying the signs of malware infections, working remotely, cloud computing, and acceptable use of social media.

MediaPro points out that the 2017 Data Breach Investigations Report from Verizon showed human error accounted for more than 80% of healthcare data breaches last year, emphasizing the need for improved security awareness training for healthcare employees. Further, cybercriminals have been increasing their efforts to gain access to healthcare networks and sensitive patient information.

“The results of our survey show that more work needs to be done,” MediaPro explains in the report. “HIPAA courses often do not include information on how to stay cyber-secure in an increasingly interconnected world. Keeping within HIPAA regulations, while vital, does not educate users on how to spot a phishing attack, for example.”

If the security awareness of healthcare employees is not improved, the healthcare industry is likely to continue to be plagued by data breaches, irrespective of the level of maturity of their security defenses.

The post Healthcare Industry Scores Poorly on Employee Security Awareness appeared first on HIPAA Journal.

Is iCloud HIPAA Compliant?

Is iCloud HIPAA compliant? Can healthcare organizations use iCloud for storing files containing electronic protected health information (ePHI) or sharing ePHI with third-parties? This article assesses whether iCloud is a HIPAA compliant cloud service.

Cloud storage services are a convenient way of sharing and storing data. Since files uploaded to the cloud can be accessed from multiple devices in any location with an Internet connection, information is always at hand when it is needed.

There are many cloud storage services to choose from, many of which are suitable for use by healthcare providers for storing and sharing ePHI. They include robust access and authentication controls and data uploaded to and stored in the cloud is encrypted. Logs are also maintained so it is possible to tell who accessed data, when access occurred, and what users did with the data once access was granted.

iCloud is a cloud storage service that owners of Apple devices can easily access through their iPhones, iPads, and Macs. iCloud has robust authentication and access controls, and data is encrypted in storage and during transfer. The level of encryption used by Apple certainly meets the minimum standard demanded by HIPAA. iCloud certainly appears to tick all the right boxes in terms of security, but is iCloud HIPAA compliant?

Will Apple Sign a Business Associate Agreement with HIPAA Covered Entities?

Cloud storage services are not covered by the HIPAA Conduit Exception Rule and are therefore classed as business associates. As a business associate, the service provider is required to enter into a contract with a HIPAA covered entity – in the form of a business associate agreement – before its service can be used in connection with any ePHI.

It is the responsibility of the covered entity to ensure a BAA is obtained prior to the use of any cloud service for sharing, storing, or transmitting ePHI.

That business associate agreement must explain the responsibilities the service provider has with respect to any ePHI uploaded to its cloud storage platform. The BAA should also explain the uses and disclosures of PHI, and the need to alert the covered entity of any breaches that expose data.

If a BAA is not obtained from Apple, its iCloud service cannot be used with any ePHI. So, will Apple sign a BAA with HIPAA covered entities?

Apple could not have made it any clearer in its iCloud terms and conditions that the use of iCloud by HIPAA-covered entities or their business associates for storing or sharing ePHI is not permitted, and that doing so would be a violation of HIPAA Rules.

“If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”

Is iCloud HIPAA Compliant?

It doesn’t matter what security controls are in place to ensure ePHI cannot be accessed by unauthorized individuals. If a communications channel is not covered by the conduit exception rule and the service provider will not enter into a contract with a HIPAA covered entity in the form of a business associate agreement, the service cannot be used with any ePHI. So, is iCloud HIPAA compliant? Until such point that Apple decides to sign a BAA, iCloud is not a HIPAA compliant cloud service and should not be used by healthcare organizations for sharing, storing, or transmitting ePHI.

The post Is iCloud HIPAA Compliant? appeared first on HIPAA Journal.

How Can Healthcare Organizations Protect Against Cyber Extortion

In its January 2018 Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights drew attention to the rise in extortion attempts on healthcare organizations and offered advice on how healthcare organizations can protect against cyber extortion

Ransomware Attacks Have Risen Significantly

Ransomware attacks on healthcare organizations have increased significantly over the past two years. Healthcare providers are heavily reliant on access to electronic data and any attack that prevents access is likely to have a major impact on patients. The inevitable disruption to services – and the cost of that disruption – makes it more likely that a ransom will be paid.

The relatively high probability of a ransom being paid, coupled with the ease of attacking healthcare organizations, has made the industry an attractive target for cybercriminals.

It may be more cost effective and better for patients if a ransom to be paid instead of recovering data from backups. That was certainly the view of Hancock Health. A ransom payment of 4 Bitcoin was paid to minimize disruption when data could have been recovered from backups.

Paying a ransom may seem preferable, but there is no guarantee that data will be recoverable. This year has seen wiper malware used that mimics ransomware. In such cases, there are no keys to unlock encrypted data. There have also cases of ransoms being paid, only for further demands to be sent, such as the 2016 ransomware attack on Kansas Heart Hospital.

Data Theft and Threats of Data Dumps

There have been numerous cases of data theft by hackers followed by threats to dump the data online if a ransom payment is not made – The modus operandi of the hacking group, TheDarkOverlord. The hacking group was responsible for many cyber extortion attacks on healthcare providers over the past 2 years.

Typically, this type of attack sees vulnerabilities exploited to gain access to data. Brute force attacks allow weak passwords to be guessed, and the past year saw several healthcare organizations have data stolen as a result of misconfigurations of databases and unsecured Amazon S3 buckets. Several attacks saw data deleted from healthcare organizations’ databases after data had been exfiltrated, adding an extra incentive to pay the ransom demand.

As with ransomware attacks, there is no guarantee that the attacker will return data, make good on a promise not to publish data or delete any copies of stolen PHI.

DoS and DDoS Attacks

Not all cyber extortion attempts involve the theft of data or use of encryption to prevent PHI access. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks direct large volumes of traffic to computers and servers rendering them inaccessible. Demands for payment are often issued to stop the attacks, or threats of attacks are made unless payment is made.

How Can Healthcare Organizations Reduce Cyber Extortion Risk?

There are several ways that healthcare organization can reduce the risk of cyber extortion attacks, most of which are general cybersecurity best practices which should already have been adopted. Others are requirements of HIPAA Rules.

The most important measure, and one which so many healthcare organizations fail at,  is to perform a comprehensive, organization-wide risk analysis covering all systems and devices containing ePHI and systems/devices that can be used to access PHI. A risk management program must also be implemented that addresses all identified vulnerabilities and reduces them to an acceptable level.

Since so many cyber extortion attacks take advantage of unplugged vulnerabilities, healthcare organizations need to ensure all software and operating systems are kept up to date and patches are applied promptly. Robust inventory and vulnerability identification processes are necessary to ensure the accuracy and completeness of risk analyses.

Healthcare organizations should consider signing up with information Sharing and Analysis Organizations (ISAO) and other providers of threat intelligence to discover new threats and vulnerabilities in time to block attacks.

Ransomware attacks often occur as a result of healthcare employees responding to malicious emails. Unless a security awareness training program is implemented, employees will be a major weak point in security defenses. Technologies should also be implemented to block malicious emails and prevent them from reaching end users’ inboxes.

While anti-malware, anti-virus, and other signature-based malware defenses are not as effective as they once were, they are still an essential part of security defenses for healthcare organizations. Firewalls and other perimeter and network defenses should also be deployed, while internal defenses should be hardened to slow down attacks and prevent lateral movement within a network. Network segmentation is strongly recommended.

Just as encryption can prevent breaches when portable devices are lost or stolen, encryption can also prevent attackers from gaining access to sensitive data if the network is breached. Regular backups should also be created to ensure data recovery is possible without paying a ransom. A good backup strategy is the 3-2-1 approach. At least three copies of data, on two different media, with one copy stored securely off-site.

Backups are only of use if data recovery is possible. Backups should therefore be tested to make sure data has not been corrupted and can be recovered in the event of a cyberattack.

The post How Can Healthcare Organizations Protect Against Cyber Extortion appeared first on HIPAA Journal.

Analysis of Healthcare Data Breaches in 2017

A summary and analysis of healthcare data breaches in 2017 has been published by Protenus. Data for the report is obtained from Databreaches.net, which tracks healthcare data breaches reported to OCR, the media, and other sources. The 2017 breach report gives an indication of the state of healthcare cybersecurity.  So how has 2017 been?

There Were at Least 477 Healthcare Data Breaches in 2017

In some respects, 2017 was a good year. The super-massive data breaches of 2015 were not repeated, and even the large-scale breaches of 2016 were avoided. However, healthcare data breaches in 2017 occurred at rate of more than one per day.

There were at least 477 healthcare data breaches in 2017 according to the report. While all those breaches have been reported via one source or another, details of the nature of all the breaches is not known. It is also unclear at this stage exactly how many healthcare records were exposed. Numbers have only been obtained for 407 of the breaches.

There was a slight increase (6%) in reported breaches in 2017, up from 450 incidents in 2016. However, there was a massive reduction in the number of breached records. In 2016, there were 27,314,647 records exposed/stolen. The 407 healthcare data breaches in 2017 resulted in the exposure/theft of 5,579,438 records.

In 2017, there were no million-record+ breaches. The largest security incident was a breach of 697,800 records. That breach was an insider incident where a healthcare employee downloaded PHI onto a USB drive and CD.

Main Causes of Healthcare Data Breaches in 2017

There were two causes of healthcare data breaches in 2017 that dominated the breach reports – Hacking/IT incidents and insider breaches, both of which were behind 37% of the year’s breaches. 178 incidents were attributed to hacking/IT incidents. There were 176 breaches caused by insider wrongdoing or insider errors.

Hacking/IT incidents resulted in the exposure/theft of 3,436,742 records, although detailed data is only available for 144 of those breaches. In 2016, 86% of breaches were attributed to hacking/IT incidents. In 2016, 120 hacking incidents were reported which resulted in the exposure/theft of 23,695,069 records. The severity of hacks/insider incidents was therefore far lower in 2017, even though hacking incidents were more numerous.

What is clear from the breach reports is a major increase in malware/ransomware attacks, which were at more than twice the level seen in 2016. This could be explained, in part, by the issuing of new guidance from OCR on ransomware attacks. OCR confirmed that ransomware attacks are usually reportable security incidents under HIPAA Rules. Until the issuing of that guidance, many healthcare organizations did not report ransomware attacks unless it was clear that data had been stolen or viewed prior to or during the attack.

Insider breaches continue to plague the healthcare industry. Data is available for 143 of the 176 data breaches attributed to insiders. 1,682,836 records were exposed/stolen in those incidents. While the totals are still high, there were fewer insider incidents in 2017 than 2016, and the incidents resulted in fewer exposed records. There were 192 insider-related incidents in 2016 and those incidents resulted in the exposure/theft of 2,000,262 records.

Protenus broke down the incidents into insider error – mistakes made by healthcare employees – and insider wrongdoing, which included theft and snooping. The breakdown was 102 insider errors and 70 cases of insider wrongdoing. Four incidents could not be classified as either. One of the cases of snooping lasted for an astonishing 14 years before it was discovered.

While theft of PHI by employees is difficult to eradicate, arguably the easiest cause of healthcare data breaches to prevent is theft of electronic devices containing unencrypted PHI. If devices are encrypted, if they are stolen the incidents do not need to be reported. There has been a steady reduction in theft breaches over the past few years as encryption has been more widely adopted. Even so, 58 breaches (16%) were due to theft. Data is available for 53 of those incidents, which resulted in the exposure of 217,942 records. The cause of 47 healthcare data breaches in 2017 could not be determined from the data available.

Breached Entities and Geographic Spread

The breaches affected 379 healthcare providers (80%), 56 health plans (12%), and 4% involved other types of covered entity. Business associate reported 23 incidents (5%) although a further 66 breaches (14%) reported by covered entities had some business associate involvement. Figures are known for 53 of those breaches, which resulted in the exposure/theft of 647,198 records.  Business associate breaches were lower than in 2016, as was the number of records exposed by those breaches.

There were breaches by covered entities and business associates based in 47 states, Puerto Rico and the District of Columbia. Interestingly, three states were free from healthcare data breaches in 2017 – Hawaii, Idaho, and New Mexico. California was the worst hit with 57, followed by Texas on 40, and Florida with 31.

Slower Detection, Faster Notification

Reports of healthcare data breaches in 2017 show that in many cases, breaches are not detected until many months after the breach occurred. The average time to discover a breach, based on the 144 incidents for which the information is known, was 308 days. Last year the average time to discover a breach was 233 days. It should be noted that the data were skewed by some breaches that occurred more than a decade before discovery.

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) allows up to 60 days from the discovery of a breach to report the incident. The average time to report a breach, based on the 220 breaches for which information was available, was 73 days. Last year the average was 344 days.

The faster reporting may have been helped by the OCR settlement with Presense Health in January for delaying breach notifications – The first HIPAA penalty solely for late breach notifications.

Overall there were several areas where the healthcare industry performed better in 2017, although the report shows there is still considerable room for improvement, especially in breach prevention, detection and reporting.

The post Analysis of Healthcare Data Breaches in 2017 appeared first on HIPAA Journal.

Analysis of Q4 2017 Healthcare Security Breaches

Q4, 2017 saw a 13% reduction in healthcare security breaches reported to the Department of Health and Human Services’ Office for Civil Rights. There were 99 data breaches reported in Q3, 2017. In Q4, there were 86 security breaches reported.

There were 27 healthcare security breaches reported in September, following by a major decline in breaches in November, when 21 incidents were reported. However, December saw a significant uptick in incidents with 38 reported breaches.

Q4 2017 Healthcare Security Breaches by Month

Accompanied by the quarterly decline in security incidents was a marked decrease in the severity of breaches. In Q3, there were 8 data breaches reported that impacted more than 50,000 individuals. In Q4, no breaches on that scale were reported. The largest incident in Q4 impacted 47,000 individuals.

 Largest Q4, 2017 Healthcare Security Breaches

 

Covered Entity Entity Type Number of Records Breached Cause of Breach
Oklahoma Department of Human Services Health Plan 47000 Hacking/IT Incident
Henry Ford Health System Healthcare Provider 43563 Theft
Coplin Health Systems Healthcare Provider 43000 Theft
Pulmonary Specialists of Louisville, PSC Healthcare Provider 32000 Hacking/IT Incident
SSM Health Healthcare Provider 29579 Unauthorized Access/Disclosure
UNC Health Care System Healthcare Provider 27113 Theft
Emory Healthcare Healthcare Provider 24000 Unauthorized Access/Disclosure
Franciscan Physician Network of Illinois and Specialty Physicians of Illinois, LLC (formerly known as WellGroup Health Partners, LLC) Healthcare Provider 22000 Loss
Chase Brexton Health Care Healthcare Provider 16562 Hacking/IT Incident
Hackensack Sleep and Pulmonary Center Healthcare Provider 16474 Hacking/IT Incident
Longs Peak Family Practice, P.C. Healthcare Provider 16238 Hacking/IT Incident
Shop-Rite Supermarkets, Incorporated Healthcare Provider 12172 Improper Disposal
Sinai Health System Healthcare Provider 11347 Hacking/IT Incident
The Medical College of Wisconsin, Inc. Healthcare Provider 9500 Hacking/IT Incident
Golden Rule Insurance Company Health Plan 9305 Unauthorized Access/Disclosure

 

There was a steady increase in breached records each month in Q4. In October, 71,377 records were breached, rising to 107,143 records in November and 341,621 records in December. Even December’s high total was lower than any month in the previous quarter.

Q4 2017 Healthcare Security Breaches - breached records

 

Hacking/IT incidents tend to involve the highest number of exposed/stolen records and Q4 was no exception. 7 of the top 15 security incidents (47%) were due to hacks and IT incidents. Loss and theft incidents accounted for 27% of the worst healthcare security breaches in Q4, followed by unauthorized access/disclosures on 20%.

Causes of Q4 2017 Healthcare Security Breaches

 

While hacking/IT incidents resulted in the exposure/theft of the most records, unauthorized access/disclosure incidents were the most numerous. Out of the 86 reported healthcare security breaches in Q4, 33 were unauthorized access/disclosures (38.37%). There were 29 hacking/IT incidents (33.7%), and 20 incidents (23.3%) involving the loss/theft of PHI and electronic devices containing ePHI. Four incidents (4.7%) involved the improper disposal of PHI/ePHI.

In Q4, paper records/films were involved in the most breaches, showing how important it is to physically secure records. 21 incidents (24.4%) involved physical records. As was the case in Q3, email was also a top three cause of breaches, with many healthcare organizations suffering phishing attacks in Q4. Network server attacks completed the top three locations of breached PHI.

Q4 2017 Healthcare Security Breaches - location of breached PHI

 

 

Healthcare providers reported the most security breaches in Q4, following by health plans and business associates of HIPAA-covered entities, as was the case for most of 2017.

Q4 2017 Healthcare Security Breaches by covered entity

 

In Q4, 2017, healthcare organizations based in 35 states reported security breaches. Unsurprisingly, being the most populous state in the US, California topped the list for the most reported healthcare security breaches with 7 incidents in Q4.

In close second on 6 breaches were Florida and Maryland, followed by New York with 5 incidents. Kentucky, Michigan, and Texas each had four reported breaches, and Colorado, Illinois, New Jersey, and Pennsylvania each suffered 3 incidents.

Q4 2017 Healthcare Security Breaches - by state

 

 

 

The post Analysis of Q4 2017 Healthcare Security Breaches appeared first on HIPAA Journal.

Is FaceTime HIPAA Compliant?

Is FaceTime HIPAA compliant? Can FaceTime be used by HIPAA covered entities to communicate protected health information (PHI) without violating HIPAA Rules?

In this article we will examine the protections in place to keep transmitted information secure, whether Apple will sign a business associate agreement for FaceTime, and if a BAA is necessary.

Will Apple Sign A BAA for FaceTime?

An extensive search of the Apple website has revealed no sign that Apple will sign a business associate agreement with healthcare organizations for any of its services. The only mention of its services in relation to HIPAA-covered entities is in relation to iCloud, which Apple clearly states should not be used by healthcare providers or their business associates to create, receive, maintain or transmit PHI.

Since Apple is not prepared to sign a business associate agreement for FaceTime, that would indicate FaceTime is not a HIPAA compliant service. However, business associate agreements only need to be signed by business associates. So, is Apple a business associate?

The HIPAA Conduit Exception Rule

The HIPAA Conduit Exception Rule applies to organizations that act as conduits through which PHI is sent. The HIPAA Conduit Exception Rule covers entities such as the US Postal Service, some courier companies, and their electronic equivalents. Internet Service Providers (ISPs) fall under the description of “electronic equivalents,” as do telephone service providers such as AT&T. But what about FaceTime?

There is some debate about whether FaceTime is covered by the HIPAA Conduit Exception Rule. In order to be considered as a conduit, the service provider must not store any PHI, must not access PHI, and not have the key to unlock encryption.

The Office for Civil Rights has confirmed on its website that cloud service providers are generally not considered conduits, even if the CSP does not access ePHI, or cannot view the information because ePHI is encrypted and no key is held to unlock the encryption. That is because the HIPAA Conduit Exception Rule only applies to transmission-only services, where any ePHI storage is only transient. That is not the case with CSPs.

Apple has confirmed that all communications through FaceTime are protected by end to end encryption. Access controls are in place, via Apple IDs, to ensure the service can only be used by authorized individuals. Apple also does not store any information sent via FaceTime. FaceTime is a peer-to-peer communication channel, and voice and audio communications are transmitted between the individuals involved in the session. Apple also cannot decrypt sessions.

Apple says, “FaceTime uses Internet Connectivity Establishment (ICE) to establish a peer-to-peer connection between devices. Using Session Initiation Protocol (SIP) messages, the devices verify their identity certificates and establish a shared secret for each session. The cryptographic nonces supplied by each device are combined to salt keys for each of the media channels, which are streamed via Secure Real Time Protocol (SRTP) using AES-256 encryption.”

Is FaceTime HIPAA Compliant?

So, is FaceTime HIPAA compliant? No communications platform can be truly HIPAA compliant as HIPAA compliance is about users, not technology. It would be possible to use FaceTime in a noncompliant way, such as communicating PHI with an individual who is not authorized to have the information. However, protections are in place to ensure FaceTime can be used in a HIPAA compliant fashion.

The question is FaceTime HIPAA compliant depends entirely on whether it is classed as a conduit, since Apple will not sign a BAA. In our opinion, FaceTime could be classed as a conduit. The US Department of Veteran Affairs also believes FaceTime is HIPAA compliant and allows its use, which shows it is confident that the service is classed as a conduit.

However, other companies that provide video conferencing platforms do not feel the same way, and offer to sign BAAs with HIPAA-covered entities. Therefore, our advice is to use one of those business solutions rather than the consumer-focused FaceTime and err on the side of caution.

The post Is FaceTime HIPAA Compliant? appeared first on HIPAA Journal.

HIPAA Covered Entities Urged to Address Spectre and Meltdown Chip Vulnerabilities

The Office for Civil Rights has sent an email update on the Spectre and Meltdown chip vulnerabilities, urging HIPAA-covered entities to mitigate the vulnerabilities as part of their risk management processes. The failure to address the computer chip flaws could place the confidentiality, integrity, and availability of protected health information at risk.

HIPAA-covered entities have been advised to read the latest updates on the Spectre and Meltdown chip vulnerabilities issued by the Healthcare Cybersecurity and Communications Integration Center (HCCIC).

What are Spectre and Meltdown?

Spectre and Meltdown are computer chip vulnerabilities present in virtually all computer processors manufactured in the past 10 years. The vulnerabilities could potentially be exploited by malicious actors to bypass data access protections and obtain sensitive data, including passwords and protected health information.

Meltdown is an attack that exploits a hardware vulnerability (CVE-2017-5754) by tricking the CPU into speculatively loading data marked as unreadable or “privileged,” allowing side-channel exfiltration. Spectre is an attack involving two vulnerabilities (CVE-2017- 5753, CVE-2017-5715) in the speculative execution features of CPUs. The first vulnerability is exploited to trick the CPU into mispredicting a branch of code of the attacker’s choosing, with the second used to trick the CPU into speculatively loading the memory allocated to another application on the system. The Meltdown and Spectre chip vulnerabilities can be exploited to gain access to sensitive data, including passwords, cryptographic keys used to protect PII, PHI, or PCI information handled by an application’s database.

Meltdown and Spectre affect computers running on Windows, Mac, Linux and other operating systems. Eradicating the vulnerabilities means replacing chips on all vulnerable devices; however, operating system vendors have been developing patches that will prevent the vulnerabilities from being exploited. Updates have also been made to web browsers to prevent web-based exploitation of the vulnerabilities.

Following the disclosure of the vulnerabilities, HCCIC alerted healthcare organizations about the risk of attack, with the vulnerabilities categorized as a medium threat since local access is generally required to exploit the flaws. However, potentially the flaws can be exploited remotely if users visit a specially crafted website. Browsers are susceptible due to improper checks on JavaScript code, which could lead to information disclosure of browser data.

Mitigating the Threat of Spectre and Meltdown Attacks

Patching operating systems and browsers will mitigate the vulnerabilities, but there may be a cost. The patches can affect system performance, slowing computers by 5-30%. Such a reduction would be noticeable when running high demand computer applications.

There have also been several compatibility issues with anti-virus software and other programs. It is therefore essential for patches to be thoroughly tested before implementation, especially on high value assets and systems containing PII and PHI.

Due to the compatibility issues, Microsoft is only releasing updates for computers that are running anti-virus software that has been confirmed as compatible with the patch. If anti-virus software is not updated, computers will remain vulnerable as the update will not take place. Most anti-virus software companies have now updated their programs, but not all. Kevin Beaumont is maintaining a list of the patch status of AV software.

Web browsers must also be updated to the latest versions. Microsoft has updated Internet Explorer 11 and Microsoft Edge, and Firefox (57.0.4) and Safari (11.0.2) include the update. Google Chrome has also been patched. Healthcare organizations should ensure they are running the latest versions of browsers on all devices to prevent data leakage and operating systems should be patches as soon as possible. One of the main challenges for healthcare organizations is identifying all vulnerable devices – including computers, medical devices and accessory medical equipment – and ensuring they are fully patched.

The vulnerabilities also affect cloud service providers, as their servers also contain computer chips. There could be leakage of PII and PHI from cloud environments if patches have not been applied.

Amazon AWS and Azure have already been patched to protect against Meltdown and Spectre. Healthcare organizations using other managed cloud service providers or private cloud instances should check that they have been patched and are protected against Meltdown and Spectre.

The post HIPAA Covered Entities Urged to Address Spectre and Meltdown Chip Vulnerabilities appeared first on HIPAA Journal.

The HIPAA Conduit Exception Rule and Transmission of PHI

The HIPAA Conduit Exception Rule is a source of confusion for many HIPAA covered entities, but it is essential that this aspect of HIPAA is understood. Failure to correctly classify a service provider as a conduit or a business associate could see HIPAA Rules violated and a significant financial penalty issued for noncompliance.

The HIPAA Omnibus Final Rule and Business Associates

On January 25, 2013, the HIPAA Omnibus Final Rule was issued. The HIPAA Omnibus Final Rule introduced a swathe of updates to HIPAA Rules, including the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HIPAA Omnibus Final Rule included an update to the definition of a business associate. Prior to January 25, 2013, a business associate was a person or entity that creates, receives, or transmits protected health information (PHI) on behalf of a covered entity. The Omnibus rule added ‘maintains’ to that definition. That meant companies that store electronic information – or physical records – are considered business associates. The Omnibus Rule also confirmed that most data transmission service providers are also classed as business associates.

What is the HIPAA Conduit Exception Rule?

The HIPAA Conduit Exception Rule is detailed in the HIPAA Privacy Rule, but was defined in the HIPAA Omnibus Final Rule. The Rule allows HIPAA-covered entities to use certain vendors without having to enter into a business associate agreement. The HIPAA Conduit Exception Rule is narrow and excludes an extremely limited group of entities from having to enter into business associate agreements with covered entities. The Rule applies to entities that transmit PHI but do not have access to the transmitted information and do not store copies of data. They simply act as conduits through which PHI flows.

HIPAA Conduit Exception Rule covers organizations such as the US Postal Service and certain other private couriers such as Fed-Ex, UPS, and DHL as well as their electronic equivalents. Companies that simply provide data transmission services, such as internet Service Providers (ISPs), are considered conduits.

The HIPAA Conduit Exception Rule is limited to transmission-only services for PHI. If PHI is stored by a conduit, the storage must be transient in nature, and not persistent.

It does not matter if the service provider says they do not access transmitted information. To be considered a conduit, the service provider must not have access to PHI, must only store transmitted information temporarily, and should not have a key to unlock encrypted data.

Vendors that are often misclassified as conduits are email service providers, fax service providers, cloud service providers, and SMS and messaging service providers. These service providers are NOT considered conduits and all must enter into a business associate agreement with a covered entity prior to the service being used in conjunction with any PHI.

Some service providers claim that they are conduits when they are not, in order to avoid having to sign a business associate agreement. Certain fax service providers have claimed they are conduits, and while they appear at face value to be an electronic equivalent to an organization such as the US Postal Service, they are not covered by the HIPAA Conduit Exception Rule. Fax services do not simply send documents from the sender to the recipient. Faxes are stored, and the storage is not considered transient.

Penalties for Misclassifying a Business Associate as a Conduit

Any vendor that has routine access to PHI is considered a business associate (We have covered the definition of a HIPAA business associate on this page). All business associates must sign a business associate agreement with the HIPAA-covered entity before PHI is provided or access to PHI is granted.

Misclassifying a vendor as a conduit rather than a business associate can result in a significant financial penalty, since PHI will have been disclosed without first entering into a business associate agreement.

The Department of Health and Human Services’ Office for Civil Rights has financially penalized many covered entities that have been discovered to have disclosed PHI to a vendor without obtaining a BAA.

In 2017, the Center for Children’s Digestive Health settled with OCR for $31,000 to resolve business associate agreement failures. In 2016, Care New England Health System settled its HIPAA violation case for $400,000, North Memorial Health Care of Minnesota paid $1,550,000 and Oregon Health & Science University settled for $2,700,000.

The post The HIPAA Conduit Exception Rule and Transmission of PHI appeared first on HIPAA Journal.