HIPAA News for Small and Mid-Sized Practices

Warning Issued Over Vulnerabilities in Siemens CT and PET Scanners: Exploits Publicly Available

Warnings have been issued about four vulnerabilities in Siemens CT and PET scanner systems following the discovery of four publicly available exploits. Siemens is currently developing patches to address the vulnerabilities.

The flaws affect multiple Siemens medical imaging systems including Siemens CT, PET, SPECT systems and medical imaging workflow systems (SPECT Workplaces/Symbia.net) that are based on Windows 7.

The vulnerabilities allow remote code execution, potentially giving attackers access to the scanners and networks to which the systems are connected. One of the main risks is malware and ransomware infections, which in the case of the latter can prevent the devices from being used. It is also possible that a malicious actor could interfere with the systems causing patients harm.

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has also issued an alert, warning healthcare organizations to ensure the devices are run on a “dedicated network segment and protected IT environment” until the patches are applied. Siemens rated the flaws as highly critical, assigning them a CVSS score of 9.8 out of 10, and suggests the devices should be run in standalone mode until the patches are applied.

To protect the systems from attack, healthcare organizations should ensure the systems are not accessible over the Internet, are isolated from other networks, and are located behind firewalls.

If remote access is required, Virtual Private Networks (VPNs) should be used, although the use of VPNs is not without risks. Many VPNs also have vulnerabilities that could be remotely exploited. ICS-CERT says if remote access is unavoidable, the latest versions of VPNs should be used.

One of the vulnerabilities is an improper restriction of operations within the bounds of a memory buffer, two are code injection vulnerabilities, and the fourth concerns permissions, privileges and access controls. All four vulnerabilities are remotely exploitable. The code injection vulnerabilities can be exploited by sending a specially crafted HTTP request over port 80 or 443 to the Microsoft IIS web server. The remaining two vulnerabilities could be exploited by sending a specially crafted request to the HP Client Automation service.

ICS-CERT says exploiting the vulnerabilities would only require a low skill level.

The post Warning Issued Over Vulnerabilities in Siemens CT and PET Scanners: Exploits Publicly Available appeared first on HIPAA Journal.

Protenus Provides Insight into 2017 Healthcare Data Breach Trends

Protenus, in conjunction with Databreaches.net, has produced its Breach Barometer mid-year review. The report covers all healthcare data breaches reported over the past 6 months and provides valuable insights into 2017 data breach trends.

The Breach Barometer is a comprehensive review of healthcare data breaches, covering not only the data breaches reported through the Department of Health and Human Services’ Office for Civil Rights’ breach reporting tool, but also media reports of incidents and public findings. Prior to inclusion in the report, all breaches are independently confirmed by databreaches.net. The Breach Barometer reports delve into the main causes of data breaches reported by healthcare providers, health plans and their business associates.

In a webinar on Wednesday, Protenus Co-Founder and president Robert Lord and Dissent of databreaches.net discussed the findings of the mid-year review.

Lord explained that between January and June 2017 there have been 233 reported data breaches. Those breaches have impacted 3,159,236 patients. The largest reported breach in the first half of the year resulted in the theft of 697,800 records and was caused by a rogue insider – one of 96 incidents involving insiders.

Out of those 96 incidents, 57 were due to insider error (423,000 records) and 36 were due to insider wrongdoing (743,665 records). The remaining three breaches could not be classified.

The true number of insider incidents is likely to be far higher than the figures in the Breach Barometer report. Dissent explained that many incidents are not being disclosed publicly or reported to HHS; misconfigured MongoDB databases are one of the clearest examples. Many organizations have not reported that protected health information was exposed online, even though security researchers discovered the data could be accessed over the Internet without authentication. When these incidents are reported, they are often reported to HHS as hacking incidents, even though the root cause is human error.

The first six months of the year saw 75 hacking incidents and 29 ransomware incidents reported. As was explained, ransomware incidents are similarly underreported, even though OCR has made it clear that ransomware attacks are reportable breaches. The true figure is likely to be far worse.

The breakdown for the first six months of the year was 41% of incidents caused by insiders, 32% due to hacking, 18% due to loss/theft of records and devices, and 9% with a cause that is still unknown.

Hacking may be the second biggest cause of breaches, but hacking has resulted in the exposure/theft of the most records. 1,684,904 records were exposed/stolen as a result of hacking, 1,166,674 records were exposed/stolen by insiders, 112,302 records exposed due to theft/loss and 178,420 records exposed in incidents with unknown causes.

To put the figures into perspective, between January and December 2016 there were 450 incidents reported. Data breaches have been occurring at a similar rate to last year. While the number of reported incidents has remained fairly constant, there has been an increase in the severity of those breaches with this year likely to see far more individuals impacted by breaches than last year.

Last year, approximately 2 million patients were affected by insider incidents. This year, 1.17 million individuals have already been impacted by insider incidents. Hacking incidents are also up. Last year there were 120 confirmed hacking incidents for the entire year. This year there have already been 75 reported incidents.

In June, 52 healthcare data breaches were reported, the highest total for any month of the year to date by some distance. The second biggest monthly breach total was 39 incidents. June also saw the third highest number of individuals impacted by the breaches, with 729,930 records confirmed as exposed or stolen.

Robert Lord explained that the time from the initial breach date to discovery is particularly bad in the healthcare industry. The mean time to discover a breach was 325.6 days, with a median of 53 days. Healthcare organizations are not discovering breaches quickly enough. Fast detection can greatly reduce the harm caused to patients, and as the Ponemon Institute has shown, also the cost of mitigation.

There is some good news however. The time taken to report breaches to OCR has improved over the past 6 months. The mean time to report breaches is 54.5 days and the median 57 days. HIPAA allows 60 days to report data breaches and notify affected individuals. In June, both the mean and the median were under the maximum time frame allowed by the HIPAA Breach Notification Rule.

So, what does the rest of 2017 have in store? Dissent explained that 2017 has been a “no good, horrible, very bad year.” Unfortunately, there is no indication that the rest of the year will be any better. The next six months are likely to be just as bad, and 2017 may surpass last year for both the number of breaches and the number of patients impacted by those incidents.

While other industry sectors have hacking/malware as the main breach cause, insider incidents are the biggest problem for the healthcare industry. Healthcare organizations need to take steps to prevent these breaches. As Robert Lord explained, technologies can be deployed to help prevent insider incidents and detect them promptly when they occur.

One of the most important take home messages from the report is that people’s lives are seriously affected by healthcare data breaches. More must be done to prevent breaches and ensure they are detected promptly. Fast detection and notification allows patients and health plan members to take action to reduce the harm caused.

How Often Should Healthcare Employees Receive Security Awareness Training?

Security awareness training is a requirement of HIPAA, but how often should healthcare employees receive security awareness training?

Recent Phishing and Ransomware Attacks Highlight Need for Better Security Awareness Training

Phishing is one of the biggest security threats for healthcare organizations. Cybercriminals are sending phishing emails in the millions in an attempt to get end users to reveal sensitive information such as login credentials or to install malware and ransomware. While attacks are often random, healthcare employees are also being targeted with spear phishing emails.

In December last year, anti-phishing solution provider PhishMe released the results of a study showing 91% of cyberattacks start with a phishing email. Spear phishing campaigns rose 55% last year, ransomware attacks increased by 400% and business email compromise (BEC) losses were up by 1,300%.

In recent weeks, there have been several phishing attacks reported to the Department of Health and Human Services’ Office for Civil Rights. Those attacks have resulted in email accounts being compromised. In July alone, 9 email-related security incidents have been reported to OCR.

The recent WannaCry ransomware attacks may have exploited unaddressed vulnerabilities, but email remains the number one vector for spreading ransomware and malware. Many of these email attacks could have been prevented if employees had been trained to detect threats and knew how to respond appropriately.

Regular Security Awareness Training is a Requirement of HIPAA

Security awareness training is more than just a checkbox item to tick off to demonstrate compliance with HIPAA Rules. In fact, a one-off training session does not meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

45 C.F.R. § 164.308(a)(5)(i) requires covered entities to “Implement a security awareness and training program for all members of its workforce (including management)”. As OCR recently pointed out in its July Cybersecurity Newsletter, all members of staff in an organization “can, knowingly or unknowingly, be the cause of HIPAA violations or data breaches.” It may not be possible to reduce risk to zero, but security awareness training can help to reduce risk to an acceptable level.

How Often Should Healthcare Employees Receive Security Awareness Training?

Cybercriminals are constantly changing tactics and new threats are emerging on an almost daily basis. An effective security awareness program must therefore provide ongoing training, raising awareness of new threats as they emerge and when threat intelligence is shared by Information Sharing and Analysis Organizations (ISAOs).

After the provision of initial training, HIPAA requires healthcare employees to receive periodic security updates – 45 C.F.R. § 164.308(a)(5)(ii)(A). While HIPAA does not stipulate how often these “periodic security updates” should be issued, OCR points out that monthly security updates work well for many healthcare organizations, with additional training provided bi-annually.

Some healthcare organizations may require more or less frequent updates and training sessions; the appropriate frequency should be determined through the organization’s risk analysis.

The security updates should include details of the latest security threats including phishing and social engineering scams that have been reported by other covered entities or shared by an ISAO. The security alerts can take many forms – email bulletins, posters, newsletters, team discussions, classroom-based training or CBT sessions. It is up to the covered entity to determine which are the most appropriate. Annual or biannual training sessions should be more in-depth and should cover new risks faced by an organization and recap on previous training.

OCR also points out in its recent newsletter that covered entities must document any training provided to employees. Without documentation on the training provided, newsletters sent, updates issued and evidence of workforce participation, it will not be possible to demonstrate to OCR auditors that training has taken place. HIPAA requirements for documenting training are covered in 45 C.F.R. §§ 164.316(b) and 164.530(j).

OCR provides some training materials on privacy and security, with third-party training companies and anti-phishing solution providers offering specific training courses on the full range of cybersecurity threats.

Tailoring training to the needs of the individual will help to ensure that all employees become security assets and organizations develop a robust last line of defense against phishing attacks.

47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years

The KPMG 2017 Cyber Healthcare & Life Sciences Survey shows there has been a 10 percentage point increase in reported HIPAA data breaches in the past two years.

The survey was conducted on 100 C-suite information security executives including CIOs, CSOs, CISOs and CTOs from healthcare providers and health plans generating more than $500 million in annual revenue.

47% of healthcare organizations have reported a HIPAA data breach in the past two years, whereas in 2015, when the survey was last conducted, 37% of healthcare organizations said they had experienced a security-related HIPAA breach in the past two years.

Preparedness for data breaches has improved over the past two years. When asked whether they were ready to deal with a HIPAA data breach, only 16% of organizations said they were completely ready in 2015. This year, 35% of healthcare providers and health plans said they were completely ready to deal with a breach if one occurred.

Ransomware has become a major threat since the survey was last conducted. 32% of all respondents said they had experienced a security breach in the past two years that involved ransomware. 41% of those respondents said they paid the ransom to unlock their data.

70% of organizations that experienced at least one security breach in the past 2 years said a malicious actor hacked their system as a result of an unaddressed vulnerability, 54% of respondents said they had experienced a single-system based malware incident and 36% said employees had responded to phishing emails resulting in a system compromise. 26% said they had experienced a breach of a third-party device or service, while 20% said they had experienced a breach as a result of an insider.

The probability of organizations experiencing a security breach has increased considerably in the past two years, yet there was a decrease in organizations that believed cybersecurity was a board matter. In 2015, 87% of organizations believed cybersecurity was a board issue. This year, only 79% of respondents said they thought cybersecurity was a C-level issue.

KPMG Healthcare Advisory Leader Dion Sheidy said, “There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated, especially as doctors need to share information to improve quality and as connected medical devices and wearables proliferate.”

Investment in cybersecurity protections has also decreased. In 2015, 88% of organizations said they had invested in information protection measures in the past 12 months. This year, only 66% said they had made such an investment.

When it comes to investment, organizations appear to be favoring technology rather than staff. Only 15% believe increases in staff numbers and higher quality staff are important for improving their security posture.

Only 41% of respondents said they were planning on investing in hiring or training staff, while 76% said they were planning to invest more in technology. Budgets for training staff were low, with a quarter of respondents saying they were investing less than $1,000 per cybersecurity team member. 83% said improvements would be made to policies and data access controls and processes.

KPMG Cyber Security Group in Healthcare & Life Sciences Leader Michael Ebert said, “A solid cyber security program needs people, processes and technology and short-changing staff and the process structure needed to adequately govern, manage and monitor the technology is a faulty approach,” explaining that “Software can only protect you so far and staff is important when it comes time to respond to a data breach.”

When asked what they thought the main targeted asset was, only 30% believed it was patient data. Financial information was seen as the data most likely to be targeted (69%), followed by patient/clinical research (63%), competitive market analysis (49%) and the PII of employees (45%).

The biggest threats were seen to be state-sponsored actors (53%), individual hackers (49%) and hacktivists (47%).

HITRUST Launches Community Extension Program to Promote Collaboration on Risk Management

HITRUST has launched a new community extension program that will see town hall events taking place in 50 major cities across the United States over the course of the next 12 months. The aim of the program is to improve education and collaboration on risk management across the healthcare community.

With the volume and variety of cyber threats having increased significantly in recent years, healthcare organizations have been forced to respond by improving their cybersecurity programs, including adopting cybersecurity frameworks and taking part in HITRUST programs. Healthcare organizations have been able to improve their resilience against cyberthreats, although the process has not been easy.

HITRUST has learned that the process can be made much easier with improved education and collaboration between healthcare organizations. The community extension program is intended to streamline adoption of the HITRUST CSF and other HITRUST programs while promoting greater collaboration between healthcare organizations.

The events will allow healthcare organizations to share best practices and the lessons they have learned from conducting their own risk management programs, including discussing some of the many challenges they have faced.

Tufts Medical Center played an important role in the development of the community extension program, encouraging HITRUST to run the community sessions. Tufts Medical Center CISO, Taylor Lehmann, said “The importance of improving the overall cyber resilience of organizations cannot be overstated. Although it’s a difficult goal, HITRUST provides a number of programs that make the goal achievable and sharing best practices, lessons learned and remediation strategies makes the community stronger.”

HITRUST Assurance Strategy and Community Development Vice President Michael Parisi said, “This program provides significant value by allowing organizations to engage with, and learn from, others in the community about how they approach the challenges related to managing risk, controlling compliance costs while effectively implementing a strong security posture and defending against cyber threats.”

The time it takes to adopt HITRUST programs can be shortened through education and knowledge transfer, which will be a key component of the community extension program sessions.

Some of the main topics that will be covered at the events include:

  • Structuring and implementing an information risk management program
  • Considerations in implementing the HITRUST CSF
  • Leveraging the HITRUST CSF to implement the NIST Cybersecurity Framework
  • Considerations regarding a HITRUST CSF Assessment and reporting options
  • Leveraging the HITRUST Cyber Threat Catalogue
  • Implementing a third-party assurance program and effective vendor risk management
  • How to align information risk management and cyber insurance programs
  • Engaging in cyber information sharing and how it supports cyber threat management regardless of size or cyber maturity

HITRUST Community Extension Program Dates

The events will take place at town halls in major cities and will be hosted by healthcare organizations from each community, assisted by HITRUST CSF assessors. There will be no charge for attendees.

The events are likely to be popular and HITRUST will add more locations to meet demand over the course of the next 12 months.

The first six events will be held in Boston, MA, hosted by Tufts Medical Center; Houston, TX, hosted by Texas Children’s Hospital; Denver, CO, hosted by Centura Health; Dallas, TX, hosted by Blue Cross Blue Shield of Texas; Cleveland, OH, hosted by Cleveland Clinic; and Seattle, WA, hosted by Microsoft.

The first event in Boston is scheduled to take place on September 14, 2017, with further dates to be confirmed. Interested parties can now register for the first event and view details of future events through HITRUST.

OCR Data Breach Portal Update Highlights Breaches Under Investigation

Last month, the Department of Health and Human Services confirmed it was mulling over updating its data breach portal – commonly referred to as the OCR ‘Wall of Shame’.

Section 13402(e)(4) of the HITECH Act requires OCR to maintain a public list of breaches of protected health information that have impacted more than 500 individuals. All 500+ record data breaches reported to OCR since 2009 are listed on the breach portal.

The data breach list contains a wide range of breaches, many of which occurred through no fault of the covered entity and involved no violations of HIPAA Rules.

OCR has received some criticism for its breach portal for this very reason, most recently from Rep. Michael Burgess (R-Texas) who said the breach portal was ‘unnecessarily punitive’ in its current form.

For example, burglaries will occur even with reasonable physical security in place, and even with appropriate controls in place, rogue healthcare employees will on occasion access PHI out of curiosity or with malicious intent. Some consider it unfair for those breaches to remain on public display indefinitely.

OCR Director Roger Severino said last month that “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved.”

While the HITECH Act requires OCR to maintain the portal, the Act does not specify for how long that information must be displayed. One possibility for change would be a time limit for displaying the breach summaries. There was concern from some privacy advocates about the loss of information from the portal, which would make it hard for information about past breaches to be found for research purposes or by patients whose PHI may have been exposed.

This week, changes have been made to the breach portal. The breach list now displays all data breaches that are currently under investigation by OCR. OCR investigates all reported data breaches impacting more than 500 individuals. Currently, the list shows there are 354 active investigations dating back to July 2015.

The order of the list has also been changed so the most recent breach reports are displayed first, a much more convenient order for checking the latest organizations to report data breaches.

Data breaches that were reported to OCR more than 24 months ago along with breach investigations that have now been closed have not been lost, instead they have been moved to an archive. The archive can still be accessed through the site and is searchable, as before.

Since recent data breaches could be in the archive or main list, it has potential to make research and searches more complicated. OCR has tackled this issue by offering a research report containing the full list of breaches dating back to 2009.

Model HIPAA-Compliant PHI Access Request Form Released by AHIMA

The American Health Information Management Association (AHIMA) has announced it has released a model PHI access request form for healthcare providers to give to patients who want to exercise their right under HIPAA to obtain copies of their health data.

The model PHI access request form is compliant with HIPAA regulations and can be easily customized to suit the needs of each healthcare organization.

AHIMA claims that until now, a model PHI access request form was not available to healthcare providers. HIPAA-covered entities have had to develop their own forms and there is considerable variation in the forms used by different healthcare organizations. Patients with multiple healthcare providers often find the process of obtaining their health data confusing.

AHIMA has listened to feedback from its members and industry stakeholders who explained that the process of accessing medical records was often confusing for patients. Even some healthcare organizations are confused about what is permitted and not permitted under HIPAA Rules when it comes to providing access to health data. The new model form should help clear up confusion.

It is hoped that the new form will be used as a standard across the industry which will make it easier for patients to exercise their rights under HIPAA, regardless of which healthcare providers they use.

AHIMA interim CEO Pamela Lane said, “Our hope is that it will help connect patients with their health information and make them more empowered healthcare consumers.”

Streamlining the Process of Providing Copies of Health Data to Patients

The ONC recently issued a report in which HIPAA-covered entities were given tips to help streamline the process of providing patients with access to their healthcare data.

The ONC report explained its research has shown that patients are often confused about the process of accessing their health data. Forms are confusing and patients are often unaware of their rights under HIPAA. For example, many are unaware that under HIPAA Rules they are entitled to receive PHI in the form and format they request, provided it is readily producible. Paper copies can be requested, or patients are entitled to have their health data in electronic form; electronic copies can be sent via email or provided on a portable storage device such as a CD or zip drive.

The new model PHI access request form ties in with the advice given by the ONC and patients can stipulate how they would like their PHI copies to be delivered. The form should also make processing requests straightforward for healthcare providers and help them to streamline the processing of PHI access requests.

The form is suitable for use by all types of healthcare providers, from large multi-hospital health systems to individual physicians, clarifying what patients have the right to access and what healthcare organizations must provide.

Lane said the model PHI access request form is “Written in easy-to-understand language for all patients” explaining, “this model form and explanation of use provides healthcare providers with a customizable tool that both ensures their compliance and captures patient request information in a clear, simple format.”

The final version of the PHI access request form can be downloaded from AHIMA.

Recommendations for HIPAA Covered Entities Wishing to Use the Model PHI Access Request Form

The model PHI access request form is self-explanatory for patients, but AHIMA has given additional recommendations for healthcare providers who wish to start using the new form.

AHIMA suggests the form should be customized to match the capabilities of healthcare providers’ systems and can be updated as required when systems are upgraded. Healthcare providers can also add their address, logos and barcodes to the forms should they so wish.

While the form is HIPAA-compliant in its original form, healthcare providers that customize the form must ensure that any changes comply with HIPAA Rules. Healthcare providers are told they should read 45 CFR 164.524(c)(3) to ensure the form stays compliant.

Internal policies can be developed by HIPAA-covered entities, but AHIMA stresses those policies must be in line with HIPAA guidance and should not serve as a barrier to health data access. HIPAA Rules allow covered entities to charge patients fees for providing copies of their health data. AHIMA recommends providers consult OCR guidance on fees as well as state laws to ensure compliance.

Is Google Drive HIPAA Compliant?

Google Drive is a useful tool for sharing documents, but can those documents contain PHI? Is Google Drive HIPAA compliant?

Is Google Drive HIPAA Compliant?

The answer to the question, “Is Google Drive HIPAA compliant?” is yes and no. HIPAA compliance is less about technology and more about how technology is used. Even a software solution or cloud service that is billed as being HIPAA-compliant can easily be used in a manner that violates HIPAA Rules.

G Suite – formerly Google Apps, of which Google Drive is a part – does support HIPAA compliance. The service does not violate HIPAA Rules provided HIPAA Rules are followed by users.

G Suite incorporates all of the necessary controls to make it a HIPAA-compliant service and can therefore be used by HIPAA-covered entities to share PHI (in accordance with HIPAA Rules), provided the account is configured correctly and standard security practices are applied.

The use of any software or cloud platform in conjunction with protected health information requires the vendor of the service to sign a HIPAA-compliant business associate agreement (BAA) prior to the service being used with any PHI. Google offers a BAA for Google Drive (including Docs, Sheets, Slides, and Forms) and other G Suite apps for paid users only.

Prior to use of any Google service with PHI, it is essential for a covered entity to review, sign and accept the business associate agreement (BAA) with Google. It should be noted that PHI can only be shared or used via a Google service that is specifically covered by the BAA. The BAA does not cover any third-party apps that are used in conjunction with G Suite. These must be avoided unless a separate BAA is obtained from the provider/developer of that app.

The BAA does not mean a HIPAA covered entity is then clear to use the service with PHI. Google will accept no responsibility for any misconfiguration of G Suite. It is down to the covered entity to make sure the services are configured correctly.

Covered entities should note that Google encrypts data at rest on its servers, but that encryption does not extend to copies on endpoints. If files are downloaded or synced, additional controls will be required to protect data on those devices. HIPAA-compliant syncing is beyond the scope of this article and it is recommended that syncing is turned off.

To avoid a HIPAA violation, covered entities should:

  • Obtain a BAA from Google prior to using G Suite with PHI
  • Configure access controls carefully
  • Use 2-factor authentication for access
  • Use strong passwords
  • Turn off file syncing
  • Set link sharing to off
  • Restrict sharing of files outside the domain (Google offers advice if external access is required)
  • Set the visibility of documents to private
  • Disable third-party apps and add-ons
  • Disable offline storage for Google Drive
  • Disable access to apps and add-ons
  • Audit access and account logs and shared file reports regularly
  • Configure ‘manage alerts’ to ensure the administrator is notified of any changes to settings
  • Back up all data uploaded to Google Drive
  • Ensure staff are trained on the use of Google Drive and other G Suite apps
  • Never put PHI in the titles of files
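The audit step in the checklist above can be partly automated. The following Python script is an added example, not Google's tooling or code from the article: it reads a small set of constructed events whose field names are an assumption loosely modelled on Google Drive audit-log entries, and flags shares to addresses outside the organization's domain, documents whose visibility is no longer private, and third-party app authorizations, so the checklist items on external sharing, link sharing and third-party apps can be checked against the log rather than by eye. The domain `example-practice.com` and the sample addresses are placeholders.

```python
"""Flag Drive-sharing events that contradict the G Suite checklist.

Added example. The event records below are constructed, and their field
names are an assumption loosely modelled on Google Drive audit-log
entries, so the script runs offline without an Admin SDK connection.
"""
import json
from typing import Dict, List

# Placeholder domain of the covered entity (assumption, not from the article).
ORG_DOMAIN = "example-practice.com"

# Constructed sample events: one record per access or visibility change.
SAMPLE_EVENTS_JSON = json.dumps([
    {"time": "2017-07-18T09:12:00Z", "actor": "dr.smith@example-practice.com",
     "event": "change_user_access", "doc_title": "Intake-form-template",
     "target_user": "nurse.jones@example-practice.com", "new_value": "can_edit"},
    {"time": "2017-07-18T09:15:00Z", "actor": "dr.smith@example-practice.com",
     "event": "change_user_access", "doc_title": "Referral-2017-0712",
     "target_user": "someone@gmail.com", "new_value": "can_view"},
    {"time": "2017-07-18T10:02:00Z", "actor": "admin@example-practice.com",
     "event": "change_document_visibility", "doc_title": "Billing-Q2",
     "visibility": "people_with_link"},
    {"time": "2017-07-18T10:30:00Z", "actor": "frontdesk@example-practice.com",
     "event": "change_document_visibility", "doc_title": "Staff-rota",
     "visibility": "private"},
    {"time": "2017-07-18T11:00:00Z", "actor": "dr.smith@example-practice.com",
     "event": "authorize", "app_name": "Third-Party PDF Merge"},
])


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def find_violations(events_json: str, org_domain: str = ORG_DOMAIN) -> List[Dict[str, str]]:
    """Return one finding per event that breaks a checklist rule.

    Rules checked:
      external_share  - a file was shared with a user outside org_domain
      link_sharing    - a document's visibility was set to anything but private
      third_party_app - a user authorized a third-party app or add-on
    """
    findings: List[Dict[str, str]] = []
    for ev in json.loads(events_json):
        kind = ev.get("event")
        if kind == "change_user_access":
            target = ev.get("target_user", "")
            if _domain(target) != org_domain.lower():
                findings.append({"time": ev["time"], "actor": ev["actor"],
                                 "subject": ev.get("doc_title", "?"),
                                 "detail": target, "reason": "external_share"})
        elif kind == "change_document_visibility":
            visibility = ev.get("visibility", "")
            if visibility != "private":
                findings.append({"time": ev["time"], "actor": ev["actor"],
                                 "subject": ev.get("doc_title", "?"),
                                 "detail": visibility, "reason": "link_sharing"})
        elif kind == "authorize":
            findings.append({"time": ev["time"], "actor": ev["actor"],
                             "subject": ev.get("app_name", "?"),
                             "detail": "app authorized", "reason": "third_party_app"})
    return findings


def count_by_reason(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Summarize findings as {reason: count} for a periodic review report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["reason"]] = counts.get(f["reason"], 0) + 1
    return counts


if __name__ == "__main__":
    results = find_violations(SAMPLE_EVENTS_JSON)
    for f in results:
        print(f"{f['time']} {f['reason']:16} {f['actor']} -> {f['subject']} ({f['detail']})")
    print("summary:", count_by_reason(results))
```

The internal share and the document set back to private produce no findings; the external share, the link-visible document and the app authorization do. In practice the same rules would be run over the exported Drive audit log on the review schedule the checklist calls for, with the domain set to the covered entity's own.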

To help HIPAA-covered entities use G Suite and Google Drive correctly, Google has released a Guide for HIPAA Compliance with G Suite to assist with implementation.

The post Is Google Drive HIPAA Compliant? appeared first on HIPAA Journal.

U.S. Data Breaches Hit Record High

Hacking is still the biggest cause of data breaches, and the breach count has risen once again in 2017, according to a new report released by the Identity Theft Resource Center (ITRC) and CyberScout.

In its half-yearly report, ITRC says 791 data breaches have already been reported in the year to June 30, 2017, marking a 29% increase year on year. At the current rate, the annual total is likely to reach 1,500 reported data breaches. If that total is reached it would represent a 37% increase from last year’s record-breaking total of 1,093 breaches.

Following the passing of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing healthcare data breach summaries on its website. Healthcare organizations are required by HIPAA/HITECH to detail the extent of those breaches and how many records have been exposed or stolen. The healthcare industry leads the way when it comes to transparency over data breaches, with many businesses failing to submit details of the extent of their breaches.

ITRC says it is becoming much more common to withhold this information. In the first 6 months of 2017, 67% of data breach notifications and public notices did not include the number of records exposed, which is a 13% increase year on year and a substantial increase from the 10-year average of 43%. The lack of full information about data breaches makes it harder to produce meaningful statistics and assess the impact of breaches.

81.5% of healthcare industry data breach reports included the number of people impacted – a similar level to 2016. ITRC points out that this does not mean healthcare organizations are failing to provide full reports, only that HITECH/HIPAA regulations do not require details of breaches of employee information to be reported.

The OCR breach portal shows healthcare industry data breaches in the year to June 30, 2017 increased by 14% year on year. 169 breaches were reported in the first six months of 2017 compared to 148 in the same period in 2016.

Hacking is Still the Biggest Cause of U.S. Data Breaches

The biggest cause of U.S. data breaches is still hacking according to the report, accounting for 63% of data breaches reported in the first half of the year across all industries – an increase of 5% year on year. Phishing, ransomware, malware and skimming were also included in the totals for hacking. 47.7% of those breaches involved phishing and 18.5% involved ransomware or malware.

The second biggest causes of U.S. data breaches were employee error, negligence and improper disposal, accounting for 9% of the total, followed by accidental exposure on the Internet – 7% of breaches.

The OCR breach portal shows 63 healthcare data breaches were attributed to hacking/IT incidents – 37% of the half yearly total. That represents a rise of 19% from last year.

In close second place is unauthorized access/disclosure – 58 incidents or 35% of the total, a 14% decrease year on year. In third place is loss/theft of devices – 40 incidents or 24% of all healthcare data breaches, a 4% fall year on year. The remaining 4% of healthcare data breaches – 7 incidents – were caused by improper disposal of PHI/ePHI.

Matt Cullina, CEO of CyberScout, said “All these trends point to the need for businesses to take steps to manage their risk, prepare for common data breach scenarios, and get cyber insurance protection.”

The post U.S. Data Breaches Hit Record High appeared first on HIPAA Journal.