HIPAA News for Small and Mid-Sized Practices

OCR’s Wall of Shame Under Review by HHS

Posted by HIPAA Journal

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’.

The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of breach, location of breach information, whether a business associate was involved and the number of individuals affected.

The list includes all reported data breaches, including those which occurred due to no fault of the healthcare organization. The list is not a record of HIPAA violations. Those are determined during OCR investigations of breaches.

Making brief details of the data breaches available to the public is an ‘unnecessarily punitive’ measure, according to Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list.

Burgess was informed at a cybersecurity hearing last week that HHS secretary Tom Price is currently reassessing the website and how the information is made public.

While the publication of information is under review, the publication of breach summaries is a requirement of the HITECH Act of 2009. Any decision to stop publishing breach summaries on the website would require assistance from Congress. However, it is possible for changes be made to how the information displayed and for how long the information is made available. HITECH Act only requires the information to be published. It does not stipulate the length of time that the covered entity remains on the list.

The reason behind the publication of breach information is to inform the public of data breaches and to provide some information on what has occurred. If there was a time limit placed on the length of time a covered entity remained on the list, it would not be possible for a member of the public to determine whether a breach was an isolated event or one of several suffered by a covered entity.

OCR Director Roger Severino issued a statement confirming the usefulness of the website saying, “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved,” explaining “OCR will continue to evaluate the best options for communicating this information as we meet statutory obligations, educate the regulated community (and the public) on lessons learned, and highlight actions taken in response.”

Burgess told Fierce Healthcare, “I am interested in pursuing solutions that hold hospital systems accountable for maintaining patient privacy without defaming systems that may fall victim to large-scale ransomware attacks, such as WannaCry.”

Of course, in the case of the WannaCry attacks, healthcare organizations may not be blameless. The attacks were only possible as a result of the failure to apply patches promptly. However, in its current form, there would be no indication on the website that a covered entity had experienced a ransomware attack as the breach list does not go into that much detail.

While options are being considered, some privacy advocates argue that the breach portal does not go into nearly enough detail and suggest even more information should be uploaded to the site to better inform the public on exactly what has occurred.

The post OCR’s Wall of Shame Under Review by HHS appeared first on HIPAA Journal.

Microsoft Patches Two Critical, Actively Exploited Vulnerabilities

Posted by HIPAA Journal

Microsoft released a slew of updates this Patch Tuesday, including patches for two critical vulnerabilities that are being actively exploited in the wild. In total, 95 vulnerabilities were addressed yesterday, eighteen of which have been rated critical and 76 as important.

The two actively exploited vulnerabilities are of most concern, in fact one is so serious that Microsoft took the decision to issue a patch for Windows XP, even though extended support for the outdated operating system ended in April 2014. As with the emergency patch issued last month shortly after the WannaCry ransomware attacks, the vulnerability was considered so severe it warranted a patch.

Adrienne Hall, general manager of Microsoft’s Cyber Defense Operations Center, explained the decision to issue a patch for Windows XP saying, “Due to the elevated risk for destructive cyberattacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt.”

The flaw – CVE-2017-8543 – exists in the Windows Server Message Block (SMB) service. It was also a SMB service vulnerability that was exploited in the recent WannaCry ransomware attacks that spread to more than 300,000 devices in 150 countries on May 12.

CVE-2017-8543 could similarly be exploited by cybercriminals to install malware with wormlike capabilities, allowing infections to spread rapidly across a network. The flaw exists in most Windows versions, including Windows XP, Windows 7, Windows 8.1 and Windows 10, as well as Microsoft Server 2003, 2008, 2012 and 2016. Microsoft has also issued a patch for Microsoft Server 2003.

As with the WannaCry attacks, the vulnerability could be exploited without any user interaction required. A remote unauthenticated user could trigger the vulnerability via a SMB connection. If exploited, the attacker could take control of the infected device. Since this vulnerability is being actively exploited in the wild, it is essential that the patch is applied promptly.

The other critical – and actively exploited – flaw is CVE-2017-8464: A LNK remote code execution vulnerability. This vulnerability can be exploited using a specially crafted shortcut file.

While not believed to be exploited at present, a memory corruption vulnerability in Outlook (CVE-2017-8507) is of particular concern. An attacker could exploit the vulnerability simply by sending a specially crafted message to an Outlook user. The vulnerability would be triggered when the user views the message, giving the attacker full control of their computer. No attachment would need to be opened in order for the vulnerability to be exploited.

CVE-2017-8527 could also potentially be exploited with little user interaction required. A user would only be required to visit a website with specially crafted fonts.

Patches have also been issued for remote code execution vulnerabilities in Microsoft Edge and Internet Explorer. These flaws are not being actively exploited at present, although the flaws have been publicly disclosed so it is only a matter of time before attacks occur.

In addition to the patches released by Microsoft, Adobe has similarly issued a round of updates. In total, 21 vulnerabilities have been addressed, 15 of which have been rated critical. Four products have been updated – Flash, Shockwave, Captivate and Adobe Digital Editions.

While Microsoft has now issued patches for unsupported operating systems on two occasions in the past 30 days, this should not be taken as a sign that flaws will continue to be addressed. Any organization still using unsupported operating systems should ensure those systems are upgraded to supported Windows versions as soon as possible. Further flaws are likely to be discovered, but Microsoft is unlikely to continue to release patches.

Eric Doerr, general manager of the Microsoft Security Response Center said, “Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies.”

The post Microsoft Patches Two Critical, Actively Exploited Vulnerabilities appeared first on HIPAA Journal.

OCR Issues Guidance on the Correct Response to a Cyberattack

Posted by HIPAA Journal

Last week, the Department of Health and Human Services’ Office for Civil Rights issued new guidance to covered entities on the correct response to a cyberattack. OCR issued a quick response checklist and accompanying infographic to explain the correct response to a cyberattack and the sequence of actions that should be taken.

Responding to an ePHI Breach

Preparation is key. Organizations must have response and mitigation procedures in place and contingency plans should exist that can be implemented immediately following the discovery a cyberattack, malware or ransomware attack.

The first stage of the response is to take immediate action to prevent any impermissible disclosure of electronic protected health information. In the case of a network intrusion, unauthorized access to the network – and data – must be blocked and steps taken to prevent data from being exfiltrated.

Healthcare organizations may have staff capable of responding to such an incident, although third party firms can be contracted to assist with the response. Smaller healthcare organizations may have little choice but to call in external experts to investigate a breach and ensure access to data has been effectively blocked.

OCR has reminded covered entities that a third-party cybersecurity firm brought in to assist with response and mitigation would be classed as a business associate. Therefore, prior to access to systems being provided, a HIPAA-compliant business associate agreement must be signed by the cybersecurity firm. Failing to obtain a signed BAA prior to access to systems being provided would be a violation of HIPAA Rules and classed as an impermissible disclosure of ePHI.

Cyberattacks Should be Reported to Law Enforcement

A cyberattack is a crime, therefore law enforcement should be notified. Covered entities should alert the FBI and/or Secret Service to any cyberattack or ransomware incident and notify state and local law enforcement. Details of the incident should be provided, although covered entities should not disclose any protected health information, unless otherwise permitted by the HIPAA Privacy Rule (45 C.F.R. § 164.512(f)).

Covered entities have been advised that law enforcement may request breach reporting be delayed when the announcement of a breach may impede an investigation or could otherwise harm national security. Requests by law enforcement should state the duration of the delay and should be honored, while oral requests should result in a delay of no more than 30 days from the original request. (45 C.F.R. § 164.412)

Sharing Threat Indicators

After law enforcement has been notified, covered entities should report cyber threat indicators to federal and information sharing and analysis organizations (ISAOs). The Department of Homeland Security and the HHS Assistant Secretary for Preparedness and Response should be provided with threat indicators, although covered entities should not disclose any protected health information in their reports.

Notifying Affected Individuals and OCR

Covered entities are advised that threat indicator information is not passed to OCR by other federal agencies. Covered entities must therefore submit a separate breach notice to OCR as soon as possible, and certainly no later than 60 days following the discovery of the breach if the incident impacts 500 or more individuals (unless otherwise instructed by law enforcement).

Covered entities can notify OCR of a breach impacting fewer than 500 individuals within 60 days of the end of the calendar year in which the breach was discovered.

According to the guidance, “OCR presumes all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident.”

In all cases, individuals impacted by a security breach must be notified without unnecessary delay and no later than 60 days following the discovery of a breach.

OCR’s checklist and infographic can be downloaded using the links below:

OCR’s Cyber Security Checklist

Cybersecurity Infographic

The post OCR Issues Guidance on the Correct Response to a Cyberattack appeared first on HIPAA Journal.

Data Breach Risk From Out of Date Operating Systems and Web Browsers Quantified

Posted by HIPAA Journal

The recent WannaCry ransomware attacks have highlighted the risks from failing to apply patches and update software promptly; however, a new study conducted by BitSight sought to quantify the level of risk that tardy updates introduce.

For the study, BitSight analyzed the correlation between data breaches and the continued to use old operating systems such as Windows 7, Windows Vista and Windows XP and old versions of web browsers.

Operating systems and browsers used by approximately 35,000 companies from 20 industries were assessed as part of the study. BitSight checked Apple OS and Microsoft Windows operating systems and Chrome, Internet Explorer, Safari, and Firefox web browsers.

2,000 of the companies studied (6%) had out of date operating systems on more than half of their computers. BitSight said 8,500 companies were discovered to be using out of date web browsers.

BitSight used its risk platform to study computer compromises and identified operating system and browser versions at those companies. BitSight was able to determine that organizations running out of date operating systems were three times more likely to suffer a data breach than those running newer operating systems. Organizations with out of date web browsers were two times more likely to experience a data breach.

The analysis did not confirm whether the data breaches occurred as a direct result of running outdated browsers and operating systems. The outdated software was only an indicator in the risk profile of those companies.

BitSight research scientist Dan Dahlberg said it is common knowledge that using outdated software and operating systems increases risk, but the big surprise from the study was the number of companies that were taking such big risks. For instance, prior to the WannaCry attacks, 20% of computers analyzed during the study were still running Windows XP.

The healthcare industry fared better than other industry sectors with 85% of organizations using up to date browsers and operating systems. However, 15% were taking risks by failing to update their browsers promptly and upgrade their operating systems.

Unsurprisingly, government organizations were some of the worst offenders, with more than a quarter of computers running on old operating systems and using out-of-date browsers.

The post Data Breach Risk From Out of Date Operating Systems and Web Browsers Quantified appeared first on HIPAA Journal.

WannaCry Ransomware Continues to Cause Problems for U.S. Hospitals

Posted by HIPAA Journal

The Department of Health and Human Services (HHS) has issued a cyber notice to alert healthcare organizations of the continuing problems caused by the WannaCry ransomware attacks on May 12, 2017.

Following the attacks, the United States Department of Homeland Security (DHS) issued a statement saying the U.S. had suffered ‘limited attacks’ with only a small number of companies affected. However, the problems caused by those attacks have been considerable. The HHS says two large, multi-state hospital systems are still facing significant challenges to operations as a result of the May 12 attacks.

The Windows SMB vulnerability (MS17-010) exploited by the threat actors was addressed by Microsoft in a March 14, 2017 update, with an emergency patch released for unsupported Windows versions shortly after the attacks took place. The patches will prevent the MS17-010 vulnerability from being exploited and thus prevent WannaCry from being downloaded.

The encryption routine used by the WannaCry malware was deactivated quickly following the discovery of a kill switch. While the encryption process has been blocked, that does not stop infection. Vulnerable devices could still be infected if the patch has not been applied.

Further, if a device has already been infected prior to the patch being applied, the malware will still be present on the infected system. The HHS likens the patch to quarantining a patient. While that action will prevent the spread of the infection to other individuals, simply placing a patient in quarantine will not remove the infection in that patient.

While the ransomware component of the malware is not active, the presence of the malware on computer systems will have some effects. Those are dependent on the Windows version installed.

If the malware is present, it will be capable of scanning the network for other vulnerable devices and spreading to those devices.

The HHS says that if a device has been infected with WannaCry, reimaging and applying the patch will remove the virus and prevent it from being installed again. However, HHS explains that while the patch addresses a vulnerability in the Windows Server Message Block version 1 (SMBv1) protocol, that may not be the only vulnerability that is exploited to download WannaCry. Even patched systems may still be infected if the threat actors exploit a different vulnerability to introduce the malware. Patches must therefore be applied promptly after they have been issued to prevent future WannaCry – and other – malware attacks.

If you have been affected by WannaCry, the HHS recommends contacting your FBI Field Office Cyber Task Force or the US Secret Service Electronic Crimes Task Force to report the incident and request assistance.

The HHS also recommends contacting the FDA’s 24/7 emergency line at 1-866-300-4374 if a suspected cyberattack affects medical devices.

HHS has issued the following advice to healthcare organizations on mitigating the risk of WannaCry infection:

The post WannaCry Ransomware Continues to Cause Problems for U.S. Hospitals appeared first on HIPAA Journal.

Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts

Posted by HIPAA Journal

Ransomware, malware and unaddressed software vulnerabilities threaten the confidentiality, integrity and availability of PHI, although healthcare organizations should take steps to deal with the threat from within. This year has seen numerous cases of employees snooping and accessing medical records without authorization.

The HIPAA Security Rule 45 CFR §164.312(b) requires covered entities to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information,” while 45 CFR §164.308(a)(1)(ii)(D) requires covered entities to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

Logs create an audit trail that can be followed in the event of a data breach or privacy incident. Those logs can be checked to discover which records have been accessed without authorization.

If those logs are monitored continuously, privacy breaches can be identified quickly and action taken to limit harm. However, recent incidents have shown that while access logs are kept, they are not being regularly checked. There have been numerous recent examples of employees who have improperly accessed patients’ medical records over a period of several years.

A few days ago, Beacon Health announced an employee had been discovered to have improperly accessed the medical records of 1,200 patients without any legitimate work reason for doing so. That employee had been snooping on medical records for three years.

In March, Chadron Community Hospital and Health Services in Nevada discovered an employee had accessed the medical records of 700 patients over a period of five years and St. Charles Health System in central Oregon discovered an employee had accessed medical records without authorization over a 27 month period.

Also in March, Trios Health discovered an employee had improperly accessed the medical records of 570 patients. The improper access occurred over a period of 41 months.

Rapid detection of internal privacy breaches is essential. Even when snooping is discovered relatively quickly, the privacy of many thousands of patients may have already been violated. In January, Covenant HealthCare notified 6,197 patients of a privacy breach after an employee was discovered to have improperly accessed medical records over a period of 9 months, while a Berkeley Medical Center employee accessed the ePHI of 7,400 patients over a period of 10 months.

Healthcare organizations may not feel it is appropriate to restrict access to patients’ PHI, but a system can be implemented that will alert staff to improper access promptly. Software solutions can be used to detect improper access and alert appropriate members of staff in near real-time. If such systems are not implemented, regular audits of ePHI access logs should be conducted. Regular checks of ePHI access logs will allow organizations to prevent large-scale breaches, reduce legal liability and reduce the harm caused by rogue employees.

The post Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts appeared first on HIPAA Journal.

OCR Reminds Covered Entities of Security Incident Definition and Notification Requirements

Posted by HIPAA Journal

The ransomware attacks and high number of healthcare IT security incidents last month has prompted the Department of Health and Human Services’ Office for Civil Rights to issue a reminder to covered entities about HIPAA Rules covering security breaches.

In its May 2017 Cyber Newsletter, OCR explains what constitutes a HIPAA security incident, preparing for such an incident and how to respond when perimeters are breached.

HIPAA requires all covered entities to implement technical controls to safeguard the confidentiality, integrity and availability of electronic protected health information (ePHI). However, even when covered entities have sophisticated, layered cybersecurity defenses and are fully compliant with HIPAA Security Rule requirements, cyber-incidents may still occur. Cybersecurity defenses are unlikely to be 100% effective, 100% of the time.

Prior to the publication of OCR guidance on ransomware attacks last year, there was some confusion about what constituted a security incident and reportable HIPAA breach. Many healthcare organizations had experienced ransomware attacks, yet failed to report those incidents to OCR or notify patients that their ePHI may have been accessed.

OCR has reminded covered entities in its newsletter of the HIPAA definition of a security incident. The HIPAA Security Rule (45 CFR 164.304) describes a security incident as “an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”

OCR has taken the opportunity to remind covered entities that they need to prepare for those incidents. Policies and procedures should be developed that kick into action immediately following the discovery of a security incident or data breach.

If covered entities react quickly to security incidents and data breaches it is possible to minimize the impact and reduce legal liability and operational and reputational harm. Contingency plans should exist for a range of security incidents and emergency situations. OCR says “policies, procedures, and plans should provide a roadmap for implementing the entity’s incident response capabilities.”

When a breach occurs, the HIPAA Breach Notification Rule requirements must be followed. The HIPAA Breach Notification Rule (45 CFR 164.402) requires OCR to be notified of a breach and notifications to be sent to patients in the event of “an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information.”

Each month, Databreaches.net tracks healthcare data breach incidents, with the Protenus Breach Barometer report showing the time taken for covered entities to report their breaches to OCR. The past few reports show some improvement, with covered entities reporting their breaches more promptly. That said, there have been several cases where data breach notifications have been submitted late and patients have had their notification letters delayed.

OCR reminds covered entities that the HIPAA deadline for reporting security incidents and sending notifications to patients/health plan members is 60 days* from the discovery of the breach.

This is a deadline, not a recommendation. Many covered entities delay issuing notifications until day 59. OCR points out that the HIPAA Breach Notification Rule requires notifications to be issued “without reasonable delay.”

If you missed the email newsletter, you can download a copy on this link: https://www.hhs.gov/sites/default/files/may-2017-ocr-cyber-newsletter.pdf

*Breaches impacting fewer than 500 individuals can be reported to OCR annually, with the deadline 60 days after the end of the year when the breach was discovered. Breaches impacting 500 or more individuals must be reported to OCR within 60 days of the discovery of the breach. Individuals must be notified of a breach of PHI or ePHI within 60 days of the discovery of the breach, regardless of how many individuals have been impacted by the breach.

The post OCR Reminds Covered Entities of Security Incident Definition and Notification Requirements appeared first on HIPAA Journal.

Molina Healthcare Patient Portal Discovered to Have Exposed Patient Data

Posted by HIPAA Journal

Earlier this month, security researcher Brian Krebs was alerted to a flaw in a patient portal used by True Health Group that allowed patients’ test results to be viewed by other patients. While patients were required to login to the patient portal before viewing their test results, a security flaw allowed then to also view other patients’ results.

Now, the Medicaid and Affordable Care Act Insurer Molina Healthcare is investigating a similar flaw in its patient portal that has allowed the sensitive medical information of patients to be accessed by unauthorized individuals. In the case of Molina Healthcare, patients’ medical claims could be accessed without authentication.

Brian Krebs contacted Molina Healthcare to alert the company to the flaw. An investigation was conducted and its patient portal was shut down while the issue was resolved.

It is unclear for how long the flaw existed, whether medical claims had been viewed by unauthorized individuals, and if so, how many patients had their privacy violated. Potentially, the flaw resulted in the exposure of all customers’ medical claims. Molina Healthcare serves 4.8 million individuals in 12 states and Puerto Rico.

The individuals who identified the flaw and reported the issue to Brian Krebs was able to demonstrate it was possible to access other patients’ names, addresses, birthdates, medical procedure codes, prescribed medications and other sensitive data related to health complaints. Anyone with a link to a medical claim could change a digit in the URL and view other individuals’ medical claims.

In contrast to the security flaw at True Health, Brian Krebs said anyone with a link to a medical claim would be able to access the URL without any authentication required. The link could be clicked and the medical claim could be viewed.

On Friday last week, Molina Healthcare issued a statement saying “We are in the process of conducting an internal investigation to determine the impact, if any, to our customers’ information and will provide any applicable notifications to customers and/or regulatory authorities.”

Molina Healthcare has also engaged the services of Mandiant to improve its system security. Molina Healthcare says the security vulnerability in the patient portal has now been remediated.

The post Molina Healthcare Patient Portal Discovered to Have Exposed Patient Data appeared first on HIPAA Journal.

HIPAA Enforcement Update Provided by OCR’s Iliana Peters

Posted by HIPAA Journal

Office for Civil Rights Senior Advisor for HIPAA Compliance and Enforcement, Iliana Peters, has given an update on OCR’s enforcement activities in a recent Health Care Compliance Association ‘Compliance Perspectives’ podcast.

OCR investigates all data breaches involving the exposure of theft of more than 500 healthcare records. OCR also investigates complaints about potential HIPAA violations. Those investigations continue to reveal similar non-compliance issues. Peters said many issues come up time and time again.

Peters confirmed that cases are chosen to move on to financial settlements when they involve particularly egregious HIPAA violations, but also when they relate to aspects of HIPAA Rules that are frequently violated. The settlements send a message to healthcare organizations about specific aspects of HIPAA Rules that must be addressed.

Peters said one of the most commonly encountered problems is the failure to conduct a comprehensive, organization-wide risk assessment and ensure any vulnerabilities identified are addressed through a HIPAA-compliant risk management process. Several recent settlements have highlighted just how frequently HIPAA covered entities get risk assessments wrong, either failing to conduct them at all, not conducting them frequently enough or conducting them to the standard demanded by HIPAA.

Peters pointed out that privacy violations are occurring frequently, with many HIPAA-covered entities still unsure of the allowable uses and disclosures of PHI. OCR recently announced two settlements have been reached with covered entities that have impermissibly disclosed patients’ health information to employers and the media.

Peters explained that the healthcare industry is not doing a good job at preventing cybersecurity incidents and that warrants attention, but it is important for OCR not to just focus on the hot topics and ‘sexy’ issues. OCR is also focussed on the lack of safeguards for paper records and the failure to secure removable media.

In the case of the latter, there have been numerous instances where ePHI has been exposed as a result of the failure to use encryption. Peters pointed out that if “[a device] can walk away from your enterprise, it will walk away.” OCR has settled cases with several organizations in recent months as a result of the lack of appropriate safeguards and policies and procedures covering removable devices.

Peters explained that OCR has been working on sharing penalties or other recoveries with individuals that have been harmed by privacy violations, although that has been a challenging process as it is difficult to determine and quantify harm. OCR is working on an advanced notice of proposed rulemaking and will be seeking advice from the public on how funds should be shared.

OCR is also working on initiatives to improve privacy protections at non-HIPAA covered entities. For instance, patients are being encouraged to share their health data with research organizations and through the “All of Us” initiative. For those programs to be as successful as they should be, patients need to be sure their data will be protected. OCR is providing advice to organizations and partners to ensure that patient data are protected, even if they are collected and stored by non-HIPAA-covered entities.

Peters also spoke of dealing with Certified EHR technology and how HIPAA applies to cloud computing, malware, and ransomware.

You can listen to the Compliance Perspectives podcast via this link.

The post HIPAA Enforcement Update Provided by OCR’s Iliana Peters appeared first on HIPAA Journal.