HIPAA News for Small and Mid-Sized Practices

Patient-Physician Texting to Be Covered at AMA Annual Meeting

Text messages are a quick and easy method of communication, although for healthcare professionals the use of SMS messages carries considerable privacy risks. While text messages can be used to communicate quickly with members of a care team, the inclusion of any protected health information (PHI) or personally identifiable information (PII) violates HIPAA Rules.

SMS texts are unencrypted, potentially allowing unauthorized individuals to access the messages and view the contents. SMS messages may also be stored on the servers of service providers. Those messages may remain on unsecured servers indefinitely.

Copies of SMS texts can remain on both the sender's and the recipient's phones. If either phone is lost or stolen, PHI/PII in those messages may be exposed. SMS also offers no HIPAA-compliant controls for verifying the identity of the recipient, or for the recipient to verify the identity of the sender.

The lack of safeguards in place to ensure the confidentiality and integrity of PHI and limited authentication controls means the sending of any PHI/PII over the SMS network is a violation of the HIPAA Security Rule.

Technology has advanced considerably in recent years, and numerous secure text messaging platforms are now available that incorporate all of the privacy, security, and authentication controls required by HIPAA. By using such a platform to send messages securely, healthcare professionals can communicate quickly, easily, and securely without risking a HIPAA violation.

While those secure messaging platforms satisfy HIPAA requirements, the platforms have yet to be approved by the Joint Commission for texting patient care orders. While the ban on texting orders was temporarily lifted, it was soon put back in place over fears of patient safety. The use of secure texting platforms was also thought to place an increased and unnecessary burden on nurses required to enter texted information into EHRs.

Due to the ease of communication via text messages, many healthcare organizations allow physicians to communicate with patients via text. Patients may even prefer to use SMS messages rather than logging into patient portals or calling their healthcare providers.

As with text messages between healthcare professionals, sending PHI or PII to patients via SMS is covered by HIPAA Rules. Any SMS communication with patients risks exposing PHI, so physicians and other healthcare professionals must exercise extreme caution.

Even with the potential privacy risks, the use of text messages for communicating with patients is increasing. This has prompted the American Medical Association (AMA) to discuss the issues surrounding the use of SMS messages and HIPAA-compliant texting platforms at next month’s AMA House of Delegates annual meeting.

The AMA has already issued guidance for healthcare providers on the use of email, although guidance on the use of text messages has not yet been issued. Current guidance is therefore expected to be expanded after the meeting to cover the use of text messaging between patients and physicians to help healthcare providers avoid privacy – and HIPAA – violations.

The post Patient-Physician Texting to Be Covered at AMA Annual Meeting appeared first on HIPAA Journal.

NIST Small Business Cybersecurity Act of 2017 Approved by SST Committee

Cybercriminals may not be targeting small healthcare practices to the same extent as large health systems, but as the OCR’s data breach portal shows, cyberattacks on small healthcare organizations occur frequently.

When cyberattacks occur they can be catastrophic for small businesses. Figures from the National Cybersecurity Alliance suggest 60% of small businesses cease trading within 6 months of experiencing a cyberattack. Faced with the financial burden of resolving a data breach, it is no surprise that so many businesses fail to make it through the next six months.

In order to prevent cyberattacks and keep sensitive health data secure, small healthcare organizations must effectively manage cybersecurity risks. However, many cybersecurity resources and security frameworks have been developed for medium to large sized businesses. Smaller organizations typically lack the necessary resources to be able to implement highly effective cybersecurity defenses and few have skilled cybersecurity staff to monitor and manage cybersecurity risks.

NIST has developed a cybersecurity framework to help organizations protect critical infrastructure, and while adoption of the framework can be advantageous for many businesses, for smaller organizations the demands are too great.

Late last year, NIST released a new guide specifically to help small businesses improve their cybersecurity posture. The guide was based on the NIST Framework for Improving Critical Infrastructure Cybersecurity; it outlined best practices and standards and explained how to implement an information security program that balances security with the capabilities of small businesses. Further guidance for small businesses will now be issued, following the approval of new legislation by the U.S. House Committee on Science, Space, and Technology last week.

The NIST Small Business Cybersecurity Act of 2017 calls for the National Institute of Standards and Technology to provide small to medium sized businesses with new guidance to allow them to reduce cybersecurity risk.

The NIST Small Business Cybersecurity Act requires NIST to develop clear and concise guidelines and make available appropriate tools, best practices, standards and methodologies to help small businesses identify, assess, manage and reduce cybersecurity risks. Those tools and guidelines will be based on the NIST Framework for Improving Critical Infrastructure Cybersecurity.

The new act does not make it mandatory for small businesses to access and follow the new guidance and best practices, although using the new resources will help small businesses effectively manage risk and prevent data breaches. The guidance and best practices, when completed, will be made available through the NIST website.

According to Chairman Lamar Smith (R-Texas), “The NIST Small Business Cybersecurity Act will help ensure that our small businesses have the information they need to protect themselves from cyber-attacks.”

Due to a squeeze on spending at NIST, the costs of developing the new resources and guidelines will have to be found from its existing budget. NIST has been given a year to develop and release the new guidance and resources.

The post NIST Small Business Cybersecurity Act of 2017 Approved by SST Committee appeared first on HIPAA Journal.

NCCIC Warns of Highly Sophisticated Campaign Delivering Multiple Malware Variants

Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) has issued an alert about an emerging sophisticated campaign affecting multiple industry sectors.

The attacks have been occurring for at least a year, with threat actors using stolen administrative credentials and certificates to install multiple malware variants on critical systems. A successful attack gives the threat actors full access to systems and data, while the methods used allow the attackers to avoid detection by conventional security solutions.

While many organizations have been attacked, one of the main targets has been IT service providers. Gaining access to their systems has allowed the actors to conduct attacks on their clients and gain access to their environments. The method of attack allows the actors to bypass conventional monitoring and detection tools and, in many cases, results in the attackers gaining full access to networks and stored data.

NCCIC is still investigating the campaign, so full information is not yet available, although an advance warning has been issued to allow organizations to search for signs of a potential system compromise and take appropriate action to mitigate risk.

While multiple tactics, techniques and procedures are used in the campaign, credentials are primarily stolen using malware. Those credentials are then used to gain access to business environments. Once access has been gained, the attackers use PowerShell for reconnaissance, to assess business networks, and to move laterally within them.

Communication with the command and control (C2) infrastructure is RC4-encrypted and carried over port 443; however, the C2 domains frequently change IP address, and the domains are commonly spoofed to make them appear to be Windows update sites or other legitimate domains.

While the threat actors use many malware variants, two of the most common are the REDLEAVES remote administration Trojan (RAT) and the sophisticated PLUGX/SOGU remote access tool, both of which are executed via DLL side-loading.

REDLEAVES can send a range of information about the user's system back to the attackers and allows them to run commands on the infected system. PLUGX provides the attackers with complete C2 capabilities, including taking screenshots and silently downloading files, with all C2 communications encrypted to prevent detection.

NCCIC has compiled and published indicators of compromise (IOCs) to allow organizations to identify intrusions and malware infections. Organizations have been advised to continuously analyse their systems for those IOCs via their normal intrusion detection systems.

It may not be possible for organizations to prevent their systems from being attacked, but if appropriate defences are put in place it will make it much harder for the threat actors to infiltrate systems and operate undetected. NCCIC says no single set of defensive techniques will avert malicious activity; however, adopting a multi-layered approach to security will allow organizations to construct an effective barrier to prevent attacks.

IOCs, details of the attack methods and suggested mitigations are available for download from NCCIC on this link.
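The following Python, added here as an illustration and not NCCIC's own tooling, shows the shape of the IOC sweep the alert asks for: it runs proxy log lines past an indicator list and additionally flags destination hosts that carry a Windows update or Microsoft brand string without belonging to those brands' real domains, which is the spoofing pattern the alert describes. The indicator values, allowlist, log format and log lines are all constructed placeholders; the real indicators come from the NCCIC download linked above.

```python
import re

# Placeholder indicators: replace with the domains and IPs in the NCCIC IOC download.
IOC_DOMAINS = {"update-check.example", "cdn-patch.example"}
IOC_IPS = {"203.0.113.10", "198.51.100.7"}          # TEST-NET addresses, constructed

# The alert says C2 domains were spoofed to resemble Windows update sites. A host that
# carries one of these brand strings but sits outside the brand's real domains is
# flagged for review. The allowlist is constructed for this example.
BRAND_TERMS = ("windowsupdate", "microsoft")
BRAND_ALLOWLIST = ("microsoft.com", "windowsupdate.com")

# Constructed proxy log format: timestamp client_ip dest_host dest_ip dest_port
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<ip>\S+) (?P<port>\d+)$")


def is_allowlisted_brand_host(host):
    """True if host is one of the brand's legitimate domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BRAND_ALLOWLIST)


def check_line(line):
    """Return (timestamp, client, host, reasons) or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    host = m["host"].lower().rstrip(".")
    reasons = []
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        reasons.append("ioc-domain")
    if m["ip"] in IOC_IPS:
        reasons.append("ioc-ip")
    if any(term in host for term in BRAND_TERMS) and not is_allowlisted_brand_host(host):
        reasons.append("brand-lookalike")
    return (m["ts"], m["src"], host, reasons)


def sweep(lines):
    """Return only the parsed lines that matched at least one indicator or rule."""
    hits = []
    for line in lines:
        result = check_line(line)
        if result is not None and result[3]:
            hits.append(result)
    return hits


# Constructed proxy log lines (TEST-NET destination addresses).
SAMPLE_LOG = [
    "2017-04-28T09:12:03Z 10.0.5.21 download.windowsupdate.com 192.0.2.1 443",
    "2017-04-28T09:12:07Z 10.0.5.21 windowsupdate-cdn.example 203.0.113.10 443",
    "2017-04-28T09:13:11Z 10.0.5.33 update-check.example 192.0.2.15 443",
    "2017-04-28T09:14:40Z 10.0.5.33 www.example.net 192.0.2.200 443",
    "2017-04-28T09:15:02Z 10.0.5.40 microsoft-update.example 198.51.100.7 443",
]

if __name__ == "__main__":
    for ts, client, host, reasons in sweep(SAMPLE_LOG):
        print(f"{ts} {client} -> {host}: {', '.join(reasons)}")
```

Because the alert notes that the C2 domains change IP address frequently, the IP match is the weaker signal here; the domain list and the brand-impersonation rule are the ones worth running continuously, and unparseable lines should be surfaced rather than silently skipped.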

The post NCCIC Warns of Highly Sophisticated Campaign Delivering Multiple Malware Variants appeared first on HIPAA Journal.

Majority of Organizations Failing to Protect Against Mobile Device Security Breaches

A recent report published by Dimensional Research has highlighted the growing threat of mobile device security breaches and how little organizations are doing to mitigate risk.

Cybercriminals may view employees as one of the weakest links in the security chain, but mobile devices are similarly viewed as an easy way of gaining access to data and corporate networks.

According to the report, the threat of mobile cyberattacks is growing. Two out of ten companies have already experienced a mobile device cyberattack, although in many cases organizations are not even aware that a cyberattack on a mobile device has occurred.

The survey, which was conducted on 410 security professionals, found that two thirds of respondents were doubtful they would be able to prevent a cyberattack on mobile devices and 51% believed the risk of data theft/loss via mobile devices was equal to or greater than the risk of data theft/loss from PCs and laptops. Yet, a third of respondents said they did not adequately protect mobile devices.

94% of respondents said cyberattacks on mobile devices will become more frequent while 79% said the already difficult task of securing mobile devices will become harder.

A broad range of attack methods are used to gain access to mobile devices and the networks and accounts to which they connect. Malware infections are the most common cause of mobile device security breaches, being involved in 58% of attacks. Text message phishing attacks were reported by 54% of organizations, as were man-in-the-middle attacks and connections to malicious Wi-Fi networks. Intercepted calls and text messages (43%) and keylogging and credential theft (41%) made up the rest of the top five attack methods.

Even though mobile device security breaches are occurring with increasing frequency, 38% of companies have yet to implement a dedicated mobile device security solution.

Virtually all staff members carry mobile phones at work, and many employees use them for work communications and to access sensitive data. Laptop computers are frequently lost or stolen, but they are usually protected; mobile devices are at even greater risk of loss or theft, yet they are poorly protected.

When asked why a mobile device security solution was not used, respondents most often cited a lack of budget (53%) and a shortage of resources (41%). For 37% of respondents, the perceived risk of a data breach or security incident did not justify the cost of a dedicated security solution. However, 62% of companies are aware of the increasing risk of mobile device security breaches and are dedicating more funds to securing mobile devices.

Since the devices are likely to store far less data than desktops, the perceived cost of a mobile device breach may be lower. However, the survey revealed that IT security professionals did not believe that to be the case. 37% of respondents said a mobile data breach would likely cost the company more than $100,000 to resolve, with 23% expecting the cost to be in excess of $500,000.

David Gehringer, Principal at Dimensional Research said, “The research consistently revealed that the overall focus and preparedness of security for mobile devices is severely lacking,” and pointed out that “security professionals identified the risk of mobile devices, but focus and resources assignment seem to be waiting for actual catastrophes to validate the need to properly prepare their defenses.”

As we have already seen on countless occasions, such a strategy can prove costly. That cost is likely to be much higher than the cost of implementing a security solution to protect mobile devices.

The post Majority of Organizations Failing to Protect Against Mobile Device Security Breaches appeared first on HIPAA Journal.

Rise in Business Email Compromise Scams Prompts IC3 Warning

There has been a massive increase in business email compromise scams over the past three years. In the past two years alone, the number of companies that have reported falling for business email compromise scams has increased by 2,370%, according to new figures released by the Internet Crime Complaint Center (IC3).

In the past three years, cybercriminals have used business email compromise scams to fraudulently obtain more than $5 billion. U.S. organizations lost more than $1.5 billion to BEC scams between October 2013 and December 2016.

The rise in BEC attacks has prompted IC3 to issue a new warning to businesses, urging them to implement a range of defenses to mitigate risk.

What are Business Email Compromise Scams and How Do They Work?

A business email compromise scam – also known as an email account compromise – involves an attacker gaining access to an email account of an executive and sending an email request to a second employee via the compromised email account. The request can be a bank transfer or a request to email data. Since the email comes from within an organization, the request is much less likely to arouse suspicion. Further, since a CEO, CTO or CFO email account is often involved, the email recipient is less likely to question the request.

Business email compromise scams often start with a phishing email. The aim of the phish is to obtain login credentials to email accounts, which can be provided by employees directly via a phishing website or obtained using malware.

Once access to an email account is gained, the attackers send an email request to another individual in the company requesting a bank transfer or asking for sensitive data to be emailed. This year has seen an increase in the latter during tax season. Email requests have been sent to HR and payroll departments requesting W-2 tax statements for all employees. Numerous healthcare organizations have been fooled into sending the data.

The majority of fraudulent transfer requests ask for payments to be sent to foreign bank accounts in China and Hong Kong. Just because a healthcare organization does not make wire transfers to Asia does not mean it is not at risk: IC3 reports that fraudulent transfers have been sent to bank accounts in 103 countries. Even organizations that issue checks rather than wire transfers are still at risk, because the attackers choose the payment method most commonly used by the targeted organization.

Typical Business Email Compromise Scams

There are many different variants of business email compromise scams, although the most common scams reported to IC3 are:

Bogus Invoice Scams

A compromised email account is used to gather information on frequently used suppliers. An email is then sent to a member of the billings/finance department requesting a transfer be made to that supplier, including a change to the usual bank account. The typical transfer amounts can be checked from past invoices and set accordingly so as not to arouse suspicion.

Business Executive Scams

Business executive scams involve an email being sent from a compromised executive email account to a member of the payroll/billings department requesting a bank transfer be made. This could involve a new supplier or an existing supplier.

Vendor Invoice Scams

In this scam, the victim is a vendor or client. The compromised email account is scanned and details gathered on clients and vendors. An email containing an invoice is then sent to the vendor/client requesting urgent payment. Vendors/clients may lack awareness of BEC scams and make the payment.

Friday Afternoon Scams

Typically performed on a Friday afternoon after financial institutions have closed, or at the end of the business day, these scams often involve the impersonation of an attorney or law firm used by the organization. Time-sensitive payments are requested with the targets often pressured into keeping the payments secret.

Data Theft Scams

Compromised email accounts are used to send requests to payroll/HR departments requesting tax summaries for all employees who worked during the past fiscal year. Other PII of employees may also be requested. In the case of healthcare organizations, similar scams may be performed requesting patients’ PHI and can be sent to any individual who has access to EHRs.

How Can Organizations Mitigate Risk?

Raising awareness of business email compromise scams is essential, especially with the employees most likely to be targeted – payroll, billings and HR department employees. Internal prevention techniques should also be implemented to block the initial phishing attempts to prevent access to email accounts being gained.

Internal policies and procedures should be implemented that require a two-step verification process before any new transfer request or request for sensitive information is processed. IC3 recommends setting up non-email, out-of-band communication channels to verify significant transactions. Digital signatures should also be used by the parties on each side of a transaction to verify identities. A secondary sign-off policy should be implemented for all requests to send sensitive data via email.

Two-factor authentication should be considered for all email accounts to protect the account in the event that a password is compromised. To reduce the risk of passwords being guessed, password policies should be implemented ensuring only strong passwords can be set.

All requests to send data or make transfers should be very carefully scrutinized. Any out-of-the-ordinary request or change to business practices should prompt the recipient to independently verify the request or suggested change to business practices.

Spam filters and intrusion detection systems should be configured to flag or quarantine all emails sent from domains that resemble the company's own email domain, to prevent spoofing.
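As an added example (not IC3 guidance and not code from HIPAA Journal), the following Python shows how a mail-filter rule of the kind just described can classify a sender domain as internal, a lookalike of the company domain, or plainly external. The company domain, the homoglyph table, the edit-distance threshold and the sample From headers are all constructed for the example.

```python
import re

# Constructed placeholder for the organization's own mail domain.
COMPANY_DOMAIN = "examplehealth.org"

# Characters and digraphs often swapped into lookalike domains, mapped back to the
# letters they imitate. Constructed for this example, not an exhaustive list.
HOMOGLYPH_CHARS = str.maketrans("0135", "oles")
HOMOGLYPH_DIGRAPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Largest edit distance from the company domain still treated as a typo-squat.
MAX_EDIT_DISTANCE = 2


def normalise(domain):
    """Collapse common homoglyph substitutions so 'examp1ehealth' reads 'examplehealth'."""
    d = domain.lower().translate(HOMOGLYPH_CHARS)
    for digraph, letter in HOMOGLYPH_DIGRAPHS:
        d = d.replace(digraph, letter)
    return d


def edit_distance(a, b):
    """Levenshtein distance by dynamic programming over two rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Extract the domain from a From header such as 'Name <user@host>'."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def classify_sender(from_header, company=COMPANY_DOMAIN):
    """Return 'internal', 'lookalike' or 'external' for the sender's domain."""
    domain = sender_domain(from_header)
    if domain == company or domain.endswith("." + company):
        return "internal"
    company_name = company.rsplit(".", 1)[0]
    if normalise(domain) == normalise(company):
        return "lookalike"            # homoglyph swap, e.g. examp1ehealth.org
    if edit_distance(domain, company) <= MAX_EDIT_DISTANCE:
        return "lookalike"            # typo-squat, e.g. examplehealt.org
    if domain.rsplit(".", 1)[0] == company_name:
        return "lookalike"            # same name, different TLD, e.g. .com
    if company_name in domain.split("."):
        return "lookalike"            # company name used as a label of a foreign domain
    return "external"


def screen_inbox(from_headers):
    """Group From headers by verdict; 'lookalike' is the bucket to quarantine."""
    buckets = {"internal": [], "lookalike": [], "external": []}
    for header in from_headers:
        buckets[classify_sender(header)].append(header)
    return buckets


# Constructed sample From headers.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@examplehealth.org>",
    "Payroll <payroll@hr.examplehealth.org>",
    "CFO <cfo@examp1ehealth.org>",
    "CFO <cfo@exarnplehealth.org>",
    "Billing <billing@examplehealth.com>",
    "Accounts <accounts@examplehealth.org.invalid-example>",
    "Vendor <ap@vendor-example.test>",
]

if __name__ == "__main__":
    for verdict, headers in screen_inbox(SAMPLE_FROM_HEADERS).items():
        for header in headers:
            print(f"{verdict:9s} {header}")
```

A rule like this complements, rather than replaces, sender authentication (SPF, DKIM and DMARC), which catches exact-domain spoofing; the lookalike check is what covers the registered-but-similar domains that authentication alone passes.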

Organizations should encourage all employees never to use the reply option when responding to email requests, instead using the forward option and manually typing in the email addresses or selecting the email address from a contact list.

A culture of security should be developed, with training provided to all staff warning of the risks of opening emails, attachments and clicking hyperlinks sent from unknown senders. The risks of business email compromise scams should also be clearly explained to all staff.

A system of reporting suspect emails should also be implemented to allow action to be taken to prevent other employees from falling for the same scam.

The post Rise in Business Email Compromise Scams Prompts IC3 Warning appeared first on HIPAA Journal.

Bitglass Publishes 2017 Healthcare Data Security Report

Bitglass has recently published its 2017 Healthcare Data Breach Report, the third annual report on healthcare data security issued by the data protection firm.

For the report, Bitglass analyzed the healthcare data breach reports submitted to the Department of Health and Human Services' Office for Civil Rights.

The report confirms 2016 was a particularly bad year for healthcare industry data breaches. Last year saw record numbers of healthcare data breaches reported, although the number of healthcare records exposed in 2016 was lower than in 2015. In 2016, 328 healthcare data breaches were reported, up from 268 incidents in 2015. Last year’s healthcare data breaches impacted around 16.6 million Americans.

The good news is that while incidents are up, breaches are exposing fewer healthcare records. If the colossal data breach at Anthem Inc., which exposed 78.8 million healthcare records, is considered an anomaly and is excluded from last year’s figures, the number of individuals impacted by healthcare data breaches has fallen for two years in a row. That trend looks set to continue in 2017, although the number of data breaches already reported by healthcare organizations remains high.

The 2017 Healthcare Data Security Report confirms that the biggest problem area is unauthorized disclosures, which accounted for 40% of breaches last year. Those figures include deliberate acts by healthcare employees and unintentional errors that left data exposed.

The report’s authors explain the rise in unauthorized disclosures saying, “Unauthorized disclosures continue to tick up and are now the leading cause of breaches as data moves to cloud and mobile and as external sharing becomes easier.”

Those incidents have exposed the records of many Americans, but hacking is the biggest cause of exposed and stolen records. More records were stolen as a result of hacking than all of the other breach causes combined.

80% of all exposed/stolen healthcare records in 2016 were the result of hacks and the five largest healthcare data breaches of 2016 were all due to hacking and IT incidents. The same is true of 2017 so far. With the exception of the largest reported breach this year, all other breaches in the top five were the result of hacking.

Largest Healthcare Data Breaches of 2016

| Rank | Organization | Entity Type | Individuals Affected | Cause of Breach |
|------|--------------|-------------|----------------------|-----------------|
| 1 | Banner Health | Healthcare Provider | 3,620,000 | Hacking/IT Incident |
| 2 | Newkirk Products | Business Associate | 3,466,120 | Hacking/IT Incident |
| 3 | 21st Century Oncology | Healthcare Provider | 221,3597 | Hacking/IT Incident |
| 4 | Valley Anesthesiology Consultants | Healthcare Provider | 882,590 | Hacking/IT Incident |
| 5 | County of Los Angeles Departments of Health and Mental Health | Healthcare Provider | 749,017 | Hacking/IT Incident |
| 6 | Bon Secours Health System Incorporated | Healthcare Provider | 651,971 | Hacking/IT Incident |
| 7 | Peachtree Orthopaedic Clinic | Healthcare Provider | 531,000 | Unauthorized Access/Disclosure |
| 8 | Radiology Regional Center, PA | Healthcare Provider | 483,063 | Hacking/IT Incident |
| 9 | California Correctional Health Care Services | Healthcare Provider | 400,000 | Loss |
| 10 | Community Health Plan of Washington | Health Plan | 381,504 | Theft |

Largest Healthcare Data Breaches of 2017 (January-April)

| Rank | Organization | Entity Type | Individuals Affected | Cause of Breach |
|------|--------------|-------------|----------------------|-----------------|
| 1 | Commonwealth Health Corporation | Healthcare Provider | 697,800 | Theft |
| 2 | Urology Austin, PLLC | Healthcare Provider | 279,663 | Hacking/IT Incident |
| 3 | VisionQuest Eyecare | Healthcare Provider | 85,995 | Hacking/IT Incident |
| 4 | Washington University School of Medicine | Healthcare Provider | 80,270 | Hacking/IT Incident |
| 5 | Emory Healthcare | Healthcare Provider | 79,930 | Hacking/IT Incident |
| 6 | Stephenville Medical & Surgical Clinic | Healthcare Provider | 75,000 | Unauthorized Access/Disclosure |
| 7 | Primary Care Specialists, Inc. | Healthcare Provider | 65,000 | Hacking/IT Incident |
| 8 | ABCD Pediatrics, P.A. | Healthcare Provider | 55,447 | Hacking/IT Incident |
| 9 | WellCare Health Plans, Inc. | Health Plan | 24,809 | Hacking/IT Incident |
| 10 | Denton Heart Group | Healthcare Provider | 21,665 | Theft |

Healthcare Security Spending is Increasing

Fortunately, healthcare organizations have realized they need to increase spending on data and network security defenses. Security budgets are growing rapidly, and while they are not quite at the level of the retail sector, they are fast catching up.

While healthcare organizations are committed to protecting the privacy of patients, one of the main drivers behind the increase in security investment is the cost of breach resolution. The cost of data breaches makes investment in cybersecurity defenses a priority.

The authors of the 2017 Healthcare Data Breach Report point out that healthcare data breaches cost more to resolve than breaches experienced by other industries. Figures from the Ponemon Institute show that a healthcare data breach costs organizations an average of $402 per compromised record. For other industries, the average is $221 per compromised record. With such high costs, lax data security simply isn’t an option.

Bitglass CEO Nat Kausik said, “While threats to sensitive healthcare data will persist, increased investments in data-centric security and stronger compliance and disclosure mandates are driving down the impact of each breach event.”

The post Bitglass Publishes 2017 Healthcare Data Security Report appeared first on HIPAA Journal.

Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure

A recent survey by Accenture has explored consumers’ attitudes about healthcare data security and the impact of healthcare data breaches on consumers.

The survey revealed the extent to which individuals had suffered losses as a result of a data breach, how consumers felt their organization handled data breaches and the effect those breaches had on trust.

Trust in Healthcare Providers and Insurers is High

In the United States, trust in healthcare providers’ and health insurers’ ability to keep sensitive data secure is high. 88% of respondents said they trusted their physician or other healthcare providers ‘somewhat’ (53%) or ‘a great deal’ (36%). Trust in hospitals was slightly lower at 84% (54% somewhat / 30% a great deal). Health insurers and laboratories that process medical tests fared slightly worse, both somewhat trusted by 54% of respondents and trusted a great deal by 28% of respondents.

Distrust – not at all trusted or not trusted very much – was highest for urgent care clinics (25%), non-medical staff at physicians’ and healthcare providers’ offices (36%) and tech companies that provide wearables and health apps (43%). As a comparison, 56% said they somewhat trusted or trusted the government a great deal with respect to health data security; 32% didn’t trust the government very much and 13% didn’t trust the government at all.

80% of consumers were very confident or somewhat confident in their healthcare providers’ data security measures, with confidence in health insurers’ data security measures a fraction lower at 79%. The measures put in place by health app and device companies received one of those two highest ratings from only 63% of consumers.

Trust may be fairly high, but a quarter of U.S. consumers have experienced a breach of their healthcare data and half of those individuals have been a victim of medical identity theft as a direct result. Consumers have been forced to cover costs as a result of the exposure of their data, with 88% of individuals spending an average of $2,528.

More than a third of those individuals said the breach had occurred at their hospital. 22% said their pharmacy or urgent care clinic had been breached, and health insurers’ and physicians’ offices were the next worst affected, each named as the source of the breach by 21% of consumers.

Even with HIPAA Rules requiring breach notifications to be sent to patients, half of those impacted by a health data breach said they found out about it on their own. Only 36% of respondents said their company told them about the breach, although 91% said action was taken by that company in response to the breach.

The breach response was rated as being handled very well by 25% of respondents and somewhat well by 51% of respondents. 18% said the breach response was not handled very well and 6% said it was not handled well at all.

Trust in Healthcare Organizations May Improve After a Data Breach

While healthcare data breaches have the potential to destroy patients’ and health plan members’ trust in their providers, the survey showed that is not always the case. In fact, in 41% of cases, consumers’ trust in their healthcare organizations increased after a data breach.

12% of respondents said they ended up trusting their providers much more, 29% said they trusted their providers a little more and 24% said the breach response made no difference to trust levels.

The results show just how important it is for the breach response to be handled well. 34% of respondents said they lost trust in their healthcare organization after a breach was experienced.

Getting the breach response right is essential if healthcare organizations want to ensure trust is not negatively affected. For that to happen, organizations must be prepared for the worst and have policies and procedures that can be rapidly implemented when a breach is discovered.

Fast notifications are important for consumers as they need to take action to secure their accounts and protect their identities. 91% of respondents said they personally took action when they discovered their health data had been stolen. The faster that process can take place, the less likely consumers are to experience losses.

Getting breach notifications right is also important. If trust is to be built, consumers need to be reassured that privacy and security are taken seriously. Consumers should also be informed about the actions being taken in response to the breach to ensure a similar incident will not occur in the future. However, this is an area that could be improved.

Only 27% of companies explained the cause of the breach, and just 26% said the breach had prompted them to add new security protocols. Only 22% explained how future breaches would be prevented.

Fewer than a quarter of companies (24%) explained the potential consequences of the breach to consumers and only 23% offered identity theft protection services.

The post Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure appeared first on HIPAA Journal.

Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine.

A $2.5 million settlement has been agreed with CardioNet to resolve HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias.

Settlements have previously been agreed with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider.

While OCR has not previously fined a wireless health services provider for violating HIPAA Rules, the same cannot be said of the violations discovered. Numerous settlements have previously been agreed with covered entities after OCR discovered risk analysis and risk management failures.

In this case, the settlement relates to a data breach reported to OCR in January 2012. In 2011, an employee of CardioNet left a laptop computer in a vehicle that was left outside that individual’s home. The laptop computer was stolen, resulting in the impermissible disclosure of 1,391 patients’ electronic protected health information (ePHI).

As is customary following all breaches involving the theft or exposure of the PHI of 500 or more individuals, OCR conducted an investigation to determine whether the breach was a direct result of violations of HIPAA Rules.

In this case, a risk analysis had been performed, but OCR investigators determined that the risk analysis was not comprehensive – a violation of 45 C.F.R. § 164.308(a)(1). Also, at the time of the breach, there were inadequacies in CardioNet’s risk management process.

By 2011, all HIPAA-covered entities were required to comply with the HIPAA Security Rule, yet CardioNet’s HIPAA policies and procedures were still only in draft form and had not yet been implemented. OCR requested final copies of policies and procedures covering the safeguarding of ePHI stored on mobile devices, yet CardioNet was unable to produce any HIPAA-compliant documentation regarding the implementation of ePHI safeguards for mobile devices.

CardioNet was also determined to have violated 45 C.F.R. § 164.310(d)(1) by failing to implement policies and procedures covering the receipt and removal of hardware containing ePHI, and by failing to implement encryption – or an equivalent safeguard – to prevent the exposure of ePHI stored on mobile devices.

Any laptop computer or other mobile device that is used to store the ePHI of patients is vulnerable to theft or loss. When those devices are removed from the premises of a HIPAA-covered entity, the risk of theft or loss increases considerably. Covered entities must therefore implement appropriate safeguards to ensure that in the event of loss or theft of those devices, ePHI remains protected.

OCR Director Roger Severino said the “failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

The latest HIPAA settlement should send a strong message to covered entities that the failure to comply with HIPAA Rules can prove very costly, and that it is not only hospitals and health plans that run the risk of a significant financial penalty for failing to comply with HIPAA Rules.

2017 HIPAA Settlements

The other HIPAA settlements agreed between OCR and covered entities in 2017 are:

  • The Center for Children’s Digestive Health – $31,000
  • Metro Community Provider Network – $400,000
  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas – $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presence Health – $475,000

The post Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million appeared first on HIPAA Journal.

$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011.

Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation.

The incident that triggered the OCR investigation was a phishing attack that occurred on December 5, 2011. A hacker sent phishing emails to MCPN personnel, and the responses enabled that individual to gain access to employees’ email accounts. Those accounts contained the electronic protected health information of 3,200 patients.

OCR investigates all breaches of 500 or more patient records to determine whether healthcare organizations have experienced a breach as a direct result of violations of HIPAA Rules. OCR notes that MCPN took the necessary action following the breach to prevent further phishing attacks from being successful; however, OCR investigators uncovered multiple violations of HIPAA Rules.

Phishing attacks on healthcare organizations are to be expected and it would be unreasonable to expect healthcare organizations to be able to reduce the risk of a successful phishing attack to zero. However, HIPAA-covered entities must take steps to identify potential risks and to take action to reduce risks to an appropriate level.

One of the fundamental elements of the HIPAA Security Rule is the risk analysis. The purpose of the risk analysis is to identify risks to the confidentiality, integrity, and availability of electronic protected health information. If a risk analysis is not conducted, HIPAA-covered entities will not be able to determine with any degree of certainty whether all risks have been identified. Appropriate measures to reduce those risks to acceptable levels would therefore be unlikely to be implemented.

While OCR confirmed that MCPN had conducted a risk analysis, it had not been performed until mid-February 2012, more than two months after the phishing attack had occurred. Further, that risk analysis and all subsequent risk analyses performed by MCPN did not meet the minimum requirements of the HIPAA Security Rule.

The lack of a timely and comprehensive risk analysis meant MCPN failed to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI that the organization held. MCPN also failed to implement a risk management plan to address the risks identified in the risk analysis.

OCR also determined that MCPN had failed to implement appropriate security measures to reduce risks to a reasonable and acceptable level, and had not implemented policies and procedures to prevent, detect, contain, and correct security violations.

When deciding an appropriate settlement, OCR took into consideration MCPN’s status as an FQHC and its financial position, to ensure MCPN could maintain sufficient financial standing to continue to provide ongoing patient care. The HIPAA settlement could otherwise have been considerably higher.

This is the first HIPAA settlement announced since the appointment of Roger Severino as Director of OCR. Severino issued a statement about the settlement explaining “Patients seeking health care trust that their providers will safeguard and protect their health information…Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”

This is the fifth HIPAA settlement of 2017. OCR has previously agreed to settle potential violations of the Health Insurance Portability and Accountability Act with the following HIPAA-covered entities in 2017:

  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas – $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presence Health – $475,000

The post $400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures appeared first on HIPAA Journal.