HIPAA News for Small and Mid-Sized Practices

Small Business Cybersecurity Bill Heads to Senate

New legislation to help small businesses protect their data and digital assets was approved by the Senate Commerce, Science and Transportation Committee this week. The bill, introduced by Sen. Brian Schatz (D-Hawaii) last week, will now head to the full U.S. Senate.

The legislation, the MAIN STREET (Making Information Available Now to Strengthen Trust and Resilience and Enhance Enterprise Technology) Cybersecurity Act, will require the National Institute of Standards and Technology (NIST) to develop new guidance specifically for small businesses to help them protect themselves against cyberattacks.

New NIST guidance should include basic cybersecurity measures that can be adopted to improve resilience against cyberattacks and mitigate basic security risks.

NIST has developed guidance and security frameworks to help larger organizations protect their assets and data, but for smaller businesses with limited knowledge of cybersecurity and a lack of trained staff and resources, those frameworks can be difficult to adopt.

What is needed is specific guidance for small businesses that can easily be adopted to improve cybersecurity defenses. If the new legislation is passed, NIST would be required to develop simplified guidance specifically tailored to the needs of small businesses.

Many small business owners do not believe they are at risk because of the size of their organization. Yet, breaches at small to mid-sized businesses are all too common. In the past two years, cyberattacks on small businesses have significantly increased.

A 2016 survey conducted by Keeper Security – 2016 State of SMB Cybersecurity – suggests half of small businesses experienced a breach in the past 12 months. The main threats are phishing and social engineering attacks on employees, although the survey revealed numerous vulnerabilities that could all too easily be exploited by cybercriminals. The survey of 600 SMB IT leaders revealed that only 14% of those businesses had cybersecurity defenses that were considered to be very effective.

When it comes to preventing cyberattacks and improving cybersecurity defenses, many small businesses – including small healthcare organizations – do not know where to start. Many small businesses do not have a dedicated IT person and are unaware of what is required to prevent cyberattacks. Cybersecurity guidance is sorely needed.

If passed, the new legislation would require NIST to suggest commonly used, off-the-shelf products that can be easily implemented in a cost-effective manner to mitigate common cybersecurity risks.

Sen. Maria Cantwell (D-Wash.), one of the bill’s five sponsors, said, “By creating a simple, voluntary cybersecurity framework for small businesses, the Main Street Cybersecurity Act will help them protect their data.”

The post Small Business Cybersecurity Bill Heads to Senate appeared first on HIPAA Journal.

Congress Advised to Offer Incentives to Improve Healthcare Threat Intelligence Sharing

With the healthcare industry under a sustained attack and the cyber threat landscape constantly evolving, law enforcement, the government, and private industry need to collaborate to counter the threat of cyberattacks. Cybercrime cannot be effectively tackled by organizations acting in isolation.

The sharing of threat information is essential in the fight against cybercrime. Dissemination of this information makes it easier for law enforcement and government agencies to combat cybercrime. Accessing that information also allows healthcare entities to take timely action to address vulnerabilities before they are exploited.

Government and law enforcement agencies are educating healthcare organizations on the importance of sharing threat intelligence, although currently too few entities are sharing threat information.

At a Congressional Energy and Commerce Committee hearing this week, cybersecurity experts made suggestions on how Congress can improve threat information sharing and improve healthcare cybersecurity.

At the hearing, Denise Anderson, president of the National Health Information Sharing and Analysis Center (NH-ISAC), explained that failing to take action to combat cybersecurity threats is putting patient safety at risk. In some cases, this could be a life or death matter for affected patients.

Ransomware can prevent patients’ health records from being accessed by healthcare providers; however, Anderson explained that data manipulation could be an even bigger problem. If cybercriminals were to change medical records, they could then demand a ransom from the healthcare provider to divulge which records had been changed. Data manipulation could result in patients being incorrectly diagnosed or provided with the wrong medications. That could have fatal consequences.

The healthcare industry has many small to medium-sized healthcare organizations that lack the capital and resources to deal with cybersecurity issues. They cannot keep up with the practices that are required to keep patients’ data secured. Many are faced with a choice – purchase essential medical equipment or a new cybersecurity tool. There is little incentive to choose the latter.

Cybersecurity Incidents Often Go Unreported

The number of cybersecurity threats has increased significantly in recent years, as has the number of reported healthcare data breaches, yet those reported breaches are just a fraction of the security incidents that are now plaguing the healthcare industry. Many cybersecurity threats and security incidents go unreported.

Evidence gathered from normal security monitoring suggests there are far more breaches occurring than current data breach reports suggest. Terry Rice, vice president of IT risk management and chief information security officer at Merck, suggested that while laws are in place that require healthcare organizations to report security incidents, current disclosure laws have limited requirements for reporting incidents, and many organizations are either not submitting incident reports or are delaying them.

Threat Information Sharing is Critical

While it is important for further efforts to be made to educate the healthcare industry on the importance of sharing threat information, education alone is unlikely to solve the problem. Sharing threat information carries a cost that many small healthcare providers simply cannot afford.

Anderson suggests that while there are clear benefits to participating in information sharing efforts, threat intelligence sharing should not be mandatory. Healthcare organizations should be given a choice. However, healthcare organizations can be encouraged to share information if they are offered financial incentives for doing so.

She also suggested ISACs should be offered tax breaks, that information shared through ISACs should be protected, and that organizations that share threat intelligence should be provided with better legal protections.

Congress was also advised to create permanent cybersecurity liaisons and leaders. Those individuals should be experienced cybersecurity professionals that are aware of the threats, vulnerabilities and cybersecurity issues faced by the healthcare industry.

Michael McNeil, global product security and services officer for Royal Philips, pointed out that cyberattacks on medical devices pose a serious threat to patients and potentially place patients’ lives at risk.

He suggested medical device manufacturers should be included in conversations about cybersecurity and should ensure security is considered at every stage of the manufacturing process. Device manufacturers must also address cybersecurity issues at every stage of the product lifecycle, not just until their devices come to market.

Device manufacturers also need to collaborate and agree to a set of standards that can be adopted to improve cybersecurity. There should be regulatory requirements covering cybersecurity for device manufacturers.


More than 55,000 Patients Impacted by ABCD Pediatrics Ransomware Attack

San Antonio, TX-based ABCD Pediatrics has discovered cybercriminals gained access to its servers and encrypted data with ransomware, including the protected health information of its patients. The individuals behind the attack may also have gained access to data stored on the healthcare provider’s servers prior to ransomware being deployed. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 55,447 patients have been impacted.

The attack involved a variant of CrySiS ransomware called Dharma, which started encrypting data on February 6, 2017. Dharma ransomware is not known to exfiltrate data; however, an analysis of the attack revealed a number of suspicious user accounts on the servers, suggesting access had been gained prior to the ransomware being installed. User logs were also discovered that indicated programs or users may have been on the servers for a limited period of time prior to the ransomware being installed.

Fortunately, the encryption process was hampered by the anti-virus solution used by ABCD Pediatrics. ABCD Pediatrics, via its IT company, was able to isolate the affected servers and take them offline, limiting the effectiveness of the attack. ABCD was not able to determine with a high degree of certainty that data were not viewed or stolen, although no evidence was uncovered to suggest data were accessed or exfiltrated.

The types of information potentially compromised included patients’ names, addresses, telephone numbers, demographic information, dates of birth, Social Security numbers, insurance billing information, medical records, procedural codes and lab test results. To protect patients from identity theft and fraud, ABCD Pediatrics has offered 12 months of credit monitoring and identity theft protection services to affected individuals via Equifax Personal Solutions.

Fortunately, ABCD Pediatrics was able to restore all encrypted and corrupted data from a backup that was securely stored on a different system. No data were lost as a result of the attack and no ransom was paid. ABCD Pediatrics reports that no ransom demand was actually received from the attackers.

The ransomware attack occurred in spite of a host of security defenses that had been deployed. Those defenses included “network filtering and security monitoring, intrusion detection systems, firewalls, antivirus software, and password protection.”

The forensic investigation identified the source of the attack and additional security solutions have now been deployed to prevent future attacks, including state-of-the-art network cyber monitoring.

The incident shows that even with advanced cybersecurity solutions in place, ransomware attacks remain a threat. While it may not be possible to prevent all ransomware attacks, risk can be reduced to an acceptable level with cybersecurity solutions, and securely stored backups of data will ensure that ransom demands do not have to be paid.

A good backup policy to adopt is the 3-2-1 approach. There should be three copies of data: two should be stored locally on two different media and one should be stored off site. The local media should be disconnected after a backup has been performed.


FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks

The Federal Bureau of Investigation has issued a warning to healthcare organizations using File Transfer Protocol (FTP) servers. Medical and dental organizations have been advised to ensure FTP servers are configured to require users to be properly authenticated before access to stored data can be gained.

Many FTP servers are configured to allow anonymous access using a common username such as ‘FTP’ or ‘anonymous’. In some cases, a generic password is required, although security researchers have discovered that in many cases, FTP servers can be accessed without a password.

The FBI warning cites research conducted by the University of Michigan in 2015 that revealed more than 1 million FTP servers allowed anonymous access to stored data.

The FBI warns that hackers are targeting these anonymous FTP servers to gain access to the protected health information of patients. PHI carries a high value on the black market as it can be used for identity theft and fraud.

Healthcare organizations could also be blackmailed if PHI is stolen. Last year, the hacker operating under the name TheDarkOverlord conducted a number of attacks on healthcare organizations. The protected health information of patients was stolen and organizations were threatened with the publication of data if a sizable ransom payment was not made. In some cases, patient data were published online when payment was not received.

There are reasons why IT departments require FTP servers to accept anonymous requests; however, if that is the case, those servers should not be used to store any protected health information of patients. If PHI must be stored on the servers, they cannot be configured to run in anonymous mode.

In anonymous mode, any information stored on the server can potentially be accessed by the public. Hacking skills would not be required. Default usernames are freely available on the Internet.

Even if PHI is not stored on the servers, healthcare organizations may still be at risk. Any sensitive data could be accessed and used against the organization, ransomware could be installed or the servers could be used by hackers and other cybercriminals to store illegal content or malicious tools.

In the alert, the FBI said, “In general, any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft or financial fraud.”

Large healthcare organizations may already have ensured their servers are not configured to allow anonymous access or that all sensitive information has been removed from those servers; however, that may not be the case for smaller healthcare organizations. Smaller medical and dental organizations are more likely to be placing patient data and other sensitive information at risk.

The FBI suggests all healthcare organizations should instruct their IT departments to check the configuration of their FTP servers to ensure they are not running in anonymous mode and to take immediate action to secure those servers and reduce risk if they are.
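One way to carry out that check on a Linux server running vsftpd, as an added example that is not part of the FBI alert or this article: the audit below parses a vsftpd-style configuration, applies the defaults documented in vsftpd.conf(5) for keys that are absent (upstream vsftpd allows anonymous logins unless anonymous_enable=NO is set explicitly), and reports the weak settings next to a hardened configuration. The two sample configurations are constructed; other FTP daemons use different option names.

```python
"""Audit a vsftpd-style configuration for anonymous access (added example).

Assumptions: vsftpd's key=value format and the option names and defaults
documented in vsftpd.conf(5). Other FTP daemons use different keys.
"""

# Constructed sample: the kind of server the FBI alert warns about.
WEAK_CONF = """\
# vsftpd.conf (constructed example)
listen=YES
anonymous_enable=YES
anon_upload_enable=yes
anon_mkdir_write_enable=YES
local_enable=YES
write_enable=YES
ssl_enable=NO
"""

# Constructed sample: the same server after hardening.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

# Upstream vsftpd defaults for the options checked (assumption: per vsftpd.conf(5)).
# Note that anonymous logins are ON unless the key is explicitly set to NO.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "ssl_enable": "NO",
}

TRUE_VALUES = {"YES", "TRUE", "1"}


def parse_vsftpd_conf(text):
    """Parse key=value lines, skipping blanks and '#' comments; later keys win."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().upper()
    return settings


def is_on(settings, key):
    """Effective boolean value of an option, falling back to the vsftpd default."""
    return settings.get(key, DEFAULTS[key]) in TRUE_VALUES


def audit_ftp_config(text):
    """Return a list of findings; an empty list means no weak setting was found."""
    cfg = parse_vsftpd_conf(text)
    findings = []
    if is_on(cfg, "anonymous_enable"):
        how = "explicitly" if "anonymous_enable" in cfg else "by default (key absent)"
        findings.append(f"anonymous logins enabled {how}: set anonymous_enable=NO")
        if is_on(cfg, "anon_upload_enable") or is_on(cfg, "anon_mkdir_write_enable"):
            findings.append("anonymous users can write to the server: it could be "
                            "used to host malicious tools or illegal content")
    if not is_on(cfg, "ssl_enable"):
        findings.append("ssl_enable=NO: credentials and files cross the network "
                        "in clear text; enable TLS")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_ftp_config(conf) or ['no findings']}")
```

Running the audit against a configuration with no anonymous_enable line at all still reports anonymous access, which is the case most easily missed when reviewing a server by eye.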


SAFER Guides Updated by ONC: Ransomware Prevention and Mitigations Now Included

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has updated its SAFER Guides to include information to help healthcare providers protect against ransomware attacks and mitigate attacks should they occur.

The Safety Assurance Factors for Electronic Health Record Resilience (SAFER) Guides were first released in January 2014 to help healthcare providers improve the usability of their EHRs and address the risks that EHR technology can introduce. The SAFER Guides can also be used to reduce the potential for patients to suffer EHR-related harm.

The SAFER Guides cover a range of key focus areas and include evidence-based best practices that can be adopted by healthcare providers to improve the usability and safety of their EHRs. Over the past three years, technology has changed as have the threats faced by the healthcare industry.

The guides were therefore due an update to keep them useful and relevant. Prior to issuing the updated guides, ONC sought feedback from healthcare providers and developers of EHRs. The comments and recommendations received from the National Academy of Medicine, the National Quality Forum, the American Medical Informatics Association, the Electronic Health Record Association and other organizations have been used to develop new best practices that healthcare providers should adopt.

The SAFER Guides include checklists and recommendations for healthcare organizations along with note templates that can be used to improve the safety and usability of EHRs. ONC says the guides have been developed to help reduce data-related burdens.

The guides now cover ransomware prevention strategies and mitigations to reduce the impact of ransomware attacks, including how to manage downtime following ransomware attacks and how to respond when EHR systems are slow or inaccessible.

The updated SAFER Guides can help organizations with EHR contingency planning to ensure compliance with that aspect of the HIPAA Security Rule. The SAFER Guides now include an EHR contingency planning self-assessment to help in this regard.

The guides also include a new recommendation in the Test Results and Follow-Up Reporting Guide to help healthcare organizations communicate abnormal results to patients. The update includes advice ONC received from the National Academy of Medicine.

To date, more than 52,000 users have downloaded the SAFER Guides and many EHR developers are now using the guides to help their customers set up their EHR systems and improve both safety and usability.

ONC says the SAFER Guides are particularly useful for technical assistance providers to help smaller healthcare organizations improve care quality and participate in the Medicare Quality Payment Program.


What Can Small Healthcare Providers Do To Prevent Ransomware Attacks?

Ransomware attacks on healthcare providers are occurring with alarming frequency. Figures from the FBI suggest as many as 4,000 ransomware attacks are occurring every day.

Healthcare organizations are targeted because they hold large volumes of data and access to those data is required to provide medical services to patients. Without access to patients’ health information, healthcare services can be severely disrupted. Such reliance on data makes healthcare providers attractive targets as they are more likely than other companies to give in to ransom demands to obtain keys to unlock their data.

All businesses, and healthcare organizations especially, should implement a number of defenses to prevent ransomware attacks. Policies and procedures should also be developed to ensure that in the event of an attack, business operations are not severely disrupted and data can be recovered quickly.

There is no one technology solution that can be deployed to prevent ransomware attacks from occurring, although there are a number of actions that can be taken to improve resilience against ransomware attacks and ensure a fast recovery can be made at minimal cost.

How to Prevent Ransomware Attacks

Listed below are some of the steps that healthcare providers should take to improve their defenses against ransomware:

  • Deploy and configure an anti-spam solution – Consider all of the email attachment types that employees are likely to require and block all others, especially JavaScript (.js) and Visual Basic script (.vbs) files, executables (.exe) and screensaver files (.scr)
  • Configure computers to display file extensions. Double extensions are often used to trick end users into believing files are harmless, for example Invoice.xlsx.scr. Displaying file extensions will help users identify malicious files
  • Ensure Office installations are configured to block macros, or at least ensure macros must be run manually. Make sure all employees are warned of the dangers of enabling and running macros
  • Ransomware infections often occur via Windows PowerShell. Unless PowerShell is essential, consider disabling it
  • Ensure all software is kept up to date and patches are applied promptly
  • Segment your network – An attack on one device should not allow all of the company’s data to be encrypted
  • Provide training to all employees on security best practices and instruct them never to open email attachments, or click links, in emails from unknown senders
  • Consider an Internet filtering solution that can be used to block end users from visiting malicious websites
  • Ensure anti-virus software is installed and virus definitions are set to update automatically. Consider installing a popup blocker in web browsers
  • Block all unused ports on computers
  • Train all staff members on basic cybersecurity and best practices
  • Conduct dummy phishing email tests to ensure training has been effective
  • Ensure all employees are trained on the correct response to a potential attack. Ensure staff members are made aware of the importance of reporting any suspicious emails and how to respond if they believe they may have inadvertently installed ransomware
  • Ensure that policies and procedures are developed that can be instantly implemented in the event of an attack. Fast reaction can limit the harm caused and will ensure the fastest possible recovery from an attack
  • Consider encrypting data. While this will not prevent a ransomware attack, if an attack does occur and the data that the ransomware encrypts were already encrypted, patient notifications will not need to be issued and a breach report will not need to be submitted to the Office for Civil Rights
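The attachment and double-extension rules from the list above, as an added example that is not from the original article: a gateway-side check that admits only an allow-list of document types, blocks the executable types named above, flags macro-enabled Office formats, and calls out names such as Invoice.xlsx.scr that hide an executable extension behind a document extension. The allow-list and the macro-enabled extensions are assumptions to be tuned per practice, and the sample filenames are constructed.

```python
"""Attachment policy check for an email gateway (added example).

Assumptions: the allow-list below and the macro-enabled Office extensions are
illustrative and would be tuned to what the practice actually needs.
"""
from dataclasses import dataclass

# File types employees are allowed to receive (assumption; tune per practice).
ALLOWED = {"pdf", "docx", "xlsx", "pptx", "txt", "csv", "png", "jpg", "jpeg"}
# The executable types the prevention list names: blocked regardless of sender.
EXECUTABLE = {"js", "vbs", "exe", "scr"}
# Office formats that can carry macros (assumption; ties in with the macro advice).
MACRO_ENABLED = {"docm", "xlsm", "pptm"}


@dataclass
class Verdict:
    filename: str
    allowed: bool
    reason: str


def extension_chain(filename):
    """Lower-cased extensions in order, e.g. 'Invoice.xlsx.scr' -> ['xlsx', 'scr'].

    Trailing spaces and dots are stripped first because Windows drops them
    when the file is saved, so 'update.js.' still lands on disk as update.js.
    """
    parts = filename.strip().rstrip(" .").lower().split(".")
    return [p for p in parts[1:] if p]


def check_attachment(filename):
    """Decide whether one attachment name passes the policy and say why."""
    exts = extension_chain(filename)
    if not exts:
        return Verdict(filename, False, "no extension: file type cannot be determined")
    final = exts[-1]
    if final in EXECUTABLE:
        # The double-extension trick: a document extension hides the real one.
        if len(exts) > 1 and exts[-2] in ALLOWED:
            return Verdict(filename, False,
                           f"double extension: .{exts[-2]} disguises blocked type .{final}")
        return Verdict(filename, False, f".{final} is a blocked executable type")
    if final in MACRO_ENABLED:
        return Verdict(filename, False, f".{final} is a macro-enabled Office format")
    if final not in ALLOWED:
        return Verdict(filename, False, f".{final} is not on the allow-list")
    return Verdict(filename, True, "allowed type")


def filter_attachments(filenames):
    """Apply the policy to every attachment name in a message."""
    return [check_attachment(name) for name in filenames]


if __name__ == "__main__":
    # Constructed sample attachment names.
    sample = ["lab_results.pdf", "Invoice.xlsx.scr", "update.JS ",
              "schedule.docm", "readme", "report.xlsx", "archive.tar.gz"]
    for v in filter_attachments(sample):
        print(f"{'ALLOW' if v.allowed else 'BLOCK':5} {v.filename!r}: {v.reason}")
```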

Most important of all is to ensure data are backed up daily. Backups should be stored securely in the cloud. Local backups should be stored on air-gapped devices. Backup drives should not be left connected after backups have been performed. Backup drives can also be encrypted by ransomware.

Reporting Ransomware Attacks and Notifying Patients

HIPAA Rules require ransomware attacks to be reported if the protected health information of patients has been accessed or encrypted, unless the covered entity can demonstrate there was a low probability that patient data were compromised in an attack.

While some healthcare organizations have disclosed ransomware attacks, many are not reporting the incidents. The failure to report a ransomware attack and notify patients that their ePHI has been compromised can potentially result in financial penalties for noncompliance with HIPAA Rules.

To avoid a HIPAA penalty, a covered entity must be able to demonstrate there was a low probability of patient data being accessed or copied during an attack. The Department of Health and Human Services’ Office for Civil Rights released guidance for covered entities on ransomware infections last year. In the guidance, covered entities are advised of the steps that should be taken following a ransomware attack and the criteria for determining whether patient notifications must be issued. The guidance is available from OCR.


WEDI Offers Healthcare Cybersecurity Tips to Improve Resilience Against Cyberattacks

WEDI, the Workgroup for Electronic Data Interchange, has issued a new white paper exploring some of the common cybersecurity vulnerabilities that are exploited by threat adversaries to gain access to healthcare networks and patient and health plan members’ protected health information.

The white paper – The Rampant Growth of Cybercrime in Healthcare – is a follow up to a primer released in 2015 that explored the anatomy of a cyberattack.

WEDI points out the seriousness of the threat faced by the healthcare industry. Cyberattacks are costing the healthcare industry around $6.2 billion each year, with the average cost of a healthcare data breach around $2.2 million.

Cyberattacks and other security incidents have risen sharply in recent years. More records are now being exposed than at any other time in history, and the number of healthcare data incidents being reported reached record levels last year.

The Department of Health and Human Services’ Office for Civil Rights received 315 reports of major healthcare data breaches last year and recent research by Fortinet showed that in the final quarter of 2016, the U.S. healthcare industry was being attacked more than 700,000 times per minute.

The healthcare industry is in a unique position. Healthcare organizations hold data that are more valuable to cybercriminals than those held by other industries. Healthcare organizations also typically have much larger attack surfaces to defend and more attack vectors to block.

WEDI points out that “attack surfaces have multiplied as organizations cobbled together a health information technology (health IT) infrastructure comprised of new components, legacy hardware and antiquated software from multiple vendors.”

Yet while healthcare IT systems require increased investment, many healthcare organizations are relying on basic security tools to defend their networks and keep data secure. Those tools focus on “antivirus, malware and firewall vulnerabilities, but lack a deeper set of prevention, encryption, detection, authentication and protection strategies.”

In the report, WEDI explores the most common types of threat adversaries, their characteristics and the level of threat that each poses. The report also details the types of vulnerabilities and attacks that most commonly occur, including zero-day vulnerabilities in software, phishing, spear phishing and whaling attacks, and malicious software such as viruses, worms, malware and ransomware.

WEDI sought advice from industry stakeholders in roundtable discussions between November 2015 and April 2016 and identified best practices that can be adopted by healthcare organizations to mitigate risk and keep networks and data secure.

WEDI suggests a cultural change is required and healthcare cybersecurity must have a higher profile. That process should start by raising awareness and educating stakeholders of the unique threats faced by the healthcare industry and the cost of cyberattacks and other data breaches.

Cybersecurity must become a C-suite matter, not an area dealt with only by IT departments. Strategies must be effectively planned and sufficient resources devoted to protecting networks from attack. WEDI suggests healthcare organizations should also adopt cybersecurity frameworks to improve resilience against cyberattacks and apply the lessons learned from other industries.


Snapshot of Healthcare Data Breaches in February 2017

The Protenus Breach Barometer healthcare data breach report for February includes some good news. Healthcare data breaches have not risen month on month, with both January and February seeing 31 data breaches reported.

The report offers some further good news. Healthcare hacking incidents fell in February, accounting for just 12% of the total number of breaches reported during the month. There was also a major fall in the number of healthcare records exposed or stolen. In January, 388,207 healthcare records were reported as being exposed or stolen. In February, the number fell to 206,151 – a 47% drop in exposed and stolen records. However, February was far from a good month for the healthcare industry.

IT security professionals have long been concerned about the threat from within, and last month clearly showed those fears are grounded in reality. February saw a major increase in the number of incidents caused by insiders. Insider breaches in February accounted for 58% of the total number of incidents reported for which the cause was known; double the number reported the previous month.

Insider wrong-doing was behind eight of the 18 incidents caused by insiders and nine were the result of errors by employees. One of the incidents could not be classified due to a lack of information about the exact nature of the breach.

Preventing insider breaches can be a major challenge for healthcare organizations, as can detecting breaches when they occur. Small to mid-sized organizations often do not have the resources to continuously monitor for inappropriate accessing of healthcare records by employees. However, if continuous monitoring is not possible, covered entities must ensure that regular audits of access logs take place. Fast detection of improper access can greatly reduce the harm that those incidents cause. Regular reviews of access logs will also reduce the risk of an OCR HIPAA fine or settlement.

HIPAA requires covered entities to maintain access logs and regularly check for inappropriate ePHI access, although the frequency of those checks and audits is left to the discretion of the covered entity. The frequency of audits should be dictated by the results of an organization’s risk analysis.

Last month showed that while some healthcare organizations are complying with 45 CFR § 164.308(a)(5)(ii)(C) – log-in monitoring – and 45 CFR § 164.312(b) – Audit controls – and are keeping logs, they are failing on Section 45 CFR § 164.308(a)(1)(ii)(D) by not regularly conducting information system activity reviews.

One incident reported in February involved an employee improperly accessing ePHI for more than five years (2,103 days) before the improper access was detected. HIPAA Rules may not stipulate how frequently access logs should be checked, but it would be difficult to argue that a check every five years constituted ‘regular’.
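The information system activity review the preceding paragraphs call for, as an added example that is not from the Protenus report or this article: it runs over a constructed EHR audit log, compares each access against the patients a user has a documented treatment or payment relationship with, and reports unexplained accesses together with how long they spanned and how long they went unreviewed, which is the figure that grows when reviews are infrequent. The log format, user names, business-hours window and relationship table are assumptions; in practice the relationships would be derived from scheduling and billing systems.

```python
"""Periodic information system activity review over EHR audit records (added example).

Assumptions: the CSV-style log format, the user names, the business-hours
window and the treatment relationship table are constructed; in practice the
relationships would be derived from scheduling and billing systems.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit log: timestamp,user,patient_id,action
AUDIT_LOG = """\
2017-02-01T08:12:00,nurse_amy,P1001,view
2017-02-01T08:15:00,nurse_amy,P1002,view
2017-02-01T09:40:00,dr_lee,P1002,update
2017-02-01T12:05:00,billing_ted,P1003,view
2017-02-01T23:55:00,billing_ted,P2001,view
2017-02-02T00:10:00,billing_ted,P2002,view
2017-02-02T00:12:00,billing_ted,P2003,view
2017-02-03T10:00:00,nurse_amy,P1001,view
2017-02-10T02:30:00,billing_ted,P2004,view
"""

# Constructed: patients each user has a documented treatment or payment
# relationship with during the review period.
RELATIONSHIPS = {
    "nurse_amy": {"P1001", "P1002"},
    "dr_lee": {"P1002"},
    "billing_ted": {"P1003"},
}

BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 counts as in-hours


def parse_log(text):
    """Parse the constructed log into (timestamp, user, patient, action) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        records.append((datetime.fromisoformat(ts), user, patient, action))
    return records


def review_access_log(text, relationships):
    """Return {user: summary} for every user with accesses lacking a relationship.

    Each summary gives the count, the patients involved, how many accesses fell
    outside business hours, the first unexplained access, and the span in days
    between the first and last unexplained access.
    """
    unexplained = defaultdict(list)
    for ts, user, patient, action in parse_log(text):
        if patient not in relationships.get(user, set()):
            unexplained[user].append((ts, patient, action))
    report = {}
    for user, hits in unexplained.items():
        hits.sort()
        report[user] = {
            "count": len(hits),
            "patients": sorted({p for _, p, _ in hits}),
            "after_hours": sum(1 for ts, _, _ in hits if ts.hour not in BUSINESS_HOURS),
            "first": hits[0][0].isoformat(),
            "span_days": (hits[-1][0] - hits[0][0]).days,
        }
    return report


def days_undetected(report_entry, review_date):
    """Days between the first unexplained access and the date of this review."""
    first = datetime.fromisoformat(report_entry["first"])
    return (datetime.fromisoformat(review_date) - first).days


if __name__ == "__main__":
    findings = review_access_log(AUDIT_LOG, RELATIONSHIPS)
    for user, summary in findings.items():
        print(user, summary, "undetected for",
              days_undetected(summary, "2017-03-01T00:00:00"), "days")
```

Run against the sample, only billing_ted is flagged: four lookups of patients outside any billing relationship, all outside business hours, spread over eight days. A monthly review catches that in weeks; the five-year figure above is what the same pattern looks like when no review runs.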

That was not the only long delay in detecting a breach. A second incident was also reported in February that took more than five years to detect (1,952 days). In that case the incident involved a system glitch that left ePHI exposed.

Overall, the breaches and security incidents reported in February took far longer to identify than those reported in January. It took an average of 478 days from the date the incident occurred to the date OCR was notified of the breach; that said, the average time was increased considerably by the two 5-year+ delays in detection. In January, the average time from the initial event to reporting was 174 days.

Breaches of electronic protected health information made up the bulk of incidents, although a third of incidents involved paper records, highlighting the importance of implementing physical controls to keep physical PHI secured.

While California usually tops the list for the number of incidents reported each month, this month Texas earned the title of the worst hit state with 4 reported breaches. California, Arizona, and New York shared second place with three incidents apiece.

Healthcare providers were the worst affected in February, accounting for 77% of the month’s incidents. Health plans reported 13% of breaches and business associates and vendors accounted for 3%. The remaining 3% were reported by other organizations.


Quarter of Healthcare Organizations Do Not Encrypt Data Stored in the Cloud

A recent survey by HyTrust has revealed that a quarter of healthcare organizations do not use encryption to protect data at rest in the cloud, even though the lack of encryption potentially places sensitive data – including the protected health information of patients – at risk of being exposed.

Amazon Web Services (AWS) is one of the most popular choices in the healthcare industry, although many healthcare organizations are using multiple cloud service providers. 38% of respondents said they had a multi-cloud environment, and 63% of respondents said they were planning to use multiple cloud service providers in the future. 63% of healthcare organizations said they were using the public cloud to store data.

When asked about their main concerns, data security came top of the list – with 82% of surveyed healthcare organizations rating security as their number one concern. Despite the concerns about data security, encryption is not always employed.

As Eric Chiu, co-founder and president of HyTrust explained, “For these care delivery organizations, choosing a flexible cloud security solution that is effective across multiple cloud environments is not only critical to securing patient data, but to remaining HIPAA compliant.” However, the lack of encryption is a cause for concern.

Health Insurance Portability and Accountability Act (HIPAA) Rules permit the use of cloud services for storing and processing ePHI. However, before any cloud service is used, covered entities are required to conduct a comprehensive risk assessment to assess threats to the confidentiality, integrity, and availability of ePHI.

Covered entities must make sure that appropriate technical safeguards are employed to ensure the confidentiality of cloud-stored ePHI is preserved, and data encryption must be considered. If a decision not to use encryption for cloud-stored data is made, the reason for that decision must be documented, along with the alternative controls that are put in place to provide a similar level of protection.

HHS pointed out in last year’s cloud computing guidance for HIPAA-covered entities that encryption can significantly reduce the risk of ePHI being accessed, exposed, or stolen. That said, HHS also explained that encryption alone is not sufficient to ensure the confidentiality, integrity, and availability of ePHI stored in the cloud.

Encryption may cover the confidentiality aspect, but it will do nothing to ensure that ePHI is always available, nor will it safeguard the integrity of ePHI. Alternative controls must be put in place to ensure ePHI can always be accessed, while access controls must be used to ensure the integrity of ePHI is maintained. The use of encryption alone to safeguard ePHI may therefore constitute a violation of the HIPAA Security Rule.

Healthcare organizations that choose to use cloud services provided by a separate entity must ensure that the cloud service provider is aware of its responsibilities with respect to ePHI. Cloud service providers are classed as business associates of covered entities, and as such, they are required to abide by HIPAA Rules. Healthcare organizations must obtain a signed business associate agreement from each cloud service provider used, if the service is used to store any ePHI. HHS has also explained that even if ePHI is stored in the cloud and the cloud service provider does not hold a key to decrypt the data, the cloud service provider is still classed as a HIPAA-business associate.
