HIPAA News for Small and Mid-Sized Practices

Is FaceTime HIPAA Compliant?

Posted by HIPAA Journal

Is FaceTime HIPAA compliant? Can FaceTime be used by HIPAA covered entities to communicate protected health information (PHI) without violating HIPAA Rules?

In this article we will examine the protections in place to keep transmitted information secure, whether Apple will sign a business associate agreement for FaceTime, and if a BAA is necessary.

Will Apple Sign A BAA for FaceTime?

An extensive search of the Apple website has revealed no sign that Apple will sign a business associate agreement with healthcare organizations for any of its services. The only mention of its services in relation to HIPAA-covered entities is in relation to iCloud, which Apple clearly states should not be used by healthcare providers or their business associates to create, receive, maintain or transmit PHI.

Since Apple is not prepared to sign a business associate agreement for FaceTime, that would indicate FaceTime is not a HIPAA compliant service. However, business associate agreements only need to be signed by business associates. So, is Apple a business associate?

The HIPAA Conduit Exception Rule

The HIPAA Conduit Exception Rule applies to organizations that act as conduits through which PHI is sent. The HIPAA Conduit Exception Rule covers entities such as the US Postal Service, some courier companies, and their electronic equivalents. Internet Service Providers (ISPs) fall under the description of “electronic equivalents,” as do telephone service providers such as AT&T. But what about FaceTime?

There is some debate about whether FaceTime is covered by the HIPAA Conduit Exception Rule. In order to be considered as a conduit, the service provider must not store any PHI, must not access PHI, and not have the key to unlock encryption.

The Office for Civil Rights has confirmed on its website that cloud service providers are generally not considered conduits, even if the CSP does not access ePHI, or cannot view the information because ePHI is encrypted and no key is held to unlock the encryption. That is because the HIPAA Conduit Exception Rule only applies to transmission-only services, where any ePHI storage is only transient. That is not the case with CSPs.

Apple has confirmed that all communications through FaceTime are protected by end to end encryption. Access controls are in place, via Apple IDs, to ensure the service can only be used by authorized individuals. Apple also does not store any information sent via FaceTime. FaceTime is a peer-to-peer communication channel, and voice and audio communications are transmitted between the individuals involved in the session. Apple also cannot decrypt sessions.

Apple says, “FaceTime uses Internet Connectivity Establishment (ICE) to establish a peer-to-peer connection between devices. Using Session Initiation Protocol (SIP) messages, the devices verify their identity certificates and establish a shared secret for each session. The cryptographic nonces supplied by each device are combined to salt keys for each of the media channels, which are streamed via Secure Real Time Protocol (SRTP) using AES-256 encryption.”

Is FaceTime HIPAA Compliant?

So, is FaceTime HIPAA compliant? No communications platform can be truly HIPAA compliant as HIPAA compliance is about users, not technology. It would be possible to use FaceTime in a noncompliant way, such as communicating PHI with an individual who is not authorized to have the information. However, protections are in place to ensure FaceTime can be used in a HIPAA compliant fashion.

The question is FaceTime HIPAA compliant depends entirely on whether it is classed as a conduit, since Apple will not sign a BAA. In our opinion, FaceTime could be classed as a conduit. The US Department of Veteran Affairs also believes FaceTime is HIPAA compliant and allows its use, which shows it is confident that the service is classed as a conduit.

However, other companies that provide video conferencing platforms do not feel the same way, and offer to sign BAAs with HIPAA-covered entities. Therefore, our advice is to use one of those business solutions rather than the consumer-focused FaceTime and err on the side of caution.

The post Is FaceTime HIPAA Compliant? appeared first on HIPAA Journal.

HIPAA Covered Entities Urged to Address Spectre and Meltdown Chip Vulnerabilities

Posted by HIPAA Journal

The Office for Civil Rights has sent an email update on the Spectre and Meltdown chip vulnerabilities, urging HIPAA-covered entities to mitigate the vulnerabilities as part of their risk management processes. The failure to address the computer chip flaws could place the confidentiality, integrity, and availability of protected health information at risk.

HIPAA-covered entities have been advised to read the latest updates on the Spectre and Meltdown chip vulnerabilities issued by the Healthcare Cybersecurity and Communications Integration Center (HCCIC).

What are Spectre and Meltdown?

Spectre and Meltdown are computer chip vulnerabilities present in virtually all computer processors manufactured in the past 10 years. The vulnerabilities could potentially be exploited by malicious actors to bypass data access protections and obtain sensitive data, including passwords and protected health information.

Meltdown is an attack that exploits a hardware vulnerability (CVE-2017-5754) by tricking the CPU into speculatively loading data marked as unreadable or “privileged,” allowing side-channel exfiltration. Spectre is an attack involving two vulnerabilities (CVE-2017- 5753, CVE-2017-5715) in the speculative execution features of CPUs. The first vulnerability is exploited to trick the CPU into mispredicting a branch of code of the attacker’s choosing, with the second used to trick the CPU into speculatively loading the memory allocated to another application on the system. The Meltdown and Spectre chip vulnerabilities can be exploited to gain access to sensitive data, including passwords, cryptographic keys used to protect PII, PHI, or PCI information handled by an application’s database.

Meltdown and Spectre affect computers running on Windows, Mac, Linux and other operating systems. Eradicating the vulnerabilities means replacing chips on all vulnerable devices; however, operating system vendors have been developing patches that will prevent the vulnerabilities from being exploited. Updates have also been made to web browsers to prevent web-based exploitation of the vulnerabilities.

Following the disclosure of the vulnerabilities, HCCIC alerted healthcare organizations about the risk of attack, with the vulnerabilities categorized as a medium threat since local access is generally required to exploit the flaws. However, potentially the flaws can be exploited remotely if users visit a specially crafted website. Browsers are susceptible due to improper checks on JavaScript code, which could lead to information disclosure of browser data.

Mitigating the Threat of Spectre and Meltdown Attacks

Patching operating systems and browsers will mitigate the vulnerabilities, but there may be a cost. The patches can affect system performance, slowing computers by 5-30%. Such a reduction would be noticeable when running high demand computer applications.

There have also been several compatibility issues with anti-virus software and other programs. It is therefore essential for patches to be thoroughly tested before implementation, especially on high value assets and systems containing PII and PHI.

Due to the compatibility issues, Microsoft is only releasing updates for computers that are running anti-virus software that has been confirmed as compatible with the patch. If anti-virus software is not updated, computers will remain vulnerable as the update will not take place. Most anti-virus software companies have now updated their programs, but not all. Kevin Beaumont is maintaining a list of the patch status of AV software.

Web browsers must also be updated to the latest versions. Microsoft has updated Internet Explorer 11 and Microsoft Edge, and Firefox (57.0.4) and Safari (11.0.2) include the update. Google Chrome has also been patched. Healthcare organizations should ensure they are running the latest versions of browsers on all devices to prevent data leakage and operating systems should be patches as soon as possible. One of the main challenges for healthcare organizations is identifying all vulnerable devices – including computers, medical devices and accessory medical equipment – and ensuring they are fully patched.

The vulnerabilities also affect cloud service providers, as their servers also contain computer chips. There could be leakage of PII and PHI from cloud environments if patches have not been applied.

Amazon AWS and Azure have already been patched to protect against Meltdown and Spectre. Healthcare organizations using other managed cloud service providers or private cloud instances should check that they have been patched and are protected against Meltdown and Spectre.

The post HIPAA Covered Entities Urged to Address Spectre and Meltdown Chip Vulnerabilities appeared first on HIPAA Journal.

The HIPAA Conduit Exception Rule and Transmission of PHI

Posted by HIPAA Journal

The HIPAA Conduit Exception Rule is a source of confusion for many HIPAA covered entities, but it is essential that this aspect of HIPAA is understood. Failure to correctly classify a service provider as a conduit or a business associate could see HIPAA Rules violated and a significant financial penalty issued for noncompliance.

The HIPAA Omnibus Final Rule and Business Associates

On January 25, 2013, the HIPAA Omnibus Final Rule was issued. The HIPAA Omnibus Final Rule introduced a swathe of updates to HIPAA Rules, including the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HIPAA Omnibus Final Rule included an update to the definition of a business associate. Prior to January 25, 2013, a business associate was a person or entity that creates, receives, or transmits protected health information (PHI) on behalf of a covered entity. The Omnibus rule added ‘maintains’ to that definition. That meant companies that store electronic information – or physical records – are considered business associates. The Omnibus Rule also confirmed that most data transmission service providers are also classed as business associates.

What is the HIPAA Conduit Exception Rule?

The HIPAA Conduit Exception Rule is detailed in the HIPAA Privacy Rule, but was defined in the HIPAA Omnibus Final Rule. The Rule allows HIPAA-covered entities to use certain vendors without having to enter into a business associate agreement. The HIPAA Conduit Exception Rule is narrow and excludes an extremely limited group of entities from having to enter into business associate agreements with covered entities. The Rule applies to entities that transmit PHI but do not have access to the transmitted information and do not store copies of data. They simply act as conduits through which PHI flows.

HIPAA Conduit Exception Rule covers organizations such as the US Postal Service and certain other private couriers such as Fed-Ex, UPS, and DHL as well as their electronic equivalents. Companies that simply provide data transmission services, such as internet Service Providers (ISPs), are considered conduits.

The HIPAA Conduit Exception Rule is limited to transmission-only services for PHI. If PHI is stored by a conduit, the storage must be transient in nature, and not persistent.

It does not matter if the service provider says they do not access transmitted information. To be considered a conduit, the service provider must not have access to PHI, must only store transmitted information temporarily, and should not have a key to unlock encrypted data.

Vendors that are often misclassified as conduits are email service providers, fax service providers, cloud service providers, and SMS and messaging service providers. These service providers are NOT considered conduits and all must enter into a business associate agreement with a covered entity prior to the service being used in conjunction with any PHI.

Some service providers claim that they are conduits when they are not, in order to avoid having to sign a business associate agreement. Certain fax service providers have claimed they are conduits, and while they appear at face value to be an electronic equivalent to an organization such as the US Postal Service, they are not covered by the HIPAA Conduit Exception Rule. Fax services do not simply send documents from the sender to the recipient. Faxes are stored, and the storage is not considered transient.

Penalties for Misclassifying a Business Associate as a Conduit

Any vendor that has routine access to PHI is considered a business associate (We have covered the definition of a HIPAA business associate on this page). All business associates must sign a business associate agreement with the HIPAA-covered entity before PHI is provided or access to PHI is granted.

Misclassifying a vendor as a conduit rather than a business associate can result in a significant financial penalty, since PHI will have been disclosed without first entering into a business associate agreement.

The Department of Health and Human Services’ Office for Civil Rights has financially penalized many covered entities that have been discovered to have disclosed PHI to a vendor without obtaining a BAA.

In 2017, the Center for Children’s Digestive Health settled with OCR for $31,000 to resolve business associate agreement failures. In 2016, Care New England Health System settled its HIPAA violation case for $400,000, North Memorial Health Care of Minnesota paid $1,550,000 and Oregon Health & Science University settled for $2,700,000.

The post The HIPAA Conduit Exception Rule and Transmission of PHI appeared first on HIPAA Journal.

Summary of Healthcare Data Breaches in December 2017

Posted by HIPAA Journal

There was a sharp rise in healthcare data breaches in December, reversing a two-month downward trend. There were 38 healthcare data breaches in December 2017 that impacted more than 500 individuals: An increase of 81% from last month.

 

December 2017 Healthcare Data Breaches

 

Unsurprisingly given the sharp increase in reported breaches, the number of records exposed in December also increased month over month. The records of 341,621 individuals were exposed or stolen in December: An increase of 219% from last month.

 

Records Exposed in December 2017 Healthcare Data Breaches

 

December saw a similar pattern of breaches to past months, with healthcare providers experiencing the most data breaches; however, there was a notable increase in breaches reported by health plans in December – rising from 2 in November to six in December.

 

December 2017 Healthcare Data Breaches by Covered Entity Type

Causes of Healthcare Data Breaches in December 2017

As was the case last month, hacking/IT incidents and unauthorized access/disclosures were the most common causes of healthcare data breaches in December, although there was a notable increase in theft/loss incidents involving portable electronic devices and paper records.

 

December 2017 healthcare data breaches by incident type

 

While hacking incidents usually result in the greatest number of records being exposed/stolen, this month saw a major increase in records exposed due to the theft of portable electronic devices. The theft of devices containing PHI – and paper records – resulted in 122,921 patients’ protected health information being exposed. The mean number of records exposed in theft incidents was 20,487 and the median was 15,857 – Both higher than any other cause of data breach.

 

Causes of Healthcare Data Breaches (Dec 2017)

 

Records Exposed by Breach Type (Dec 2017)

 

Network server incidents were the most numerous in December with 12 incidents, although there were 9 incidents involving paper records, showing that while healthcare organizations must ensure appropriate technological defenses are in place to protect electronic data, physical security is also essential to ensure paper records are secured.

 

Location of Breached PHI (Dec 2017)

 

10 Largest Healthcare Data Breaches in December 2017

In December, there were 9 data breaches that impacted more than 10,000 individuals reported to the Office for Civil Rights by HIPAA covered entities. In contrast to past months when hacking incidents dominated the top ten breach list, there was an even spread between hacking incidents, unauthorized access/disclosures, and theft of healthcare records and electronic devices.

The largest data breach reported in December affected Oklahoma Department of Human Services. However, this was not a recent data breach. The breach occurred in April 2016, but a breach report was not submitted to the Office for Civil Rights at the time of discovery. It took 18 months after the 60-day deadline for the breach to be reported.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
Oklahoma Department of Human Services Health Plan 47000 Hacking/IT Incident
Henry Ford Health System Healthcare Provider 43563 Theft
Coplin Health Systems Healthcare Provider 43000 Theft
SSM Health Healthcare Provider 29579 Unauthorized Access/Disclosure
UNC Health Care System Healthcare Provider 27113 Theft
Emory Healthcare Healthcare Provider 24000 Unauthorized Access/Disclosure
Franciscan Physician Network of Illinois and Specialty Physicians of Illinois Healthcare Provider 22000 Loss
Longs Peak Family Practice, P.C. Healthcare Provider 16238 Hacking/IT Incident
Sinai Health System Healthcare Provider 11347 Hacking/IT Incident
Golden Rule Insurance Company Health Plan 9305 Unauthorized Access/Disclosure

December 2017 Healthcare Data Breaches by State

California experienced the most healthcare data breaches in December with 5 reported incidents, followed by Michigan with 4 data breaches.

Eight states experienced two data breaches each – Florida, Illinois, Minnesota, New England, Nevada, New York, Philadelphia and Texas.

13 states each had one reported breach: Colorado, Georgia, Iowa, Indiana, Massachusetts, Missouri, New Jersey, North Carolina, Ohio, Oklahoma, Oregon, Tennessee, and West Virginia.

Data source: Department of Health and Human Services’ Office for Civil Rights.

The post Summary of Healthcare Data Breaches in December 2017 appeared first on HIPAA Journal.

Deadline for Reporting 2017 HIPAA Data Breaches Approaches

Posted by HIPAA Journal

The deadline for reporting 2017 HIPAA data breaches to the Department of Health and Human Services’ Office for Civil Rights is fast approaching.

HIPAA-covered entities have a maximum of 60 days from the discovery of a data breach to report security incidents to OCR and notify affected patients. Smaller breaches of PHI do not need to be reported to OCR within this time frame, instead covered entities can delay reporting those breaches to OCR until the end of the calendar year.

The maximum allowable time for reporting breaches impacting fewer than 500 individuals is 60 days from the end of the year in which the breach was experienced. The final day for reporting 2017 HIPAA data breaches to OCR is therefore March 1, 2018.

A HIPAA data breach is defined as an “acquisition, access, use, or disclosure” of unsecured protected health information (PHI) that is not permitted by the HIPAA Privacy Rule. Unsecured PHI is defined as PHI that is “not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology,” such as encryption. A breach of encrypted PHI is not reportable unless the key to unlock the encryption is also reasonably believed to have also been compromised.

Covered entities should be aware that ransomware incidents are usually reportable HIPAA data breaches, even if PHI has not been stolen in the attack. To avoid reporting a ransomware incident, a covered entity must be able to demonstrate a low probability of PHI being compromised in the attack. That determination must be based on a risk assessment (See 45 CFR § 164.402)

While covered entities can submit details of all ‘small’ PHI breaches at the same time, each breach must be reported as a separate event. They can not all be uploaded to the breach portal together.

While the HIPAA Breach Notification Rule allows covered entities additional time to report data breaches impacting fewer than 500 individuals, notifications for individuals impacted by those data breaches cannot be delayed. They must be issued within 60 days of the discovery of the breach, and without unnecessary delay, regardless how many individuals have been impacted by the breach.

It is a good best practice to report all breaches of PHI within 60 days of discovery. Oftentimes, full information about the breach is not available at the time of reporting, but it is possible to add further information to the OCR data breach reports when further information becomes available. If the number of individuals affected by the breach has not been confirmed, estimates should be provided. The final total can then be submitted to OCR as an update to the breach report when the number of individuals impacting has been determined.

The penalties for the late reporting of data breaches can be severe, and OCR made it clear in January 2017 that ignoring the deadline for reporting breaches, or unnecessarily delaying breach reports, is a HIPAA violation that will not be ignored. Presense Health became the first covered entity to be fined solely for delaying breach notifications and settled the HIPAA violation with OCR for $475,000.

OCR has yet to issue a financial penalty to a covered entity for the late reporting of small data breaches, but since OCR tends to set examples with its breach settlements, 2018 could well see the first penalty issued.

To avoid a HIPAA penalty, ensure all small breaches of PHI are reported to OCR between now and the end of February 2018 and no later than midnight on March 1.

The post Deadline for Reporting 2017 HIPAA Data Breaches Approaches appeared first on HIPAA Journal.

HHS Sued by CIOX Health Over Unlawful HIPAA Regulations

Posted by HIPAA Journal

The Department of Health and Human Services is being sued by CIOX Health, a medical record retrieval company, over updates to HIPAA laws that place restrictions on the amount that can be charged to patients for providing them with copies of their medical records.

CIOX Health claims the HIPAA Omnibus Rule updates in 2013, “unlawfully, unreasonably, arbitrarily and capriciously,” restrict the fees that can be charged by providers and their business associates for providing copies of the health information stored on patients.

Changes to HIPAA Rules not only placed a limit on the fees, but also expanded the types of information that must be provided to patients, on request. Accessing some of that information, in particular health information that is not stored in electronic medical records, is costly. Yet, even though the costs of processing some requests are high, HIPAA limits charges to $6.50 according to the lawsuit.

CIOX Health argues that this flat rate fee is an arbitrary figure that bears no relation to the actual cost of honoring patient requests for copies of their health information, and such a low fee is hurting its business. CIOX Health wants the HHS to reverse the changes made to HIPAA in 2013 and 2016 with respect to how much can be charged and the provision of copies of any type of medical information.

While the flat fee of $6.50 is the maximum that can be charged, it should be noted that the maximum fee only applies if the healthcare provider or company chooses that option. HIPAA does not prevent healthcare organizations from charging more. If they choose not to charge a flat fee, they are permitted to charge patients “actual or average allowable costs for requests for electronic copies of PHI maintained electronically.” The HHS confirmed this in May 2016 in response to questions asked via its web portal.

Tremendous Financial Burdens on Healthcare Providers

In the lawsuit, CIOX Health says, “HHS’s continued application and enforcement of these rules impose tremendous financial and regulatory burdens on healthcare providers and threatens to upend the medical records industry that services them.”

These changes to HIPAA Rules “threaten to bankrupt the dedicated medical-records providers who service the healthcare industry by effectively and quite deliberately mandating that they fulfill a rapidly growing percentage of requests for protected health information at a net loss.”

The changes to the types of health information that must be provided on request now includes medical information in any form whatsoever, including electronic medical records in EHR systems, but also paper records and films that have been transferred to third parties.

In the case of electronic records, they can be located in several different virtual locations, while paper records and films may be stored in several different physical locations. Providing copies of complete record sets requires staff to be sent to each of those locations to retrieve the records, and even accessing multiple virtual locations is a time consuming and costly process. Records must also be verified and compiled, which all takes time.

CIOX Health serves more than 16,000 physician practices and processes tens of millions of requests for copies of medical records every year. The restrictions on charges has potentially hurt its business, according to the lawsuit.

This is not the only legal action that CIOX Health is involved in which is related to providing patients with copies of their medical records. CIOX is the co-defendant in a November 2017 lawsuit that claims more than 60 Indiana hospitals have been failing to provide copies of medical records to patients within 3 days, as required by the HITECH Act, even though they accepted payments and claimed that they were meeting HITECT Act requirements. The defendants are also alleged to have overcharged patients for copies of medical records.

The post HHS Sued by CIOX Health Over Unlawful HIPAA Regulations appeared first on HIPAA Journal.

What is Individually Identifiable Health Information?

Posted by HIPAA Journal

What is individually identifiable health information and what must HIPAA-covered entities do to the information before it can be shared for reasons not detailed in the permitted uses and disclosures of the HIPAA Privacy Rule?

What is Individually Identifiable Health Information?

Before answering the question, what is individually identifiable health information, it is necessary to define health information.

HIPAA defines health information as any information created or received by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or business associate of a HIPAA-covered entity.

Health information includes past, present, and future information about mental and physical health and the condition of an individual, the provision of healthcare to an individual, and information related to payment for healthcare, again in the past, present, or future. Health information also includes demographic information about an individual.

Individually identifiable health information is a subset of health information, and as the name suggests, is health information that can be linked to a specific person, or if it would be reasonable to believe that an individual could be identified from the information. (See 45 CFR 46.160.103).

The HIPAA Privacy Rule places restrictions on uses and disclosures of individually identifiable health information, but not on health information that does not allow an individual to be identified.

If a HIPAA-covered entity has a data set containing individually identifiable health information, before the information can be shared with an organization or individual for a reason that would otherwise be prohibited under the HIPAA Privacy Rule, the data must first be de-identified.

De-identifying health information requires the following 18 identifiers to be removed from the data set prior to sharing:

  1. Full name or last name and initial(s)
  1. Geographical identifiers smaller than a state, except the initial three digits of a zip code, provided the combination of all zip codes starting with those three digits. When the initial three digits of a zip code contains 20,000 or fewer people it is changed to 000
  2. Dates directly related to an individual, other than year
  3. Phone Numbers
  4. Fax numbers
  5. Email addresses
  6. Social Security numbers
  7. Medical record numbers
  8. Health insurance beneficiary numbers
  9. Account numbers
  10. Certificate/license numbers
  11. Vehicle identifiers
  12. Device identifiers and serial numbers;
  13. Web Uniform Resource Locators (URLs)
  14. IP addresses
  15. Biometric identifiers, including finger, retinal and voice prints
  16. Full face photographic images and any comparable images
  17. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

Further information on how to deidentify health information can be viewed on this link.

The post What is Individually Identifiable Health Information? appeared first on HIPAA Journal.

Largest Healthcare Data Breaches of 2017

Posted by HIPAA Journal

This article details the largest healthcare data breaches of 2017 and compares this year’s breach tally to the past two years, which were both record-breaking years for healthcare data breaches.

2015 was a particularly bad year for the healthcare industry, with some of the largest healthcare data breaches ever discovered. There was the massive data breach at Anthem Inc., the likes of which had never been seen before. 78.8 million healthcare records were compromised in that single cyberattack, and there were also two other healthcare data breaches involving 10 million or more records. 2015 was the worst ever year in terms of the number of healthcare records exposed or stolen.

2016 was a better year for the healthcare industry in terms of the number of healthcare records exposed in data breaches. There was no repeat of the mega data breaches of the previous year. Yet, the number of incidents increased significantly. 2016 was the worst ever year in terms of the number of breaches reported by HIPAA-covered entities and their business associates. So how have healthcare organizations fared in 2017? Was 2017 another record-breaking year?

Healthcare Data Breaches Increased in 2017

The mega data breaches of 2015 were fortunately not repeated in 2017, and the decline in massive data breaches continued in 2017.

Last year, there were three breaches reported that impacted more than one million individuals and 14 breaches of more than 100,000 records.

In 2017, there was only one reported data breach that impacted more than 500,000 people and 8 breaches that impacted 100,000 or more individuals. The final total for individuals impacted by breaches last year was 14,679,461 – considerably less than the 112,107,579 total the previous year.

The final figures for 2017 cannot yet be calculated as there is still time for breaches to be reported to OCR. The HIPAA Breach Notification Rules allows covered entities up to 60 days to report data breaches of more than 500 records, so the final figures for 2017 will not be known until March 1, 2018. However, based on current data, 2017 has been a reasonably good year in terms of the number of exposed healthcare records. The current total stands at 3,286,498 records – A 347% reduction in breached records year on year.

While it is certainly good news that the severity of breaches has reduced, that only tells part of the story. Breaches of hundreds of thousands of records have reduced, but breaches of more than 10,000 records have remained fairly constant year over year. In 2015, there were 52 breaches of 10,000 or more records. That figure jumped to 82 in 2016. There were 78 healthcare data breaches in 2017 involving more than 10,000 records.

The bad news is there has been a significant rise in the number of healthcare data breaches in 2017.  As of January 4, 2017, there have been 342 healthcare security breaches listed on the OCR breach portal for 2017. It is likely more incidents will be added in the next few days.

The final total for 2015 was 270 breaches, and there were 327 breaches reported in 2016. The severity of healthcare security incidents may have fallen, but the number of incidents continues to rise year on year.

 

reported healthcare data breaches in 2017

 

Unfortunately, there is little evidence to suggest that the annual rise in healthcare data breaches will stop in 2018. Many cybersecurity firms have made predictions for the coming year, and they are united in the view that healthcare data breaches will continue to increase.

The 20 Largest Healthcare Breaches of 2017

The list of the 20 largest healthcare data breaches of 2017 is listed below.

Position Breached Entity Entity Type Records Exposed Cause of Breach
1 Commonwealth Health Corporation Healthcare Provider 697,800 Theft
2 Airway Oxygen, Inc. Healthcare Provider 500,000 Hacking/IT Incident
3 Women’s Health Care Group of PA, LLC Healthcare Provider 300,000 Hacking/IT Incident
4 Urology Austin, PLLC Healthcare Provider 279,663 Hacking/IT Incident
5 Pacific Alliance Medical Center Healthcare Provider 266,123 Hacking/IT Incident
6 Peachtree Neurological Clinic, P.C. Healthcare Provider 176,295 Hacking/IT Incident
7 Arkansas Oral & Facial Surgery Center Healthcare Provider 128,000 Hacking/IT Incident
8 McLaren Medical Group, Mid-Michigan Physicians Imaging Center Healthcare Provider 106,008 Hacking/IT Incident
9 Harrisburg Gastroenterology Ltd Healthcare Provider 93,323 Hacking/IT Incident
10 VisionQuest Eyecare Healthcare Provider 85,995 Hacking/IT Incident
11 Washington University School of Medicine Healthcare Provider 80,270 Hacking/IT Incident
12 Emory Healthcare Healthcare Provider 79,930 Hacking/IT Incident
13 Salina Family Healthcare Center Healthcare Provider 77,337 Hacking/IT Incident
14 Stephenville Medical & Surgical Clinic Healthcare Provider 75,000 Unauthorized Access/Disclosure
15 Morehead Memorial Hospital Healthcare Provider 66,000 Hacking/IT Incident
16 Primary Care Specialists, Inc. Healthcare Provider 65,000 Hacking/IT Incident
17 Enterprise Services LLC Business Associate 56,075 Unauthorized Access/Disclosure
18 ABCD Pediatrics, P.A. Healthcare Provider 55,447 Hacking/IT Incident
19 Network Health Health Plan 51,232 Hacking/IT Incident
20 Oklahoma Department of Human Services Health Plan 47,000 Hacking/IT Incident

The Largest Healthcare Data Breaches of 2017 Were Due to Hacking

One thing is abundantly clear from the list of the largest healthcare data breaches of 2017 is hacking/IT incidents affect more individuals than any other breach type. Hacking/IT incidents accounted for all but three of the largest healthcare data breaches of 2017.

In 2016, hacking incidents only accounted for 11 out of the top 20 data breaches and 12 of the top 20 in 2015. Hacking incidents therefore appear to be rising.

 

healthcare data breaches in 2017 (hacking)

 

The rise in hacking incidents can partly be explained by the increase in ransomware attacks on healthcare providers in 2017. Healthcare organizations are also getting better at discovering breaches.

Other Major Causes of Healthcare Data Breaches in 2017

Unauthorized access/disclosures continue to be a leading cause of healthcare data breaches, although there was a slight fall in numbers of these incidents in 2017. That decrease is offset by an increase in incidents involving the improper disposal of physical records and electronic devices used to store ePHI.

 

healthcare data breaches of 2017 (Unauthorized access/disclosures)

 

The use of encryption for stored data is more widespread, with many healthcare organizations having implemented encryption on all portable storage devices and laptops, which has helped to reduce the exposure of ePHI when electronic devices are stolen.

 

Healthcare Data Breaches of 2017 (loss/theft)

Minimizing the Risk of Healthcare Data Breaches

This year saw OCR publish the preliminary findings of its HIPAA compliance audits on HIPAA-covered entities. The audits revealed there is still widespread non-compliance with HIPAA Rules.

One of the biggest problems was not a lack of cybersecurity defenses, but the failure to conduct an enterprise-wide risk analysis.

Even with several layers of security, vulnerabilities are still likely to exist. Unless a comprehensive risk analysis is performed to identify security gaps, and those gaps are addressed, it will only be a matter of time before they are exploited.

Complying with HIPAA Rules will not prevent all data breaches, but it will ensure healthcare organizations achieve at least the minimum standard for data security, which will prevent the majority of healthcare data breaches.

There is a tendency to invest cybersecurity budgets in new technology, but it is important not to forget the basics. Many healthcare data breaches in 2017 could have been prevented had patches been applied promptly, if secure passwords had been chosen, and if cloud storage services and databases had been configured correctly. Many data breaches were caused as a result of employees leaving unencrypted laptops in risky locations – in unattended vehicles for instance.

Phishing remains one of the main ways that malicious actors gain access to protected health information, yet security awareness training is still not being provided frequently. As a result, employees are continuing to fall for phishing and social engineering scams. Technological solutions to block phishing emails are important, but healthcare organizations must also educate employees about the risks, teach them how to recognize scams, and reinforce training regularly. Only then will organizations be able to reduce the risk from phishing to an acceptable and appropriate level.

Insiders continue to be a major threat in healthcare. The value of data on the black market is high, and cash-strapped healthcare employees can be tempted to steal data to sell to identity thieves. Healthcare organizations can hammer the message home that data theft will be discovered and reported to law enforcement, but it is the responsibility of healthcare organizations to ensure policies and technologies are implemented to ensure that the unauthorized accessing of records – theft or snooping – is identified rapidly.  That means frequent audits of access logs and the use of automated monitoring solutions and user behavior analytics.

2017 was a bad year for ransomware attacks and extortion attempts on healthcare organizations. There is no sign that these attacks will slow in 2018, and if anything, they are likely to increase. Ensuring data is backed up will allow organizations to recover files in the event of an attack without having to pay a ransom. The rise in sabotage attacks – NotPetya for example – mean data loss is a real possibility if backups are not created.

By getting the basics right and investing in new technologies, it will be possible for the year on year rise in data breaches to be stopped. But until healthcare organizations get the basics right and comply with HIPAA Rules, healthcare data breaches are likely to continue to rise.

The post Largest Healthcare Data Breaches of 2017 appeared first on HIPAA Journal.

CMS Clarifies Position on Use of Text Messages in Healthcare

Posted by HIPAA Journal

In November, the Centers for Medicare and Medicaid Services (CMS) explained in emails to healthcare providers that the use of text messages in healthcare is prohibited due to concerns about security and patient privacy.

SMS messages are not secure. The CMS was concerned that the use of text messages in healthcare will lead to the exposure of sensitive patient data and could threaten the integrity of medical records. While this is understandable as far as SMS messages are concerned, many secure messaging applications satisfy all the requirements of HIPAA – e.g. transmission security, access and authentication controls, audit controls, and safeguards to ensure the integrity of PHI.

The use of secure messaging platforms was raised with the CMS by some hospitals; however, the position of the CMS, based on the emails, appeared to be a total ban on the use of text messages in healthcare, even the use of secure messaging platforms.

In the emails, the CMS said, “After meeting with vendors regarding these [secure messaging] products, it was determined they cannot always ensure the privacy and confidentiality of PHI of the information being transmitted. This resulted in the no texting determination.”

In December, the Health Care Compliance Association (HCCA) published an article questioning the stance of the CMS. HCCA said in its Report on Medicare Compliance, that at least two hospitals had received emails from the CMS explaining all forms of text messaging were prohibited.

Nina Youngstrom, Managing Editor of the Report on Medicare Compliance, said in the article that several compliance officers and healthcare attorneys were horrified about the position of the CMS. One attorney said a total ban would be “Like going back to the dark ages.”

CMS explained that concern about text messages in healthcare was not just about transmission security. There was the potential for a lack of access controls on the senders’ and receivers’ devices, stored data may not necessarily be secure and encrypted, and the privacy of patients is not guaranteed. Another concern was information transmitted via text messages also needs to be entered into the patient record and made available for retrieval.

Last year, the Joint Commission relaxed its ban on the use of text messages in healthcare for sending patient orders, only to later backtrack and reinstate the ban. The Joint Commission’s current position is the use of text messaging in healthcare is permitted, provided a secure messaging platform is used. However, the ban on the use of text messages for sending orders for patient care remains in place.

The CMS appeared to be saying no to all forms of text messaging, even though a large percentage of hospitals have switched over to secure text messaging platforms and are finally replacing their outdated pagers. Such a ban would therefore not be too dissimilar to implementing a ban on email, given how text messaging is so extensively used in healthcare.

A recent survey conducted by the Institute for Safe Medication Practices (ISMP) confirms this. In its survey of 788 healthcare professionals, 45% of pharmacists and 35% percent of nurses said texting was used in their facilities. 53% said there was a policy in place prohibiting the use of text messages for patient orders, but despite the Joint Commission ban, 12% said texting patient orders was allowed – 8% only when a secure platform was used and 3% said text messages were permitted under any circumstances.

CMS Confirms The Use of Text Messages in Healthcare is Permitted

On December 28, 2017, a month after the emails were sent, the CMS sent a memo clarifying its position on the use of text messages in healthcare, confirming there is not a total ban in place.

The CMS explained that the ban on the use of all forms of text messaging, including secure text messaging systems, remains in place for orders by physicians or other health care providers. “The practice of texting orders from a provider to a member of the care team is not in compliance with the Conditions of Participation (CoPs) or Conditions for Coverage (CfCs),” specifically stating §489.24(b) and §489.24(c) apply.

Order entries should be made by providers using Computerized Provider Order Entry (CPOE), or via hand written orders. The CMS explained that, “An order if entered via CPOE, with an immediate download into the provider’s electronic health records (EHR), is permitted as the order would be dated, timed, authenticated, and promptly placed in the medical record.”

The CMS accepts that text messages are an important means of communication in healthcare, and that text messages are now essential for effective communication between care team members. However, in order to comply with the CoPs and CfCs, healthcare organizations must use and maintain text messaging systems/platforms that are secure.

Those platforms must encrypt messages in transit and healthcare organizations are required to assess and minimize the risks to the confidentiality, integrity, and availability of PHI as required by HIPAA. The CMS also explained that “It is expected that providers/organizations will implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized, in order to avoid negative outcomes that could compromise the care of patients.”

The stance of the CMS is therefore aligned with that of the Joint Commission. Secure text messaging platforms can be used in healthcare, just not for texting orders. Even though secure text messaging meet HIPAA requirements for privacy and security, the ban remains in place over concerns about inputting orders sent by text messages into the EHR. CPOE is still the preferred method of entry to ensure accuracy.

The post CMS Clarifies Position on Use of Text Messages in Healthcare appeared first on HIPAA Journal.