HIPAA News for Small and Mid-Sized Practices

Is AWS HIPAA Compliant?

Posted by HIPAA Journal

Is AWS HIPAA compliant? Amazon Web Services has all the protections to satisfy the HIPAA Security Rule and Amazon will sign a business associate agreement with healthcare organizations. So, is AWS HIPAA compliant? Yes. And No. AWS can be HIPAA compliant, but it is also easy to make configuration mistakes that will leave protected health information (PHI) unprotected and accessible by unauthorized individuals, violating HIPAA Rules.

Amazon Will Sign a Business Associate Agreement for AWS

Amazon is keen for healthcare organizations to use AWS, and as such, a business associate agreement will be signed. Under that agreement, Amazon will support the security, control, and administrative processes required under HIPAA.

Previous, under the terms of the AWS BAA, the AWS HIPAA compliance program required covered entities and business associates to use Amazon EC2 Dedicated Instances or Dedicated Hosts to process Protected Health Information (PHI), although that is now no longer the case.

As part of its efforts to help healthcare organizations use AWS safely and securely without violating HIPAA Rules, Amazon has published a 26 page guide – Architecting for HIPAA Security and Compliance on Amazon Web Services – to help covered entities and business associates get to grips with securing their AWS instances, and setting access controls.

AWS HIPAA Compliance is Something of a Misnomer

Amazon supports HIPAA compliance, and AWS can be used in a HIPAA compliant way, but no software or cloud service can ever be truly HIPAA compliant. As with all cloud services, AWS HIPAA compliance is not about the platform, but rather how it is used.

The Amazon Simple Storage Service (S3) that is provided through AWS can be used for data storage, data analysis, data sharing, and many other purposes. Data can be accessed from anywhere with an Internet connection, including via websites, and mobile apps. AWS has been developed to be secure, otherwise no one would use the service. But it has also been developed to make data easy to access, by anyone with the correct permissions. Make a mistake configuring users or setting permissions and data will be left exposed.

Just because AWS is HIPAA compliant, it does not mean that using AWS is free from risk, and neither that a HIPAA violation will not occur. Leaving AWS S3 buckets unprotected and accessible by the public is a clear violation of HIPAA Rules. It may seem obvious to secure AWS S3 buckets containing PHI, but this year there have been multiple healthcare organizations that have left their PHI open and accessible by anyone.

Amazon S3 buckets are secure by default. The only way they can be accessed is by using the administrator credentials of the resource owner. It is the process of configuring permissions and providing other users with access to the resource that often goes awry.

When is AWS not HIPAA Compliant?

When is AWS HIPAA compliant? When a BAA has been signed, users have been instructed on the correct way to use the service, and when access controls and permissions have been set correctly. Misconfigure an Amazon S3 bucket and your data will be accessible by anyone who knows where to look.

Documentation is available on the correct way to configure Amazon S3 services and manage access and permissions. Unfortunately, since there are several ways to grant permissions, there are also several points that errors can occur, and simple mistakes can have grave consequences.

On numerous occasions, security researchers have discovered unprotected AWS S3 buckets and have alerted healthcare organizations that PHI has been left unprotected. However, security researchers are not the only ones checking for unsecured data. Hackers are always on the prowl. It is far easier for a hacker to steal data from cloud storage services that have had all protections removed than it is to attack organizations in other ways.

One of the mistakes that has been made time and again is setting access controls to allow access by ‘authenticated users.’ That could be taken to mean anyone who you have authenticated to have access to your data. However, that is not Amazon’s definition of an authenticated user. An authenticated user is anyone with an AWS account, and anyone can obtain an AWS account free of charge.

How Common are AWS Misconfigurations?

AWS misconfigurations are very common. So much so, that Amazon recently emailed users who had potentially misconfigured their S3 buckets to warn them that data could be accessed by anyone.

Amazon said in its email, “We’re writing to remind you that one or more of your Amazon S3 bucket access control lists (ACLs) are currently configured to allow access from any user on the internet,” going on to explain, “While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available.”

Some of those public disclosures have been by healthcare organisations, but the list is long and varied, including military contractors, financial institutions, mobile carriers, entertainment companies, and cable TV providers. One data analytics firm left data unprotected, exposing the records of 200 million voters. Verizon exposed the data of between 6 and 14 million customers, and World Wide Entertainment exposed the data of 3 million individuals. Patient Home Monitoring, a HIPAA covered entity, left 47GB of data unprotected.

There is no excuse for these oversights. Checking for unprotected AWS buckets is not only a quick and easy process, software can be used free of charge for this purpose. A tool has been developed Kromtech called S3 Inspector that can be used to check for unsecured S3 buckets.

Is AWS HIPAA Compliant?

So, in summary, is AWS HIPAA compliant? Yes, it can be, and AWS offers healthcare organizations huge benefits.

Can the use of AWS violate HIPAA Rules and leave PHI unprotected? Very easily.

Would misconfiguration of AWS lead to a HIPAA violation penalty? That is a distinct possibility. AWS is secure by default. Only if settings are changed will stored data be accessible. It would be hard to argue with OCR auditors that manually changing permissions to allow anyone to access a S3 bucket containing PHI is anything other than a serious violation of HIPAA Rules.

The post Is AWS HIPAA Compliant? appeared first on HIPAA Journal.

New Tool Helps Healthcare Organizations Find HIPAA Compliant Business Associates

Posted by HIPAA Journal

Healthcare organizations are only permitted to use business associates that agree to comply with HIPAA Rules and sign a business associate agreement, but finding HIPAA compliant business associates can be a challenge.

Searching for HIPAA compliant business associates is time consuming, although identifying vendors willing to follow HIPAA Rules is only part of the process. Business associate agreements must then be assessed, often incurring legal fees, and healthcare organizations must obtain assurances from new business associate that appropriate safeguards have been implemented to ensure the confidentiality, integrity, and availability of any PHI they provide.

It is also challenging for vendors that wish to take advantage of the opportunities in the healthcare industry. They must be able to demonstrate they have implemented appropriate safeguards and need to provide reassurances that their products and services support HIPAA-compliance.

A solution has now been developed that resolves the issues for both parties and streamlines the process of finding HIPAA compliant business associates. Would-be business associates can also use the solution to prove that they have the necessary safeguards in place to ensure their products and services can be used without violating HIPAA Rules.

The HIPAA Alliance Marketplace is a closed ecosystem founded by the Compliancy Group, which serves as a repository for HIPAA-compliant vendors that can be used to connect medical professionals with trusted vendors.

HIPAA-covered entities can enroll and search the Marketplace for a broad range of service providers, including IT and Managed Service Providers (MSPs), medical billing and collections firms, software and application developers, cloud computing platforms, insurers, printing and mailing vendors, practice management firms, and EHR providers.

In order for a vendor to be included in the HIPAA Alliance Marketplace, they are first subjected to a strict vetting process, in which their services and solutions are assessed against HIPAA Rules. If the audit is passed, the vendor is issued with a HIPAA Seal of Compliance – a reassurance that the vendor has been thoroughly assessed and is a trusted supplier.

“The HIPAA Alliance Marketplace is the only tool of its kind for the health care market today,” said Marc Haskelson, President and CEO of Compliancy Group on the launch of their new HIPAA Alliance Marketplace. “In this climate of data breaches, ransomware, and cyber-security threats, health care providers can rely on the HIPAA Alliance Marketplace to find HIPAA compliant vendors with the security and privacy infrastructure in place to keep their data safe. Vendors can confidently execute Business Associate Agreements with their clients, and providers can be confident in their choice of vendors vetted and verified by the HIPAA Seal of Compliance.”

The post New Tool Helps Healthcare Organizations Find HIPAA Compliant Business Associates appeared first on HIPAA Journal.

Bad Rabbit Ransomware Spread Via Fake Flash Player Updates

Posted by HIPAA Journal

A new ransomware threat has been detected – named Bad Rabbit ransomware – that has crippled businesses in Russia, Ukraine, and Europe. While Bad Rabbit ransomware attacks do not appear to have been conducted in the United States so far, healthcare organizations should take steps to block the threat.

There are similarities between Bad Rabbit ransomware and NotPetya, which was used in global attacks in June. Some security researchers believe the new threat is a NotPetya variant, others have suggested it is more closely related to a ransomware variant called HDDCryptor. HDDCryptor was used in the ransomware attack on the San Francisco Muni in November 2016.

Regardless of the source of the code, it spells bad news for any organization that has an endpoint infected. Bad Rabbit ransomware encrypts files using a combination of AES and RSA-2048, rendering files inaccessible. As with NotPetya, changes are made to the Master Boot Record (MBR) further hampering recovery. This new ransomware threat is also capable of spreading rapidly inside a network.

The recent wave of attacks started in Russia and Ukraine on October 24, with attacks also reported in Bulgaria, Germany, Turkey, and Japan. ESET and Kaspersky Lab have analyzed the new ransomware variant and have established that it is being spread by drive-by downloads, with the ransomware masquerading as a Flash Player update.

The actors behind this latest campaign appear to have compromised the websites of several news and media agencies, which are being used to display warnings about an urgent Flash Player update. No exploits are believed to be involved. User interaction is required to download and run the ransomware.

Users that respond to the Flash Player warning download a file named “install_flash_player.exe.” Running that executable will launch the ransomware. After files have been encrypted and the MBR has been altered, the ransomware reboots the infected device and the ransom note is displayed.

The ransom amount is 0.5 Bitcoin ($280) per infected device. Victims must pay the ransom within 40 hours or the ransom will increase. Whether payment of the ransom allows files to be recovered is uncertain.

The ransomware is also spreading within networks via SMB, although no NSA exploits are believed to be used. Instead, the ransomware scans for network shares and uses Mimikatz to harvest credentials. The ransomware also cycles through a list of commonly used usernames and passwords. If the correct credentials are found, a file called infpub.dat is dropped and executed using rundll.exe. This process allows the ransomware to spread quickly within a network.

There have been at least 200 infections as of this morning, including the Kiev Metro, Odessa International Airport in Ukraine, the Ministry of Infrastructure of Ukraine, and the Russian Interfax and Fontanka news agencies.

Indicators of compromise have been released by Kaspersky Lab and ESET.

It is possible to vaccinate devices to prevent Bad Rabbit ransomware attacks. Kaspersky Lab suggestsrestricting execution of files with the paths c:\windows\infpub.dat and C:\Windows\cscc.dat.” Alternatively, create those two files in the C:\\Windows\ directory and remove all permissions on those files for all users.  

The post Bad Rabbit Ransomware Spread Via Fake Flash Player Updates appeared first on HIPAA Journal.

FirstHealth Attacked with New WannaCry Ransomware Variant

Posted by HIPAA Journal

FirstHealth of the Carolinas, a Pinehurst, SC-based not for profit health network, has been attacked with a new WannaCry ransomware variant.

WannaCry ransomware was used in global attacks in May this year. More than 230,000 computers were infected within 24 hours of the global attacks commencing. The ransomware variant had wormlike properties and was capable of spreading rapidly and affecting all vulnerable networked devices. The campaign was blocked when a kill switch was identified and activated, preventing file encryption.  However, FirstHealth has identified the malware used in its attack and believes it is a new WarnnaCry ransomware variant.

The FirstHealth ransomware attack occurred on October 17, 2017. The ransomware is believed to have been introduced via a non-clinical device, although investigations into the initial entry point are ongoing to determine exactly how the virus was introduced.

FirstHealth reports that its information system team detected the attack immediately and implemented security protocols to prevent the spread of the malware to other networked devices. While the attack was detected rapidly, the ransomware did spread to other devices in the same work areas.

FirstHealth has issued a statement confirming the ransomware attack did not involve the encryption of patient information, and reports that its Epic EHR was unaffected. However, access to its Epic system has been blocked as part of its security protocol to prevent the encryption of patient data and the system is still inaccessible. The MyChart service is online, but no information has been uploaded to the system since the attack occurred.

Even though the attack was limited it has caused considerable disruption. FirstHealth has the arduous task of individually checking 4,000 devices spread across 100 locations to confirm they have not been infected with the virus – a process that will take a considerable amount of time.

FirstHealth is continuing to provide medical services to patients, although the health network has had to cancel some appointments and patients are experiencing delays due to the lack of access to its systems. FirstHealth said, “Our team is working tirelessly to remediate the virus and get our system back up to be fully operational.”

FirstHealth says a patch to address the vulnerability exploited by the new Wannacry ransomware variant has been developed and the patch is being applied on all vulnerable devices. FirstHealth said, “This patch will be added to anti-virus software available for others in the industry to apply to their systems,” suggesting it is not the same patch (MS17-010) that was made available by Microsoft in March to block the SMB flaw that the May 2017 WannaCry attacks exploited.

The post FirstHealth Attacked with New WannaCry Ransomware Variant appeared first on HIPAA Journal.

Employees Sue Lincare Over W2 Phishing Attack

Posted by HIPAA Journal

In February 2017, Lincare Holdings Inc., a supplier of home respiratory therapy products, experienced a breach of sensitive employee data.

The W2 forms of thousands of employees were emailed to a fraudster by an employee of the human resources department. The HR department employee was fooled by a business email compromise (BEC) scam. While health data was not exposed, names, addresses, Social Security numbers, and details of employees’ earnings were obtained by the attacker.

This year has seen an uptick in W2 phishing scams, with healthcare organizations and schools extensively targeted by scammers. The scam involves the attacker using a compromised company email account – or a spoofed company email address – to request copies of W2 forms from HR department employees.

Cyberattacks that result in the sensitive data of patients and consumers being exposed often results in class action lawsuits, although it is relatively rare for employees to take legal action against their employers. Lincare is one of few companies to face a lawsuit for failing to protect employee data.

Three former Lincare employees whose PII was disclosed in February have been named in a class-action lawsuit against the firm. The plaintiffs are seeking damages for the exposure of their PII, credit monitoring and identity theft protection services for 25 years, and 25 years of coverage by an identity theft insurance policy. Lincare previously offered 24 months of complimentary credit monitoring and identity theft protection services to employees affected by the incident.

The plaintiffs claim Lincare was negligent for failing to implement “the most basic of safeguards and precautions,” such as training its employees how to identify phishing scams. The plaintiffs allege the HR employee failed to authenticate the validity of the request for W2 forms, instead just attaching the information and replying to the email.

In the lawsuit, the plaintiffs argue that had simple security measures been adopted by Lincare the breach could have been easily prevented. Those measures include the use of advanced spam filters, providing information security training to staff, implementing data security controls that prohibit employees having on-demand access to PII, adding multiple layers of computer system security and authentication, and ensuring PII was only sent in encrypted form.

The risk of the PII being used to commit fraud is not theoretical. The attacker has already used the stolen data to apply for credit and loans. The lawsuit points out that Lincare sent an email to staff on April 21 saying, “Current and/or former employees affected by the data breach had already had their PII used by a third party or parties as part of a fraudulent scheme to obtain federal student loans through the Department of Education’s Free Application for Federal Student Aid.”

The question that the courts will need to answer is to what extent Lincare is liable for the attack, whether additional safeguards should have implemented and whether there was an implied agreement that the company would keep employee information secure.

The post Employees Sue Lincare Over W2 Phishing Attack appeared first on HIPAA Journal.

Termination for Nurse HIPAA Violation Upheld by Court

Posted by HIPAA Journal

A nurse HIPAA violation alleged by a patient of Norton Audubon Hospital culminated in the termination of the registered nurse’s employment contract. The nurse, Dianna Hereford, filed an action in the Jefferson Circuit Court alleging her employer wrongfully terminated her contract on the grounds that a HIPAA violation had occurred, when she claims she had always ‘strictly complied with HIPAA regulations.’

The incident that resulted in her dismissal was an alleged impermissible disclosure of PHI. Hereford had been assigned to the Post Anesthesia Care Unit at Norton Audubon Hospital and was assisting with a transesophageal echocardiogram. At the time of the alleged HIPAA violation, the patient was in an examination area that was closed off with a curtain. Hereford was present along with a physician and an echocardiogram technician.

Alleged Improper Disclosure of Sensitive Health Information

Before the procedure took place, Hereford performed a ‘Time-Out’ to ensure the patient understood what the procedure would entail, checked to make sure the site of the procedure was clearly marked and made sure appropriate diagnostic tools were available. Hereford also told the technician and the physician that they should wear gloves because the patient had hepatitis C.

After the procedure the patient filed a complaint, alleging Hereford had spoken sufficiently loudly so that other patients and medical staff in the vicinity would have heard that she had hepatitis C. While the complaint was investigated Hereford was placed on administrative leave, and was later terminated for the HIPAA violation – An unnecessary disclosure of confidential health information.

In her action for unfair dismissal, Hereford claimed this was an ‘incidental disclosure’, which is not a violation of HIPAA Rules. Hereford also obtained the professional opinion of an unemployment insurance referee that a HIPAA violation had not occurred. She also claimed defamatory statements had been made about her to the Metropolitan Louisville Healthcare Consortium.

Norton filed a motion to dismiss or, as an alternative, a motion for summary judgement. The Circuit Court granted the motion to dismiss the claim for wrongful termination, as it was deemed there was an unnecessary disclosure of PHI as a physician should not need to be reminded to wear gloves for a procedure to prevent the contraction of an infectious disease. However, the motion to dismiss the defamation claim was denied.

Norton sought summary judgement on the defamation claim and in October 2015, the defamation claim was dismissed with prejudice. The court determined that speaking the truth about the nurse HIPAA violation being the reason for termination could not have defamed Hereford.

Appeals Court Confirms Nurse HIPAA Violation

Hereford subsequently took her case to the Kentucky Court of Appeals. The Court of Appeals found that Hereford could not rely on HIPAA for a wrongful discharge claim as “HIPAA’s confidentiality provisions exist to protect patients and not healthcare employees.”

With respect to the wrongful dismissal claim, the court based its decision on the minimum necessary standard, which requires any disclosure of PHI to be limited to the minimum necessary to accomplish the necessary purpose – 45 CFR 164.502 – explaining, “Under “HIPAA, Hereford’s statement was not the minimum amount necessary to accomplish the warning.” The court concluded a nurse HIPAA violation had occurred. The Court of Appeals also found the decision of the lower court to dismiss the defamation claim to be correct as there could be no defamation when the Metropolitan Louisville Healthcare Consortium was told the truth about the reason for dismissal.

What Are the Potential HIPAA Violation Penalties for Nurses?

HIPAA violation penalties for nurses who breach HIPAA Rules are tiered, based on the level of negligence. There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to willful neglect of HIPAA Rules.

The minimum fines are $100 per violation for tier 1, $1,000 per violation for tier 2, $10,000 per violation for tier 3, and $50,000 per violation for tier 4. The penalty amounts are determined by the Department of Health and Human Services, or by state attorneys general when they decide to issue penalties for HIPAA violations.

What is the Maximum HIPAA Violation Penalty for Nurses

The maximum penalty for a single HIPAA violation is $50,000 per violation or per record, with an annual maximum of $1.5 million per violation category.

Serious violations of HIPAA Rules can warrant criminal charges for HIPAA violations, and in addition to financial penalties jail time is possible. Criminal violations of HIPAA Rules are handled by the U.S. Department of Justice.

Nurses who knowingly obtain or disclose individually identifiable protected health information can face a fine of up to $50,000 and up to one year in jail. If an offense is committed under false pretenses, the criminal penalties rise to a fine of up to $100,000 and up to 5 years in jail. If there is intent to sell, transfer, or illegally use PHI for personal gain, commercial advantage, or malicious harm, the maximum penalty is a fine up to $250,000 and up to 10 years in jail.

When there has been aggravated identity theft, the Identity Theft Penalty Enhancement Act requires a mandatory minimum prison term of two years

Nurse HIPAA Violation Cases

Listed below are some of the recent nurse HIPAA violation cases covered on HIPAA Journal.

Glendale Adventist Medical Center Nurse Fired for HIPAA Violation

Minnesota BCBS Nurse Accused of Unauthorized Accessing of Minnesota Board of Pharmacy Database

Virginia Nurse Charged with Bank Fraud and Identity Theft

Wayne Memorial Hospital Fires Nurse Aide for Inappropriate PHI Access

Minnesota Hospital Fires 32 Over HIPAA Violation

Employees Fired over Sharing of Degrading Photos of Patients on Snapchat

The post Termination for Nurse HIPAA Violation Upheld by Court appeared first on HIPAA Journal.

HHS Issues Limited Waiver of HIPAA Sanctions and Penalties in California

Posted by HIPAA Journal

The Secretary of the U.S. Department of Health and Human Services has issued a limited waiver of HIPAA sanctions and penalties in California. The waiver was announced following the presidential declaration of a public health emergency in northern California due to the wildfires.

As was the case with the waivers issued after Hurricanes Irma and Maria, the limited waiver of HIPAA sanctions and penalties only applies when healthcare providers have implemented their disaster protocol, and then only for a period of up to 72 hours following the implementation of that protocol. In the event of the public health emergency declaration ending, healthcare organizations must then comply with all provisions of the HIPAA Privacy Rule for all patients still under their care, even if the 72-hour period has not yet ended.

Whenever the HHS issued a limited waiver of HIPAA sanctions and penalties, healthcare organizations must still comply with the requirements of the HIPAA Security Rule and the Privacy Rule is not suspended.  The HHS simply exercises its authority under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b) (7) of the Social Security Act, and will not impose sanctions or penalties against healthcare organizations for the following provisions of the HIPAA Privacy Rule:

  • 45 CFR 164.510(b) – The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • 45 CFR 164.510(a) – The requirement to honor a request to opt out of the facility directory.
  • 45 CFR 164.520 – The requirement to distribute a notice of privacy practices.
  • 45 CFR 164.522(a) – The patient’s right to request privacy restrictions.
  • 45 CFR 164.522(b) – The patient’s right to request confidential communications.

Even in emergency situations, the HIPAA Privacy Rule permits HIPAA-covered entities to share patients’ PHI to assist in disaster relief efforts and to help ensure patients receive the care they need.

PHI may also be disclosed for the purpose of providing treatment to patients, in order to coordination patient care, or when referring patients to other healthcare providers.  PHI can be shared for public health activities to allow organizations to carry out their public health missions. Disclosures can be made to family members, friends, and other individuals involved in a patients’ care, as necessary, to identify, locate, or notify family members of the patient’s location, condition, or loss of life. Disclosures can be made to anyone, as necessary, to prevent or lessen a serious injury and disclosures can be made to the media about a patient’s general health status and limited facility directory information can also be disclosed for a named patient, provided the patient has not objected to such disclosures.

In all cases, the ‘minimum necessary’ standard applies. Information should be restricted to the minimum necessary information to achieve the specific purpose for which it is disclosed.

Further information on the waiver can be found in the HHS bulletin on this link.

The post HHS Issues Limited Waiver of HIPAA Sanctions and Penalties in California appeared first on HIPAA Journal.

Q3, 2017 Healthcare Data Breach Report

Posted by HIPAA Journal

In Q3, 2017, there were 99 breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), bringing the total number of data breaches reported in 2017 up to 272 incidents. The 99 data breaches in Q3, 2017 resulted in the theft/exposure of 1,767,717 individuals’s PHI. Up until the end of September, the records of 4,601,097 Americans have been exposed or stolen as a result of healthcare data breaches.

Q3 Data Breaches by Covered Entity

Healthcare providers were the worst hit in Q3, reporting a total of 76 PHI breaches. Health plans reported 17 breaches and there were 6 data breaches experienced by business associates of covered entities.

There were 31 data breaches reported in July, 29 in August, and 39 in September. While September was the worst month for data breaches, August saw the most records exposed – 695,228.

The Ten Largest Healthcare Data Breaches in Q3, 2017

The ten largest healthcare data breaches reported to OCR in Q3, 2017 were all the result of hacking/IT incidents. In fact, 36 out of the 50 largest healthcare data breaches in Q3 were attributed to hacking/IT incidents.

Covered Entity Entity Type Number of Records Breached

Type of Breach
Women’s Health Care Group of PA, LLC Healthcare Provider 300,000 Hacking/IT Incident
Pacific Alliance Medical Center Healthcare Provider 266,123 Hacking/IT Incident
Peachtree Neurological Clinic, P.C. Healthcare Provider 176,295 Hacking/IT Incident
Arkansas Oral & Facial Surgery Center Healthcare Provider 128,000 Hacking/IT Incident
McLaren Medical Group, Mid-Michigan Physicians Imaging Center Healthcare Provider 106,008 Hacking/IT Incident
Salina Family Healthcare Center Healthcare Provider 77,337 Hacking/IT Incident
Morehead Memorial Hospital Healthcare Provider 66,000 Hacking/IT Incident
Network Health Health Plan 51,232 Hacking/IT Incident
St. Mark’s Surgical Center, LLC Healthcare Provider 33,877 Hacking/IT Incident
Sport and Spine Rehab Healthcare Provider 31,120 Hacking/IT Incident

Main Cause of Healthcare Data Breaches in Q3, 2017

For much of 2017, the main cause of healthcare data breaches was unauthorized disclosures by insiders, although in Q3, 2017, hacking was the biggest cause of healthcare data breaches. These incidents involve phishing attacks, malware and ransomware incidents, and the hacking of network servers and endpoints. These hacking incidents involved the exposure/theft of considerably more data than all of the other breach types combined. In Q3, 1,767,717 healthcare records were exposed/stolen, of which 1,578,666 – 89.3% – were exposed/stolen in hacking/IT incidents.

Location of Breached PHI

If vulnerabilities exist, it is only a matter of time before they will be discovered by hackers. It is therefore essential for HIPAA covered entities and their business associates conduct regular risk assessments to determine whether any vulnerabilities exist. Weekly checks should also be conducted to make sure the latest versions of operating systems and software are installed and no patches have been missed. Misconfigured servers, unsecured databases, and the failure to apply patches promptly resulted in 31 data breaches in Q3, 2017.

In Q3, 34 incidents were reported that involved email. While some of those incidents involved misdirected emails and the deliberate emailing of ePHI to personal email accounts, the majority of those breaches saw login details disclosed or ransomware/malware installed as a result of employees responding to phishing emails.  The high number of phishing attacks reported in Q3 shows just how important it is to train employees how to recognize phishing emails and how to report suspicious messages. Training should be an ongoing process, involving classroom-based training, CBT sessions, and phishing simulations, with email updates sent to alert employees to specific threats.

The post Q3, 2017 Healthcare Data Breach Report appeared first on HIPAA Journal.

Is Skype HIPAA Compliant?

Posted by HIPAA Journal

Text messaging platforms such as Skype are a convenient way of quickly communicating information, but is Skype HIPAA compliant? Can Skype be used to send text messages containing electronic protected health information (ePHI) without risking violating HIPAA Rules?

There is currently some debate surrounding Skype and HIPAA compliance. Skype includes security features to prevent unauthorized access of information transmitted via the platform and messages are encrypted. But does Skype satisfy all requirements of HIPAA Rules?

This article will attempt to answer the question, Is Skype HIPAA compliant?

Is Skype a Business Associate?

Is Skype a HIPAA business associate? That is a matter that has been much debated. Skype could be considered an exception under the Conduit Rule – being merely a conduit through which information flows. If that is the case, a business associate agreement would not be necessary.

However, a business associate agreement is necessary if a vendor creates, receives, maintains, or transmits PHI on behalf of a HIPAA-covered entity or one of its business associates. Skype does not create PHI, but it does ‘receive’ and transmit PHI. That said, messages are encrypted and are not accessed by Microsoft.  But can Microsoft access the contents of messages? Does Microsoft hold a key to unlock the encryption?

Microsoft does comply with law enforcement requests and will supply information to law enforcement. Information is only disclosed when required to so do by law, if a subpoena or court order is issued for example.

For that to happen, data must first be decrypted. It is unclear whether providing information to law enforcement, and being able to decrypt messages, would mean Skype would satisfy the requirements of the conduit exception. Skype is also not a common carrier, it is software-as-service. While this has been debated, it is our opinion that Skype is classed as a business associate and a business associate agreement is required.

Microsoft will sign a HIPAA-compliant business associate agreement with covered entities for Office 365, and Skype for Business MAY be included in that agreement. If a business associate agreement has been obtained from Microsoft, covered entities must check it carefully to make sure if it does include Skype for Business. Microsoft has previously explained that not all BAAs are the same.

Skype and HIPAA Compliance: Encryption, Access, and Audit Controls

HIPAA does not demand the use of encryption for ePHI, although encryption must be considered. If encryption is not used, an alternative, equivalent safeguard must be implemented in its place. In the case of Skype, messages are encrypted using AES 256-bit encryption; therefore, this aspect of HIPAA compliance is satisfied.

However, Skype does not necessarily include appropriate controls for backing up of messages (and ePHI) communicated via the platform, and neither does it maintain a HIPAA-compliant audit trail. Skype for Business can be made HIPAA compliant, if the Enterprise E3 or E5 package is purchased. These include the ability to create an archive that stores all communications. Other versions would not satisfy HIPAA Rules.

Is Skype HIPAA Compliant?

So, is Skype HIPAA compliant? No. Is Skype for Business HIPAA compliant? It can be, if the Enterprise E3 or E5 package is purchased. In the case of the latter, it is down to the covered entity to ensure Skype is HIPAA compliant. That means a business associate agreement must be obtained from Microsoft prior to using Skype for Business to send any ePHI. Skype must also be configured carefully. In order to be HIPAA compliant Skype must maintain an audit trail and all messages must be backed up securely and all communications saved.

Access controls must also be applied on all devices that use Skype to prevent unauthorized disclosures of ePHI. Controls must also be set to prevent any ePHI from being sent outside the organization. Covered entities must also receive satisfactory assurances that in the event of a breach, they will be notified by Microsoft.

Even with a BAA and the correct package, there is still considerable potential for HIPAA Rules to be violated using Skype for Business. Since there are many secure text messaging options available to covered entities, including platforms that have been built specifically for use by the healthcare industry, they may prove to be a better choice. With those platforms, HIPAA compliance is made much more straightforward and it is far harder to accidentally violate HIPAA Rules.

The post Is Skype HIPAA Compliant? appeared first on HIPAA Journal.