HIPAA News

32% of Healthcare Employees Have Received No Cybersecurity Training

Posted August 21, 2019 by HIPAA Journal

There have been at least 200 breaches of more than 500 records reported since January and 2019 looks set to be another record-breaking year for healthcare data breaches.

The continued increase in data breaches prompted Kaspersky Lab to conduct a survey to find out more about the state of cybersecurity in healthcare. Kaspersky Lab has now published the second part of its report from the survey of 1,758 healthcare professionals in the United States and Canada.

The study provides valuable insights into why so many cyberattacks are succeeding. Almost a third of surveyed healthcare employees (32%) said they have never received cybersecurity training in the workplace.

Security awareness training for employees is essential. Without training, employees are likely to be unaware of some of the cyber threats that they will encounter on a daily basis. Employees must be trained how to identify phishing emails and told of the correct response when a threat is discovered. The failure to provide training is a violation of HIPAA.

Even when training is provided, it is often insufficient. 11% of respondents said they received cybersecurity training when they started work but had not received any training since. 38% of employees said they were given cybersecurity training each year, and a fifth (19%) of healthcare employees said they had been provided with cybersecurity training but did not feel they had been trained enough.

32% of respondents said they had been provided with a copy of their organization’s cybersecurity policy but had only read it once and 1 in 10 managers were not aware if their company had a cybersecurity policy. 40% of healthcare workers in the United States were unaware of the cybersecurity measures protecting IT devices at their organization.

Training on HIPAA also appears to be lacking. Kaspersky Lab found significant gaps in employees’ knowledge of regulatory requirements. For instance, 18% of respondents were unaware what the Security Rule meant and only 29% of respondents were able to identify the correct meaning of the HIPAA Security Rule.

Kaspersky Lab researchers recommend hiring a skilled IT team that understands the unique risks faced by healthcare organizations and has knowledge of the tools that are required to keep protected health information safe and secure.

It is also essential to address data security and regulatory knowledge gaps. IT security leaders must ensure that every member of the workforce receives regular cybersecurity training and is fully aware of the requirements of HIPAA.

It is also important to conduct regular assessments of security defenses and compliance. Companies that fail to regularly check their cyber pulse can identify and address vulnerabilities before they are exploited by hackers and cause a costly data breach.

The post 32% of Healthcare Employees Have Received No Cybersecurity Training appeared first on HIPAA Journal.

Allscripts Proposes $145 Million Settlement to Resolve DOJ HIPAA and HITECH Act Case

Posted August 12, 2019 by HIPAA Journal

A preliminary settlement has been proposed by Allscripts Healthcare Solutions to resolve alleged violations of HIPAA, the HITECH Act’s electronic health record (EHR) incentive program, and the Anti-Kickback Statute related to the electronic health record (EHR) company Practice Fusion, which was acquired by Allscripts in 2018.

Prior to the acquisition, Practice Fusion has been investigated by the Attorney’s Office for the District of Vermont in March 2017 and had provided documentation and information. Between April 2018 and January 2019, the company received further requests for documents and information through civil investigative demands and HIPAA subpoenas.

Then in March 2019, the company received a grand jury subpoena over a Department of Justice (DOJ) investigation into the business practices of Practice Fusion, potential violations of the Anti-Kickback Statute, HIPAA, and the payments received under the HHS EHR incentive program. Scant information has been released about the nature of the alleged violations by Practice Fusion.

The proposed settlement will see Allscripts pay $145 million to the DOJ to resolve the company and Practice Fusion of all civil and criminal liability related to the investigation. Allscripts President Rick Poulton hopes the settlement will be sufficient to resolve the case. Since Practice Fusion was acquired, Allscripts has had to devote an increasing amount of resources the investigation. Poulton wants to reach an agreement as soon as possible so the company can move on.

“While the amount we have agreed to pay of $145 million is not insignificant, it is in line with other settlements in the industry, and we are happy to have reached the agreement in principle,” said Poulton. “We will work with the DOJ to finalize the details of the settlement over the coming months”.

Last year, the HHS agreed a settlement with EHR vendor eClinicalWorks over alleged false claims related to the HITECH Act EHR incentive program. eClinicalWorks paid $155 million to resolve the case.

The post Allscripts Proposes $145 Million Settlement to Resolve DOJ HIPAA and HITECH Act Case appeared first on HIPAA Journal.

HHS Declares Limited Waiver of HIPAA Sanctions and Penalties in Louisiana

Posted July 17, 2019 by HIPAA Journal

The Secretary of the U.S. Department of Health and Human Services (HHS) has issued a limited waiver of HIPAA sanctions and penalties in Louisiana due to the devastation likely to be caused by Tropical Storm Barry as it made landfall on July 13 as a hurricane. The HHS announced the public health emergency in Louisiana on Friday July 12, 2019.

The waiver only applies to healthcare organizations in the emergency area and only for the length of time stated in the declaration. The waiver only applies to specific provisions of the HIPAA Privacy Rule and only for a maximum period of 72 hours after the hospital has implemented its emergency protocol.

Once the time period for the waiver ends, healthcare providers will be required once again to comply with all aspects of the HIPAA Privacy Rule, even for patients still under their at the time the declaration ends, even if the 72-hour time window has not expired.

While a waiver has been issued, the Privacy Rule does not prohibit the sharing of protected health information during disasters to assist patients and make sure they get the care they require. That includes sharing some health information with friends, family members and other individuals directly involved in a patient’s care.

The HIPAA Privacy Rule allows the sharing of PHI for public health activities and to prevent or reduce a serious and imminent threat to health or safety. HIPAA-covered entities are also permitted to share information with disaster relief organizations that have been authorized by law to assist with disaster relief efforts without first obtaining permission from patients.

During natural disasters the HIPAA Privacy and Security Rules remain in effect, although following the secretarial declaration, sanctions and penalties against HIPAA covered entities are waived for the following aspects of the HIPAA Privacy Rule:

The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
The requirement to honor a request to opt out of the facility directory. See 45 CFR164.510(a).
The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
The patient’s right to request confidential communications. See 45 CFR 164.522(b).

“We are working closely with state health and emergency management officials to anticipate the communities’ healthcare needs and be ready to meet them,” said Secretary Azar. The HHS emergency declaration and limited HIPAA waiver can be viewed on this link (PDF).

The post HHS Declares Limited Waiver of HIPAA Sanctions and Penalties in Louisiana appeared first on HIPAA Journal.

Webinar: Ransomware, Malware, Phishing, and HIPAA Compliance

Posted July 10, 2019 by HIPAA Journal

Compliancy Group is offering healthcare professionals an opportunity to take part in a webinar covering the main threats facing the healthcare industry.

Threats such as ransomware, malware, and phishing will be discussed by compliance experts in relation to HIPAA and the privacy and security of patient data.

Cybersecurity has become more important than ever in healthcare. The industry is seen as a weak target by hackers, large volumes of data are stored, and patient information carries a high value on the black market.

April 2019 saw the highest number of healthcare data breaches in a single month and more healthcare data breaches were reported in 2018 than in any other year to date. The increased frequency of attacks on organizations of all sizes highlights just how important cybersecurity has become.

Cyberattacks are not only negatively affecting businesses in the healthcare sector, but also place the privacy of patient’s health information at risk. While it was once sufficient to implement standard security tools, the sophisticated nature of attacks today mean new solutions are required to protect against cyberattacks.

Protecting against cyberattacks while ensuring compliance with HIPAA can be a challenge and oversights could easily lead to a costly breach or regulatory fine.

In the latest Compliancy Group webinar, compliancy experts will walk you through the inns and outs of the regulations and you can find out more about cybersecurity with respect to the requirements of HIPAA and HITECH.

Webinar:

Ransomware, Malware, Phishing, Oh My!

Wednesday, July 10th

2:00 ET/11:00 PT

Advance Registration

The post Webinar: Ransomware, Malware, Phishing, and HIPAA Compliance appeared first on HIPAA Journal.

May 2019 Healthcare Data Breach Report

Posted June 20, 2019 by HIPAA Journal

In April, more healthcare data breaches were reported than in any other month to date. The high level of data breaches has continued in May, with 44 data breaches reported. Those breaches resulted in the exposure of almost 2 million individuals’ protected health information.

On average, 2018 saw 29.5 healthcare data breaches reported to the HHS’ Office for Civil Rights each month – a rate of more than one a day.

From January 2019 to May 2019, an average of 37.2 breaches have been reported each month. Up until May 31, 2019, 186 healthcare data breaches had been reported to OCR, which is more than half (52%) the number of breaches reported last year.

It remains to be seen whether the increase in data breaches is just a temporary blip or whether 40+ healthcare data breaches a month will become the new norm.

May saw a 186% increase in the number of exposed records compared to April. Across the 44 breaches, 1,988,376 healthcare records were exposed or compromised in May. So far this year, more than 6 million healthcare records have been exposed, which is more than half of the number of records exposed in 2018.

In terms of the number of records exposed, May would have been similar to April were it not for a massive data breach at the healthcare clearinghouse Inmediata Health Group. The breach was the largest of the year to date and resulted in the exposure of 1,565,338 records.

A web page which was supposed to only be accessible internally had been misconfigured and the page could be accessed by anyone over the internet.

Rank	Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach
1	Inmediata Health Group, Corp.	Healthcare Clearing House	1,565,338	Unauthorized Access/Disclosure
2	Talley Medical Surgical Eyecare Associates, PC	Healthcare Provider	106,000	Unauthorized Access/Disclosure
3	The Union Labor Life Insurance Company	Health Plan	87,400	Hacking/IT Incident
4	Encompass Family and internal medicine group	Healthcare Provider	26,000	Unauthorized Access/Disclosure
5	The Southeastern Council on Alcoholism and Drug Dependence	Healthcare Provider	25,148	Hacking/IT Incident
6	Cancer Treatment Centers of America® (CTCA) at Southeastern Regional Medical Center	Healthcare Provider	16,819	Hacking/IT Incident
7	Takai, Hoover, and Hsu, P.A.	Healthcare Provider	16,542	Unauthorized Access/Disclosure
8	Hematology Oncology Associates, PC	Healthcare Provider	16,073	Hacking/IT Incident
9	Acadia Montana Treatment Center	Healthcare Provider	14,794	Hacking/IT Incident
10	American Baptist Homes of the Midwest	Healthcare Provider	10,993	Hacking/IT Incident

Causes of May 2019 Healthcare Data Breaches

Hacking/IT incidents were the most numerous in May with 22 reported incidents. In total, 225,671 records were compromised in those breaches. The average breach size was 10,258 records with a median of 4,375 records.

There were 18 unauthorized access/disclosure incidents in May, which resulted in the exposure of 1,752,188 healthcare records. The average breach size was 97,344 records and the median size was 2,418 records.

8,624 records were stolen in three theft incidents. The average breach size 2,875 records and the median size was 3,578 records. There was one loss incident involving 1,893 records.

Location of Breached PHI

Email continues to be the most common location of breached PHI. 50% of the month’s breaches involved at least some PHI stored in email accounts. The main cause of these types of breaches is phishing attacks.

Network servers were the second most common location of PHI. They were involved in 11 breaches, which included hacks, malware infections and ransomware attacks. Electronic medical records were involved in 7 breaches, most of which were unauthorized access/disclosure breaches.

May 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in May with 34 breaches. 5 breaches were reported by health plans and 4 breaches were reported by business associates of HIPAA-covered entities. A further two breaches had some business associate involvement. One breach involved a healthcare clearinghouse.

May 2019 Healthcare Data Breaches by State

May saw healthcare data breaches reported by entities in 17 states. Texas was the worst affected state in May with 7 reported breaches. There were 4 breaches reported by covered entities and business associates in California and 3 breaches were reported in each of Indiana and New York.

2 breaches were reported by entities base in Connecticut, Florida, Georgia, Maryland, Minnesota, North Carolina, Ohio, Oregon, Washington, and Puerto Rico. One breach was reported in each of Colorado, Illinois, Kentucky, Michigan, Missouri, Montana, and Pennsylvania.

HIPAA Enforcement Actions in May 2019

OCR agreed two settlements with HIPAA covered entities in May and closed the month with fines totaling $3,100,000.

Touchstone Medical Imaging agreed to settle its HIPAA violation case for $3,000,000. The Franklin, TN-based diagnostic medical imaging services company was investigated after it was discovered that an FTP server was accessible over the internet in 2014.

The settlement resolves 8 alleged HIPAA violations including the lack of a BAA, insufficient access rights, a risk analysis failure, the failure to respond to a security incident, a breach notification failure, a media notification failure, and the impermissible disclosure of the PHI of 307,839 individuals.

Medical Informatics Engineering settled its case with OCR and agreed to pay a financial penalty of $100,000 to resolve alleged HIPAA violations uncovered during the investigation of its 2015 breach of 3.5 million patient records. Hackers had gained access to MIE servers for 19 days in May 2015.

OCR determined there had been a failure to conduct a comprehensive risk analysis and, as a result of that failure, there was an impermissible disclosure of 3.5 million individuals’ PHI.

It did not end there for MIE. MIE also settled a multi-state lawsuit filed by 16 state attorneys general. A multi-state investigation uncovered several HIPAA violations. MIE agreed to pay a penalty of $900,000 to resolve the case.

The post May 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

House Overturns Ban on HHS Funding HIPAA National Patient Identifier Development

Posted June 17, 2019 by HIPAA Journal

One of the requirements of the HIPAA Administrative Simplification Rules was the development of a national identifier for all patients. Such an identifier would be used by all healthcare organizations to match patients with health records from multiple sources and would improve the reliability of health information and ensure it could be shared quickly and efficiently.

That national patient identifier has failed to materialize. For the past two decades, the Department of Health and Human Services has been prohibited from using funds to develop or promote a unique patient identifier system out of concerns over privacy and security of patient data.

Just as was the case in 1996, the benefits of using national patient identifiers remain and the need for such a system is greater than ever. Many hospitals, healthcare and health IT groups have been urging Congress to lift the HHS ban due to the benefits that would come from using a national identifier.

They argue it would make it much easier to match medical information from multiple sources with the correct patient and the potential for errors would be greatly reduced. Together with the cost savings, adoption of a national patient identifier would improve the quality of care provided to patients and patient safety.

Now, 20 years after the ban was put in place, it is closer to being lifted. The U.S. House of Representatives recently voted on several amendments to a $99.4 billion HHS appropriations bill. The amendment calling for the lifting of the ban was proposed by Rep. Bill Foster (D-Ill.) and was passed on Wednesday 12, June in a 246 to 178 vote. Until now, neither chamber in Congress has ever voted to lift the ban.

“For the last 21 years, this misguided policy has been in place, and thousands of Americans have died due to getting the wrong drug to the wrong patient or due to incorrect or incomplete electronic medical records, all arising from the inability to simply and correctly merge health records from different systems,” said Rep. Foster.

The passing of the amendment is the first step toward a national identifier being developed, but there are plenty of hurdles to overcome before the ban is finally lifted. The appropriations bill must first be passed, and the senate would need to give its approval, then the president would need to sign the bill into law.

Even though the benefits of a national patient identifier are clear, many privacy advocates believe the privacy and security risks are too great and that adoption of a national identifier would result in loss of control of patient data and more frequent, larger, and more damaging healthcare data breaches.

The post House Overturns Ban on HHS Funding HIPAA National Patient Identifier Development appeared first on HIPAA Journal.

HHS To Apply New Caps on Financial Penalties for HIPAA Violations to Reflect Level of Culpability

Posted April 29, 2019 by HIPAA Journal

Body:

The Department of Health and Human Services has issued a notification of enforcement discretion regarding the civil monetary penalties that are applied when violations of HIPAA Rules are discovered and will be reducing the maximum financial penalty for three of the four penalty tiers.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 increased the penalties for HIPAA violations. The new penalties were based on the level of knowledge a HIPAA covered entity or business associate had about the violation and whether action was voluntarily taken to correct any violations.

The 1st penalty tier applies when a covered entity or business associate is unaware that HIPAA Rules were violated and, by exercising a reasonable level of due diligence, would not have known that HIPAA was being violated.

The 2nd tier applies when a covered entity knew about the violation or would have known had a reasonable level of due diligence been exercised, but when the violation falls short of willful neglect of HIPAA Rules.

The 3rd penalty tier applies when there was willful neglect of HIPAA Rules, but the covered entity corrected the problem within 30 days.

The 4th tier applies when there was willful neglect of HIPAA Rules and no efforts were made to correct the problem in a timely manner.

The maximum penalty across all four tiers was set at $1.5 million for violations of an identical provision in a single calendar year.

On January 25, 2013, the HHS implemented an interim final rule (IFR) and adopted the new penalty structure, but believed at the time that there were inconsistencies in the language of the HITCH Act with respect to the penalty amounts. The HHS determined at the time that the most logical reading of the law was to apply the same maximum penalty cap of $1,500,000 across all four penalty tiers.

The HHS has now reviewed the language of the HITECH Act and believes a better reading of the requirements of the HITECH Act would be for the annual penalty caps to be different in three of the four tiers to better reflect the level of culpability. The minimum and maximum amounts in each tier will remain unchanged.

New Interpretation of the HITECT ACT’s Penalties for HIPAA Violations

Penalty Tier	Level of Culpability	Minimum Penalty per Violation	Maximum Penalty per Violation	Old Maximum Annual Penalty	New Maximum Annual Penalty
1	No Knowledge	$100	$50,000	$1,500,000	$25,000
2	Reasonable Cause	$1,000	$50,000	$1,500,000	$100,000
3	Willful Neglect – Corrective Action Taken	$10,000	$50,000	$1,500,000	$250,000
4	Willful Neglect – No Corrective Action Taken	$50,000	$50,000	$1,500,000	$1,500,000

The HHS will publish its notification in the Federal Register on April 30, 2019. The HHS notes that its notification of enforcement discretion creates no legal obligations and no legal rights. Consequently, it is not necessary for it to be reviewed by the Office of Management and Budget.

The new penalty caps will be adopted by the HHS until further notice and will continue to be adjusted annually to account for inflation. The HHS expects to engage in further rulemaking to review the penalty amounts to better reflect the text of the HITECH Act.

The post HHS To Apply New Caps on Financial Penalties for HIPAA Violations to Reflect Level of Culpability appeared first on HIPAA Journal.

Feature of DICOM Image Format Could Be Abused to Fuse Malware with PHI

Posted April 26, 2019 by HIPAA Journal

The DICOM image format, which has been in use for around for 30 years, contains a design ‘flaw’ that could be exploited by hackers to embed malware in image files. Were that to happen, the malware would become permanently fused with protected health information.

The DICOM file format was developed to allow medical images to be easily stored and shared. It eliminated the need for physical films and solved hardware compatibility issues. DICOM is now the standard format used for MRI and CT images and is supported by most medical imaging systems. The file format can be read by a range of devices that are used to view patient image files and diagnostic information.

DICOM images contain a section at the start of the files called a Preamble. This section is used to facilitate access to the metadata within the images and ensure compatibility with image viewers which do not support the DICOM image format. By altering the Preamble section of the file, image viewers treat DICOM images as a file type that they support, such as a jpeg, allowing the file to be opened.

This design feature is part of the reason why the DICOM file format is so useful. However, this feature can also be seen as a flaw. Markel Picado Ortiz, a security researcher at Cylera, discovered the preamble section of the file does not have restrictions on what can be added.

Ortiz has a proof-of-concept exploit for the flaw which allows an arbitrary sequence of executable code to be inserted into the image. Provided that code is less than 128 bytes, it can be inserted without affecting compliance with the DICOM standard, altering the image in any other way, or changing any PHI contained in the file. Ortiz has called the attack method PE/DICOM.

By altering the Preamble of a file, a hacker could insert executable code that masquerades as a DICOM file. The DICOM image would become an executable file, yet it would not have a file extension associated with executable files. Headers could also be added that make the file appear to be another file format, such as an executable.

Any hacker that were to use this method of incorporating malicious code would also benefit from HIPAA regulations. Files containing PHI are usually ignored by anti-malware solutions for compliance reasons. Even if they did, it would be unlikely they would detect the presence of any code in the preamble section of the files.

Detecting the malware would therefore prove difficult. Malicious code could remain undetected, but worse, the infected files would be stored within the healthcare provider’s protected environment. The file may also be shared with other healthcare providers would be unaware the files had been infected with malware.

Since the malware contains executable code, it could download other malware onto the network or give an attacker a launch pad to conduct further attacks. Files could be given worm-like properties that allow malware to be propagated throughout the network.

The potential uses of this flaw are numerous. “This [flaw] enables new and existing malware to evolve into more potent variants, optimized for successful compromise of healthcare organizations, by using the infected patient data to hide, protect and spread itself – three of the primary functions that determine the effectiveness of a malware campaign,” said Ortiz.

Were the malware to be identified, healthcare organizations would have a problem with removing the malware. The hybrid file that is created could not have the malware removed without permanently deleting the file, which would result in the permanent loss of the image and patients’ PHI. Healthcare providers may have to keep the infected file due to HIPAA regulations.

“The fusion of fully-functioning executable malware with HIPAA-protected patient information adds regulatory complexities and clinical implications to automated malware protection and typical incident response processes in ways that did not previously need to be considered,” explained Ortiz.

Unfortunately, since the flaw is present in the DICOM standard itself, it is not possible to issue a patch to correct the flaw. The solution would be for the DICOM standard to be changed to place restrictions on what can be incorporated into the Preamble, but that may prove to be a challenge and would also involve altering a feature of DICOM files that makes them so useful.

Anti-malware solutions could be developed to check for the presence of malicious code inside DICOM images, but that does not solve the issue of what is done with the files if they are determined to contain malware.

While the flaw is serous, in order for it to be exploited, an attacker would first need to have permissions to access the system on which DICOM images are stored and would also need to have permissions to execute commands. Valid Active Directory credentials would therefore be required. That said, there have been many cases of credentials being compromised that have given hackers access to healthcare networks. The flaw could also be exploited by a malicious insider with access to the network.

All healthcare organizations can do to protect against the flaw in the short term is to adopt standard cybersecurity best practices to prevent access to the network being gained, such as changing default credentials, securing the perimeter, and scanning for and addressing vulnerabilities. Network segregation will help to prevent the spread of any malware and intrusion detection systems could detect an attack before DICOM images could be changed.

What is clear is that correcting the flaw and preventing abuse is going to be a major challenge and one that will not easily be solved.

The post Feature of DICOM Image Format Could Be Abused to Fuse Malware with PHI appeared first on HIPAA Journal.

Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules

Posted April 16, 2019 by HIPAA Journal

A recent study conducted by the consultancy firm CynergisTek has revealed healthcare organizations are not in conformance with NIST Cybersecurity Framework (CSF) controls and the HIPAA Privacy and Security Rules.

For the study, CynergisTek analyzed the results of assessments at almost 600 healthcare organizations against NIST CSF and the HIPAA Privacy and Security Rules.

The NIST CSF is a voluntary framework, but the standards and best practices help organizations manage cyber risks. Healthcare organizations that are not in conformance with CSF controls face a higher risk of experiencing a cyberattack or data breach. On average, healthcare organizations were only in conformance with 47% of NIST CSF controls. Conformance has only increased by 2% in the past year.

Assisted living organizations had the highest level of conformance with NIST CSF (95%), followed by payers (86%), and accountable care organizations (73%). Business associates of HIPAA covered entities only had an average conformance level of 48%. Physician groups had the lowest level of conformance (36%).

Out of the five core functions of the NIST CSF – Identify, detect, protect, respond, and recover – conformance was lowest for detect.

Even though conformance with the HIPAA Security Rule has been mandatory for the past 14 years, many healthcare organizations were found to be falling short. On average, healthcare organizations were found to be in conformance with 72% of HIPAA Security Rule requirements, which was 2% lower than last year. Critical access hospitals fared the worst with an average of 67% conformance.

Even when organizations were complying with HIPAA Rules, significant security gaps were identified, which clearly demonstrated compliance does not necessarily equate to security.

Compliance with the requirements of the HIPAA Privacy Rule was better, but there is still significant room for improvement. On average, healthcare organizations were complying with 77% of HIPAA Privacy Rule provisions. Many organizations had missing policies and procedures and improper postings. More than 60% of assessments revealed gaps in the maintenance of written policies and procedures related to the use and release of protected health information.

Conformance with the HIPAA Privacy Rule increased year over year for payers and physician groups, but declined for hospitals and health systems, falling from 94% in 2017 to 72% in 2018. CynergisTek explained this fall as most likely being due to higher numbers of assessments being performed on hospitals and health systems in 2018.

CynergisTek also found that insider breaches continue to be a major challenge for healthcare organizations. Insiders were responsible for 28% of healthcare data breaches in 2018 and, on average, those breaches took 255 days to detect. 74% of cases involved employees accessing the health records of household members, 10% involved accessing the records of VIPs that were treated at the hospital. 8% of cases involved accessing the health records of co-workers and 8% involved accessing neighbors’ health records.

Business associates were found to be a major security risk. They were involved in 20% of healthcare data breaches in 2018. CynergisTek found that in many cases, healthcare organizations were not proactively assessing their vendors, even those that are medium to high risk. The most common business associate failures were related to risk assessments, governance, and access management.

The post Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules appeared first on HIPAA Journal.

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information