Tips for Reducing Mobile Device Security Risks

An essential part of HIPAA compliance is reducing mobile device security risks to a reasonable and acceptable level.

As healthcare organizations turn to mobiles devices such as laptop computers, mobile phones, and tablets to improve efficiency and productivity, many are introducing risks that could all too easily result in a data breach and the exposure of protected health information (PHI).

As the breach reports submitted to the HHS’ Office for Civil Rights show, mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, 71 breaches have been reported to OCR that have involved mobile devices such as laptops, smartphones, tablets, and portable storage devices. Those breaches have resulted in the exposure of 1,303,760 patients and plan member records.

17 of those breaches have resulted in the exposure of more than 10,000 records, with the largest breach exposing 697,800 records. The majority of those breaches could have easily been avoided.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not demand encryption for mobile devices, yet such a security measure could have prevented a high percentage of the 71 data breaches reported to OCR.

When a mobile device containing ePHI is lost or stolen, the HIPAA Breach Notification Rule requires the breach to be reported and notifications to be sent to affected individuals. If PHI has been encrypted and a device containing ePHI is lost or stolen, notifications need not be sent as it would not be a HIPAA data breach. A breach report and patient notifications are only required for breaches of unencrypted PHI, unless the key to decrypt data is also obtained.

Even though HIPAA does not demand the use of encryption, it must be considered. If the decision is taken not to encrypt data, the decision must be documented and an alternative safeguard – or safeguards – must be employed to ensure the confidentiality, integrity, and availability of ePHI. That alternative safeguard(s) must provide a level of protection equivalent to encryption.

Before the decision about whether or not to encrypt data can be made, HIPAA covered entities must conduct an organization-wide risk analysis, which must include all mobile devices. All risks associated with the use of mobile devices must be assessed and mitigated – see 45 C.F.R. § 164.308(a)(1)(ii)(A)–(B).

OCR Reminds Covered Entities of Need to Address Risks Associated with Mobile Devices

In its October 2017 Cybersecurity Newsletter, OCR reminded covered entities of the risks associated with mobile devices that are used to create, receive, maintain, or transmit ePHI. HIPAA covered entities were reminded of the need to conduct an organization-wide risk assessment and develop a risk management plan to address all mobile device security risks identified during the risk analysis and reduce them to an appropriate and acceptable level.

While many covered entities allow the use of mobile devices, some prohibit the use of those devices to create, receive, maintain, or transmit ePHI. OCR reminds covered entities that if such a policy exists, it must be communicated to all staff and the policy must be enforced.

When mobile devices can be used to create, receive, maintain, or transmit ePHI, appropriate safeguards must be implemented to reduce risks to an appropriate and acceptable level. While loss or theft of mobile devices is an obvious risk, OCR draws attention to other risks associated with the devices, such as using them to access or send ePHI over unsecured Wi-Fi networks, viewing ePHI stored in the cloud, or accessing or sharing ePHI via file sharing services.

OCR also remined covered entities to ensure default settings on the devices are changed and how healthcare employees must be informed of mobile device security risks, taught best practices, and the correct way to uses the device to access, store, and transmit ePHI.

OCR offers the following advice to covered entities address mobile security risks and keep ePHI secure at all times.

To access OCR’s guidance – Click here.

OCR’s Tips for Reducing Mobile Device Security Risks

  • Implement policies and procedures regarding the use of mobile devices in the work place – especially when used to create, receive, maintain, or transmit ePHI.
  • Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
  • Install or enable automatic lock/logoff functionality.
  • Require authentication to use or unlock mobile devices.
  • Regularly install security patches and updates.
  • Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
  • Use a privacy screen to prevent people close by from reading information on your screen.
  • Use only secure Wi-Fi connections.
  • Use a secure Virtual Private Network (VPN).
  • Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.
  • Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device.
  • Include training on how to securely use mobile devices in workforce training programs.

Penalties for Failing to Address Mobile Security Risks

The failure to address mobile device security risks could result in a data breach and a penalty for noncompliance with HIPAA Rules. Over the past few years there have been several settlements reached between OCR and HIPAA covered entities for the failure to address mobile device security risks.

These include:

Covered Entity HIPAA Violation Individuals Impacted Penalty
Children’s Medical Center of Dallas Theft of unencrypted devices 6,262 $3.2 million
Oregon Health & Science University Loss of unencrypted laptop / Storage on cloud server without BAA 4,361 $2,700,000
Cardionet Theft of an unencrypted laptop computer 1,391 $2.5 million
Catholic Health Care Services of the Archdiocese of Philadelphia Theft of mobile device 412 $650,000

Addressing Mobile Device Security Risks

Mobile device security risks must be reduced to a reasonable and appropriate level.  Some of the mobile device security risks, together with mitigations, have been summarized in the infographic below. (Click image to enlarge)

mobile device security risks

The post Tips for Reducing Mobile Device Security Risks appeared first on HIPAA Journal.

53% of Businesses Have Misconfigured Secure Cloud Storage Services

The healthcare industry has embraced the cloud. Many healthcare organizations now use secure cloud storage services to host web applications or store files containing electronic protected health information (ePHI).

However, just because secure cloud storage services are used, it does not mean data breaches will not occur, and neither does it guarantee compliance with HIPAA. Misconfigured secure cloud storage services are leaking sensitive data and many organizations are unaware sensitive information is exposed.

A Business Associate Agreement Does Not Guarantee HIPAA Compliance

Prior to using any cloud storage service, HIPAA-covered entities must obtain a signed business associate agreement from their service providers.

Obtaining a signed, HIPAA-compliant business associate agreement prior to the uploading any ePHI to the cloud is an important element of HIPAA compliance, but a BAA alone will not guarantee compliance. ePHI can easily be exposed if cloud storage services are not configured correctly.

As Microsoft explains, “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Configure your account correctly and your data will be secure. Make a mistake and data will be exposed and you could easily violate HIPAA Rules.

Misconfigured Secure Cloud Storage Services

When it comes to secure cloud storage, many organizations believe their cloud environments have been secured, but that is often not the case. How many businesses are leaving data exposed? According to a recent study by cloud threat defense firm RedLock, more than half of businesses have made mistakes that have exposed sensitive data in the cloud.

The report reveals many organizations are not following established security best practices, such as using multi-factor authentication for all privileged account users. To make matters worse, many businesses are failing to monitor their cloud environments which means data is being exposed, but not detected.

The problem appears to be getting worse. RedLock’s last analysis for Q2 revealed 40% of businesses had misconfigured at least one of their cloud storage services – Amazon Simple Storage Service (Amazon S3) for example. A new analysis, published in its latest Cloud Security Trends Report, shows that percentage jumped to 53% between June and September 2017.

Key Findings

  • 53% of organizations have at least one exposed cloud storage service
  • 38% of users exposed data through compromised administrative user accounts
  • 81% are not managing host vulnerabilities in the cloud
  • 37% of databases accept inbound connection requests from suspicious IP addresses
  • 64% of databases are not encrypted
  • 45% of Center of Internet Security (CIS) compliance checks are failed
  • 48% of Payment Card Industry Data Security Standard (PCI DSS) compliance checks fail
  • 250 organizations were found to be leaking credentials to their cloud environments on internet-facing web servers

Cloud Misconfigurations Result in Data Breaches

One need look no further than the widespread misconfigured MongoDB installations that were discovered by hackers in January 2017. Misconfigured databases were plundered, data deleted, and ransom demands issued. More than 26,000 MongoDB databases were hijacked and held for ransom.

Is it not just small organizations that are making errors that are resulting in data exposure and data breaches. The Equifax data breach, which saw the records of more than 143 million Americans exposed, was the result of the failure to address a known vulnerability in Apache Struts; a framework that supported its dispute portal web application. Equifax CEO Richard Smith recently told the House Energy and Commerce Committee that the missed patch was due to a mistake by a single employee.

British insurance giant Aviva found out one of its cloud environments had been ‘hacked’ and was being used to mine Bitcoin. Kubernetes administration consoles were used to gain access to its cloud environment with ease. Its administration consoles lacked passwords.

RedLock is not the only company to report on the problem. IBM X-Force said it has tracked more than 1.3 billion records that were exposed as a result of misconfigured servers up to September 2017.

Training will only go so far. You can train your employees never to leave the firewall turned off, yet occasionally that happens. Bad errors can also occur in the cloud that will similarly lead to data breaches. Leave the door open to hackers and they will infiltrate cloud environments, steal data, and hold organizations to ransom.

What organizations must do is to make sure all doors have been closed and locked. Unless organizations proactively monitor their cloud environments, they will be unaware there is a problem until it is too late.

The post 53% of Businesses Have Misconfigured Secure Cloud Storage Services appeared first on HIPAA Journal.

What are the HIPAA Breach Notification Requirements?

All HIPAA covered entities must familiarize themselves with the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information is discovered.

While most HIPAA covered entities should understand the HIPAA breach notification requirements, organizations that have yet to experience a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Vendors that have only just started serving healthcare clients may similarly be unsure of the reporting requirements and actions that must be taken following a breach.

The issuing of notifications following a breach of unencrypted protected health information is an important element of HIPAA compliance. The failure to comply with HIPAA breach notification requirements can result in a significant financial penalty. With this in mind, we have compiled a summary of the HIPAA breach notification requirements for covered entities and their business associates.

Summary of the HIPAA Breach Notification Requirements

The HIPAA Breach Notification Rule – 45 CFR §§ 164.400-414 – requires covered entities and their business associates to report breaches of electronic protected health information and physical copies protected health information. A breach is defined as the acquisition, access, use, or disclosure of protected health information in a manner not permitted by HIPAA Rules.

HIPAA breaches include unauthorized access by employees as well as third parties, improper disclosures, the exposure of protected health information, and ransomware attacks. Exceptions include: Breaches of secured protected health information such as encrypted data when the key to unlock the encryption has not been obtained; “any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure;” An inadvertent disclosure by a person who is authorized to access PHI, to another member of the workforce at the organization who is also authorized to access PHI; When the covered entity or business associate makes a disclosure and has a good faith belief that the information could not have been retained by the person to whom it was disclosed.

In the event of a reportable HIPAA breach being experienced, the HIPAA breach notification requirements are:

Notify Individuals Impacted – or Potentially Impacted – by the Breach

All individuals impacted by a data breach, who have had their protected health information accessed, acquired, used, or disclosed, must be notified of the breach. Breach notifications are also required for any individual who is reasonably believed to have been affected by the breach.

Breach notification letters must be sent within 60 days of the discovery of a breach unless a request to delay notifications has been made by law enforcement. In such cases, notifications should be sent as soon as that request has expired. While it is permissible to delay reporting of a breach to the HHS for breaches impacting fewer than 500 individuals (see below), that delay does not apply to notifications to breach victims.

Breach notification letters should be sent by first class mail to the last known address of breach victims, or by email if individuals have given authorization to be contacted electronically.

The HIPAA breach notification requirements for letters include writing in plain language, explaining what has happened, what information has been exposed/stolen, providing a brief explanation of what the covered entity is doing/has done in response to the breach to mitigate harm, providing a summary of the actions that will be taken to prevent future breaches, and giving instructions on how breach victims can limit harm. Breach victims should also be provided with a toll-free number to contact the breached entity for further information, together with a postal address and an email address.

Notify the Department of Health and Human Services

Notifications must be issued to the Secretary of the Department of Health and Human Services, via the Office for Civil Rights breach reporting tool. The HIPAA breach notification requirements differ depending on how many individuals have been impacted by the breach.

When the breach has impacted more than 500 individuals, the maximum permitted time for issuing the notification to the HHS is 60 days from the discovery of the breach, although breach notices should be issued without unnecessary delay. In the case of breaches impacting fewer than 500 individuals, HIPAA breach notification requirements are for notifications to be issued to the HHS within 60 days of the end of the calendar year in which the breach was discovered.

Notify the Media

HIPAA breach notification requirements include issuing a notice to the media. Many covered entities that have experienced a breach of protected health information notify the HHS, relevant state attorneys general, and the patients and health plan members impacted by the breach, but fail to issue a media notice – a violation of the HIPAA Breach Notification Rule.

A breach of unsecured protected health information impacting more than 500 individuals must be reported to prominent media outlets in the states and jurisdictions where the breach victims reside – See 45 CFR §§ 164.406. This is an important requirement, as up-to-date contact information may not be held on all breach victims. By notifying the media, it will help to ensure that all breach victims are made aware of the potential exposure of their sensitive information. As with the notifications to the HHS and breach victims, the media notification must be issued within 60 days of the discovery of the breach.

Post a Substitute Breach Notice on the Home Page of the Breach Entity’s Website

In the event that up-to-date contact information is not held on 10 or more individuals that have been impacted by the breach, the covered entity is required to upload a substitute breach notice to their website and link to the notice from the home page. The link to the breach notice should be displayed prominently and should remain on the website for a period of 90 consecutive days. In cases where fewer than 10 individuals’ contact information is not up-to-date, alternative means can be used for the substitute notice, such as a written notice or notification by telephone.

Data Breaches Experienced by HIPAA Business Associates

Business associates of HIPAA-covered entities must also comply with the HIPAA breach notification requirements and can be fined directly by the HHS’ Office for Civil Rights and state attorneys general for a HIPAA Breach Notification Rule violation.

Any breach of unsecured protected health information must be reported to the covered entity within 60 days of the discovery of a breach. While this is the absolute deadline, business associates must not delay notification unnecessarily. Unnecessarily delaying notifications is a violation of the HIPAA Breach Notification Rule.

It is usually the covered entity that will issue breach notifications to affected individuals, so any breach notification will need to be accompanied with details of the individuals impacted. It is a good practice to issue a breach notification to a covered entity rapidly, and to provide further information on the individuals impacted once the investigation has been completed. Under the terms of a HIPAA-compliant Business Associate Agreement (BAA), a business associate may be required to issue breach notifications to affected individuals.

Timeline for Issuing Breach Notifications

Breach notifications should be issued as soon as possible and no later than 60 days after the discovery of the breach, except when a delay is requested by law enforcement. Investigating a breach of protected health information can take some time, but once all the necessary information has been obtained to allow breach notifications to be sent they should be mailed.

HIPAA-covered entities must not delay sending breach notification letters. It is possible to receive a HIPAA violation penalty for delaying notifications, even if they are sent within 60 days of the discovery of the breach. There have been several recent cases of HIPAA breach notification requirements not being followed within the appropriate time frame, which can potentially result in financial penalties.

State Breach Notification Laws May Be Stricter than HIPAA

U.S. states have their own breach notification laws. Typically, notifications must be issued to breach victims promptly and a notice also submitted to the state attorney general’s office. Some states require breach notifications to be issued well within the HIPAA deadline.

Delaying breach notifications until the 60-day limit of HIPAA could well see state laws violated, leading to financial penalties from state attorneys general. State laws frequently change so it is important to keep up to date on breach notification laws in the states in which you operate.

Penalties for Violations of HIPAA Breach Notification Requirements

HIPAA covered entities must ensure the HIPAA breach notification requirements are followed or they risk incurring financial penalties from state attorneys general and the HHS’ Office for Civil Rights.

In 2017, Presense Health became the first HIPAA-covered entity to settle a case with the Office for Civil Rights solely for a HIPAA Breach Notification Rule violation – after it exceeded the 60-day maximum time frame for issuing breach notifications. Presense Health took three months from the discovery of the breach to issue notifications – A delay that cost the health system $475,000. The maximum penalty for a HIPAA Breach Notification Rule violation is $1,500,000, or more if the delay is for more than 12 months.

The post What are the HIPAA Breach Notification Requirements? appeared first on HIPAA Journal.

Is OneDrive HIPAA Compliant?

Many covered entities want to take advantage of cloud storage services, but can Microsoft OneDrive be used? Is OneDrive HIPAA compliant?

Many healthcare organizations are already using Microsoft Office 365 Business Essentials, including exchange online for email. Office 365 Business Essentials includes OneDrive Online, which is a convenient platform for storing and sharing files.

Microsoft Supports HIPAA-Compliance

There is certainly no problem with HIPAA-covered entities using OneDrive. Microsoft supports HIPAA-compliance and many of its cloud services, including OneDrive, can be used without violating HIPAA Rules.

That said, before OneDrive – or any cloud service – can be used to create, store, or send files containing the electronic protected health information of patients, HIPAA-covered entities must obtain and sign a HIPAA-compliant business associate agreement (BAA).

Microsoft was one of the first cloud service providers to agree to sign a BAA with HIPAA-covered entities, and offers a BAA through the Online Services Terms. The BAA includes OneDrive for Business, as well as Azure, Azure Government, Cloud App Security, Dynamics 365, Office 365, Microsoft Flow, Intune Online Services, PowerApps, Power BI, and Visual Studio Team Services.

Under the terms of its business associate agreement, Microsoft agrees to place limitations on use and disclosure of ePHI, implement safeguards to prevent inappropriate use, report to consumers and provide access to PHI, on request, per the HIPAA Privacy Rule. Microsoft will also ensure that if any subcontractors are used, they will comply with the same – or more stringent – restrictions and conditions with respect to PHI.

Provided the BAA is signed prior to the use of OneDrive for creating, storing, or sharing PHI, the service can be used without violating HIPAA Rules.

Microsoft explains that all appropriate security controls are included in OneDrive, and while HIPAA compliance certification has not been obtained, all of the services and software covered by the BAA have been independently audited for the Microsoft ISO/IEC 27001 certification.

Appropriate security controls are included to satisfy the requirements of the HIPAA Security Rule, including the encryption of data at rest and in transit to HIPAA standards. Microsoft uses 256-bit AES encryption and SSl/TLS connections are established using 2048-bit keys.

There is More to HIPAA Compliance Than Using ‘HIPAA-Compliant’ Services

However, just because Microsoft will sign a BAA, it does not mean OneDrive is HIPAA compliant. There is more to compliance than using a specific software or cloud service. Microsoft supports HIPAA compliance, but HIPAA compliance depends of the actions of users. As Microsoft explains, “Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Prior to the use of any cloud service, a HIPAA-covered entity must conduct a risk analysis and assess the vendor’s provisions and policies. A risk management program must also be developed, using policies, procedures, and technologies to ensure risks are mitigated.

Access policies must be developed and security settings configured correctly. Strong passwords should be used, external file sharing should be disabled, access should be limited to trusted whitelisted networks, and PHI must only be shared with individuals authorized to view the information. When PHI is shared, the minimum necessary standard applies. Logging should be enabled to ensure organizations have visibility into what users are doing with respect to PHI, and when employees no longer require access to OneDrive, such as when they leave the organization, access should be terminated immediately.

So, Is OneDrive HIPAA compliant? Yes and No. OneDrive can be used without violating HIPAA Rules and Microsoft supports HIPAA compliance, but ultimately HIPAA compliance is down to the covered entity, how the service is configured and used.

The post Is OneDrive HIPAA Compliant? appeared first on HIPAA Journal.

August Sees OCR Breach Reports Surpass 2,000 Incidents

Following the introduction of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its Wall of Shame.  August saw an unwanted milestone reached. There have now been more than 2,000 healthcare data breaches (impacting more than 500 individuals) reported to OCR since 2009.

As of today, there have been 2,022 healthcare data breaches reported. Those breaches have resulted in the theft/exposure of 174,993,734 individuals’ protected health information. Healthcare organizations are getting better at discovering and reporting breaches, but the figures clearly show a major hike in security incidents. In the past three years, the total has jumped from around 1,000 breaches to more than 2,000.

The recent KPMG 2017 Cyber Healthcare & Life Sciences Survey showed that 47% of healthcare organizations have experienced a data breach in the past two years, up from 37% in 2015 when the survey was last conducted. An ITRC/CyberScout study showed there has been a 29% increase in data breaches so far in 2017.

In contrast to other industries, the biggest cause of data breaches is insiders (Protenus/databreaches.net): Both deliberate actions by ‘bad apples’ and accidental breaches as a result of simple errors and negligence. Hacking (including malware/ransomware attacks) is the second biggest cause.

Healthcare Organizations Should Not Ignore the Threat from Phishing

Many healthcare data breaches occur as a result of phishing. Research conducted by PhishMe suggests 91% of data breaches start with a phishing email, with the attackers using phishing to obtain login credentials or install malware/ransomware.

A recent Global Threat Intelligence Report released by NTT Security showed the extent to which phishing is used to distribute malware. In Q2, 2017, 67% of malware attacks saw malware delivered via phishing emails.

Jon Heimerl, manager of the Threat Intelligence communications team, pointed out that while phishing is used extensively to spread malware, it isn’t often rated as one of the biggest threats. Heimerl said, “I have not seen any studies where CISOs are saying their No. 1 concern is phishing attacks. If you went around a room, it would likely be ransomware and DDoS as the No. 1 and No. 2 things on their mind, in my view.”

Countering the threat from phishing requires software solutions to block spam emails from being delivered to end users, security awareness training to teach employees how to identify email threats, and phishing simulations to put security awareness training to the test and identify vulnerable individuals in need of further training.

New Exploit Kit and Recent Ransomware Attacks Highlight Importance of Prompt Patching

Email remains the main delivery vector for malware, although the WannaCry attacks showed that malware can easily be installed if patch management practices are poor. The ransomware attacks were made possible thanks to the release of exploits by the hacking group Shadow Brokers and poor patching practices.  Prompt patching would have protected organizations against WannaCry.

Exploit kits also pose a threat. Exploit kits are web-based tools that probe for vulnerabilities in browsers and plugins. Exploits are loaded to the kit that are used to silently download malware when a visitor to a domain hosting the kit is discovered to have a vulnerable browser.

This week, a new exploit kit has started to be offered on underground forums at cut price rates. For as little as $80 a day, cybercriminals can rent the new Disdain exploit kit and use it to spread malware. Exploit kit activity has fallen over the past 12 months, although the threat of web-based attacks should not be ignored.

The Disdain exploit kit can leverage at least 15 vulnerabilities to download malicious payloads, including vulnerabilities in Firefox (CVE-2017-5375, CVE-2016-9078, CVE-2014-8636, CVE-2014-1510, CVE-2013-1710), Internet Explorer (CVE-2017-0037, CVE-2016-0189, CVE-2015-2419, CVE-2014-6332, CVE-2013-2551), IE and Edge (CVE-2016-7200), Adobe Flash (CVE-2016-4117, CVE-2016-1019, CVE-2015-5119), and Cisco Web Ex (CVE-2017-3823). While many of these vulnerabilities are relatively new, patches have been released to address all of the flaws.


To reduce the risk of exploit kit attacks, healthcare organizations should ensure all browsers are updated automatically and regular checks are performed to ensure all employees are using the latest versions. A web filtering solution is also beneficial to block access to domains known to be used for malware distribution, host exploit kits or phishing.

The post August Sees OCR Breach Reports Surpass 2,000 Incidents appeared first on HIPAA Journal.

OCR Data Breach Portal Update Highlights Breaches Under Investigation

Last month, the Department of Health and Human Services confirmed it was mulling over updating its data breach portal – commonly referred to as the OCR ‘Wall of Shame’.

Section 13402(e)(4) of the HITECH Act requires OCR to maintain a public list of breaches of protected health information that have impacted more than 500 individuals. All 500+ record data breaches reported to OCR since 2009 are listed on the breach portal.

The data breach list contacts a wide range of breaches, many of which occurred through no fault of the covered entity and involved no violations of HIPAA Rules.

OCR has received some criticism for its breach portal for this very reason, most recently from Rep. Michael Burgess (R-Texas) who said the breach portal was ‘unnecessarily punitive’ in its current form.

For example, burglaries will occur even with reasonable physical security in place and even with appropriate controls in place, rogue healthcare employees will access PHI out of curiosity or with malicious intent on occasion, with some considering it unfair for those breaches to remain on public display indefinitely.

OCR Director Roger Severino said last month that “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved.”

While the HITECH Act requires OCR to maintain the portal, the Act does not specify for how long that information must be displayed. One possibility for change would be a time limit for displaying the breach summaries. There was concern from some privacy advocates about the loss of information from the portal, which would make it hard for information about past breaches to be found for research purposes or by patients whose PHI may have been exposed.

This week, changes have been made to the breach portal. The breach list now displays all data breaches that are currently under investigation by OCR. OCR investigates all reported data breaches impacting more than 500 individuals. Currently, the list shows there are 354 active investigations dating back to July 2015.

The order of the list has also been changed so the most recent breach reports are displayed first – A much more convenient order for checking the latest organizations to report data breaches.

Data breaches that were reported to OCR more than 24 months ago along with breach investigations that have now been closed have not been lost, instead they have been moved to an archive. The archive can still be accessed through the site and is searchable, as before.

Since recent data breaches could be in the archive or main list, it has potential to make research and searches more complicated. OCR has tackled this issue by offering a research report containing the full list of breaches dating back to 2009.

The post OCR Data Breach Portal Update Highlights Breaches Under Investigation appeared first on HIPAA Journal.

U.S. Data Breaches Hit Record High

Hacking still the biggest cause of data breaches and the breach count has risen once again in 2017, according to a new report released by the Identity Theft Resource Center (ITRC) and CyberScout.

In its half yearly report, ITRC says 791 data breaches have already been reported in the year to June 30, 2017 marking a 29% increase year on year. At the current rate, the annual total is likely to reach 1,500 reported data breaches. If that total is reached it would represent a 37% increase from last year’s record-breaking total of 1,093 breaches.

Following the passing of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing healthcare data breach summaries on its website. Healthcare organizations are required by HIPAA/HITECH to detail the extent of those breaches and how many records have been exposed or stolen. The healthcare industry leads the way when it comes to transparency over data breaches, with many businesses failing to submit details of the extent of their breaches.

ITRC says it is becoming much more common to withhold this information. In the first 6 months of 2017, 67% of data breach notifications and public notices did not include the number of records exposed, which is a 13% increase year on year and a substantial increase from the 10-year average of 43%. The lack of full information about data breaches makes it harder to produce meaningful statistics and assess the impact of breaches.

81.5% of healthcare industry data breach reports included the number of people impacted – a similar level to 2016. ITRC points out that does not mean healthcare organizations are failing to provide full reports, only that HITECH/HIPAA regulations do not require details of breaches of employee information to be reported.

The OCR breach portal shows healthcare industry data breaches in the year to June 30, 2017 increased by 14% year on year. 169 breaches were reported in the first six months of 2017 compared to 148 in the same period in 2016.

Hacking is Still the Biggest Cause of U.S Data Breaches

The biggest cause of U.S data breaches is still hacking according to the report, accounting for 63% of data breaches reported in the first half of the year across all industries – and increase of 5% year on year. Phishing, ransomware, malware and skimming were also included in the totals for hacking. 47.7% of those breaches involved phishing and 18.5% involved ransomware or malware.

The second biggest causes of U.S. data breaches were employee error, negligence and improper disposal, accounting for 9% of the total, followed by accidental exposure on the Internet – 7% of breaches.

The OCR breach portal shows 63 healthcare data breaches were attributed to hacking/IT incidents – 37% of the half yearly total. That represents a rise of 19% from last year.

In close second place is unauthorized access/disclosure – 58 incidents or 35% of the total. A 14% decrease year on year. In third place is loss/theft of devices – 40 incidents or 24% of all healthcare data breaches. A 4% fall year on year. The remaining 4% of healthcare data breaches – 7 incidents – were caused by improper disposal of PHI/ePHI.

Matt Cullina, CEO of CyberScout, said “All these trends point to the need for businesses to take steps to manage their risk, prepare for common data breach scenarios, and get cyber insurance protection.”

The post U.S. Data Breaches Hit Record High appeared first on HIPAA Journal.

Funding for ONC Office of the Chief Privacy Officer to be Withdrawn in 2018

The cuts to the budget of the Office of the National Coordinator for Health Information Technology (ONC) mean the agency must make some big changes, one of which will be the withdrawal of funding for the Office of the Chief Privacy Officer. ONC National Coordinator Don Rucker, M.D., has confirmed that the office will be closed out in fiscal year 2018.

Deven McGraw, the Deputy Director for Health Information Privacy, has been serving as Acting Chief Privacy Officer until a permanent replacement for Lucia Savage is found, following her departure in January. It is now looking highly unlikely that a permanent replacement will be sought.

One of the key roles of the Chief Privacy Officer is to ensure that privacy and security standards are addressed and health data is appropriately protected. The Chief Privacy Officer also advises the National Coordinator for Health IT on privacy and security policies covering electronic health information. However, Rucker does not believe it is necessary for the ONC to have an office dedicated to privacy and security as other agencies in the HHS could assist and take on additional tasks.

The HITECH Act required ONC to appoint a Chief Privacy Officer; however, an alternative is for ONC to request personnel from other HHS agencies. Faced with a $22 million cut in its operating budget, ONC will turn to the HHS’ Office for Civil Rights to assist with privacy functions with the ONC only maintaining ‘limited support’ for the position of Chief Privacy Officer.

The Chief Privacy Officer has been instrumental in improving understanding of HIPAA Rules with respect to privacy since the HITECH Act was passed. Many healthcare organizations have impeded the flow of health information due to a misunderstanding of the HIPAA Privacy Rule. The Chief Privacy Officer has helped to explain that HIPAA Rules do not prevent the exchange of health information – They only ensure information is shared securely and the privacy of patients is preserved. These outreach efforts are likely to be impacted by the loss of the Office of the Chief Privacy Officer.

Rucker explained that discussions are now taking place between ONC and OCR to determine how these and other tasks will be performed, but explained that privacy and security are implicit in all aspects of the work performed by ONC and that will not change.

Cutbacks are inevitable with the trimming of the ONC’s budget but Rucker has explained that the HHS will continue to ensure privacy and security issues are dealt with and efforts to improve understanding of the HIPAA Privacy and Security Rules will also continue.

The post Funding for ONC Office of the Chief Privacy Officer to be Withdrawn in 2018 appeared first on HIPAA Journal.

Indiana Senate Passes New Law on Abandoned Medical Records

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers (and other covered entities) to implement reasonable administrative, technical, and physical safeguards to protect the privacy of patients’ protected health information.

HIPAA applies to electronic protected health information (ePHI) and physical records. Safeguards must be implemented to protect all forms of PHI at rest and in transit and when PHI is no longer required, covered entities must ensure it is disposed of securely.

For electronic protected health information that means data must be permanently deleted so it cannot be reconstructed and recovered. To satisfy HIPAA requirements, the Department of Health and Human Services’ Office for Civil Rights (OCR) recommends clearing, purging or destroying electronic media used to store ePHI. Clearing involves the use of software to overwrite data, purging involves degaussing or exposing media to strong magnetic fields to destroy data. Destruction of electronic media could involve pulverization, melting, disintegration, shredding or incineration.

For physical PHI, OCR recommends shredding, burning, pulping, or pulverization to render PHI unreadable and indecipherable and to ensure the data cannot be reconstructed.

If PHI is not disposed of in accordance with HIPAA Rules, covered entities can face heavy financial penalties. Those penalties are decided by OCR, although state attorneys general can also fine covered entities since the introduction of the Health Information Technology for Clinical and Economic Health (HITECH) Act.

While state attorneys general can take action against covered entities for HIPAA violations that impact state residents, few have exercised that right – Only Connecticut, Vermont, Massachusetts, New York and Indiana all done so since the passing of the HITECH Act.

Even though few states are taking action against covered entities for HIPAA violations as allowed by the HITECH Act, many states have introduced laws to protect state residents in the event of a data breach.

In Indiana, a new state law has been recently passed that allows action to be taken against organizations that fail to dispose of medical records securely.

Indiana Updates Legislation Covering Abandoned Medical Records

In Indiana, legislation has previously been introduced covering ‘abandoned records’. If medical records are abandoned, such as being dumped or disposed of without first rendering them unreadable, action can be taken against the organization concerned.

Abandoned records are those which have been “voluntarily surrendered, relinquished, or disclaimed by the health care provider or regulated professional, with no intention of reclaiming or regaining possession.” The state law previously only covered physical records, although a new Senate Bill (SB 549) has recently been unanimously passed that has expanded the definition to also include ePHI stored in databases. The definition of ‘abandoned records’ has also been expanded to include those that have been “recklessly or negligently treated such that an unauthorized person could obtain access or possession” to those records.”

While there are exceptions under SB 549 for organizations that maintain their own data security procedures under HIPAA and other federal legislation, the new law closes a loophole for organizations that are no longer HIPAA covered entities. In recent years, there have been numerous cases of healthcare organizations going out of business and subsequently abandoning patients’ files. SB 549 allows the state attorney general to take action against HIPAA covered entities that have gone out of business if they are discovered to have abandoned PHI or disposed of ePHI incorrectly.

The new legislation came into effect on July 1, 2017. The new law allows the Indiana attorney general to file actions against the organization concerned and recover the cost of securing and disposing of the abandoned records. That should serve as a deterrent and will help to keep state residents’ PHI private.

The post Indiana Senate Passes New Law on Abandoned Medical Records appeared first on HIPAA Journal.