Latest HIPAA News

51% of Healthcare Providers Still Not Fully Complying with HIPAA Right of Access

The Department of Health and Human Services’ Office for Civil Rights is cracking down on noncompliance with the HIPAA Right of Access and for good reason. A recent report from Ciitizen has revealed more than half of healthcare providers (51%) are not fully compliant with this aspect of HIPAA.

This is the second such report from Ciitizen, the first having been released on August 14, 2019. For the latest report, an additional 169 healthcare providers were assessed for Right of Access compliance, bringing the total assessed providers to 210.

Acting with authorization from patients, Ciitizen made requests for copies of patients records. Each healthcare provider was then given a rating based on their response, from 5 stars being fully compliant and responding within 5 days, down to 1 or 2 stars. A 1- or 2-star rating meant that were it not for multiple escalation calls to supervisors, the provider would not have been compliant.

There is some good news in the report. More providers are complying and there is less inconsistency from employee to employee. A growing number of healthcare providers are also now providing seamless access to patient records, with the percentage having increased from 30% to 40%.

The high figure or noncompliance is not because of the failure to provide patients with copies of their medical records on request, it is mostly because there needs to be “significant intervention” before requests are processed in a compliant manner.

For instance, the main reason for a 1-star rating is patients are not being provided with copies of their medical records in the digital format of their choosing. Inconsistency is also an issue. Many patients will be provided with copies of their records within 30 days, but a significant percentage will experience problems, such as having to make contact by phone on multiple occasions.

The findings from the first report were found to be broadly comparable to the second, although a far higher percentage of providers received a 1-star rating in the second report. In Cohort I (n=51), 27% received a 1-star rating and 24% received 2 stars. In Cohort II (n-169), 51% received a 1-star rating and 5% received a 2-star rating.

This can be explained by the fact that fewer escalation attempts were made by telephone after the initial request was submitted with Cohort II. That meant that the 30-day time limit for providing records was exceeded on occasion.

For Cohort II, out of the providers that were given a 1-star rating, 86% failed to provide the records in the requested format, 20% exceeded the 30-day time frame for providing records, and 1% attempted to charge excessive fees. In Cohort I, the figures were 86% format failures, 2% fee issues, and 2% failed to send the records to the designee. All requests were processed within 30 days.

It is important to point out that copies of records were requested in a specific digital format. Ciitizen said 76% of providers receiving a 1-star rating would have received a 4- or 5-star rating if they had been allowed to send records in any digital format (CD, fax, or encrypted email).

Ciitizen chose to request a specific digital format to assess compliance and better reflect real world scenarios. For instance, many patients do not have access to a fax machine and may not have a laptop/computer with a CD drive.

Ciitizen believes the use of standard open APIs would help to ensure that records could easily be provided in the format requested by the patient.

Ciitizen points out that providers are now accepting request forms by mail, email, and fax, which makes it far easier for patients to obtain a copy of their records. To date, excessive fees have not been an issue but, in some cases, this was only due to Ciitizen successfully resolving attempts by providers to charge fees that are not permitted under HIPAA by escalating the issue to supervisors.

The detailed Ciitizen report can be viewed and downloaded on this link.

Penalties for Noncompliance with HIPAA Right of Access

The penalties for noncompliance are can be severe. Willful neglect of HIPAA Rules now carries a minimum penalty of $58,490 per violation, if no corrective action has been taken, and a maximum penalty of $1,754,698 per violation, per year. OCR calculates penalties based on the number of days the organization has not been in compliance, so the maximum possible penalty is substantial.

OCR has stated on multiple occasions that HIPAA Right of Access failures are one of its main enforcement priorities. Already this year, OCR has issued one financial penalty for noncompliance with this important aspect of HIPAA and it will not be the last.

Bayfront Health St Petersburg was fined $85,000 for HIPAA Right of Access failures in September 2019 and in 2011, Cignet Health of Prince George’s County was ordered to pay a civil monetary penalty of $4,300,000 for denying patients access to their medical records.

It doesn’t take a data breach for an investigation into patient rights violations to be initiated by OCR. The Bayfront Health St Petersburg financial penalty was in response to a single complaint from a patient who had not been provided with her medical records in a timely manner.

The post 51% of Healthcare Providers Still Not Fully Complying with HIPAA Right of Access appeared first on HIPAA Journal.

Google Confirms it has Legitimate Access to Millions of Ascension Patients’ Health Records

Following a report in the Wall Street Journal, Google has confirmed it is collaborating with one of the largest healthcare systems in the United States, which gives it access to a huge volume of patient data.

Google has partnered Ascension, the world’s largest catholic health system and the second largest non-profit health system in the United States. Ascension operates more than 2,600 healthcare facilities in 21 states, including 150 hospitals and over 50 senior living facilities.

The collaboration has given Google access to patient health information such as names, dates of birth, medical test results, diagnoses, treatment information, service dates, and other personal and clinical information.

The project – code name Project Nightingale – had been kept under the radar prior to the WSJ Report, which claimed that at least 150 Google employees have allegedly been able to access patient data as part of the project and that access to patient data had been granted without patients or physicians being informed. Both Google and Ascension made announcements about the Project Nightingale collaboration after the WSJ story was published.

In a November 11 press release, Ascension said it “is working with Google to optimize the health and wellness of individuals and communities, and deliver a comprehensive portfolio of digital capabilities that enhance the experience of Ascension consumers, patients and clinical providers across the continuum of care.”

Google explained in its announcement that it had previously mentioned the collaboration in July 2019 in its Q2 earnings call, in which it stated, “Google Cloud’s AI and ML solutions are helping healthcare organizations like Ascension improve the healthcare experience and outcomes.”

Google explained in its November 11 blog post that collaboration with Ascension is focused on A) Shifting Ascension’s infrastructure to the Google Cloud platform; B) Helping Ascension implement G Suite productivity tools and; C) Extending tools to doctors and nurses to improve care. Google also stated that some of the tools it is working on are not yet active in clinical development and are still in the early testing stage, hence the code name, Project Nightingale.

Another goal of the collaboration is to use Google’s considerable computing capabilities to analyze patient data with a view to developing software that leverages its AI and machine learning technology to deliver more targeted care to patients.

Ascension said the it will be “Exploring artificial intelligence/machine learning applications that will have the potential to support improvements in clinical quality and effectiveness, patient safety, and advocacy on behalf of vulnerable populations, as well as increase consumer and provider satisfaction.”

As a business associate of Ascension, Google has confirmed that access to patient data is legitimate and in full compliance with Health insurance Portability and Accountability Act (HIPAA) Rules. Google has signed a BAA with Ascension and has implemented appropriate safeguards to keep patient information secure and is in full compliance with all requirements of HIPAA.

Ascension has also confirmed that the partnership is “underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling.”

While patients may be concerned that Google now has access to some of their most sensitive data, it is not standard practice for healthcare organizations to announce collaborations with third-party companies that provide services that require access to protected health information. However, a proactive announcement rather than a reactive press release may have helped allay fears and concerns.

The post Google Confirms it has Legitimate Access to Millions of Ascension Patients’ Health Records appeared first on HIPAA Journal.

Sen. Warner Demands Answers from HHS Over Apparent Lack of Response to Major PACS Data Breach

U.S. Senator, Mark. R. Warner (D-VA) has written to the Director of the HHS’ Office for Civil Rights, Roger Severino, expressing concern over the HHS response to the mass exposure of medical images by U.S. healthcare organizations.

Sen. Warner is the Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus. This is the latest in a series of communications in which he has voiced concerns about cybersecurity failures that have compromised the personal and private information of Americans. In February, Sen. Warner demanded answers from HHS agencies, NIST, and healthcare associations about healthcare cybersecurity following the continued increase in healthcare data breaches.

His recent letter to OCR was in response to a September 17, 2019 report about the exposure of millions of Americans’ medical images that were stored in unsecured picture archiving and communications systems (PACS).

The report detailed the findings of an investigation by ProPublica, German public broadcaster Bayerischer Rundfunk, and vulnerability and analysis firm, Greenbone Networks, which revealed almost 400 million medical images could be freely downloaded from the internet without authentication.  Sen. Warner pointed out that at the time of writing the letter, “for all U.S. territories there are 114.5 million images accessible, 22.1 million patient records, and 400,000 Social Security numbers, impacting an estimated 5 million patients in 22 states.”

Sen. Warner stated in the letter that the exposure of the medical images not only has potential to cause harm to individuals, it is also damaging to national security. The types of exposed information could potentially be used by cybercriminals in phishing campaigns and for other malicious attacks, such as those aimed at spreading malware. Flaws in the DICOM protocol could be exploited to incorporate malicious code into medical images. Nation state actors or cybercriminal groups could have downloaded the images, inserted malicious code, and then uploaded the images without being detected.

One of the U.S. firms implicated in the ProPublica report was TridentUSA Health Services and one of its affiliates, MobileX USA. In September 2019, following publication of the report, Sen. Warner wrote to TridentUSA Health Services demanding answers about its cybersecurity practices and how the data of millions of Americans, which the company was responsible for keeping private, came to be exposed online and required no password or other means of authentication to access.

In his letter to OCR, Sen. Warner explained that TridentUSA Health Services, a HIPAA-covered entity, responded to his letter and stated it had passed an HHS Security Rule audit in March 2019. That audit was passed even though at the time of the audit medical images under its control were exposed online and could be freely accessed over the internet.

“As your agency aggressively pushes to permit a wider range of parties (including those not covered by HIPAA) to have access to the sensitive health information of American patients without traditional privacy protections attaching to that information, HHS’s inattention to this particular incident becomes even more troubling,” wrote Warner.

The exposure of PACS data was reported to US-CERT by the German Federal Office for Information Security. US-CERT made contact with Greenbone Networks and confirmed the exposed data had been received and said that the matter would be reported to the HHS. Greenbone Networks had no contact from HHS and no further contact from US-CERT.

The researchers in Germany also demonstrated to Sen. Warner that even on October 15, 2019, several US-based PACS have open ports that support unencrypted communications protocols. Those unsecured PACS could be accessed without authentication and a wide range of medical images could be viewed and downloaded, including X-rays and mammograms that contain sensitive patient information such as names and Social Security numbers. Those images and personal information were still accessible freely online on the date of writing the letter (Nov 8, 2019).

“As of writing this letter, TridentUSA Health Services is not included on your breach portal website and I have seen no evidence that, once contacted by US-CERT, you acted on that information in a meaningful way,” wrote Sen. Warner.

Sen. Warner has demanded answers to 5 questions:

The post Sen. Warner Demands Answers from HHS Over Apparent Lack of Response to Major PACS Data Breach appeared first on HIPAA Journal.

HHS Increases Civil Monetary Penalties for HIPAA Violations in Line with Inflation

The U.S Department of Health and Human Services’ has increased the civil monetary penalties for HIPAA violations to take inflation into account, in accordance with the Inflation Adjustment Act.

The final rule was issued and took effect on Tuesday November 5, 2019. This rule increases the civil monetary penalties for HIPAA violations that occurred on or after February 18, 2019. Under the new penalty structure, the increases from 2018 to 2019 are detailed in the table below:

Penalty Tier Level of Culpability Minimum Penalty per Violation

(2018 » 2019)

Maximum Penalty per Violation

(2018 » 2019)

New Maximum Annual Penalty

(2018 » 2019)*

1 No Knowledge $114.29 » $117 $57,051 » $58,490 $1,711,533 » $1,754,698
2 Reasonable Cause $1,141 » $1,170 $57,051 » $58,490 $1,711,533 » $1,754,698
3 Willful Neglect – Corrective Action Taken $11,410 » $11,698 $57,051 » $58,490 $1,711,533 » $1,754,698
4 Willful Neglect – No Corrective Action Taken $57,051 » $58,490 $1,711,533 » $1,754,698 $1,711,533 » $1,754,698

Penalties for HIPAA violations that occurred prior to February 18, 2019 have increased to $159 per violation, with an annual cap of $39,936 per violation category.

Earlier this year, the HHS’ Office for Civil Rights announced that it had reduced the penalties for HIPAA violations in certain tiers after a review of the wording of the HITECH Act. The maximum penalty for a HIPAA violation in the highest tier remained at $1.711 million, per violation category per year. Prior to the review, the maximum HIPAA violation penalty was $1.711 million in all four penalty tiers.

*The notice of enforcement discretion, announced on April 30, 2019, capped the maximum annual penalties at $10,000 (Tier 1), $100,000 (Tier 2), $250,000 (Tier 3), and $1,711,533 (Tier 4). The notice of enforcement discretion stated that the reviewed penalty tiers would also be adjusted in line with inflation. The multiplier used by OCR to calculate the cost-of-living increases was based on the Consumer Price Index for all Urban Consumers (CPI–U) for October 2019, which was 1.02522. That would make the new maximum penalties under the notice of enforcement discretion $10,252.20 (Tier 1), $102,522 (Tier 2), $256,305 (Tier 3), and $1,754,698 (Tier 4).

While OCR’s notice of enforcement discretion states that OCR will be adopting the new, revised penalties, this has yet to be made official and is pending further rulemaking. The notification of enforcement discretion creates no legal obligations and no legal rights, so OCR could therefore legally use the above maximum penalty amount of $1,754,698 per violation category, per year across all penalty tiers.

Full details of the new penalty structures have been published in the Federal Register for all agencies, including the FDA, ACF, HRSA, AHRQ, OIG, CMS, and OCR and can be viewed here (PDF).

The post HHS Increases Civil Monetary Penalties for HIPAA Violations in Line with Inflation appeared first on HIPAA Journal.

Texas Health and Human Services Commission Pays $1.6 Million HIPAA Penalty

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $1.6 million civil monetary penalty (CMP) on Texas Health and Human Services Commission (TX HHSC) for multiple violations of Health Insurance Portability and Accountability Act (HIPAA) Rules.

TX HHSC is a state agency that operates supported living centers, regulates nursing and childcare facilities, provides mental health and substance abuse services, and administers hundreds of state programs for people in need of assistance, such as individuals with intellectual and physical disabilities.

OCR launched an investigation following receipt of a breach report from the Department of Aging and Disability Services (DADS), a state agency that was reorganized into TX HHSC in September 2017. On June 11, 2015, DADS reported a security incident to OCR which stated that the electronic protected health information (ePHI) of 6,617 individuals had been exposed over the internet. The exposed information included names, addresses, diagnoses, treatment information, Medicaid numbers, and Social Security numbers.

The information was exposed during the migration of an internal CLASS/DBMD application from a private server to a public server. A flaw in the software of the application allowed ePHI to be accessed over the internet without any authentication. As a result of the flaw, private and highly sensitive information could be found and accessed through a Google search.

TX HHSC was unable to provide documentation to demonstrate compliance with three important provisions of HIPAA Rules. OCR determined that TX HHSC had violated four HIPAA provisions.

  • 45 C.F.R. § 164.308(a)(1 )(ii)(A) – Failure to conduct a comprehensive organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of PHI
  • 45 C.F.R. § 164.312(a)(1) – Failure to implement access controls. Credentials were not required to access ePHI contained in its CLASS/DBMD
  • 45 C.F.R. § 164.312(b) – Failure to implement audit controls that recorded user access on the public server, which prevented TX HHSC from determining who had accessed ePHI in the application during the time it was exposed.
  • 45 C.F.R. § 164.502(a) – The above failures resulted in an impermissible disclosure of the ePHI of 6,617 individuals.

Under HIPAA, financial penalties are determined based on the level of culpability. OCR determined that the violations fell short of willful neglect and constituted reasonable cause – the second penalty tier. For each of the above classes of HIPAA violation, the minimum penalty for a violation is $1,000 up to a maximum financial penalty of $100,000 per year. The risk analysis failures, access controls failures, and audit control failures spanned from 2013 to 2017, hence the $1.6 million penalty.

“Covered entities need to know who can access protected health information in their custody at all times,” said OCR Director Roger Severino. “No one should have to worry about their private health information being discoverable through a Google search.”

We initially reported on the HIPAA penalty in March 2019 when it appeared that a settlement had been reached between TX HHSC and OCR over the HIPAA violations. The 86th Legislature of the State of Texas had voted to approve the settlement; however, it would appear that the proposed settlement was rejected. OCR issued a Notice of Proposed Determination on July 29, 2019.

TX HHSC did not contest the findings of OCR’s Notice of Proposed Determination and waived the right to a hearing. OCR imposed the CMP on TX HHSC on October 25, 2019.

This is the second HIPAA penalty to be announced by OCR this week. A few days ago, OCR announced a $3 million settlement had been reached with the University of Rochester Medical Center to resolve HIPAA violations related to the loss of unencrypted devices containing ePHI.

The TX HHSC CMP is the seventh HIPAA penalty of 2019. The latest CMP brings the total HIPAA fines for 2019 up to $9,949,000.

The post Texas Health and Human Services Commission Pays $1.6 Million HIPAA Penalty appeared first on HIPAA Journal.

Lack of Encryption Leads to $3 Million HIPAA Penalty for New York Medical Center

The University of Rochester Medical Center (URMC) has paid a $3 million HIPAA penalty for the failure to encrypt mobile devices and other HIPAA violations.

URMC is one of the largest health systems in New York State with more than 26,000 employees at the Medical Center and various other components of the health system, including Strong Memorial Hospital and the School of Dentistry.

The Department of Health and Human Services’ Office for Civil Rights (OCR) launched an investigation following receipt of two breach reports from UMRC – The loss of an unencrypted flash drive and the theft of an unencrypted laptop computer in 2013 and 2017.

This was not the first time OCR had investigated URMC. An investigation was launched in 2010 following a similar breach involving a lost flash drive. In that instance, OCR provided technical compliance assistance to URMC. The latest investigation uncovered multiple violations of HIPAA Rules, including areas of noncompliance that should have been addressed after receiving technical assistance from OCR in 2010.

Under HIPAA, data encryption is not mandatory. Following a risk analysis, as part of the risk management process, covered entities must assess whether encryption is an appropriate safeguard. An alternative safeguard can be implemented in place of encryption if it provides an equivalent level of protection.

In this case, URMC had assessed risk and determined that the lack of encryption posed a high risk to the confidentiality, integrity, and availability of ePHI, yet failed to implement encryption when it was appropriate and continued to use unencrypted mobile devices that contained ePHI, in violation of 45 C.F.R. § 164.31 2(a)(2)(iv).

OCR’s investigation confirmed that the ePHI of 43 patients was contained on the stolen laptop and as a result of the theft, that information was impermissibly disclosed – 45 C.F.R. §164.502(a). OCR also determined that URMC had failed to conduct a comprehensive, organization-wide risk analysis – 45 C.F.R. § 164.308(a)(1)(ii)(A) – that included all risks to the confidentiality, integrity, and availability of ePHI, and covered ePHI stored on the lost and stolen devices.

Risks had not been sufficiently managed and reduced to reasonable and acceptable level – 45 C.F.R. §164.308(a)(l)(ii)(B) – and policies and procedures governing the receipt and removal of hardware and electronic media in and out of its facilities had not been implemented – 45 C.F.R. § 163.310(d).

In addition to the $3,000,000 financial penalty, URMC is required to adopt a robust corrective action plan to address all aspects of noncompliance identified by OCR. URMC’s compliance efforts over the next two years will be scrutinized by OCR to ensure continuing compliance.

“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said OCR Director Roger Severino. “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”

This is the sixth financial penalty of 2019 that OCR has issued to resolve violations of the Health Insurance Portability and Accountability Act and it is the fourth enforcement action to cite a risk analysis failure.

The risk analysis is one of the most important elements of HIPAA compliance and a risk analysis failure is the most common HIPAA violation cited in OCRs enforcement actions.

OCR has released a risk assessment tool to help covered entities and business associates comply with this aspect of HIPAA. Further information on the HHS risk assessment tool is available on this page.

The post Lack of Encryption Leads to $3 Million HIPAA Penalty for New York Medical Center appeared first on HIPAA Journal.

BlueKeep Vulnerability Being Actively Exploited in Real World Attacks

In May 2019, Microsoft made an announcement about a critical remote code execution vulnerability in Windows Remote Desktop Services named BlueKeep – CVE-2019-0708. As predicted by the cybersecurity community, a weaponized exploit would be developed and used in large-scale attacks. That prediction has now come true. Over the weekend, the first mass attacks using a BlueKeep exploit were discovered.

Soon after Microsoft announced the vulnerability, several security researchers developed proof-of-concept exploits for BlueKeep. One such exploit allowed a researcher to remotely take control of a vulnerable computer in just 22 seconds. The researchers held off publishing their PoC’s due to the seriousness of the threat and the number of devices that were vulnerable to attack. Initially, millions of internet-connected devices were at risk, including around a million Internet of Things (IoT) devices.

The BlueKeep vulnerability can be exploited remotely by sending a specially crafted RDP request. No user interaction is required to exploit the vulnerability. The flaw is also wormable, which means it is possible to use self-propagating malware to spread from vulnerable computer to another on the same network.

Microsoft issued multiple warnings about the vulnerability, which affects older Windows versions such as Windows 7, Windows XP, Windows Server 2003 and Windows Server 2008. Businesses and consumers were urged to apply the patch as soon as possible to prevent the vulnerability from being exploited. Warnings were also issued by the NSA, GCHQ, and other government agencies around the world. The cybersecurity community has also been warning businesses and consumers about the risk of attack, with many believing a weaponized exploit would be developed in a matter of weeks.

Even after multiple warnings had been issued, patching was slow. The patch was released 5 months ago there are still around 724,000 devices that have yet to have the patch applied. The total number of vulnerable devices will be considerably higher as scans do not include devices behind firewalls.

Following the disclosure of the vulnerability, security researcher Kevin Beaumont set up a global network of Remote Desktop Protocol (RDP) honeypots that were designed to be attacked. Weeks and months passed with no attempts made to exploit the vulnerabilities. Then on November 2, 2019 Beaumont discovered the honeypots had been attacked. First, one honeypot was attacked which caused the system to crash and reboot, followed by all the others aside from the Australian honeypot. While the attack was detected this weekend, the campaign has actually been ongoing for at least two weeks. The first attack occurred on October 23, 2019.

The crash dumps from the attacks were analyzed by security researcher Marcus Hutchins, aka MalwareTech. Hutchins was the person responsible for finding and activating a kill switch to block the WannaCry ransomware attacks in May 2017. Hutchins found artifacts in the memory indicating the BlueKeep vulnerability had been used to attack the honeypots and shellcode indicating the vulnerability was exploited to deliver a cryptocurrency miner, most likely for Monero.

Fortunately, the hackers exploiting the vulnerability appear to be unsophisticated, low-level threat actors who have not exploited the full potential of the vulnerability. The attackers have not developed a self-replicating worm and are only using the vulnerability to spread cryptocurrency mining malware on vulnerable devices with an internet-exposed RDP port. The attackers appeared to have conducted a scan for vulnerable devices and a list of IPs is being used for the attacks. The attacker(s) appears to be using a BlueKeep exploit that was published on the Metasploit framework in September.

The honeypot system and the failure to exploit the vulnerability on all 11 honeypots indicates the exploit is not working quite as planned and has not been modified to get it to work properly. However, this is a large-scale attack and at least some of the attacks have succeeded.

This is not the first time the BlueKeep vulnerability has been exploited by threat actors, as smaller more targeted attacks have been conducted and have succeeded, but it is the first mass-exploitation of BlueKeep.

Other threat actors may well discover how to unleash the full potential of the vulnerability and create a self-propagating worm. That would potentially enable all unpatched devices to be attacked, even those on internal networks. Those attacks may do more than slow down computers while cryptocurrency is mined. Wiper attacks similar to NotPetya could also potentially be conducted. The attack on the shipping firm Maersk cost around $300 million.

Preventing these attacks is simple and the advice remains the same as in May 2019 when BlueKeep was first announced. Apply Microsoft’s patch on all vulnerable computers as soon as possible.

The post BlueKeep Vulnerability Being Actively Exploited in Real World Attacks appeared first on HIPAA Journal.

HHS Releases Updated HIPAA Security Risk Assessment Tool

The HHS has updated its HIPAA Security Risk Assessment Tool and has added several new features that have been requested by users to improve usability.

The HIPAA Security Risk Assessment Tool was developed by the HHS Office of the National Coordinator for Health Information Technology (ONC) in collaboration with the HHS’ Office for Civil Rights.

The Security Risk Assessment Tool can help small to medium sized healthcare organizations conduct a comprehensive, organization-wide risk assessment to identify all risks to the confidentiality, integrity, and availability of protected health information (PHI).

By using the tool, healthcare organizations will be able to identify and assess risks and vulnerabilities and use that information to improve their defenses against malware, ransomware, viruses, botnets and other types of cyberattack.

The risk assessment is a foundational element of compliance with the Health Insurance Portability Act Security Rule. By conducting a risk assessment, healthcare organizations can identify areas where PHI may be at risk. Any risks can then be assessed, prioritized, and reduced to a reasonable and acceptable level.

Since its initial release, the tool has been updated several times to improve usability and add additional functions. The latest version of the Risk Assessment Tool – Version 3.1 – has been released to coincide with National Cybersecurity Awareness Month and includes several user-requested improvements:

  • Threat and vulnerability validation
  • Incorporation of NIST Cybersecurity Framework references
  • Improved asset and vendor management
  • Question flagging and a new Flagged Report
  • Ability to export Detailed Reports to Excel
  • Fixes for several reported bugs to improve stability

The tool can be downloaded from the HHS for Windows devices, although the latest version is not available for Mac OS.

The HHS points out that the tool is only as useful as the work that goes into conducting and documenting a risk assessment. Use of the tool does not guarantee compliance with the risk assessment requirements of the HIPAA Security Rule and will only help HIPAA-covered entities and their business associates conduct periodic risk assessments.

The post HHS Releases Updated HIPAA Security Risk Assessment Tool appeared first on HIPAA Journal.

Report Suggests Augmented Security Following a Data Breach Contributes to Increase in Patient Mortality Rate

Healthcare data breaches lead to a reduction in the quality of care provided to patients, according to a study recently published in Health Services Research.

Researchers analyzed data from Medicare Compare which details quality measures at hospitals. Data from 2012-2016 was analyzed and compared with data from the HHS’ Office for Civil Rights on data breaches of more than 500 records over the same period. The researchers analyzed data on 3,025 Medicare-certified hospitals, 311 of which had experienced a data breach.

According to the study, the time it took from a patient arriving at the hospital to an electrocardiogram being performed increased by up to 2.7 minutes at hospitals that had experienced a data breach. A ransomware attack that prevents clinicians from accessing patient data will limit their ability to provide essential medical services to patients, so a delay in conducting tests and obtaining the results is to be expected. However, the delays were found to continue for months and years after an cyberattack was experienced.

The study showed that 3-4 years after a breach had occurred there were still delays in providing electrocardiograms to patients. The waiting time for an electrocardiograms to patients was found to be up to 2 minutes longer than before the breach occurred.

Hospitals that experienced a data breach also saw an increase in the 30‐day acute myocardial infarction mortality rate. The mortality rate at breached hospitals increased by as much as 0.36%.

The increase in mortality rate has not been attributed to the cyberattack itself, as recovery is usually possible without a few days to a few weeks after a cyberattack. The researchers suggest the delays in providing medical services following a cyberattack is due to the steps hospitals have taken to improve the security of their systems and better protect patient data, along with the increased HHS oversight that occurs after a data breach is experienced. These factors can result in a deterioration in the timeliness of care and patient outcomes.

Following a cyberattack, hospitals augment their security controls to prevent further cyberattacks from succeeding. Those measures include multi-factor authentication, stronger passwords, and other security enhancements. While these additional measures improve the security posture of hospitals and make breaches less likely to occur in the future, they can also impede clinicians.

“Over the past few years, overall improvements in AMI treatment have resulted in the 30‐day AMI mortality rate decreasing about 0.4 percentage points annually from 2012 to 2014,” wrote the researchers. “A 0.23‐0.36 percentage point increase in 30‐day AMI mortality rate after a breach effectively erases a year’s worth of improvement in the mortality rate.”

The researchers suggest hospitals should carefully evaluate the security measures they implement to prevent further breaches to ensure they do not unduly impede clinicians and negatively affect patient outcomes.

The study – Data breach remediation efforts and their implications for hospital quality – was published in the October edition of Health Services Research: DOI: 10.1111/1475-6773.13203.

The post Report Suggests Augmented Security Following a Data Breach Contributes to Increase in Patient Mortality Rate appeared first on HIPAA Journal.