Latest HIPAA News

COVID-19 Vaccine Cold Chain Organizations Targeted in Global Phishing Campaign

The Cybersecurity Infrastructure and Security Agency has issued a warning about a global spear phishing campaign targeting organizations in the cold storage and supply chain that are involved with the distribution of COVID-19 vaccines.

Two of the first vaccines to be produced must be kept and low temperatures during storage and transit prior to being administered. The Pfizer/BioNTech vaccine must be kept at -94°F (-70°C) and the Moderna vaccine at -4°F (-20°C), so cold chain organizations are a key element of the supply chain.

At the start of the pandemic, IBM X-Force established a cyber threat task force to track threats targeting organizations involved in the fight against COVID-19. The task force recently published a report about an ongoing spear phishing campaign that started in September 2020 which is targeting organizations supporting the Cold Chain Equipment Optimization Platform program. The program was launched in 2015 by the United Nations Children’s Fund and partner organizations to distribute vaccines worldwide.

Phishing emails have been sent to executives in sales, procurement, information technology, and finance who are likely to be involved in efforts to support the vaccine cold chain. Targeted organizations are believed to be providers of material support to meet the transportation needs within the COVID-19 cold chain.

The phishing emails appear to have been sent by an executive at Haier Biomedical, a Chinese qualified supplier of the Cold Chain Equipment Optimization Platform program. Haier Biomedical is the only complete cold chain provider in the world, so it is an ideal target for impersonation in the campaign.

The emails intercepted by IBM X-Force researchers had malicious HTML attachments that open locally and prompt the recipients to enter their credentials in order to open the file. The captured credentials can then be used to intercept internal communications about the process, methods, and plans to distribute COVID-19 vaccines. Once credentials are obtained, the attackers can move laterally through networks, conduct cyber espionage, and steal additional information for use in further attacks.

IBM reports that the phishing campaign spans 6 countries and, so far, 10 global organizations are known to have been targeted, as well as the European Commission’s Directorate-General for Taxation and Customs Union. Targeted organizations span several industry sectors including energy, manufacturing, software, and information technology. The researchers were unable to confirm the extent to which the campaign has been successful.

Based on the precision targeting of executives in specific global organizations involved in vaccine storage and transport and the lack of a clear path to cash out, the campaign is likely being conducted by a nation state threat actor. IBM X-Force suggests that cybercriminal organizations would be unlikely to invest the time, money, and resources into such a campaign targeting so many global organizations.

IBM X-Force recommends organizations involved in the cold storage and transport chain should take steps to mitigate the risks from phishing including creating and testing incident response plans, sharing and ingesting threat intelligence, assessing their third-party ecosystems, applying a zero-trust approach to security, using multi-factor authentication across the organization, using endpoint protection and response tools, and conducting regular email security awareness training.

In addition to the threat from phishing, organizations involved in the cold storage chain should take steps to protect against ransomware attacks as they will be a likely target over the coming weeks and months. In November, the U.S. based cold storage company Americold Realty Trust was the victim of a cyberattack suspected to have involved the use of ransomware. The company was reportedly negotiating with Chicago Rockford international Airport to assist with the distribution of COVID-19 vaccines.

The post COVID-19 Vaccine Cold Chain Organizations Targeted in Global Phishing Campaign appeared first on HIPAA Journal.

Researchers Describe Possible Synthetic DNA Supply Chain Attack

A team of researchers at Ben-Gurion University in Israel have described a possible bioterrorist attack scenario in which the supply chain of synthetic DNA could be compromised. DNA synthesis providers could be tricked into producing harmful DNA sequences, bypassing current security controls, and delivering those sequences to healthcare customers.

Synthetic DNA is currently produced for research purposes and is available in many ready-to-use forms. Clients of DNA synthesis providers specify the DNA sequences they require and the DNA synthesis company generates the requested sequences to order and ships them to their customers.

There are safety controls in place to prevent DNA being synthesized that could be harmful, but the Ben-Gurion University researchers point out that those safety checks are insufficient. Hackers could potentially exploit security weaknesses and inject rogue genetic information into the synthesis process, unbeknown to the customers or DNA synthesis providers. For example, rogue genetic material could be inserted that encodes for a harmful protein or a toxin.

The researchers describe an attack scenario where a bioterrorist could conduct an attack that sees harmful biological material ordered, produced, and delivered to customers, without the attacker ever having to come into contact with lab components or biological materials. The researchers say the hypothetical attack method they describe is an “end-to-end cyberbiological attack” that can be performed remotely using a computer with a carefully crafted spear phishing email that delivers a malicious browser plug-in.

An attacker could craft a spear phishing email targeting an individual and use social engineering techniques to get them to install a malicious browser plug-in on their computer. When a genuine order is placed for a specific DNA sequence, the attacker would perform a man-in-the-middle attack and change the requested DNA sequence sent to the DNA synthesis provider, without the knowledge of the person submitting the order.

Checks would be performed by the DNA synthesis company to screen out potentially dangerous sequences. Provided those checks are passed, DNA synthesis would begin, and the product would then be shipped to the customer. The sequence would be checked by the customer, but the same malicious plugin could return the requested sequence. The DNA sequence with the rogue DNA would then be used in the belief it is the sequence requested.

Source: Ben-Gurion University

The research paper describing the threat and the potential attack method – Cyberbiosecurity: Remote DNA Injection Threat in Synthetic Biology – was recently published in Nature Biotechnology. The image above shows the attack process with the malicious steps detailed in red.

The Department of Health and Human Services has produced HHS Screening Framework Guidance for Providers of Synthetic Double-Stranded DNA and requires DNA synthesis providers to screen double stranded DNA. The screening process should highlight any harmful sequences and would ensure that those sequences were not released to customers; however, the researchers point out that there is currently no single, comprehensive database of all pathogenic sequences and it is potentially possible to bypass these checks.

“Currently, the software stack used to develop synthetic genes is loosely secured, allowing the injection of rogue genetic information into biological systems by a cybercriminal with an electronic foothold within an organization’s premises,” explained the researchers. The researchers also demonstrated that through the use of obfuscation, 16 out of 50 DNA samples were not detected by screening systems.

A bioterrorist attack of this nature would be complex, which limits the potential for such an attack to occur, but given the potentially devastating consequences, more rigorous security controls need to be implemented. The current safety mechanisms have been put in place to prevent the deliberate or accidental synthesis of harmful DNA, but the researchers explain that those safety mechanisms have not been adapted to reflect recent developments in synthetic biology and cyberwarfare.

“Biosecurity researchers agree that an improved DNA screening methodology is required to prevent bioterrorists and careless enthusiasts from generating dangerous substances in their labs,” explained the researchers in the report.

The post Researchers Describe Possible Synthetic DNA Supply Chain Attack appeared first on HIPAA Journal.

HHS Releases Final Rules with Safe Harbors for Cybersecurity Donations

On Friday last week, the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) and Office of Inspector General (OIG) published final rules that aim to improve the coordination of care and reduce regulatory barriers. Both final rules contain safe harbor provisions that allow hospitals and healthcare delivery systems to donate cybersecurity technology to physician practices.

The CMS released the final version of the 627-page Modernizing and Clarifying the Physician Self-Referral Regulations, commonly called Stark Law, and the OIG finalized revisions to the 1,049-page Safe Harbors Under the Anti-Kickback Statute and Civil Monetary Penalty Rules Regarding Beneficiary Inducements.

Physician practices often have limited resources, which makes it difficult for them to implement solutions to address cybersecurity risks. Without the necessary protections, sensitive healthcare data could be accessed by unauthorized individuals, stolen, deleted, or encrypted by threat actors. Threat actors could also conduct attacks on small physician practices and use them to gain access to the healthcare systems to which they connect.

When the rules were first proposed, commenters emphasized the need for a safe harbor to allow non-abusive, beneficial arrangements between physicians and other healthcare providers, such donations of cybersecurity solutions to help safeguard the healthcare ecosystem. The CMS first proposed the changes in October 2019 as part of the Regulatory Sprint to Coordinated Care.

The CMS final rule clarifies the Stark Law exceptions concerning donations of electronic health record donations to physicians, expanding the EHR exception to include cybersecurity software and services. A standalone exception has also been introduced for broader cybersecurity donations, including donations of cybersecurity hardware.

“These finalized exceptions provide new flexibility for certain arrangements, such as donations of cybersecurity technology that safeguard the integrity of the healthcare ecosystem, regardless of whether the parties operate in a fee-for-service or value-based payment system,” said the CMS.

The changes recognize the risk of cyberattacks on the healthcare sector and create a safe harbor for cybersecurity technology and services to protect cybersecurity-related hardware, and will help to ensure that cybersecurity software and hardware are available to all healthcare providers of all sizes.

The safe harbor applies to, but is not limited to, “software that provides malware prevention, software security measures to protect endpoints that allow for network access control, business continuity software, data protection and encryption and email traffic filtering.” The exception also covers the “hardware that is necessary and used predominantly to implement, maintain or re-establish cybersecurity” and a broad range of cybersecurity services such as updating and maintaining software and cybersecurity training services. There is no distinction in the rule between locally installed and cloud-based cybersecurity solutions.

Under the cybersecurity exception, recipients are not required to contribute to the cost of the donated cybersecurity technology or services. Under the EHR exception, the cost contribution requirement for donations of EHR items or services is retained.

“It is our position that allowing entities to donate cybersecurity technology and related services to physicians will lead to strengthening of the entire health care ecosystem,” said the HHS.

The final rules are due to be published in the federal register on December 2, 2020 and are expected to take effect on January 19, 2021.

The post HHS Releases Final Rules with Safe Harbors for Cybersecurity Donations appeared first on HIPAA Journal.

October 2020 Healthcare Data Breach Report

October saw well above average numbers of data breaches reported the HHS’ Office for Civil Rights. There were 63 reported breaches of 500 or more records, which is a 33.68% reduction from September but still 41.82% more breaches than the monthly average over the last 12 months. The elevated numbers of breaches can be partly explained by continued reports from healthcare organizations that were impacted by the ransomware attack on the cloud software firm Blackbaud.

Healthcare data breaches Sept 2019 to Oct 2020

The protected health information of more than 2.5 million individuals were exposed or compromised in those 63 breaches, which is 74.08% fewer records than September, but still 26.81% more than the monthly average number of breached records over the past 12 months.

Healthcare records breaches in the past 12 months

Largest Healthcare Data Breaches Reported in October 2020

Name of Covered Entity Covered Entity Type Type of Breach Individuals Affected Breach Cause
Luxottica of America Inc. Business Associate Hacking/IT Incident 829,454 Ransomware Attack
AdventHealth Orlando Healthcare Provider Hacking/IT Incident 315,811 Blackbaud Ransomware
Presbyterian Healthcare Services Healthcare Provider Hacking/IT Incident 193,223 Phishing Attack
Sisters of Charity of St. Augustine Health System Healthcare Provider Hacking/IT Incident 118,874 Blackbaud Ransomware
Timberline Billing Service, LLC Business Associate Hacking/IT Incident 116,131 Ransomware Attack
Greenwich Hospital Healthcare Provider Hacking/IT Incident 95,000 Blackbaud Ransomware
OSF HealthCare System Healthcare Provider Hacking/IT Incident 94,171 Blackbaud Ransomware
Geisinger Healthcare Provider Hacking/IT Incident 86,412 Blackbaud Ransomware
CCPOA Benefit Trust Fund Health Plan Hacking/IT Incident 80,000 Ransomware Attack
Ascend Clinical, LLC Healthcare Provider Hacking/IT Incident 77,443 Phishing and Ransomware Attack
Centerstone of Tennessee, Inc. Healthcare Provider Hacking/IT Incident 50,965 Phishing Attack
Georgia Department of Human Services Healthcare Clearing House Hacking/IT Incident 45,732 Phishing Attack
Connecticut Department of Social Services Health Plan Hacking/IT Incident 37,000 Phishing Attack
State of North Dakota Healthcare Provider Hacking/IT Incident 35,416 Phishing Attack
AdventHealth Shawnee Mission Healthcare Provider Hacking/IT Incident 28,766 Blackbaud Ransomware

Causes of October 2020 Healthcare Data Breaches

As the above table shows, the healthcare industry in the United States has faced a barrage of ransomware attacks. Two thirds of the largest 15 data breaches reported in October involved ransomware. CISA, the FBI, and the HHS issued a joint alert in October after credible evidence emerged indicating the Ryuk ransomware gang was targeting the healthcare industry, although that is not the only ransomware gang that is conducting attacks on the healthcare sector.

Phishing attacks continue to plague the healthcare industry. Phishing emails are often used to deliver Trojans such as Emotet and TrickBot, along with the Bazar Backdoor, which act as ransomware downloaders.

Phishing and ransomware attacks are classed as hacking/IT incidents on the HHS breach portal. In total there were 46 hacking/IT incidents reported to the HHS’ Office for Civil Rights in October – 73% of all reported breaches in October – and 2,450,645 records were breached in those incidents – 97.39% of all records breached in the month. The mean breach size was 53,275 records and the median breach size was 13,069 records.

There were 12 unauthorized access/disclosure incidents reported in October involving 54,862 healthcare records. The mean breach size was 4,572 records and the median breach size was 1,731 records. There were 4 reported cases of theft of paperwork or electronic devices containing PHI. The mean breach size was 4,290 records and the median breach size was 1,293 records. One incident was reported that involved the improper disposal of computer equipment that contained the ePHI of 4,290 individuals.

causes of October 2020 Healthcare Data Breaches

The graph below shows where the breached records were located. The high number of network server incidents shows the extent to which malware and ransomware was used in attacks. Almost a third of the attacks involved ePHI stored in email accounts, most of which were phishing attacks. Several breaches involved ePHI stored in more than one location.

Location of PHI in October 2020 Healthcare Data Breaches

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in October with 54 breaches reported, followed by health plans with 3 breaches and one breach at a healthcare clearinghouse. While there were only 5 data breaches reported by business associates of covered entities, business associates were involved in 23 data breaches in October, with 18 of the incidents being reported by the affected covered entity.

October 2020 Healthcare Data Breaches by Covered Entity Type

Healthcare Data Breaches by State

October’s 63 data breaches were spread across 27 states. Connecticut was the worst affected state with 7 breaches, followed by California and Texas with 5 each, Florida, Ohio, Pennsylvania, and Virginia with 4 apiece, Iowa and Washington with 3, and Arkansas, Michigan, New Mexico, New York, Tennessee, and Wisconsin with 2. A single breach was reported in each of Georgia, Hawaii, Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Missouri, North Dakota, New Jersey, and South Carolina.

HIPAA Enforcement Activity in October 2020

2020 has seen more financial penalties imposed on covered entities and business associates than any other year since the HIPAA Enforcement Rule gave OCR the authority to issue financial penalties for noncompliance.  Up to October 30, 2020, OCR has announced 15 settlements to resolve HIPAA violation cases, including 4 financial penalties in October.

The health insurer Aetna paid a $1,000,000 penalty to resolve multiple HIPAA violations that contributed to the exposure of HIV medication information in a mailing. OCR investigators found issues with the technical and nontechnical evaluation in response to environmental or operational changes affecting the security of PHI, an identity check failure, a minimum necessary information failure, insufficient administrative, technical, and physical safeguards, and an impermissible disclosure of the PhI of 18,849 individuals.

The City of New Haven, CT paid a $202,400 penalty to resolve its HIPAA case with OCR that stemmed from a failure to promptly restrict access to systems containing ePHI following the termination of an employee. That failure resulted in an impermissible disclosure of the ePHI of 498 individuals. OCR also determined there had been a risk analysis failure and a failure to issue unique IDs to allow system activity to be tracked.

Two of the penalties were issued as part of OCR’s HIPAA Right of Access enforcement initiative, with the fines imposed for the failure to provide patients with timely access to their medical records at a reasonable cost. Dignity Health, dba St. Joseph’s Hospital and Medical Center, settled its case with OCR and paid a $160,000 penalty and NY Spine settled for $100,000.

State attorneys general also play a role in the enforcement of HIPAA compliance. October saw Franklin, TN-based Community Health Systems and its subsidiary CHSPCS LLC settle a multi-state action related to a breach of the ePHI of 6.1 million individuals in 2014. The investigators determined there had been a failure to implement and maintain reasonable security practices. The case was settled for $5 million.

The post October 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center

The HHS’ Office for Civil Rights has announced its 18th HIPAA financial penalty of the year with the 12th fine under its HIPAA Right of Access enforcement initiative.

In 2019, OCR announced a new drive to ensure individuals are given timely access to their health records, at a reasonable cost, as mandated by the HIPAA Privacy Rule. It had become clear to OCR that healthcare providers were not always fully complying with this important HIPAA Privacy Rule provision and some patients were having trouble obtaining a copy of their medical records.

The latest financial penalty of $65,000 was imposed on the University of Cincinnati Medical Center, LLC (UCMC) and stemmed from a complaint received by OCR on May 30, 2019 from a patient who had sent a request to UCMC on February 22, 2019 asking for an electronic copy of the medical records maintained in UCMC’s electronic health record system to be sent to her lawyer.

The HIPAA Right of Access requires copies of medical records to be provided, on request, no later than 30 days after receipt of the request. 45 C.F.R. § 164.524 also states that an individual is permitted to have the requested records sent to a nominated third party, should they so wish.

The complaint was filed with OCR more than 13 weeks after the patient’s request. OCR intervened and UCMC finally provided the lawyer with the requested records on August 7, 2019, more than 5 months after the initial request was received.

After investigating the complaint, OCR determined UCMC had failed to respond to the patient’s request for a copy of her medical records in a timely manner and a financial penalty was deemed appropriate.

In addition to the financial penalty, UCMC is required to adopt a corrective action plan that includes developing, maintaining, and revising, as necessary, written policies and procedures to ensure compliance with 45 C.F.R. Part 160 and Subparts A and E of Part 164 of the HIPAA Privacy Rule. Those policies must be reviewed by OCR and implemented within 30 days of OCR’s approval.

The policies must be distributed to all members of the workforce and appropriate business associates and the policies must be reviewed and updated, as necessary, at least annually. Training materials must also be created and supplied to OCR for approval, and training provided to appropriate members of the workforce on the new policies.

UCMC is required to provide OCR with details of all business associates and/or vendors that receive, provide, bill for, or deny access to copies or inspection of records along with copies of business associate agreements, and UCMC must report all instances where requests for records have been denied. OCR will monitor UCMC closely for compliance for 2 years from the date of the resolution agreement.

“OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records,” said Roger Severino, OCR Director, in a statement.

The post HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center appeared first on HIPAA Journal.

ASPR Provides Update on Ransomware Activity Targeting the Healthcare Sector

The HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR) has issued an update on ransomware activity targeting the healthcare and public health sectors, sating, “At this time, we consider the threat to be credible, ongoing, and persistent.”

In late October, a joint alert was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the HHS warning of an imminent increase in ransomware activity targeting the healthcare sector. Within a week of the alert being issued, six healthcare providers reported ransomware attacks in a single day. More than a dozen healthcare organizations have reported being attacked in the past two months, with over 62 attacks reported by healthcare organizations so far in 2020.

Human-operated ransomware attacks have previously seen attackers gain access to networks many weeks and even months prior to the deployment of ransomware. ASPR notes that in many recent ransomware attacks, the time from the initial compromise to the deployment of ransomware has been very short, just a matter of days or even hours.

A long period between compromise and deployment gives victim organizations time to identify the compromise and take steps to eradicate the hackers from the network in time to prevent file encryption. The short duration makes this far more difficult.

“CISA, FBI, and HHS urge health delivery organizations and other HPH sector entities to work towards enduring and operationally sustainable protections against ransomware threats both now and in the future.”

A variety of techniques are now being used to deploy ransomware, including other malware variants such as TrickBot and BazarLoader, which are commonly delivered via phishing emails, as well as manual deployment after networks have been compromised by exploiting vulnerabilities.

Healthcare organizations should take steps to combat the ransomware threat by addressing the vulnerabilities that are exploited to gain access to healthcare networks. This includes conducting vulnerability scans to identify vulnerabilities before they are exploited and ensuring those vulnerabilities are addressed. Anti-spam and anti-phishing solutions should be implemented to block the email attack vector, and healthcare organizations should adopt a 3-2-1 backup approach to ensure files can be recovered in the event of an attack. The 3-2-1 approach involves 3 copies of backups, on two different media, with one copy stored securely off-site. The recent ransomware attack on Alamance Skin Center highlights the importance of this backup strategy. Patient information was permanently lost as a result of the attack when the ransom was not paid.

“Organizations should balance their operational needs with the current threat level and develop processes and postures for normal operating status and higher threat periods,” explained ASPR. “The threat from ransomware is ongoing and entities should develop effective deterrent procedures while maintaining effective care delivery.”

Indicators of Compromise (IoCs), suggested mitigations, and ransomware best practices are detailed in the October 28, 2020 CISA/FBI/HHS alert.

The post ASPR Provides Update on Ransomware Activity Targeting the Healthcare Sector appeared first on HIPAA Journal.

Nation State APT Groups Targeting Companies Involved in COVID-19 Research and Vaccine Development

Advanced Persistent Threat (APT) groups in Russia and North Korea are targeting companies involved in research into COVID-19 and vaccine development, according to Microsoft. Six large pharmaceutical firms and a clinical research company are known to have been targeted by three APT groups who are attempting to gain access to research and vaccine data.

The cyberattacks have been on “pharmaceutical companies in Canada, France, India, South Korea and the United States,” according to Microsoft and three APT groups are known to be conducting attacks – the Russian APT group Strontium (aka Fancy Bear/APT28) and two APT groups with links to North Korea – The Lazarus Group (aka Zinc) and Cerium. Additionally, in the summer of 2020, warnings were issued by several government agencies about attacks on COVID-19 research firms by another Russian APT group, Cozy Bear (aka APT29).

The targeted organizations have contracts with or investments from governments to advance research into COVID-19 and vaccine development. Most of the targeted companies have developed vaccines which are currently in advanced clinical trials. One of the targeted companies has developed a COVID-19 test and the clinical research firm is involved in conducting COVID-19 vaccine trials. While the attacked companies were not named by Microsoft, cyberattacks have been reported by the Indian pharma firms Dr. Reddy’s and Lupin, and the U.S. biotech firm Moderna is known to have been attacked.

Microsoft reports that some of the attacks have been successful, although Microsoft did not say whether that means systems have been breached or if intellectual property and vaccine and research data were obtained.

The Russian Strontium group has favored brute force tactics to crack passwords for employee accounts, while the Lazarus group has been sending spear phishing emails to key employees to obtain passwords. One tactic used by the Lazarus group involves posing as recruiters and sending fake job descriptions. Cerium, which is believed to be a new North Korean hacking group, has also been using phishing emails to gain access to employee credentials. Its campaign involved impersonating the World Health Organization (WHO).

The motivation behind the attacks are clear. Research and vaccine data would give foreign countries a huge strategic advantage, with research and vaccine data potentially worth billions of dollars. These attacks appear to be solely concerned with data theft. The attacks so far do not appear to have been conducted to hamper efforts to conduct research or develop vaccines but there are many cybercriminal groups that are conducting destructive cyberattacks.

Healthcare organizations have faced a barrage of financially motivated cyberattacks by cybercriminals organizations using ransomware in recent months. Recently, CISA, the FBI, and HHS issued a joint advisory following an increase in targeted Ryuk ransomware attacks on healthcare organizations in the United States. The Ryuk and other ransomware gangs have also attacked healthcare organizations in France, Germany, Thailand, Spain, and the Czech Republic. The ransomware attack on a hospital in Germany resulted in the first known patient death due to a ransomware attack, and several attacks in the United States have resulted in major disruption and have forced hospitals to cancel elective procedures and reroute patients to alternative healthcare facilities.

Several industry groups are offering assistance to organizations in the healthcare sector such as the Health Sector Coordinating Council and Health-ISAC, and are providing indicators of compromise (IoCs) and detailed information on recent attacks to help organizations improve their defenses against cyberattacks and better defend their networks and data.

Microsoft has been taking an active role in attack prevention and has recently participated in the Paris Peace forum, a multi-stakeholder coalition working on combating these attacks, in particular to stop attacks on critical infrastructure from succeeding. Prior to the Paris Peace Forum, over 65 healthcare organizations joined the Paris Call for Trust and Security in Cyberspace. The Paris Call is largest multi-stakeholder coalition to date that addresses cybersecurity issues faced by the healthcare industry.

“Microsoft is calling on the world’s leaders to affirm that international law protects healthcare facilities and to take action to enforce the law,” said Tom Burt, Microsoft Vice President for Customer Security & Trust, in a Friday blog post. “We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate – or even facilitate – within their borders. This is criminal activity that cannot be tolerated.”

The post Nation State APT Groups Targeting Companies Involved in COVID-19 Research and Vaccine Development appeared first on HIPAA Journal.

Private Practitioner Pays $15,000 Penalty for HIPAA Right of Access Failure

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 11th financial penalty under its HIPAA Right of Access enforcement initiative. Dr. Rajendra Bhayani, a Regal Park, NY-based private practitioner specializing in otolaryngology has agreed to pay a financial penalty of $15,000 to settle the case and adopt a corrective action plan to address areas of noncompliance discovered by OCR during the investigation.

OCR launched an investigation after a complaint was received from a patient in September 2018 alleging Dr. Bhayani had failed to provider her with a copy of her medical records. The patient had sent a request to the otolaryngologist in July 2018, but two months later and the records had still not been provided.

OCR contacted Dr. Bhayani and provided technical assistance on the HIPAA Right of Access and closed the complaint; however, a second complaint was received from the patient a year after the first in July 2019 claiming she had still not been provided with her medical records. OCR intervened again and the records were eventually provided to the patient in September 2020, 26 months after the initial request. HIPAA requires medical records to be provided within 30 days of a request being received.

OCR determined the failure to provide the medical records was in violation of the requirements of the HIPAA Right of Access (45 C.F.R. § 164.524). Dr. Bhayani also failed to respond to letters sent by OCR on August 2, 2019 and October 22, 2019 requesting data. The failure to cooperate with OCR’s investigation of a complaint was in violation of 45 C.F.R. §160.310(b). OCR determined the violations warranted a financial penalty. Dr. Bhayani agreed to settle the case with no admission of liability.

“Doctor’s offices, large and small, must provide patients their medical records in a timely fashion.  We will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message,” said OCR Director Roger Severino.

The corrective action plan requires Dr. Bhayani to review and revise policies and procedures for providing individuals with access to their PHI in line with 45 C.F.R. § 164.524 and the policies must detail the methods used to calculate a reasonable, cost-based fee for providing access. Those policies must be submitted to OCR for review, and any changes requested by OCR must be implemented within 30 days. Dr. Bhayani is also required to provide privacy training to staff covering individual access to protected health information and the training materials must similarly be submitted to OCR for review and approval.

Every 90 days, Dr. Bhayani is required to send a list of all access requests to OCR, including the costs charged for dealing with the requests, along with details of any requests that have been denied. Any cases of staff members failing to comply with access requests must also be reported to OCR.

OCR will monitor Dr. Bhayani for two years from the date of the resolution agreement to ensure continued compliance with the HIPAA Right of Access.

The post Private Practitioner Pays $15,000 Penalty for HIPAA Right of Access Failure appeared first on HIPAA Journal.

Office for Civil Rights Announces 10th HIPAA Fine Under Right of Access Initiative

The U.S. Department of Health and Human Services’ Office for Civil Rights has announced its 10th financial penalty under its HIPAA Right of Access enforcement initiative.

California-based Riverside Psychiatric Medical Group has agreed to pay a financial penalty of $25,000 to resolve a potential HIPAA Right of Access violation and will adopt a corrective action plan to ensure compliance with this important provision of the HIPAA Privacy Rule. The HHS will monitor Riverside Psychiatric Medical Group for 2 years to ensure continued compliance.

OCR launched an investigation following receipt of a complaint from a patient in March 2019 alleging Riverside Psychiatric Medical Group failed to provide a copy of her medical records after she had made several requests, with the first request made in February 2019.

OCR contacted Riverside Psychiatric Medical Group and provided technical assistance on how the practice could comply with the HIPAA Right of Access and the case was closed. A month later, in April 2019, a second complaint was received from the patient saying she had still not been provided with her medical records, despite OCR’s intervention.

OCR reopened the investigation and determined that Riverside Psychiatric Medical Group had potentially violated the HIPAA Right of Access after failing to take any action. Riverside Psychiatric Medical Group explained that the request for records included psychotherapy notes and, as such, the practice was not required to comply.

OCR explained that psychotherapy notes do not need to be provided to patients; however, in cases when requests are received, requestors must be provided with a written explanation as to why the requested records will not be provided, either entirely or in part and access should be provided to parts of medical records that do not include psychotherapy notes. Riverside Psychiatric Medical Group had not written to the patient to explain why the request had been denied.

After OCR’s second intervention, the patient was provided with a copy of her medical records in October 2019, as requested, minus the psychotherapy notes.

“When patients request copies of their health records, they must be given a timely response, not a run-around,” said OCR Director Roger Severino in a statement about the settlement.

The post Office for Civil Rights Announces 10th HIPAA Fine Under Right of Access Initiative appeared first on HIPAA Journal.