Latest HIPAA News

HHS Pressed to Act on Cybersecurity Task Force Recommendations for Medical Device Security

The House Committee on Energy and Commerce has urged the HHS to act on all recommendations for medical device security suggested by the Healthcare Cybersecurity Task Force, calling for prompt action to be taken to address risks.

The Cybersecurity Act of 2015 required Congress to form the Healthcare Cybersecurity Task Force to help identify and address the unique challenges faced by the healthcare industry when securing data and protecting against cyberattacks.

While healthcare organizations are increasing their spending on technologies to prevent cyberattacks, medical devices remain a major weak point and could easily be exploited by cybercriminals to gain access to healthcare networks and data.

Earlier this year, the Healthcare Cybersecurity Task Force made a number of recommendations for medical device security. However, the Department of Health and Human Services has not yet acted on all of the recommendations. The House Committee on Energy and Commerce has now urged the HHS to take action on all the Cybersecurity Task Force’s recommendations.

Last week, Greg Walden (D-Or), Chair of the House Committee on Energy and Commerce, wrote to the HHS, explaining one of the main problems with new technologies is a lack of understanding of their hardware, software, and components.

In the letter, Walden explained, “Stakeholders do not know, and often have no way of knowing, exactly what software or hardware exist within the technologies on which they rely to provide vital medical care.”

As Walden explained, the NotPetya and WannaCry ransomware attacks proved that to be the case. Those attacks leveraged a vulnerability in Windows Server Message Block (SMBv1), and following the attacks, healthcare organizations were scrambling to determine which technologies within their networks leveraged SMBv1 to allow them to mitigate risk. That task was made all the more difficult, as information on technologies that leveraged SMBv1 was lacking or was simply unavailable.

Those ransomware/wiper attacks are just two examples. It was the same situation for the SamSam ransomware attacks that leveraged a vulnerability in JBoss, while in 2015, vulnerabilities in the Telnet protocol were discovered. Telnet was used in many medical devices, although the devices that used Telnet was not abundantly clear.

“The existence of insecure or outdated protocols and operating systems within medical technologies is a reality of modern medicine. At the same time, however, this leaves healthcare organizations vulnerable to increasingly sophisticated and rapidly evolving cyber threats,” wrote Walden.

Walden pointed out that the Cybersecurity Task Force has called for a Bill of Materials as a possible solution to the problem. The Bill of Materials would exist for all medical technologies, which detail all the components, software, hardware and protocols used, and any known risks associated with those components. Such a Bill of Materials would make it much easier for healthcare organizations to make security decisions, and mitigate risk when new vulnerabilities are identified.

Having a Bill of Materials for all technologies would not completely protect the healthcare industry, but Walden explains it is a “common sense step” to improving cybersecurity in the industry as a whole.

The HHS has been urged to convene a sector-wide effort to develop a plan for the creation and deployment of BOMs. Walden called for a plan of action be provided by the HHS no later than December 15, 2017.

The post HHS Pressed to Act on Cybersecurity Task Force Recommendations for Medical Device Security appeared first on HIPAA Journal.

Endpoint Security Trends and the Rising Threat of Fileless Malware Attacks

A recent study conducted by the Ponemon Institute has highlighted current endpoint security trends, details the ever-present threat from ransomware, and shows that fileless malware attacks are on the rise.

Each year, endpoint attacks cost the healthcare industry more than $1 billion. The high cost of mitigating attacks and the growing threat means endpoint security should be a priority for healthcare organizations. Unfortunately, many healthcare organizations are continuing to rely on traditional cybersecurity technologies, which fail to adequately protect against new threats. Further, investment in cybersecurity defenses often involves doubling down on existing technologies, rather than strategic spending on new technologies that are far more effective at reducing the risk of endpoint attacks.

The Barkly-sponsored study was conducted on 665 IT and security professionals. 54% of respondents said they had experienced at least one successful endpoint attack in the past 12 months. Ransomware attacks are rife. More than half of respondents said they had experienced at least one successful ransomware attack this year, while 40% of respondents said they had experienced multiple ransomware attacks.

Oftentimes, organizations pay the ransom to quickly regain access to their data, others are faced with no alternative but to pay the ransom. 65% of surveyed companies reported that they had paid a ransom demand to regain access to their files. The average ransom payment was $3,675.

The threat from ransomware is unlikely to go away. As long as the attacks are profitable, they will continue. A recent report from Cybersecurity Ventures suggests worldwide ransomware damages will reach $5 billion this year and will rise to $11.5 billion in 2019. To put those figures into perspective, the cost of ransomware attacks in 2015 was $325 million.

One of the most worrying endpoint security trends highlighted in the Ponemon Institute report was fileless malware.  Fileless malware attacks have increased considerably in the past 12 months. Out of all organizations that reported experiencing at least one endpoint attack, 77% said at least one of those attacks involved an exploit or fileless malware. Overall, 29% of organizations have experienced a fileless malware attack, a rise of 20% from last year. Ponemon also reports that fileless malware attacks are also 10 times more likely to succeed than other types of malware attacks.

The cost of endpoint attacks is considerable. On average, it costs $301 per employee to mitigate an attack – or $5,010,600 per company, per year, on average. The healthcare industry alone has spent $1.3 billion in the past year mitigating endpoint attacks. Those costs are broken down as 30% due to loss of productivity, 25% due to system downtime, and 23% due to theft of information assets.

Preventing endpoint attacks is seen as a major problem, with more than half of respondents (54%) not believing that endpoint attacks can actually be stopped. Antivirus solutions are necessary to prevent malware infections, although they are rarely effective against current threats such as fileless malware.

“This survey reveals that ignoring the growing threat of fileless attacks could be costly for organizations,” said Ponemon Institute Chairman and Founder Dr. Larry Ponemon. “The cost of endpoint attacks in the companies represented in this study could be as much as $5 million, making an enterprise-wise endpoint security strategy more important than ever.”

The shortfalls of AV software have led many companies to invest in new technologies such as endpoint detection and response solutions, although those solutions do not prevent attacks, only limit the harm caused when they do occur.

50% of companies said they are planning to replace or augment their current endpoint security systems with new tools, although many respondents said they are experiencing problems with endpoint security systems, such as a high false positive rate, complex management of the solutions, and even when solutions are deployed, there are many protection gaps.

The post Endpoint Security Trends and the Rising Threat of Fileless Malware Attacks appeared first on HIPAA Journal.

Patches Released to Address Critical Intel Firmware Vulnerabilities

Patches have been released to address several Intel firmware vulnerabilities that affect 6th, 7th and 8th Generation Intel Core processors, and Xeon, Atom, Apollo Lake, and Celeron processors.

While the patches have been released by Intel, it is likely to take days or weeks before they can be applied. Intel processors are used by a wide variety of PC and laptop manufacturers, which are now required to customize the patches to ensure they are compatible with their systems.

The patches were released late on Monday to fix vulnerabilities that could potentially be exploited by attackers to load and run arbitrary code outside the operating system, unbeknown to users.

If exploited, attackers could crash systems, cause system instability, or gain access to privileged system information. Millions of PCs and servers around the world have these vulnerabilities and require the patches to be applied. Most organizations around the world will have at least one device containing one of the Intel firmware vulnerabilities.

The vulnerabilities have been assigned eight CVEs, four affect Intel Manageability Engine Firmware (CVE-2017-5705, CVE-2017-5708, CVE-2017-5711, CVE-2017-5712) two affect Server Platform Service 4.0.x.x (CVE-2017-5706, CVE-2017-5709), and two affect Intel Trusted Execution Engine 3.0.x.x (CVE-2017-5707. CVE-2017-5710). The ME, SPS, and ITE systems are embedded firmware that provide management and code integrity checks on intel powered hardware.

Four of the bugs were identified by security researchers at Positive Technologies, prompting Intel to conduct a full review, which revealed a further four Intel firmware vulnerabilities.

The good news is that in order for the vulnerabilities to be exploited, access to the device would be required. While insiders could run any code on the Management Engine by exploiting the vulnerabilities, it is possible that if other vulnerabilities exist, they could be leveraged by external actors to exploit the vulnerabilities without the need for a local user at a vulnerable device.

The flaws in the Management Engine (ME) are serious because ME is the basis for trust on a system. The ME performs checks on devices to ensure firmware hasn’t been updated or tampered with, so vulnerabilities in the Management Engine could be exploited to change the way the checks are performed.

For example, if a firmware update is attempted, the ME could report that the update has been applied, when it hasn’t. System administrators would believe that devices have been patched, when they remain vulnerable.

Further, since the ME is never switched off, unless power is totally cut to a device, even if the operating system is rebooted, the ME may remain compromised.

Unfortunately, there are no real workarounds other than applying the patches. Manufacturers are now working on customizing Intel’s patches, although since the vulnerabilities affect multiple processors, the process of customizing patches, testing them, and rolling them out could take several weeks.

Lenovo and Dell have already published lists with more than 100 affected systems, with the former expecting to roll out its patched by the end of the month.

Currently it is not believed that any of the vulnerabilities are being actively exploited, although that is almost certain to change over the coming weeks.

A tool has been released to check for the Intel firmware vulnerabilities detailed in security bulletin INTEL-SA-00086, which can be downloaded from the Intel website on this link.

The post Patches Released to Address Critical Intel Firmware Vulnerabilities appeared first on HIPAA Journal.

3 Year Jail Term for UK Man Linked to The Dark Overlord Hacking Group

A man linked to the hacking group TheDarkOverlord has been sentenced to serve three years in jail for fraud and blackmail offenses, although not for any cyberattacks or extortion attempts related to the The Dark Overlord gang.

Nathan Wyatt, 36, from Wellingborough, England, known online as the Crafty Cockney, pleaded guilty to 20 counts of fraud by false representation, a further two counts of blackmail, and one count of possession of a false identity document with intent to deceive.

Last week, at Southwark Crown Court, Wyatt was sentenced to serve three years in jail by Judge Martin Griffiths. At the sentencing hearing, Judge Griffiths suggested Wyatt was responsible for many more crimes other than those pursued via the courts. Some of those offenses are related to the TheDarkOverlord.

In September last year, Wyatt was arrested for attempting to broker the sale of photographs of Pippa Middleton, which had been obtained from a hack of her iPhone. Pippa Middleton is the sister of the Duchess of Cambridge. The charges in relation to that incident were dropped and Wyatt maintains he was not responsible for the hack.

During the course of that investigation, Wyatt’s computer was seized. An analysis of the device revealed he had been involved in other crimes. Initially, Wyatt was arrested for using a false identity document and fraud offenses in January this year, and was arrested a second time in March for blackmail offenses.

Police discovered that Wyatt had used stolen credentials to apply for a payment card, although the application was denied. Wyatt had also used his deceased step father’s credit card to make a string of online purchases, including purchases of computer games and mobile phones. Wyatt racked up debts in the region of £4,750 on the card, according to the Northamptonshire Telegraph.

An extortion attempt saw Wyatt use the name “The Dark Overlords” on a ransom demand in which he attempted to obtain a payment of €10,000 in Bitcoin from a UK legal firm. Wyatt stole around 10,000 files from the unnamed Humberside law firm using malware to gain access to the files on the law firm’s server.

In that extortion attempt, Wyatt said that he was planning to sell the stolen files to buyers in Russia and China if the ransom demand wasn’t paid. The files included scans of driver’s licenses and passports. It is unclear whether Wyatt hacked the law firm or if he used stolen credentials to gain access to its system to install malware.

Wyatt’s partner, Kelly Walker, 35, was also arrested and charged with handling stolen goods and encouraging or assisting offenses, but she was acquitted when prosecutors failed to provide any evidence to support the charges.

It is unclear whether Wyatt was a core member of the Dark Overlord hacking group, a fringe player, or if he was a copycat that used the group’s name. Dissent from pointed out in a recent blog post that Wyatt was allegedly supposed to make a call to one of the Dark Overlord’s victims in Georgia to put pressure on the clinic to pay the ransom demand. Wyatt was also allegedly responsible for opening back accounts in the UK on behalf of the Dark Overlord to take payments sent from hacking victims in the United States.

Wyatt is likely to be released in 18 months. In the UK, prisoners serving between 1 and 4-year jail terms are usually released after they have served half of their sentence, with the rest of the sentence served on probation. Wyatt has not been charged for any offenses in the United States.

The post 3 Year Jail Term for UK Man Linked to The Dark Overlord Hacking Group appeared first on HIPAA Journal.

9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack

A Medical College of Wisconsin phishing attack has resulted in the exposure of approximately 9,500 patients’ protected health information. The attackers managed to gain access to several employees’ email accounts, which contained a range of sensitive information of patients and some faculty staff.

The types of information in the compromised email accounts included names, addresses, medical record numbers, dates of birth, health insurance details, medical diagnoses, treatment information, surgical information, and dates of service. A very limited number of individuals also had their Social Security numbers and bank account information exposed.

The incident occurred over the space of a week in the summer between July 21 and July 28 when spear phishing emails were sent to specific individuals at the Medical College of Wisconsin. Responding to those emails resulted in the attackers gaining access to email login credentials.

Medical College of Wisconsin brought in a computer forensics firm to conduct an investigation into the phishing attack, and while that investigation established that access to the email accounts was gained by unauthorized individuals, it was not possible to determine whether emails containing protected health information had been accessed or viewed, or if any sensitive information was stolen. Since the attack occurred, no reports of misuse of patient information have been received.

To protect individuals against identity theft and fraud, credit monitoring and identity theft restoration services have been offered to breach victims free of charge, but only to those individuals whose Social Security numbers were compromised.

Medical College of Wisconsin reports that in addition to some faculty staff and Medical College of Wisconsin patients, some individuals who received treatment at Children’s Hospital of Wisconsin and Froedtert Health have also been impacted by the breach.

The latest Medical College of Wisconsin phishing attack comes just 10 months after a similar incident resulted in the exposure of 3,200 patients’ protected health information.

The post 9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack appeared first on HIPAA Journal.

October 2017 Healthcare Data Breaches

In October 2017, there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. Those data breaches resulted in the theft/exposure of 71,377 patient and plan member records. October saw a significant fall in the number of reported breaches compared to September, and a major fall in the number of records exposed.

Healthcare data breaches by month (July-October 2017)

October saw a major reduction in the number of breached records, with the monthly total almost 85% lower than September and almost 88% lower than the average number of records breached over the preceding three months.

healthcare records breached July-October 2017

Healthcare providers were the worst hit in October with 19 reported data breaches. There were six data breaches reported by health plans and at least two incidents involved business associates of HIPAA-covered entities.

October 2017 Healthcare Data Breaches by Covered Entity Type

October 2017 healthcare data breaches by covered entity type

Main Causes of October 2017 Healthcare Data Breaches

Unauthorized access/disclosures were the biggest causes of healthcare data breaches in October. There were 14 breaches reported involving unauthorized access/disclosures, 8 hacking incidents, four cases of theft, and one unencrypted laptop computer was lost.

cause of october 2017 healthcare data breaches

Unauthorized access/disclosures were the leading causes of October 2017 healthcare data breaches, although hacking/IT incidents exposed more records – Over twice the number of records exposed by unauthorized access/disclosures and hacking/IT incidents exposed more records than all other breach types combined.

october 2017 healthcare data breaches - records exposed

Location of Exposed and Stolen Protected Health Information

Email was the most common location of breached PHI in October. Five of the nine incidents involving email were the result of hacking/IT incidents such as phishing. The remaining four incidents were unauthorized access/disclosures such as healthcare employees sending emails containing PHI to incorrect recipients. Five incidents involved paper records, highlighting the importance of securing physical records as well as electronic protected health information.

october 2017 healthcare data breaches - location of breached PHI

October 2017 Healthcare Data Breaches by State

In October, healthcare organizations based in 22 states reported data breaches. The state that experienced the most data breaches was Florida, with 3 reported breaches. Maryland, Massachusetts, and New York each had two breaches.

Alabama, Arizona, California, Connecticut, Georgia, Iowa, Illinois, Kansas, Kentucky, Louisiana, Missouri, North Carolina, Ohio, Rhode Island, Tennessee, Texas, Virginia, and Washington each had one reported breach.

Largest Healthcare Data Breaches in October 2017


Breached Entity Entity Type Breach Type Individuals Affected
Chase Brexton Health Care Healthcare Provider Hacking/IT Incident 16,562
East Central Kansas Area Agency on Aging Business Associate Hacking/IT Incident 8,750
Brevard Physician Associates Healthcare Provider Theft 7,976
MHC Coalition for Health and Wellness Healthcare Provider Theft 5,806
Catholic Charities of the Diocese of Albany Healthcare Provider Hacking/IT Incident 4,624
MGA Home Healthcare Colorado, Inc. Healthcare Provider Hacking/IT Incident 2,898
Orthopedics NY, LLP Healthcare Provider Unauthorized Access/Disclosure 2,493
Mann-Grandstaff VA Medical Center Healthcare Provider Theft 1,915
Arch City Dental, LLC Healthcare Provider Unauthorized Access/Disclosure 1,716
John Hancock Life Insurance Company (U.S.A.) Health Plan Unauthorized Access/Disclosure 1,715

The post October 2017 Healthcare Data Breaches appeared first on HIPAA Journal.

Cybersecurity in Healthcare Report Highlights Sorry State of Security

Infoblox has released a new cybersecurity in healthcare report which has revealed many healthcare organizations are leaving themselves wide open to attack and are making it far too easy for hackers to succeed.

The cybersecurity in healthcare report was commissioned to help determine whether the healthcare industry is prepared to deal with the increased threat of cyberattacks. Healthcare IT and security professionals from the United States and United Kingdom were surveyed for the report

The report highlighted the sorry state of cybersecurity in healthcare and revealed why cyberattacks so commonly succeed. Devices are left unprotected, outdated operating systems are still in use, many healthcare organizations have poor visibility into network activity, employees are not being trained to identify threats, and there is apathy about security in many organizations.

The Poor State of Cybersecurity in Healthcare

The use of mobile devices in hospitals has increased significantly in recent years. While the devices can help to improve efficiency, mobile devices can introduce considerable risks. 47% of the large healthcare organizations that were surveyed were using more than 5,000 devices on their networks. Securing so many devices and ensuring they are kept up to date and fully patched is a major challenge for healthcare IT and security professionals, but many organizations are unaware of all of the devices that are connecting to their networks.

Ransomware is a major issue for the healthcare industry. The scale of recent ransomware attacks has put many healthcare organizations on alert, and most hospitals are now in a much better position to deal with attacks when they occur. In the United Kingdom, 15% of respondents said they do not have a plan that could be implemented in the event of a ransomware attack. The lack of planning can result in far greater disruption when an attack occurs.

One in five respondents said devices were in use that were running on Windows XP, even though the operating system has been retired and has not been supported since April 2014. 22% said they were still using Windows 7, which had vulnerabilities that were exploited in the WannaCry attacks. Only 57% of organizations said they were patching their systems at least once a week.

18% of respondents said they had medical devices with unsupported operating systems. Infoblox drew attention to the fact that 7% of respondents didn’t know what operating system that their medical devices are running on, and out of those who do, 26% of large organizations said that they either don’t know or don’t care if they can update those systems.

Those findings make it no surprise that attacks like WannaCry occurred and hit the healthcare industry in the UK so hard.

Cybersecurity Spending is Increasing, but Money is Not being Spent Strategically

The report shows that healthcare organizations are responding to the elevated threat of cyberattacks by investing more heavily in security. 85% of healthcare organizations have increased cybersecurity spending in the past year, and 12% say they have increased spending by more than 50%.

The two technologies that are most commonly chosen are anti-virus solutions (61%) and firewalls (57%), with half of surveyed organizations also having invested in network monitoring technology to identify malicious network activity. Application security solutions are also a popular choice, chosen by 37% of organizations, while one third have invested in DNS security solutions to block data exfiltration and disrupt DDoS attacks.

In the United States, approximately half of healthcare professionals said they had started encrypting their data, compared to 36% in the UK.  Healthcare organizations are now realizing the benefits of providing security awareness training to staff, although worrying, only 35% do. PhishMe reports that more than 90% of cyberattacks start with a phishing email, yet only 33% said they had invested in email security solutions.  Signing up to threat intelligence services can help organizations be more proactive about cybersecurity, yet only 30% of respondents said they had signed up to receive threat intelligence reports.

Recommendations to Improve Cybersecurity in Healthcare

Based on the findings of the report, Infoblox made several recommendations for healthcare organizations to help them mitigate the threat of cyberattacks.

Those recommendations include planning to update operating systems to supported versions. The short-term issues that software updates create are far better than the widespread disruption caused by cyberattacks that exploit vulnerabilities on those outdated systems.

Organizations were advised to know their networks better – the operating systems in use, the devices that are allowed to connect to the network, and the importance of monitoring network activity to detect intrusions.

Organizations must plan for ransomware attacks to minimize disruption. 15% of healthcare organizations still do not have a plan in place to respond if ransomware is installed, even with the elevated threat of attacks on healthcare organizations.

IT security budgets may be increasing, but those budgets must be spent wisely. Investing more money in traditional defenses may not be the best use of budgets.

“Digital transformation presents a massive opportunity to support the doctors and nurses who work tirelessly – but these new technologies also introduce new cyber risk that must be mitigated,” said Rob Bolton, Director of Western Europe at Infoblox. “It’s crucial that healthcare IT professionals plan strategically about how they can manage risk within their organization and respond to active threats to ensure the security and safety of patients and their data.”

The post Cybersecurity in Healthcare Report Highlights Sorry State of Security appeared first on HIPAA Journal.

Is Google Hangouts HIPAA Compliant?

Is Google Hangouts HIPAA compliant? Can Google Hangouts be used by healthcare professionals to transmit and receive protected health information (PHI)?

Is Google Hangouts HIPAA Compliant?

Healthcare organizations frequently ask about Google services and HIPAA compliance, and one product in particular has caused some confusion is Google Hangouts. Google Hangouts is the latest incarnation of the Hangouts video chat system, and has taken the place of Huddle (Google+ Messenger). Google Hangouts is a cloud-based communication platform that incorporates four different elements: Video chat, SMS, VOIP, and an instant messaging service.

Google will sign a business associate agreement for G Suite, which currently covers the following Google core services

  • Gmail
  • Calendar
  • Google Drive (Includes Google Docs, Google Sheets, Google Slides, and Google Forms)
  • Apps Script
  • Keep
  • Sites
  • Jamboard
  • Google Cloud Search
  • Vault (If applicable)
  • Google Hangouts (Chat messaging)
  • Hangouts Meet

The Business Associate Agreement does not cover Google Groups, Google Contacts, and Google+, none of which can be used in conjunction with protected health information. Google also advises users to disable the use of non-core services in relation to G suite – for example YouTube, ​Blogger ​and Google ​Photos.

So, certain elements of Google Hangouts are HIPAA compliant and can be used by HIPAA covered entities without violating HIPAA Rules, provided that prior to the use of the services with PHI, the covered entity has entered into a business associate agreement with Google.

However, even with a BAA in place, not all elements of Google Hangouts are HIPAA compliant, so covered entities must exercise caution. Video chat for instance, is not covered by the BAA so cannot be used, and neither the SMS and VOIP options.

To help make Google Hangouts HIPAA compliant, Google has released a guide for healthcare organizations.

Google Hangouts HIPAA Compliance Depends on Users

If you decide to allow the use of Google Hangouts in your organization, it important to address the allowable uses of Google Hangouts with respect to PHI through policies and procedures. Staff must be trained on the correct use of the platform, and instructed which elements of Google Hangouts can be used and which are prohibited. If video chat is important for your organization, you should seek a HIPAA-compliant alternative platform.

As we have mentioned in a previous post, simply obtaining a BAA from Google is no guarantee of HIPAA compliance – that will depend on how Google services are configured and how they are used – See this page for further information of G Suite HIPAA Compliance.

Don’t Forget to Implement Additional Safeguards for Mobile Devices

One area where HIPAA-covered entities could easily violate HIPAA Rules is the use of Google Hangouts on mobile devices. Google does have excellent security controls that can alert users to potential unauthorized access of their Google account. These should be configured to ensure inappropriate access attempts are identified rapidly. Controls should also be implemented on mobile devices to ensure that the devices are protected in case of loss or theft.

Access controls on the device should be implemented to prevent the device, and any ePHI stored on it, from being easily accessed. Policies and procedures should also be developed to ensure lost and stolen devices are reported promptly, and actions taken to secure accounts. It is also recommended to implement controls that allow lost and stolen devices to be located, locked, and remotely wiped.

The post Is Google Hangouts HIPAA Compliant? appeared first on HIPAA Journal.

President Trump Nominates Alex Azar for HHS Secretary

Former Deputy Secretary of the Department of Health and Human Services, Alex Azar, is tipped to take over from former Secretary Tom Price after receiving the presidential nomination for the role. Azar previously served as general counsel to the HHS and Deputy Secretary during the George W. Bush administration.

President Trump confirmed on Twitter that he believes Azar is the man for the job, tweeting “Happy to announce, I am nominating Alex Azar to be the next HHS Secretary. He will be a star for better healthcare and lower drug prices!”

The position of Secretary of the Department of Health and Human Services was vacated by former Secretary Tom Price in September, following revelations about his controversial use of military aircraft and expensive charter flights to travel around the country.

While there were several potential candidates tipped to receive the nomination, including commissioner of the Food and Drug Administration, Scott Gottlieb, and administrator of the Centers for Medicare and Medicaid Services, Seema Verma, President Trump has made a controversial choice.

Alex Azar is a trained lawyer, but has spent the past ten years working in the pharmaceutical industry – an industry regulated by the HHS. In 2007, Azar joined pharmaceutical giant Eli Lilly taking on the role of senior vice president of corporate affairs and communications before becoming the head of the U.S. division of the firm until January 2017, when he left to start up his own consulting firm.

The nomination of Azar has raised many eyebrows. While President Trump has tweeted that he sees Azar as the man to help lower drug prices, Eli Lilly has attracted considerable criticism in the past for hikes in drug prices, notably for price rises to Insulin, one of the firm’s major pharmaceutical products. President Trump has previously claimed the pharmaceutical industry is ‘getting away with murder’ setting prices for their products.

Democrats have already expressed skepticism about how Azar would be able to help lower healthcare costs, not sharing Trump’s optimistic view that Azar can help drive prices down.

Azar has also been a harsh critic of the Affordable Car Act, sharing President’s Trump’s view that the ACA should be repealed. Despite repeated attempts, the failure to repeal ACA will mean that if appointed, Azar will be responsible for overseeing enforcement of the ACA.

Before Azar can take the helm of the Department of Health and Human Services, he must first be approved by Congress. Azar’s record while serving in the pharmaceutical industry is certain to be scrutinized, as will his commitment to enforcing the Affordable Care Act that he has previously strongly opposed.

The post President Trump Nominates Alex Azar for HHS Secretary appeared first on HIPAA Journal.