Latest HIPAA News

400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS

A recent investigation by ProPublica, the German public broadcaster Bayerischer Rundfunk, and vulnerability and analysis firm, Greenbone Networks, has revealed 24.3 million medical images in medical image storage systems are freely accessible online and require no authentication to view or download the images.

Those images, which include X-rays, MRI, and CT scans, are stored in picture archiving and communications systems (PACS) connected to the Internet.

Greenbone Networks audited 2,300 Internet-connected PACS between July and September 2019 and set up a RadiAnt DICOM Viewer to access the images stored on open PACS servers.

Those servers were found to contain approximately 733 million medical images of which 399.5 million could be viewed and downloaded. The researchers found 590 servers required no authentication whatsoever to view medical images.

PACS use the digital imaging and communications in medicine (DICOM) standard to view, process, store, and transmit the images. In most cases, a DICOM viewer would be required to access the images, but in some cases, all that is required is a web browser or a few lines of code. Anyone with rudimentary computer expertise would be able to view and download the images.

The exposed PACS were located in 52 countries and the highest concentration of unprotected PACS were found in the United States. 187 unsecured servers were found in the United States. The exposed U.S. PACS contained 13.7 million data sets and 303.1 million medical images of around 5 million U.S. patients.

The researchers found more than 10,000 security issues on the audited systems, 20% of which were high-severity and 500 were critical and had a CVSS v3 score of 10 out of 10.

The images included personal and medical information such as patients’ names, dates of birth, scan date, scope of the investigation, type of imaging procedure performed, institute name, attending physicians’ names, and the number of generated images. Some of the images also contained Social Security numbers.

The types of patient information included on the images could be used for identity theft, medical identity theft, and insurance fraud. The data could also be used to extort money from patients or create highly convincing spear phishing emails.

While the investigation uncovered no evidence to suggest any of the exposed information had been copied and published online, the possibility of data theft could not be discounted.

PACS are designed to allow images to be accessed easily by healthcare professionals, but the systems often lack security controls to restrict access. It is the responsibility of healthcare delivery organizations (HDOs) to ensure safeguards are implemented to secure their PACS, but HDOs can face major challenges addressing vulnerabilities and securing their systems without negatively impacting workflows.

To help address the problem, the National Cybersecurity Center of Excellence (NCCoE) recently released new guidance for HDOs to help them improve security controls on PACS and mitigate risks without negatively impacting user productivity and system performance.

The post 400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS appeared first on HIPAA Journal.

Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices Issued by NCCoE

The National Cybersecurity Center of Excellence (NCCoE) has issued new draft NIST mobile device security guidance to help organizations mitigate the risks introduced by corporate-owned personally enabled (COPE) devices.

Mobile devices allow employees to access resources essential for their work duties, no matter where those individuals are located. As such, the devices allow organizations to improve efficiency and productivity, but the devices bring unique threats to an organization.

The devices typically have an always-on Internet connection and the devices often lack the robust security controls that are applied to devices such as desktop computers. Malicious or risky apps can be downloaded to mobile devices by users without the knowledge or authorization of the IT department. App downloads could introduce malware and app permissions could allow unauthorized access to sensitive data.

Organizations therefore need to have total visibility into all mobile devices used by employees for work activities and they must ensure that mobile device security risks are effectively mitigated. If not, vulnerabilities could be exploited by threat actors to gain access to sensitive data and network resources.

The aim of the new guidance – (NIST) Special Publication 1800-21 – is to help organizations identify and address risks and improve mobile device security to reduce the likelihood of unauthorized device access and data loss and theft.

The guidance includes how-to guides and an example solution developed in a lab environment using commercially available mobile management tools which can be used by enterprises to secure their Apple iOS and Android devices and networks while minimizing the impact on operational processes.

The guidance was developed by NIST and technology partners Kryptowire, Lookout, Appthority, MobileIron, Palo Alto Networks, and Qualcomm and is available for downloaded from NCCoE on this link (PDF – 14.5MB). Comments are being accepted until September 23, 2019.

Further guidance on mobile device security for Bring Your Own Device (BYOD) is currently under development.

The post Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices Issued by NCCoE appeared first on HIPAA Journal.

NCCoE Issues Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem

The National Cybersecurity Center of Excellence (NCCoE) has issued draft NIST guidelines for securing the picture archiving and communications system (PACS) ecosystem.

The guidelines – NIST Cybersecurity Practice Guide, SP 1800-24 – have been written for health healthcare delivery organizations (HDOs) to help them secure their PACS and reduce the probability of a data breach and data loss, protect patient privacy, and ensure the integrity of medical images while minimizing disruption to hospital systems.

PACS is used by virtually all HDOs for storing, viewing, and sharing digital medical images. The systems make it easy for healthcare professionals to access and share medical images to speed up diagnosis.

The system can often be accessed via desktops, laptops, and mobile devices and a PACS may also link to electronic health records, other hospital systems, regulatory registries, and government, academic, and commercial archives.

With many users and devices and interactions with multiple systems, HDOs can face challenges securing their PACS ecosystem, especially without having a negative impact on user productivity and system performance.

Key challenges include controlling, monitoring, and auditing user accounts, identifying outliers in user behavior, enforcing the rule of least privilege, creating separation-of-duties policies for internal and external users, monitoring and securing internal and external connections to the system, and ensuring data integrity as images move across the enterprise.

The Healthcare PACS Project identifies the individuals who interact with the system, defines their interactions, performs a risk assessment, and identifies commercially available mitigating security technologies.

The guidance document explains the best approach and architecture to adopt, along with the characteristics of a secure PACS. Included are how-to-guides and an example implementation that uses commercially available technologies to implement stronger security controls to create a much more secure PACS ecosystem.

The guidance document was developed with assistance from several PACS system developers and cybersecurity companies, including Cisco, Digicert, Forescout, Philips, Hylans, Symantec, tripwire, Virta Labs, Zingbox, and Clearwater compliance.

NCCoE is seeking feedback from HDOs and healthcare industry stakeholders on the new guidance until November 18, 2019. The draft guidance can be downloaded from the NCCoE website on this link.

The post NCCoE Issues Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem appeared first on HIPAA Journal.

Consumer Technology Association Publishes Privacy Guidelines for Handling Health and Wellness Data

The Consumer Technology Association (CTA) has released data privacy guidelines to help companies better protect health and wellness data.

The guidelines have been developed to help CTA members address tangible privacy risks and securely collect, use, and share health and wellness data collected from health/wellness apps, wearable devices, and other digital tools.

The guidelines – Guiding Principles for the Privacy of Personal Health and Wellness Information – were developed by the CTA to help members address privacy gaps, discover consumer preferences, and earn consumer trust.

“[The] privacy guidelines, developed with consensus among industry stakeholders, will help give both individuals and companies the confidence to invest in innovative technologies which will improve health,” explained CTA president and CEO, Gary Shapiro. “The CTA Privacy Principles demonstrate that health tech companies understand they must be trusted stewards of patient data.”

Consumers now have access to a plethora of apps, devices, and digital tools that let them keep track of their health metrics, improve wellness, and manage their health and medical conditions. These tools help to engage consumers in their own health and wellness, make informed decisions to improve their health, and even access and share their medical information with others. Consumers benefit from these tools through improvements to their health and healthcare companies can use the aggregated data collected by these tools for research. That can lead to faster diagnoses and treatment for health conditions.

However, recent data breaches have raised concerns among consumers about how their information is collected, stored, and shared, and privacy scandals have made consumers much more aware about secondary uses of their data. These incidents have undermined trust in wearable devices and health apps, which is something that the CTA hopes to address with the guidance.

Initially the aim was to address privacy concerns around wearable devices, but the focus has since been expanded to cover apps and other digital tools. The CTA has been working with CTA members such as IBM, Humetrix, Humana, Validic, and Doctors on Demand to develop the guidelines, which cover the collection, storage, use, and sharing of health and wellness data.

The guidelines serve as a voluntary framework to improve privacy protections and security for health data and are intended to establish a baseline for privacy and security.

The guidelines are based on five key principles:

  • Being open and transparent about how health and wellness information is collected and used
  • Being careful how personal health information is used
  • Giving consumers control over the uses and sharing of their health information
  • Implementing strong security to protect health data
  • Being accountable for practices and promises

The guidelines incorporate some flexibility to ensure they can be adopted by companies of all types and sizes. While they are primarily intended for CTA members, they can also be adopted by non-HIPAA covered app developers, service providers, technology companies, and firms that are just entering the health and wellness sphere.

The guidelines are also available to consumers to let them learn more about CTA principles and make informed decisions about the companies they choose to interact with.

The privacy guidelines can be downloaded from the CTA Tech website on this link (PDF).

The post Consumer Technology Association Publishes Privacy Guidelines for Handling Health and Wellness Data appeared first on HIPAA Journal.

HSCC Publishes Guidance on Healthcare Information Sharing Organizations

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published guidance on cybersecurity information sharing organizations in the healthcare sector.

HSCC is a public-private partnership of more than 200 companies and organizations, including health IT companies, medical device manufacturers, laboratories, pharmaceutical companies, health plans, payers and government agencies. Its role is to provide collaborative solutions to help mitigate cybersecurity threats affecting the healthcare industry.

The Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO) is the fourth cybersecurity resource published by HSCC as mandated by the Health Care Industry Cybersecurity Task Force, which requires HSCC to help improve information sharing of industry threats, risks, and mitigations. Other resources previously published by HSCC cover healthcare industry cybersecurity best practices, developing a medical device joint security plan, and the development of a health industry cybersecurity workforce.

“Many health organizations are beginning to understand the importance of cybersecurity information sharing but don’t know where to start,” said Errol Weiss, Chief Security Officer of the Health Information Sharing and Analysis Center (H-ISAC) and co-chair of the HSCC task group responsible for the HIC-MISO toolkit. “With cyber-attacks against health organizations increasing in number and severity, one of the most important things an enterprise can do is build awareness and preparedness through community engagement.”

The aim of the HIC-MISO is to help healthcare organizations understand the importance of cybersecurity information sharing and to provide the resources they need to start participating in threat sharing. The HIC-MISO is a list of the most commonly used information sharing organizations (ISOs) in the healthcare industry along with details of the services they provide.

To keep the HIC-MISO simple and manageable, it is limited to the most widely used ISOs serving the healthcare industry at a national rather than regional level. The HIC-MISO includes information on ISOs such as HITRUST, H-ISAC, HPH-SCC, and MED-ISAO, along with the mission/function of each, the services provided, and any potential costs of participation. It is aimed at healthcare organizations that do not have the resources to participate in more than one or two threat sharing groups.

HSCC advises healthcare organizations that are not currently participating in threat sharing to start small and to initially only share the most important information. As the program matures and organizations become more comfortable with threat sharing, more information can be shared, and the program can be expanded. The most important step is to get started.

The HIC-MISO is supplemented with a guide that will allow organizations establish an information management structure that is appropriate to the size of the enterprise, the resources available, and its risk profile.

The post HSCC Publishes Guidance on Healthcare Information Sharing Organizations appeared first on HIPAA Journal.

OCR Settles First HIPAA Violation Case Under 2019 Right of Access Initiative

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that one of the main areas of HIPAA enforcement in 2019 would be HIPAA right of access failures, including untimely responses to access requests and overcharging for copies of medical records.

The HIPAA right of access allows patients to obtain copies of their medical records on request. HIPAA-covered entities are required to honor those requests and provide patients with access to PHI or copies of health data contained in a ‘designated record set’ within 30 days of the request being received. A covered entity is permitted to charge a reasonable, cost-based fee for providing a copy of the individual’s PHI, which can include the cost of certain labor, supplies and postage.

HIPAA-covered entities that fail to provide copies of records in a reasonable time frame or charge excessive amounts for providing a copy of a patient’s PHI are in violation of the HIPAA Privacy Rule – See 45 CFR 164.501. Such violations can attract a sizable financial penalty.

This week, OCR has announced that the first settlement has been reached with a HIPAA-covered entity under the right of access initiative. Bayfront Health St. Petersburg, a 480-bed hospital in St. Petersburg, FL, has agreed to pay OCR $85,000 to settle the case.

OCR launched an investigation into a potential HIPAA violation at Bayfront Health following receipt of a complaint from a patient on August 14, 2018. The patient alleged that she had requested her fetal heart monitor records from Bayfront Health St. Petersburg in October 2017. At the time of the complaint, 9 months after the request was made, she had still not been provided with a full copy of her records.

OCR confirmed that the patient made the request on October 18, 2017 and was informed by Bayfront Health that the records could not be found. Two further requests were sent to Bayfront Health by the patient’s counsel on January 2, 2018 and February 12, 2018. In March 2018, Bayfront Health provided an incomplete set of records and a complete response was only received on August 23, 2018. The patient’s counsel shared the records with the patient, but it took the intervention of OCR for the fetal heart monitor records to be provided to the patient. Those records were provided directly to the patient on February 7, 2019.

OCR determined that the failure to provide access to the patient’s designated record set was a clear violation of 45 C.F.R. § 164.524 and that the HIPAA violation warranted a sizable financial penalty.

“Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino.  “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”

In addition to the financial penalty, Bayfront Health has agreed to implement a corrective action plan and will be monitored by OCR for the following 12 months.

The post OCR Settles First HIPAA Violation Case Under 2019 Right of Access Initiative appeared first on HIPAA Journal.

Study Confirms Why Prompt Data Breach Notifications Are So Important

When healthcare organizations experience a data breach it is understandable that breach victims will be upset and angry. Information is provided to healthcare organizations in the understanding that safeguards have been implemented to keep that information private and confidential.

When patients and health plan members learn that their sensitive, private information has been exposed or stolen, many choose to take their business elsewhere.

According to a new study* by the credit reporting agency Experian, if the breach response is properly managed and the breached entity is transparent and issues notifications promptly, customer churn rate can be kept to an absolute minimum.

The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule requires notifications to be issued to breach victims ‘without unreasonable delay’ and no later than 60 days from the discovery of the breach. However, a majority of patients expect to be notified much more quickly. The study showed 73% of patients/plan members expect to be notified about a breach within 24 hours of the breach being discovered.

Prompt data breach notifications can make a big difference. Patients and plan members are likely to be much more forgiving if they are informed about a data breach promptly. 90% of respondents said they would be somewhat forgiving if they knew that the breached organization had a plan in place for communicating with patients in the event of a data breach, but many organizations are not prepared for the worst.

Previous research conducted by Experian suggests 34% of breach response plans do not include customer notification and only 52% of companies have a data breach crisis or communications plan in place. If the communications team is made aware in advance of notification requirements, the people responsible for the communications are mapped out, and approval processes are planned in advance, it will allow notifications to be issued much more quickly.

While incredibly fast breach notifications are expected, in practice it is often not possible to issue notifications in such a short time frame. A phishing attack that results in an email account being subjected to unauthorized access requires every email in that email account to be checked for PHI. It is not always possible to automate that search effectively and manual checks are often required. It is therefore important to start investigations promptly, yet 84% of businesses did not include forensic analysis in their breach response plans which can lead to delays in issuing notifications.

Slow and ineffective communication is likely to add insult to injury following a data breach. 66% of respondents said slow breach notification and poor communication would likely see them stop doing business with the breached entity, and 45% of respondents would not only seek an alternative service provider, they would also instruct their friends and family members to do the same.

*Data for the report came from an Experian survey of 1,000 adults in the United States by consultancy firm KRC Research in July 2019.

The post Study Confirms Why Prompt Data Breach Notifications Are So Important appeared first on HIPAA Journal.

Hurricane Dorian: Limited HIPAA Waiver Issued in Puerto Rico, Florida, Georgia, South Carolina

Alex Azar, Secretary of the Department of Health and Human Services (HHS) has declared a public health emergency (PHE) in Puerto Rico and the states of Florida, Georgia, and South Carolina due to Hurricane Dorian.

The announcement follows the presidential PHE in the above areas as the states prepare for when the hurricane makes landfall. The declaration was accompanied by the announcement of a limited waiver of HIPAA sanctions and penalties for certain provisions of the HIPAA Privacy Rule, as mandated by the Project Bioshield Act of 2004 of the Social Security Act. The waiver only applies in the emergency areas and for the period of time covered by the PHE.

The waiver applies to hospitals that have implemented their disaster protocol, and only for up to 72 hours from when the disaster protocol was implemented, unless the PHE declaration terminates before that 72-hour period has elapsed.

Once the PHE comes to an end, hospitals are required to comply with all requirements of the HIPAA Privacy Rule for all patients, including those still under the care of the hospital when the PHE ends. The HHS notes that during a PHE, the requirements of the HIPAA Privacy and Security Rules remain in place.

Even in the absence of a HIPAA waiver, the HIPAA Privacy Rule permits the sharing of patient information with friends, family, public health officials, and emergency personnel. Entities can share patient information for the purposes of providing treatment, for public health activities, and to lessen a serious threat to public health or safety. Information can also be shared with patients’ friends, family and other individuals involved in their care to ensure that proper care and treatment can be provided.

Under the terms of the HIPAA waiver, the HHS agrees to waive HIPAA sanctions and penalties for the following provisions of the HIPAA Privacy Rule:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

Further information on the waiver and HIPAA privacy and disclosures of PHI in emergency situations can be found on the following link:

The post Hurricane Dorian: Limited HIPAA Waiver Issued in Puerto Rico, Florida, Georgia, South Carolina appeared first on HIPAA Journal.

82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices

82% of healthcare providers that have implemented Internet-of-Things (IoT) devices have experienced a cyberattack on at least one of those devices over the course of the past 12 months, according to the Global Connected Industries Cybersecurity Survey from Swedish software company Irdeto.

For the report, Irdeto surveyed 700 security leaders from healthcare organizations and firms in the transportation, manufacturing, and IT industries in the United States, United Kingdom, Germany, China, and Japan. Attacks on IoT devices were common across all those industry sectors, but healthcare organizations experienced the most cyberattacks out of all industries under study.

The biggest threat from these IoT cyberattacks is theft of patient data. The attacks also have potential to compromise end user safety, result in the loss of intellectual property, operational downtime and damage to the organization’s reputation. The failure to effectively secure the devices could also potentially result in a regulatory fine.

When asked about the consequences of a cyberattack on IoT devices, the biggest concern was theft of patient data, which was rated as the main threat by 39% of healthcare respondents. Attacks on IoT devices can also threaten patient safety. 20% of respondents considered patient safety a major risk and 30% of healthcare providers that experienced an IoT cyberattack said patient safety was actually put at risk as a direct result of the attack.

12% of respondents said theft of intellectual property was a major risk, and healthcare security professionals were also concerned about downtime and damage to their organization’s reputation.

The main impact of these attacks is operational downtime, which was experienced by 43% of companies, theft of data (42%), and damage to the company’s reputation (31%).

Mitigating IoT cyberattacks comes at a considerable cost. The average cost to resolve a healthcare IoT cyberattack was $346,205, which was only beaten by attacks on the transport sector, which cost an average of $352,639 to mitigate.

Even though there are known risks associated with IoT devices, it does not appear to have deterred hospitals and other healthcare organizations from using the devices. It has been estimated up to 15 million IoT devices are now used by healthcare providers. Hospitals typically use an average of 10-15 devices per hospital bed.

Securing the devices can be a challenge, but most healthcare organizations know exactly where the vulnerabilities are. They just lack the resources to correct those vulnerabilities.

Manufacturers need to do more to secure their devices. Security is often an afterthought and safeguards are simply bolted on rather than being incorporated during the design process. Fewer than half of device manufacturers (49%) said security is factored in during the design of the devices and only 53% of device manufacturers conduct code reviews and continuous security checks.

82% of device manufacturers expressed concern about the security of their devices and feared safeguards may not be enough to prevent a successful cyberattack. 93% of device manufacturers said security of their devices could be improved a little to a great deal, as did 96% of device users.

“The previous mindset of security as an afterthought is changing. 99 percent agree that a security solution should be an enabler of new business models, not just a cost,” explained the researchers in their recent report. “This clearly indicates that businesses realize the value add that security can bring to their organization.”

The post 82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices appeared first on HIPAA Journal.