Latest HIPAA News

Two Employees Fired for Impermissible PHI Disclosures to Third Parties

Posted March 8, 2021 by HIPAA Journal

Humana has discovered an employee of a subcontractor of a business associate impermissibly disclosed the protected health information of approximately 65,000 of its members to a third-party for training purposes.

Cotiviti was contracted by Humana to provide assistance requesting medical records and used a subcontractor to review the requested medical records. Under HIPAA, subcontractors used by business associates are also required to comply with HIPAA.

The privacy violations occurred between October 12, 2020 and December 16, 2020 and Cotiviti notified Humana about the HIPAA violation on December 22, 2020. Cotiviti has worked with Humana to ensure that safeguards are implemented to prevent similar privacy breaches in the future, and that those safeguards are put in place at any subcontractors it uses. The individual who disclosed the data is no longer employed by the subcontractor.

The types of data disclosed includes member names’, addresses, phone numbers, email addresses, dates of birth, full or partial Social Security Numbers, insurance identification numbers, provider names, dates of service, medical record numbers, treatment information, and medical images.

While the disclosures were not made for malicious purposes and further disclosures of the PHI are not believed to have occurred, Humana is offering affected individuals 2 years of complimentary credit monitoring and identity theft protection services.

UPMC St. Margaret Fires Employee for Impermissible PHI Disclosure

UPMC St. Margaret has discovered an employee impermissibly disclosed the protected health information of certain patients to a third-party organization without authorization.

On August 2020, UPMC, St. Margaret discovered a medication administration report had been sent to an organization when there was no legitimate work purpose for doing so. The report contained information such as names, UPMC identification numbers, and medication administration data, including drug name, dose, time/date of administration, and the reason for providing medication.

Following the discovery of the impermissible disclosure, the employee’s access to UPMC systems was terminated, as was the individual’s employment with UPMC after the investigation was completed. Affected individuals were notified about the privacy breach on March 5, 2021. No reason was provided as to the notification delay.

The post Two Employees Fired for Impermissible PHI Disclosures to Third Parties appeared first on HIPAA Journal.

IBM X-Force: Healthcare Cyberattacks Doubled in 2020

Posted March 3, 2021 by HIPAA Journal

A new report from IBM X-Force shows healthcare cyberattacks doubled in 2020 with 28% of attacks involving ransomware. The massive increase in healthcare industry cyberattacks saw the sector rise from last place to 7th, with the finance and insurance industry the most heavily targeted, followed by manufacturing, energy, retail, professional services, and government. Healthcare accounted for 6.6% of cyberattacks across all industry sectors in 2020.

The 2021 X-Force Threat Intelligence Index report was compiled from monitoring data from over 130 countries and included data from more than 150 billion security events a day, with the data gathered from multiple sources including IBM Security X-Force Threat Intelligence and Incident Response, X-Force Red, IBM Managed Security Services, and external sources such as Intezer and Quad9.

The most common way networks were breached was the exploitation of vulnerabilities in operating systems, software, and hardware, which accounted for 35% of all attacks up from 30% in 2019. This was closely followed by phishing attacks, which were the initial entry point in 33% of attacks, up from 31% in 2019.

2020 was the first year since IBM X-Force started publishing its annual threat index reports that the exploitation of vulnerabilities was more common than phishing as the initial attack vector, which was largely due to the global shift to a distributed workforce in response to the pandemic.

Around 1 in 5 cyberattacks in 2020 involved the exploitation of vulnerabilities in Citrix servers, which were used to support remote workforces. Out of all attacks involving the exploitation of Citrix vulnerabilities, healthcare placed third with 17% of all attacks. Credential theft-related attacks secured third place in the initial attack vector list and accounted for 18% of attacks, down from 29% in 2019.

In healthcare especially, ransomware attacks increased sharply. Overall, 23% of security events in 2020 involved ransomware, up from 20% in 2019. 28% of all cyberattacks on the healthcare industry involved ransomware. These attacks often involved data theft prior to file encryption to pressure victims into paying the ransom to prevent the exposure or sale of stolen data. 59% of ransomware attacks in 2020 involved the use of this double-extortion tactic.

Sodinokibi was used in 22% of all ransomware attacks. The researchers estimate that the Sodinokibi gang generated $123 million in ransom payments in 2020. Other highly active ransomware operations included RagnarLocker, Netwalker, Maze, and Ryuk, which each had a share of 7% of the attacks.

Ransomware was the leading attack type, followed by data theft, and server access. Data theft increased 160% year-over-year, with a large proportion of the attacks due to the Emotet Trojan. Server access increased 233% in the past 12 months, mostly involving the exploitation of vulnerabilities and the use of stolen credentials. Remote Access Trojan (RAT) attacks had a notable increase from 2% of attacks in 2019 to 6% in 2020. Business email compromise attacks decreased in 2020, falling from 14% of attacks in 2019 to 9% in 2020. Insider breaches fell from 6% to 5% of attacks, with misconfigurations unchanged, accounting for 5% of attacks.

The second and third most common types of healthcare cyberattacks were server access and BEC attacks, each accounting for 18% of attacks in 2020. Data theft, insider incidents, and misconfigurations accounted for 9% of attacks each.

The increase in healthcare industry cyberattacks was largely due to the industry being heavily targeted by ransomware gangs and threat actors targeting COVID-19-related research organizations. It could have been far worse for the healthcare industry. Security researchers became aware that the Ryuk ransomware gang was planning a targeted campaign in October that would have seen 400 hospitals attacked. Fortunately, efforts by cybersecurity companies and law enforcement limited the attacks to just 9 out of the 400 hospitals.

The post IBM X-Force: Healthcare Cyberattacks Doubled in 2020 appeared first on HIPAA Journal.

NSA Releases Guidance on Adopting a Zero Trust Approach to Cybersecurity

Posted March 2, 2021 by HIPAA Journal

The National Security Agency (NSA) has recently released new guidance to help organizations adopt a Zero Trust approach to cybersecurity to better defend against increasingly sophisticated cyber threats.

Zero Trust is a security strategy which assumes that breaches are inevitable or have happened and an intruder is already inside the network. This approach assumes that any device or connection may have been compromised so it cannot be implicitly trusted. Continuous verification is required in real time from multiple sources before access is granted and for system responses.

Adopting a Zero Trust approach to security means adhering to the concept of least-privileged access for every access decision and constantly limiting access to what is needed, with anomalous and potentially malicious activity constantly examined.

“Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries,” explained the NSA in the guidance. “Zero Trust repeatedly questions the premise that users, devices, and network components should be implicitly trusted based on their location within the network.”

The Zero Trust approach provides far greater security against external threat actors and authorized insiders with malicious intentions. When an authorized user or remote cyber attacker uses credentials to gain access to resources, those credentials and the device used are assumed to be malicious until proven otherwise. Sine access to networks and resources is limited, and networks are segmented, the potential harm that can be caused is severely reduced and lateral movement is restricted.

Traditionally, cybersecurity has been focused on protecting internal networks from external threats. Provided the network perimeter is not breached, this approach is effective, but today’s increasingly sophisticated cyber threats often breach the perimeter defenses, after which threat actors are able to move laterally within networks undetected, as occurred in the SolarWinds supply chain attack. A Zero trust approach to security would not prevent a system breach, but the harm caused would be drastically reduced and alerts would be generated to advise network defenders of a potential attack in progress.

The NSA provides examples in the guidance of how the Zero Trust approach blocks attempts by a threat actor using a legitimate user’s stolen credentials to access network resources using their own or the user’s device.

Source: National Security Agency

The Zero Trust approach is also effective at blocking supply chain attacks, when a threat actor adds malicious code to a device or application. In these attacks, communication between the device or app and the attacker would not be possible as the compromised device or app would not be trusted.

The transition to this new approach to security requires security teams to adopt a Zero Trust mindset which requires coordinated and aggressive system monitoring, system management, and defensive operations capabilities. All requests for access to critical resources, network traffic, devices and infrastructure must be assumed to be malicious, and acceptance that access approvals to critical resources incur risk, therefore security teams must be prepared to perform rapid damage assessment, control, and recovery operations.

Adopting a Zero Trust approach to security requires major changes to existing information systems and considerable time and effort, and there are likely to be many challenges. Fortunately, the change to Zero Trust can be implemented in stages starting with fundamental integrated capabilities, then refining capability integration and further refining capabilities, before deploying advanced protections and controls with robust analytics and orchestration. When Zero Trust functionality is introduced incrementally in accordance with a strategic plan, risk will be reduced accordingly at each step.

The NSA guidance provides an outline of the Zero Trust approach to security, recommendations and best practices for transitioning to Zero Trust, resources required for a successful transition, and how the Zero Trust implementation can be matured to ensure success.

The post NSA Releases Guidance on Adopting a Zero Trust Approach to Cybersecurity appeared first on HIPAA Journal.

March 1, 2021: Deadline for Reporting 2020 Small Healthcare Data Breaches

Posted February 25, 2021 by HIPAA Journal

The deadline for reporting healthcare data breaches of fewer than 500 records that were discovered in 2020 is fast approaching. HIPAA covered entities and business associates have until March 1, 2021 to submit breach reports to the Department of Health and Human Services’ Office for Civil Rights (OCR)that were discovered between January 1, 2020 and December 31, 2020.

HIPAA defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” A risk assessment should be conducted to determine the probability that PHI has been compromised, that must include the nature and extent of PHI involved, the probability of identification of individuals; the person who used/disclosed the PHI; whether PHI was viewed or acquired by an unauthorized individual; and the extent to which risk has been mitigated.

The HIPAA Breach Notification Rule requires notifications to be issued to affected individuals within 60 days of the discovery of a breach. All breaches must be reported OCR , including security incidents and privacy breaches affecting a single patient. If the breach affects 500 or more individuals, OCR must also be notified within 60 days. When there is a smaller breach, patients must still be notified within 60 days, but OCR does not need to be notified until 60 days from the end of the calendar year when the breach was discovered.

Breach reports should be submitted to OCR electronically via the OCR breach reporting portal. While smaller breaches can be reported ‘together’ ahead of the deadline via the portal, each incident must be submitted individually. Since details of the breach must be provided, including contact information, the nature of the incident, and the actions taken following the breach, adding these breach reports can take some time. The best practice is to report the breaches throughout the year when sufficient information about the nature, scope, and cause of the breaches are known, rather than wait until the last minute.

The failure to report small healthcare data breaches before the deadline could result in sanctions and penalties against the covered entity or business associate.

The post March 1, 2021: Deadline for Reporting 2020 Small Healthcare Data Breaches appeared first on HIPAA Journal.

Whistleblower Who Falsely Claimed Nurse Violated HIPAA Jailed for 6 Months

Posted February 24, 2021 by HIPAA Journal

A Georgia man who falsely claimed a former acquaintance had violated patient privacy and breached the HIPAA Rules has been fined $1,200 and sentenced to 6 months in jail.

In October 2019, Jeffrey Parker, 44, of Rincon, GA, claimed to be a HIPAA whistleblower and alerted the authorities about serious privacy violations by a nurse at a Savannah, GA hospital, including emailing graphic pictures of traumatic injuries of hospital patients internally and externally.

According to court documents, Parker “engaged in an intricate scheme” to frame a former acquaintance for violations of the Federal Health Insurance Portability and Accountability Act’s Privacy Rule. To back up the fake claims, Parker created multiple email accounts in the names of real patients and used those accounts to send false accusations of privacy violations. Emails were sent to the hospital where the nurse worked, the Federal Bureau of Investigation (FBI), and the Department of Justice (DOJ).

Parker also alleged that he had been threatened for his actions as a whistleblower and law enforcement took steps to ensure his safety. When questioned about the threats and the HIPAA violations, an FBI agent identified irregularities in his story and upon further questioning, Parker admitted making fake accusations to frame the former acquaintance for fictional HIPAA violations.

“Falsely accusing others of criminal activity is illegal, and it hinders justice system personnel with the pursuit of unnecessary investigations,” said U.S. Attorney Bobby L. Christine, when Parker was charged. “This fake complaint caused a diversion of resources by federal investigators, as well as an unnecessary distraction for an important health care institution in our community.”

Parker pleaded guilty to one case of making false statements and potentially faced a 5-year jail term. He was sentenced to serve 6 months in jail by U.S. District Court Judge Lisa Godbey Wood.

“Many hours of investigation and resources were wasted determining that Parker’s whistleblower complaints were fake, meant to do harm to another citizen,” said Chris Hacker, Special Agent in Charge of FBI Atlanta. “Before he could do more damage, his elaborate scheme was uncovered by a perceptive agent and now he will serve time for his deliberate transgression.”

Parker is not eligible for parole and will serve the full term, followed by 3 years of supervised release.

The post Whistleblower Who Falsely Claimed Nurse Violated HIPAA Jailed for 6 Months appeared first on HIPAA Journal.

Insights into Healthcare Industry Cyber Threats and the Supply Chain Supporting Criminal Activity

Posted February 23, 2021 by HIPAA Journal

Throughout the pandemic, cybercriminals have taken advantage of new opportunities and have been attacking hospitals, clinics and other businesses and organizations on the front line in the fight against COVID-19.

Ransomware attacks on the healthcare industry soared in 2020, especially in the fall when a coordinated campaign claimed many healthcare victims. Ransomware remains a major threat to the healthcare sector and the high numbers of attacks have continued into 2021.

A recent report from the CTIL League provides further information on these attacks and some of the other ways the healthcare industry was targeted in 2020. The report highlights the work conducted by the CTIL Dark team, which monitors the darknet and deep web for signs of data breaches and cybercriminal activity that has potential to impact the healthcare industry or general public health.

This is the first report to be released that highlights the discoveries and achievements of the CTIL Dark team, and delves into realm of healthcare ransomware attacks and the dark markets where access to healthcare networks are traded.

In 2020, the CTIL Dark team’s research determined the main ransomware gangs targeting the healthcare sector to be Maze, Conti, Netwalker, REvil, and Ryuk. Between these five operations more than 100 ransomware attacks were conducted on the healthcare sector, two thirds of which were in North America and Europe. The attacks by these groups accounted for 75% of all attacks on the sector in 2020.

The increase in ransomware attacks in 2020 was attributed to the ease at which the industry could be attacked and the increased prominence of the industry during the pandemic, and no healthcare organization was immune. In fact while attacks on large healthcare organizations with the means to pay large ransom demands were favored, in the fall there was a significant increase in attacks on small- to medium-sized hospitals and clinics.

Ransomware attacks tend to dominate the news reports due to the major impact these attacks have on healthcare providers and their patients. Hospitals are forced to switch to pen and paper, appointments often have to be cancelled, and patient information is frequently leaked online and made available to a wide range of cybercriminals. What is less well understood is the supply chain that makes many of these attacks possible.

During the pandemic, demand for backdoor access to healthcare networks increased considerably, as did the number of criminals providing access. The supply chains established to provide credentials for healthcare networks to ransomware gangs and other threat actors saw the barrier to entry into cyberattacks on the sector significantly lowered.

2020 saw an increase in the number of Initial Access Brokers. These are the hackers who target and breach vulnerable networks and sell on access to the highest bidder, including ransomware gangs and their affiliates. The CTIL Dark team reports a doubling of the number of Initial Access Brokers between Q2, 2020 and Q4, 2020. Skilled hackers that can breach healthcare networks often sign up to ransomware-as-a-service operations as affiliates themselves. In 2020, several RaaS operations started recruitment drives targeting individuals who already had access to healthcare networks and could conduct large numbers of attacks.

The CTIL Dark team notes that ransomware attacks are becoming more extensive, targeted, and coordinated, with threat groups often partnering and sharing resources and information. In 2020, the ransomware activity investigated by the team most commonly involved attacks on perimeter vulnerabilities such as unpatched systems and weak passwords in remote connectivity solutions, rather than phishing attacks.

The CTIL Dark team also identified an increase in the number of databases containing PHI being sold on darknet forums for use in targeted attacks on patients, and employee databases for targeting healthcare employees to gain access to healthcare networks.

Phishing attacks increased in 2020, with opportunistic threat actors abandoning their regular campaigns and switching to COVID-19 themed campaigns that closely mirrored equipment shortages and knowledge gaps. Scams were conducted in response to the shortage in COVID-19 tests and PPE, followed by fake offers of antibody blood. When hydroxyquinoline was touted as a game changer for COVID-19 treatment, darknet vendors switched from offering cocaine to offering doses of the drug. Now, as the vaccine rollout gathers pace, scammers have switched to offering fake vaccines.

CTIL has predicted attacks targeting the healthcare sector will most likely increase in 2021 rather than decline, so it is essential for healthcare organizations to remain on high alert and leverage data from cybersecurity vendors, health-ISACs, law enforcement, and organizations such as CTIL league and implement policies, procedures, and protections to combat these threats.

The post Insights into Healthcare Industry Cyber Threats and the Supply Chain Supporting Criminal Activity appeared first on HIPAA Journal.

January 2021 Healthcare Data Breach Report

Posted February 19, 2021 by HIPAA Journal

January saw a 48% month-over-month reduction in the number of healthcare data breaches of 500 or more records, falling from 62 incidents in December to just 32 in January. While this is well below the average number of data breaches reported each month over the past 12 months (38), it is still more than 1 data breach per day.

There would have been a significant decline in the number of breached records were it not for a major data breach discovered by Florida Healthy Kids Corporation that affected 3.5 million individuals. With that breach included, 4,467,098 records were reported as breached in January, which exceeded December’s total by more than 225,000 records.

Largest Healthcare Data Breaches Reported in January 2021

The breach reported by Florida Healthy Kids Corporation was one of the largest healthcare data breaches of all time. The breach was reported by the health plan, but actually occurred at one of its business associates. The health plan used an IT company for hosting its website and an application for applications for insurance coverage. The company failed to apply patches for 7 years, which allowed unauthorized individuals to exploit the flaws and gain access to sensitive data.

Hendrick Health had a major data breach due to a ransomware attack; one of many reported by healthcare providers since September 2020 when ransomware actors stepped up their attacks on the healthcare sector. The County of Ramsey breach was also due to a ransomware attack at one of its technology vendors.

Email-based attacks such as business email compromise (BEC) and phishing attacks were common in January, and were the cause of 4 of the top ten breaches.

Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach	Location of Breached Information
Florida Healthy Kids Corporation	Health Plan*	3,500,000	Hacking/IT Incident: Website and Web Application Hack	Network Server
Hendrick Health	Healthcare Provider	640,436	Hacking/IT Incident: Ransomware	Network Server
Roper St. Francis Healthcare	Healthcare Provider	189,761	Hacking/IT Incident: Phishing attack	Email
Precision Spine Care	Healthcare Provider	20,787	Hacking/IT Incident: BEC attack	Email
Walgreen Co.	Healthcare Provider	16,089	Unauthorized Access/Disclosure: Unknown	Email
The Richards Group	Business Associate	15,429	Hacking/IT Incident: Phishing attack	Email
Florida Hospital Physician Group Inc.	Healthcare Provider	13,759	Hacking/IT Incident: EHR System	Electronic Medical Record
Managed Health Services	Health Plan*	11,988	Unauthorized Access/Disclosure: Unconfirmed	Paper/Films
Bethesda Hospital	Healthcare Provider	9,148	Unauthorized Access of EMR by employee	Electronic Medical Record
County of Ramsey	Healthcare Provider*	8,687	Hacking/IT Incident: Ransomware	Network Server

*Breach reported by covered entity but occurred at a business associate.

Causes of January 2021 Healthcare Data Breaches

Hacking and other IT incidents continue to cause the majority of healthcare data breaches. January saw 20 hacking/IT incidents reported, which accounted for 62.5% of the month’s data breaches. The protected health information of 4,413,762 individuals was compromised or exposed in those breaches – 98.8% of all breached records in January. The average breach size was 220,688 records and the median breach size was 2,464 records.

There were 11 reported unauthorized access and disclosure incidents involving 50,996 records. The average breach size was 4,636 records and the median breach size was 1,680 records.

There was one reported incident involving the loss of an unencrypted laptop computer containing 2,340 records, but no theft or improper disposal incidents.

As the bar chart below shows, email is the most common location of breached PHI, mostly due to the high number of phishing attacks. This was closely followed by network server incidents, which mostly involve malware or ransomware.

January 2021 Healthcare Data Breaches by Entity Type

Healthcare providers were the worst affected covered entity type with 23 reported data breaches followed by health plans with 6 reported breaches. Three data breaches were reported by business associates of HIPAA covered entities, although a further 7 occurred at business associates but were reported by the covered entity, including the largest data breach of the month.

The number of breaches reported by business associates have been increasing in recent months. These incidents often involve multiple covered entities, such as the data breach at Blackbaud in 2020 which resulted involved the data of more than 10 million individuals across around four dozen healthcare organizations. A study by CI Security found 75% of all breached healthcare records in the second half of 2020 were due to data breaches at business associates.

Where Did the Data Breaches Occur?

January’s 32 data breaches were spread across 18 states, with Florida the worst affected with 6 reported breaches. There were 3 breaches reported by entities in Texas and Wyoming, and 2 reported in each of Louisiana, Massachusetts, and Minnesota.

Illinois, Indiana, Maryland, Missouri, Nevada, North Carolina, Ohio, Pennsylvania, South Carolina, Vermont, Virginia, and Washington each had 1 breach reported.

HIPAA Enforcement Activity in January 2021

2020 was a record year for HIPAA enforcement actions with 19 settlements reached to resolve HIPAA cases, and the enforcement actions continued in January with two settlements reached with HIPAA covered entities to resolve violations of the HIPAA Rules.

Excellus Health Plan settled a HIPAA compliance investigation that was initiated following a report of a breach of 9,358,891 records in 2015. OCR investigators identified multiple potential violations of the HIPAA Rules, including a risk analysis failure, risk management failure, lack of information system activity reviews, and insufficient technical policies to prevent unauthorized ePHI access. Excellus Health Plan settled the case with no admission of liability and paid a $5,100,000 financial penalty.

OCR continued with its crackdown of noncompliance with the HIPAA Right of Access with a $200,000 financial penalty for Banner Health. OCR found two Banner Health affiliated covered entities had failed to provide a patient with timely access to medical records, with both patients having to wait several months to receive their requested records.

The post January 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

100% of Tested mHealth Apps Vulnerable to API Attacks

Posted February 16, 2021 by HIPAA Journal

The personally identifiable health information of millions of individuals is being exposed through the Application Programming Interfaces (APIs) used by mobile health (mHealth) applications, according to a recent study published by cybersecurity firm Approov.

Ethical hacker and researcher Allissa Knight conducted the study to determine how secure popular mHealth apps are and whether it is possible to gain access to users’ sensitive health data. One of the provisos of the study was she would not be permitted to name any of the apps if vulnerabilities were identified. She assessed 30 of the leading mHealth apps and discovered all were vulnerable to API attacks which could allow unauthorized individuals to gain access to full patient records, including personally identifiable information (PII) and protected health information (PHI), indicating security issues are systemic.

mHealth apps have proven to be invaluable during the COVID-19 pandemic and are now increasingly relied on by hospitals and healthcare providers. According to Pew Research, mHealth apps are now generating more user activity than other mobile device apps such as online banking. There are currently an estimated 318,000 mHealth apps available for download from the major app stores.

The 30 mHealth apps analyzed for the study are used by an estimated 23 million people, with each app downloaded an average of 772,619 times from app stores. These apps contain a wealth of sensitive data, from vital signs data to pathology reports, test results, X-rays and other medical images and, in some cases, full medical records. The types of information stored in or accessible through the apps carries a high value on darknet marketplaces and is frequently targeted by cybercriminals. The vulnerabilities identified in mHealth apps makes it easy for cybercriminals to gain access to the information.

“Look, let’s point the pink elephant out in the room. There will always be vulnerabilities in code so long as humans are writing it. Humans are fallible,” said Knight. “But I didn’t expect to find every app I tested to have hard-coded keys and tokens and all of the APIs to be vulnerable to broken object level authorization (BOLA) vulnerabilities allowing me to access patient reports, X-rays, pathology reports, and full PHI records in their database.”

BOLA vulnerabilities allow a threat actor to substitute the ID of a resource with the ID of another. “When the object ID can be directly called in the URI, it opens the endpoint up to ID enumeration that allows an adversary the ability to read objects that don’t belong to them,” explained Knight. “These exposed references to internal implementation objects can point to anything, whether it’s a file, directory, database record or key.” In the case of mHealth apps, that could provide a threat actor with the ability to download entire medical records and personal information that could be used for identity theft.

APIs define how apps can communicate with other apps and systems and are used for sharing information. Out of the 30 mHealth apps tested, 77% had hard-coded API keys which made them vulnerable to attacks that would allow the attacker to intercept information as it is exchanged. In some cases, those keys never expired and 7% of the API keys belonged to third-party payment processors that strongly advise against hard coding these private keys in plain text, yet usernames and passwords had still been hard coded.

All of the apps lacked certificate pinning, which is used to prevent man-in-the-middle attacks. Exploiting this flaw would allow sensitive health and personal information to be intercepted and manipulated. Half of the tested apps did not authenticate requests with tokens, and 27% did not have code obfuscation protections, which made them vulnerable to reverse engineering.

Knight was able to access highly sensitive information during the study. 50% of records included names, addresses, dates of birth, Social Security numbers, allergies, medications, and other sensitive health data. Knight also found that if access is gained to one patient’s records, other patient records can also be accessed indiscriminately. Half of all APIs allowed medical professionals to view pathology, X-ray, and clinical results of other patients and all API endpoints were found to be vulnerable to BOLA attacks, which allowed Knight to view the PHI and PII of patients not assigned to her clinical account. Knight also found replay vulnerabilities that allowed her to replay FaceID unlock requests that were days old and take other users’ sessions.

Part of the problem is mHealth apps do not have security measures baked in. Rather than build security into the apps at the design stage, the apps are developed, and security measures are applied afterwards. That can easily result in vulnerabilities not being fully addressed.

“The fact is that leading developers and their corporate and organizational customers consistently fail to recognize that APIs servicing remote clients such as mobile apps need a new and dedicated security paradigm,” said David Stewart, founder and CEO of Approov. “Because so few organizations deploy protections for APIs that ensure only genuine mobile app instances can connect to backend servers, these APIs are an open door for threat actors and present a real nightmare for vulnerable organizations and their patients.”

The post 100% of Tested mHealth Apps Vulnerable to API Attacks appeared first on HIPAA Journal.

Sharp HealthCare Pays $70,000 to Resolve HIPAA Right of Access Violation

Posted February 15, 2021 by HIPAA Journal

The HHS’ Office for Civil Rights (OCR) has fined Sharp HealthCare $70,000 for failing to provide a patient with timely access to his medical records. This is the sixteenth financial penalty to be agreed with OCR under the HIPAA Right of Access enforcement initiative that was launched in late 2019.

OCR received a complaint from a patient on June 11, 2019 that alleged Sharp Healthcare, doing business as Sharp Rees-Stealy Medical Centers (SRMC), failed to provide him with a copy of his medical records within 30 days, as is required by the HIPAA Privacy Rule.

The patient claimed to have made a request in writing on April 2, 2019 but had not been provided with the requested records after waiting more than 2 months. OCR investigated and provided technical assistance to SRMC on the HIPAA Right of Access provision of the HIPAA Privacy Rule and the requirement to send medical records to a third party if requested by a patient. OCR closed the complaint on June 25, 2019.

The same patient filed a second complaint with OCR on August 19, 2019 when the requested medical records had still not been provided. The complainant finally received the requested records on October 15, 2019, more than 6 months after the record request was initially made.

OCR determined the long delay in providing the requested records was in violation of 45 C.F.R. § 164.524 and the HIPAA violation warranted a financial penalty. Had the records been provided in a timely manner after receiving technical assistance, a financial penalty could have been avoided.

In addition to paying the $70,000 penalty, Sharp HealthCare has agreed to adopt a corrective action plan and will be monitored closely for compliance by OCR for 2 years. The corrective action plan requires Sharp HealthCare to develop, maintain, and revise, as necessary, policies and procedures covering patient requests for access to their medical records and training must be provided to the workforce on individuals’ right to access their own PHI.

In an announcement about the latest settlement, Acting OCR Director Robinsue Frohboese said, “Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right.”

The post Sharp HealthCare Pays $70,000 to Resolve HIPAA Right of Access Violation appeared first on HIPAA Journal.

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information