Latest HIPAA News

Sharp HealthCare Pays $70,000 to Resolve HIPAA Right of Access Violation

Posted by HIPAA Journal

The HHS’ Office for Civil Rights (OCR) has fined Sharp HealthCare $70,000 for failing to provide a patient with timely access to his medical records. This is the sixteenth financial penalty to be agreed with OCR under the HIPAA Right of Access enforcement initiative that was launched in late 2019.

OCR received a complaint from a patient on June 11, 2019 that alleged Sharp Healthcare, doing business as Sharp Rees-Stealy Medical Centers (SRMC), failed to provide him with a copy of his medical records within 30 days, as is required by the HIPAA Privacy Rule.

The patient claimed to have made a request in writing on April 2, 2019 but had not been provided with the requested records after waiting more than 2 months. OCR investigated and provided technical assistance to SRMC on the HIPAA Right of Access provision of the HIPAA Privacy Rule and the requirement to send medical records to a third party if requested by a patient. OCR closed the complaint on June 25, 2019.

The same patient filed a second complaint with OCR on August 19, 2019 when the requested medical records had still not been provided. The complainant finally received the requested records on October 15, 2019, more than 6 months after the record request was initially made.

OCR determined the long delay in providing the requested records was in violation of 45 C.F.R. § 164.524 and the HIPAA violation warranted a financial penalty. Had the records been provided in a timely manner after receiving technical assistance, a financial penalty could have been avoided.

In addition to paying the $70,000 penalty, Sharp HealthCare has agreed to adopt a corrective action plan and will be monitored closely for compliance by OCR for 2 years. The corrective action plan requires Sharp HealthCare to develop, maintain, and revise, as necessary, policies and procedures covering patient requests for access to their medical records and training must be provided to the workforce on individuals’ right to access their own PHI.

In an announcement about the latest settlement, Acting OCR Director Robinsue Frohboese said, “Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right.”

The post Sharp HealthCare Pays $70,000 to Resolve HIPAA Right of Access Violation appeared first on HIPAA Journal.

Renown Health Pays $75,000 to Settle HIPAA Right of Access Case

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) is continuing to crackdown on noncompliance with the HIPAA Right of Access. This week, OCR announced its fifteenth settlement to resolve a HIPAA Right of Access enforcement action.

Renown Health, a not-for-profit healthcare network in Northern Nevada, agreed to settle its HIPAA case with OCR to resolve potential violations of the HIPAA Right of Access and has agreed to pay a financial penalty of $75,000.

OCR launched an investigation after receiving a complaint from a Renown Health patient who had not been provided with an electronic copy of her protected health information. In January 2019, the patient submitted a request to Renown Health and asked for her medical and billing records to be sent to her attorney. After waiting more than a month for the records to be provided, the patient filed a complaint with OCR. It took Renown Health until December 27, 2019 to provide the requested records, almost a year after the initial request was made.

The HIPAA Privacy Rule (45 C.F.R. § 164.524) requires medical records to be provided to individuals within 30 days of a request being made. OCR determined that the delay in providing the requested records was in violation of this Privacy Rule provision.

In addition to paying the financial penalty, Renown Health has agreed to adopt a corrective action plan that requires written policies and procedures to be developed, maintained, and revised, as necessary, covering the HIPAA Right of Access. Training must be provided to the workforce on the policies and procedures, and a sanctions policy must be implemented and applied when workforce members fail to comply with the policies and procedures. OCR will monitor Renown Health for compliance with the HIPAA Right of Access for 2 years.

“Access to one’s health records is an essential HIPAA right and health care providers have a legal obligation to their patients to provide access to their health information on a timely basis,” said Acting OCR Director Robinsue Frohboese.

The settlement is the third to be announced by OCR in 2021 and follows a $200,000 settlement with Banner Health for similar HIPAA Right of Access violations and a $5,100,000 settlement with Excellus Health Plan to resolve multiple HIPAA violations that contributed to a 2015 data breach of 9,358,891 records.

The post Renown Health Pays $75,000 to Settle HIPAA Right of Access Case appeared first on HIPAA Journal.

Feds Release Ransomware Fact Sheet

Posted by HIPAA Journal

A ransomware factsheet has been released by the National Cyber Investigative Joint Task Force (NCIJTF) to raise awareness of the threat of ransomware attacks and provide insights that can be leveraged to prevent and mitigate attacks.

The fact sheet was developed by an interagency group of more than 15 government agencies and is primarily intended for use by police and fire departments, state, local, tribal and territorial governments, and critical infrastructure entities. The factsheet was released as part of the “Reduce the Risk of Ransomware Campaign” launched by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) in January 2021.

The fact sheet explains the impact ransomware attacks have had on the public sector, provides information on U.S. government efforts to combat ransomware threats, and details the most common methods used by threat actors to gain access to networks to deploy ransomware payloads: Phishing emails, Remote Desktop Protocol (RDP) vulnerabilities, and software vulnerabilities.

Phishing emails contain either a malicious link or file attachment. If the user opens the attachment or visits the link, code is executed which downloads a malicious payload. That payload may be ransomware or another malware variant which will ultimately be used to deliver ransomware. A recent report from Coveware has revealed phishing emails are now the most common method of ransomware delivery, overtaking the exploitation of RDP vulnerabilities.

Exploitation of RDP vulnerabilities is also common. RDP allows remote workers to access resources and data over the Internet. Brute force tactics are often used to guess weak passwords and stolen credentials are purchased on darknet marketplaces that allow the attackers to remotely access systems and deploy malware or ransomware. While less common, vulnerabilities in software are also exploited to gain control of victim systems and deploy ransomware.

Many of the recent ransomware campaigns have been highly sophisticated and targeted. While it is not possible to eliminate risk entirely, most ransomware attacks can be prevented by following cybersecurity best practices.

NCIJTF suggests:

  1. Backing up data, testing backups, and ensuring a copy is stored securely offline.
  2. Implementing multifactor authentication.
  3. Updating software and patching all systems.
  4. Ensuring security solutions such as antivirus software are kept up to date.
  5. Creating, reviewing, and testing an incident response plan.

The ransomware fact sheet can be accessed on this link.

Further information on preventing and mitigating ransomware attacks can be found here (CISA).

The post Feds Release Ransomware Fact Sheet appeared first on HIPAA Journal.

Public Health Emergency Privacy Act Introduced to Ensure Privacy and Security of COVID-19 Data

Posted by HIPAA Journal

On January 28, 2021, democratic senators introduced the Public Health Emergency Privacy Act to protect the privacy of Americans and ensure data security measures are applied to protect COVID-19 related health data collected for public health purposes.

The Public Health Emergency Privacy Act was introduced by Sens. Mark Warner, D-Va., Richard Blumenthal, D-Conn. and U.S. representatives Anna Eshoo, D-CA., Jan Schakowsky, D-IL., and Suzan DelBene, D-WA and requires strong and enforceable privacy and data security rights for health information to be set.

“Technologies like contact tracing, home testing, and online appointment booking are absolutely essential to stop the spread of this disease, but Americans are rightly skeptical that their sensitive health data will be kept safe and secure,” said Sen. Blumenthal. “Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19.”

The Public Health Emergency Privacy Act will ensure strict privacy protections are implemented to ensure any health data collected for public health purposes will only ever be used to achieve the public health purpose for which it was collected.

The Public Health Emergency Privacy Act restricts the use of data collected for public health purposes to public health uses, prohibits the use of the data for discriminatory, unrelated, or intrusive purposes, and prevents government agencies that play no role in public health from misusing the data.

The Act requires data security and data integrity protections to be applied to safeguard health data, for the data collected to be restricted to the minimum necessary information to achieve the purpose for which it is collected and requires tech firms to ensure the data is deleted once the public health emergency is over.

Americans’ voting rights are protected by not permitting conditioning the right to vote on any medical condition or use of contact tracing apps. The Act will also give Americans control over participation in public health efforts by ensuring transparency and requiring opt-in consent. The Act also requires regular reports on the impact of digital collection tools on civil rights.

The Public Health Emergency Privacy Act will not supersede the requirements of HIPAA, the Privacy Act of 1974, or federal and state medical record retention and health information privacy regulations.

“Strong privacy protections for COVID health data will only be more vital as we move forward with vaccination efforts and companies begin experimenting with things like ‘immunity passports’ to gate access to facilities and services,” said Sen. Warner. “Absent a clear commitment from policymakers to improving our health privacy laws, as this important legislation seeks to accomplish, I fear that creeping privacy violations and discriminatory uses of health data could become the new status quo in health care and public health.”

This is not the first time legislation of this nature has been proposed. A similar bill was introduced in 2020, but it failed to win congressional support.

The post Public Health Emergency Privacy Act Introduced to Ensure Privacy and Security of COVID-19 Data appeared first on HIPAA Journal.

OIG: Two VA Employees Concealed Privacy and Security Risks of a Big Data Project

Posted by HIPAA Journal

Two members of the Department of Veteran Affairs’ (VA) information technology staff are alleged to have made false representations about the privacy and security risks of a big data AI project between the VA and a private company that would have seen the private and confidential health data of tens of millions of veterans fed into the AI system.

An administrative investigation was conducted by the VA Office of Inspector General (OIG) into a potential conflict of interest related to a cooperative research and development agreement (CRADA) between the VA and a private company in 2016.

The purpose of the collaboration was to improve the health and wellness of veterans using AI and deep learning technology developed by Flow Health. The project aimed to identify common elements that make people susceptible to disease, identify potential treatments and possible side effects to inform care decisions and to improve the accuracy of diagnoses.

The CRADA would have resulted in the private and confidential health data, including genomic data, of all veterans who had received medical treatment at the VA being provided to Flow Health. The deal was brought to the attention of senior VA IT leaders in November 2016 following media coverage of the deal after Flow Health issued a press release announcing the new initiative.

The CRADA had been approved but was unilaterally terminated in December 2016 before any veteran data was transferred. The VA’s IT leaders requested the OIG conduct an investigation into potential conflicts of interest between the two employees and Flow Health in December 2016.

The CRADA would have seen private and confidential health data provided to Flow Health for 5 years. According to Flow Health, the project would see the company build “the world’s largest knowledge graph of medicine and genomics from over 30 petabytes of longitudinal clinical data drawn from VA records on 22 million veterans spanning over 20 years,” and that the project with the VA was “a watershed moment for deep learning in healthcare.” To protect the privacy of veterans, Flow Health said it would de-identify all patient data during analysis.

One of the VA employees worked as an Office of IT program manager and the other as a Veterans Health Administration health system specialist at the VHA central office. OIG investigated whether either of the employees had any financial conflicts of interest related to the deal with Flow Health, and while no financial conflicts of interest were found, OIG did discover the employees concealed material information about the privacy and security risks of the project and made misrepresentations about the risks which led to the project being approved under false pretenses.

In the report, False Statements and Concealment of Material Information by VA Information Technology Staff, OIG said the VA official tasked with approving or rejecting the proposed project requested the employees provide an explanation of the cybersecurity implications of the Flow Health project.

OIG said the two employees concealed information from the VA official and did not divulge that subject matter experts had raised significant privacy and security concerns about the project. The two employees also made false statements to the VA official about the status of privacy and security reviews, indicating they have been conducted and all issues had been addressed. They also advocated the VA official execute the contract with Flow Health.

The OIG referred the matter to the Department of Justice, which declined to prosecute the two employees. The OIG recommended the VA determine whether administrative actions should be taken over the employees’ conduct, and the VA concurred with the recommendation.

The post OIG: Two VA Employees Concealed Privacy and Security Risks of a Big Data Project appeared first on HIPAA Journal.

Multinational Law Enforcement Operation Takes Down the Emotet Botnet

Posted by HIPAA Journal

Europol has announced the notorious Emotet Botnet has been taken down as part of a multinational law enforcement operation. Law enforcement agencies in Europe, the United States, and Canada took control of the Emotet infrastructure, which is comprised of hundreds of servers around the world.

The Emotet botnet was one of the most prolific malware botnets of the last decade and the Emotet Trojan was arguably the most dangerous malware variant to emerge in recent years. The Emotet operators ran one of the most professional and long-lasting cybercrime services and was one of the biggest players in the cybercrime world. Around 30% of all malware attacks involved the Emotet botnet.

The Emotet Trojan was first identified in 2014 and was initially a banking Trojan, but the malware evolved into a much more dangerous threat and became the go-to solution for many cybercriminal operations. The Emotet Trojan acted as a backdoor into computer networks and access was sold to other cybercriminal gangs for data theft, malware distribution, and extortion, which is what made the malware so dangerous. Emotet was used to deliver TrickBot and QakBot, which in turn were used to deliver ransomware variants such as Ryuk, Conti, Egregor, and ProLock.

Once a device was infected with the Emotet Trojan it would be added to the botnet and used to infect other devices. Emotet could spread laterally across networks and hijacked email accounts to send copies of itself to contacts. The Emotet gang took phishing to the next level and their campaigns were highly successful. A wide range of lures were used to maximize the chance of the emails being opened and the malware installed. Emotet also hijacked message threads and inserted itself into email conversations to increase the chance of malicious attachments being opened.

The law enforcement operation was planned for around 2 years and was a collaborative effort between authorities in the Netherlands, Germany, France, Lithuania, Canada, Ukraine, the United States, and the United Kingdom, with the operation coordinated by Europol and Eurojust.

The infrastructure used to control the botnet was spread across hundreds of servers, each of which performed different functions and were used to manage infected computers, distribute copies of the Emotet Trojan, exfiltrate data, and provide services to other cybercrime groups. The Emotet gang had also built resiliency into its infrastructure to prevent any takedown attempts.

In order to takedown the infrastructure and prevent any attempts at restoration, the operation was coordinated and saw law enforcement agencies take control of servers simultaneously from the inside. The servers are now under the control of law enforcement and a module that uninstalls the malware is already being distributed. Europol says the malware will be uninstalled from infected devices on March 25, 2021 at 12:00.

In addition to severely disabling the operation, several members of the Emotet gang in Ukraine suspected of running the botnet have been arrested and other arrests are expected to follow.

The post Multinational Law Enforcement Operation Takes Down the Emotet Botnet appeared first on HIPAA Journal.

Ransomware Attacks Account for Almost Half of Healthcare Data Breaches

Posted by HIPAA Journal

A new report published by Tenable has revealed almost half of all healthcare data breaches are the result of ransomware attacks, and in the majority of cases the attacks were preventable.

According to the Tenable Research 2020 Threat Landscape Retrospective Report, 730 data breaches were reported across all industry sectors in the first 10 months of 2020 and more than 22 billion records were exposed. 8 million of those records were exposed in healthcare data breaches.

Healthcare registered the highest number of data breaches of any industry sector between January and October 2020, accounting for almost a quarter (24.5%) of all reported data breaches, ahead of technology (15.5%), education (13%), and the government (12.5%).

Due to the high number of healthcare data breaches, Tenable researchers analyzed those breaches to identify the main causes and found that ransomware attacks accounted for 46.4% of all reported data breaches, followed by email compromise attacks (24.6%), insider threats (7.3%), app misconfigurations (5.6%) and unsecured databases (5%). Across all industry sectors, ransomware attacks accounted for 35% of data breaches and 14.4% of breaches were due to email compromises, which shows the healthcare industry is particularly vulnerable to these types of attacks.

While no healthcare organization is immune to ransomware attacks, in the most part these attacks can be prevented. One of the most common ways for ransomware gangs to gain access to healthcare networks is the exploitation of vulnerabilities in Virtual Private Network (VPN) solutions. The two vulnerabilities most commonly exploited by ransomware gangs are the CVE-2019-19781 vulnerability in the Citrix ADC controller, which affects gateway hosts, and the CVE-2019-11510 vulnerability in Pulse Connect Secure.

Patches to correct both of these vulnerabilities were released in early 2020, yet many organizations were slow to apply the patches and correct the flaws, which gave threat actors an easy way to gain a foothold in networks, access and exfiltrate sensitive data, and deploy ransomware.

“As the attack surface expands, vulnerability management has a central role to play in modern cybersecurity strategies. Unpatched vulnerabilities leave sensitive data and critical business systems exposed, and represent lucrative opportunities for ransomware actors,” said Renaud Deraison, co-founder and chief technology officer at Tenable.

Many organizations continue to use server software that is no longer supported, and ransomware gangs often target vulnerabilities in outdated server software. Ransomware gangs also exploit vulnerabilities in RDP and use brute force tactics to guess weak passwords.

It can be difficult for healthcare organizations to change software solutions and operating systems that are approaching end of life, but it is vital to upgrade to solutions that have active support or ensure that any software that is no longer supported is isolated and those systems cannot be accessed remotely. Locking down RDP and enforcing the use of strong passwords will also help to prevent ransomware attacks.

It is also important to address the second highest cause of healthcare data breaches. Email security solutions will prevent the majority of email attacks, but security awareness training for employees should also be provided regularly. One of the most important steps to take is to implement multi-factor authentication on all email accounts. It is often only after experiencing a phishing attack that healthcare organizations implement multi-factor authentication, but by being proactive, email account breaches can be prevented.

In a summer 2020 blog post, Microsoft explained that multi-factor authentication is the most important security solution to apply to block phishing attacks and will prevent 99.9% of attacks on email accounts.

The post Ransomware Attacks Account for Almost Half of Healthcare Data Breaches appeared first on HIPAA Journal.

At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020

Posted by HIPAA Journal

Ransomware attacks have had a massive impact on businesses and organizations in the United States, and 2020 was a particularly bad year. The healthcare industry, education sector, and federal, state, and municipal governments and agencies have been targeted by ransomware gangs and there were at least 2,354 attacks on these sectors in 2020, according to the latest State of Ransomware report from the New Zealand-based cybersecurity firm Emsisoft.

The number of ransomware attacks increased sharply toward the end of 2019, and while the attacks slowed in the first half of 2020, a major coordinated campaign was launched in September when attacks dramatically increased and continued to occur in large numbers throughout the rest of the year.

In 2020 there were at least 113 ransomware attacks on federal, state, and municipal governments and agencies, 560 attacks on healthcare facilities in 80 separate incidents, and 1,681 attacks on schools, colleges, and universities.

These attacks have caused significant financial harm and in some cases the disruption has had life threatening consequences. Healthcare services have had to be suspended, ambulances have been redirected to alternative facilities, 911 services have been interrupted, medical appointments have been postponed and test results have been delayed. “The fact that there were no ransomware-related deaths in the US last year was simply due to good luck. Security needs to bolstered across the public sector before that luck runs out and lives are lost,” said Fabian Wosar, CTO, Emsisoft.

One of the most damaging attacks was on Universal Health Services, a health system that operates more than 400 hospitals and healthcare facilities in the United States. The attack affected all its locations and caused considerable disruption. An attack on the University of Vermont Health Network forced systems offline, including its EHR system. Several hospital systems remained out of action for several weeks after the attack. The ransomware attack cost the health system around $1.5 million a day in additional expenses and lost revenue while it recovered. “Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover,” said Gus Genter, CIO, Winnebago County, who was quoted in the report.

It has become increasingly common for ransomware threat actors to steal sensitive data prior to file encryption and for threats to be issued to publish or sell the stolen data if the ransom is not paid. This tactic was first adopted by the Maze ransomware gang, but many other threat groups have now adopted the same tactic. Emsisoft said only the Maze ransomware gang was exfiltrating data prior to file encryption at the start of 2020, but now at least 17 other threat groups are stealing data and publishing it on leak sites if the ransom is not paid.

In some cases, even payment of the ransom does not guarantee the stolen data will be deleted. Several ransomware gangs, including Sodinokibi (REvil), Netwalker, and Mespinoza are known to have leaked stolen data even after the ransom was paid.

Emsisoft notes that in the first half of 2020, only one of the 60 ransomware attacks on federal, state, county, and municipal governments and agencies resulted in stolen data being leaked; however, in the second half of the year, 23 out of the 53 attacks saw stolen data released on leak sites. At least 12 healthcare organizations that were attacked with ransomware had sensitive data stolen and leaked online.

2020 was clearly a bad year, but there is little to suggest 2021 will be any better. Ransomware attacks are likely to continue at pace and may even increase. “Unless significant action is taken, we anticipate 2021 being another banner year for cybercriminals,” explained Emsisoft in the report.

The post At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020 appeared first on HIPAA Journal.

OCR Announces Enforcement Discretion Regarding Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination Appointments

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has announced it will be exercising enforcement discretion and will not impose financial penalties on HIPAA-covered entities or their business associates for violations of the HIPAA Rules in connection with the good faith use of online or web-based scheduling applications (WBSAs) for scheduling individual appointments for COVID-19 vaccinations.

The notice of enforcement discretion applies to the use of WBSAs for the limited purpose of scheduling individual appointments for COVID-19 vaccinations during the COVID-19 public health emergency. The notification is effectively immediately, is retroactive to December 11, 2020, and will remain in effect for the duration of the COVID-19 nationwide public health emergency.

A WBSA is a non-public facing online or web-based application that allows individual appointments to be scheduled in connection with large scale COVID-19 vaccination. The purpose of a WBSA is to allow covered healthcare providers to rapidly schedule large numbers of appointments for COVID-19 vaccinations.

A WBSA, and the data created, received, maintained, or transmitted by the WBSA, should only be accessible to the intended parties, such as the healthcare provider or pharmacy providing the vaccinations, an authorized person scheduling appointments, or a WBSA workforce member that requires access to the solution and/or data for providing technical support.

The notice of enforcement discretion does not apply to an appointment scheduling application that connects directly to electronic health record (EHR) systems.

A WBSA may not meet all requirements of the HIPAA Rules and would therefore not be permitted for use in connection with electronic protected health information (ePHI) under normal circumstances. It is also possible that the vendor of a WBSA may not be aware that their solution is being used by healthcare providers in connection with ePHI, which would see the vendor classified as a business associate under HIPAA.

While the notice of enforcement discretion is in effect, OCR will not impose penalties against HIPAA covered entities, their business associates, and WBSA vendors that meet the definition of business associate under the HIPAA Rules for good faith uses of WBSAs for scheduling COVID-19 vaccination appointments.

While penalties will not be imposed, OCR encourages the use of reasonable safeguards to protect the privacy of individuals and the security of ePHI. That means the ePHI collected and entered into the WBSA should be limited to the minimum necessary information, encryption technology should be used if available, and all privacy settings should be enabled. That includes adjusting the calendar display to hide names or only show initials. If a vendor stores ePHI, the storage should only be temporary and ePHI should be destroyed no later than 30 days after the appointment. The WBSA vendor should be instructed not to disclose any ePHI in a manner inconsistent with the HIPAA Rules.

These reasonable safeguards are encouraged by OCR. “Failure to implement the recommended reasonable safeguards above will not, in itself, cause OCR to determine that a covered health care provider or its business associate failed to act in good faith for purposes of this Notification,” explained OCR in the notification.

Bad faith uses are not covered by the notification include:

  1. Use of a WBSA where the vendor prohibits its use for scheduling healthcare services.
  2. Using the WBSA for scheduling appointments other than COVID-19 vaccinations.
  3. Using a solution that does not have access controls to limit access to ePHI to authorized individuals.
  4. Screening individuals for COVID-19 prior to in-person healthcare visits.
  5. Use of public-facing WBSAs.

“OCR is using all available means to support the efficient and safe administration of COVID-19 vaccines to as many people as possible,” said March Bell, Acting OCR Director.

The post OCR Announces Enforcement Discretion Regarding Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination Appointments appeared first on HIPAA Journal.