Latest HIPAA News

CISA Launches SolarWinds Supply Chain Compromise Website and Free Malicious Activity Detection Tool

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has launched a website providing resources related to the ongoing cyber activities of the advanced persistent threat (APT) group responsible for compromising the SolarWinds Orion software supply chain.

The threat actors behind the attack gained access to the networks of federal, state, and local governments, critical infrastructure entities, and private sector organizations around the world. In addition to compromising the software update mechanism of SolarWinds Orion, the hackers also exploited vulnerabilities in commonly used authentication mechanisms to gain persistent access to networks.

According to Microsoft, the main goal of the attackers appears to be to gain persistent local access to networks by delivering the Sunburst/Solarigate backdoor, then pivot to victims’ cloud assets. Recently it has become clear that more than one threat group is conducting cyber espionage after the discovery of a different malware variant that was introduced through the SolarWinds Orion software update feature. Microsoft and Palo Alto Networks believe the second malware variant, named Supernova, is not associated with the group that deployed the Sunburst/Solarigate backdoor.

Several resources have already been published to help organizations assess the risk associated with the cyber activity and detect and mitigate potential breaches and eliminate the threat actors from their networks. The new website pools the resources and provides easy access to pertinent information on this global incident. The website will be regularly updated as new information becomes available as the investigations into the cyber activity continue.

The APT actor has compromised the networks of a large number of entities and is selectively choosing targets of interest for further network exploitation, but any organization that has installed the compromised software updates is at risk if corrective action is not taken.

It is important for all organizations that use SolarWinds Orion to take action to investigate for signs of compromise. As CISA explained in its latest alert, “If left unchecked, this threat actor has the resources, patience, and expertise to resist eviction from compromised networks and continue to hold affected organizations at risk.” CISA also points out that even if entities have not installed the compromised SolarWinds Orion update, that does not necessarily mean they will not be affected. Their managed service providers and partners may have been compromised, which could give the APT actor access to their networks.

The website includes a link to a free tool that has been released by CISA for detecting unusual and potentially malicious activity in Azure/Microsoft Office 365 environments. The new tool provides a narrowly focused view of activity related to the identity- and authentication-based attacks that have been observed across a wide range of sectors following the deployment of the Sunburst/Solarigate backdoor.

The tool – named Sparrow – can be used to narrow down large volumes of audit and telemetry data to the records relevant to attacks on federated identity sources and applications.
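What “narrowing telemetry to attacks on federated identity sources and applications” looks like in practice, as an added example written for this page and not Sparrow’s own code (Sparrow is a PowerShell script; this is a Python sketch of the same triage step over exported records). It assumes audit records in the JSON shape of the AuditData field returned by Search-UnifiedAuditLog, and that the Operation strings “Set federation settings on domain.”, “Set domain authentication.” and “Add service principal credentials.” are the ones that mark a federation trust change and a new application credential. The records, actors, IP addresses, application names and issuer URIs are all constructed.

```python
import json
from collections import defaultdict

# Operation strings (assumed to match the Operation field of Azure AD / Office 365
# unified audit log records) that change a federation trust or add credentials to an app.
FEDERATION_OPS = {"Set federation settings on domain.", "Set domain authentication."}
APP_CREDENTIAL_OPS = {"Add service principal credentials."}

# Issuer URIs the tenant legitimately federates with (constructed allowlist).
KNOWN_ISSUERS = {"http://adfs.example.org/adfs/services/trust"}

# Constructed records, one per line, in the JSON shape of the AuditData field that
# Search-UnifiedAuditLog returns. Actors, addresses, app names and URIs are invented.
SAMPLE_AUDIT_DATA = [json.dumps(r) for r in [
    {"CreationTime": "2020-12-10T02:14:09", "Operation": "Set federation settings on domain.",
     "UserId": "svc-admin@example.org", "ClientIP": "203.0.113.7",
     "ModifiedProperties": [{"Name": "IssuerUri",
                             "OldValue": "http://adfs.example.org/adfs/services/trust",
                             "NewValue": "http://sts.203-0-113-7.example.net/trust"}]},
    {"CreationTime": "2020-12-10T02:20:41", "Operation": "Add service principal credentials.",
     "UserId": "svc-admin@example.org", "ClientIP": "203.0.113.7",
     "Target": [{"ID": "graph-sync-app"}]},
    {"CreationTime": "2020-12-10T08:02:00", "Operation": "UserLoggedIn",
     "UserId": "alice@example.org", "ClientIP": "198.51.100.20"},
    {"CreationTime": "2020-12-11T09:30:00", "Operation": "Add service principal credentials.",
     "UserId": "alice@example.org", "ClientIP": "198.51.100.20",
     "Target": [{"ID": "reporting-app"}]},
    # Re-saving the existing trust: same issuer before and after, so not a finding.
    {"CreationTime": "2020-12-11T10:00:00", "Operation": "Set federation settings on domain.",
     "UserId": "svc-admin@example.org", "ClientIP": "203.0.113.7",
     "ModifiedProperties": [{"Name": "IssuerUri",
                             "OldValue": "http://adfs.example.org/adfs/services/trust",
                             "NewValue": "http://adfs.example.org/adfs/services/trust"}]},
]]


def parse_audit_data(lines):
    """Each line is one AuditData JSON document."""
    return [json.loads(line) for line in lines]


def triage_identity_changes(records, known_issuers):
    """Keep only what identity-focused triage cares about: federation trust changes
    pointing at an issuer we do not recognise, and new credentials on applications."""
    findings = []
    for r in records:
        op = r.get("Operation", "")
        base = {"time": r.get("CreationTime"), "actor": r.get("UserId"), "ip": r.get("ClientIP")}
        if op in FEDERATION_OPS:
            for prop in r.get("ModifiedProperties", []):
                new = prop.get("NewValue")
                if prop.get("Name") == "IssuerUri" and new not in known_issuers:
                    findings.append(dict(base, severity="high", category="federation-change",
                                         detail=f"IssuerUri changed to {new}"))
        elif op in APP_CREDENTIAL_OPS:
            targets = ", ".join(t.get("ID", "?") for t in r.get("Target", []))
            findings.append(dict(base, severity="medium", category="app-credential-added",
                                 detail=f"credential added to {targets or 'unknown app'}"))
    return findings


def actors_with_both(findings):
    """Actors that both re-pointed a federation trust and added application credentials
    are the leads to work first; returned sorted for stable output."""
    cats = defaultdict(set)
    for f in findings:
        cats[f["actor"]].add(f["category"])
    wanted = {"federation-change", "app-credential-added"}
    return sorted(actor for actor, c in cats.items() if wanted <= c)


if __name__ == "__main__":
    found = triage_identity_changes(parse_audit_data(SAMPLE_AUDIT_DATA), KNOWN_ISSUERS)
    for f in found:
        print(f"{f['severity']:6} {f['time']} {f['actor']:24} {f['ip']:15} {f['detail']}")
    print("work first:", actors_with_both(found))
```

Against a real export, replace SAMPLE_AUDIT_DATA with the AuditData column of the Search-UnifiedAuditLog output and KNOWN_ISSUERS with the issuer URIs of your own AD FS or other federation servers; a federation change whose new issuer is not on that list should be treated as an incident until proven otherwise.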

The post CISA Launches SolarWinds Supply Chain Compromise Website and Free Malicious Activity Detection Tool appeared first on HIPAA Journal.

OCR Announces its 19th HIPAA Penalty of 2020

The Department of Health and Human Services’ Office for Civil Rights (OCR) has settled a HIPAA Right of Access compliance case with Peter Wrobel, M.D., P.C., doing business as Elite Primary Care.

Elite Primary Care is a provider of primary health services in Georgia. OCR launched a compliance investigation following receipt of a complaint on April 22, 2019 from an Elite Primary Care patient, who alleged he had been denied access to his health records. OCR contacted the practice and provided technical assistance on the HIPAA Right of Access on May 2, 2019. OCR advised the practice to review the facts of the request and provide access to the requested records if the request met the requirements of the HIPAA Privacy Rule.

The patient subsequently submitted a request for access in writing which was received by the practice on June 5, 2019. The patient filed a second complaint with OCR on October 9, 2019, as the practice continued to deny him access to his requested records.

Elite Primary Care sent the patient’s medical records to his new healthcare provider on November 21, 2019 and provided the patient with a copy of those records on May 8, 2020.

OCR concluded the delay in providing the patient with a copy of his requested records was in violation of the HIPAA Right of Access (45 C.F.R. § 164.524).

Under the terms of the settlement, Elite Primary Care will pay a financial penalty of $36,000 and adopt a corrective action plan that includes developing, implementing, maintaining, and revising, as necessary, written policies and procedures related to the HIPAA Right of Access provision of the HIPAA Privacy Rule. Once those policies and procedures have been checked by OCR, training will be provided to relevant members of its workforce.

The settlement was agreed with no admission of liability. OCR will monitor Elite Primary Care for 2 years to ensure continued compliance.

This is the thirteenth settlement to be announced by OCR under its HIPAA Right of Access enforcement initiative and the nineteenth HIPAA financial penalty to be announced in 2020.

“OCR created the Right of Access Initiative to address the many instances where patients have not been given timely access to their medical records. Health care providers, large and small, must ensure that individuals get timely access to their health records, and for a reasonable cost-based fee,” said OCR Director Roger Severino.


November 2020 Healthcare Data Breach Report

For the second successive month, the number of reported healthcare data breaches has fallen; however, it should be noted that the number of breaches reported in October 2020 was almost three times the average monthly number due, in a large part, to the ransomware attack on the cloud service provider Blackbaud.

November saw 47 data breaches of 500 or more healthcare records reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and business associates, 25.39% fewer than October. Even with that reduction, breaches are still well above the 12-month average of 41 data breaches a month (Median = 38 breaches).

 

The number of healthcare records exposed in healthcare data breaches similarly fell for the second successive month. In November, 1,139,151 healthcare records were exposed or impermissibly disclosed, a 54.73% fall from October. The average number of monthly breached healthcare records over the past 12 months is 1,885,959 records and the median is 1,101,902 records.

Exposed healthcare records past 12 months

Largest Healthcare Data Breaches Reported in November 2020

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause
AspenPointe, Inc. | CO | Healthcare Provider | 295,617 | Hacking/IT Incident | Ransomware attack
Lawrence General Hospital | MA | Healthcare Provider | 176,587 | Hacking/IT Incident | Unspecified data security incident
Alamance Skin Center | NC | Healthcare Provider | 100,000 | Loss | Ransomware attack
Mercy Iowa City | IA | Healthcare Provider | 92,795 | Hacking/IT Incident | Phishing
Bayhealth Medical Center, Inc. | DE | Healthcare Provider | 78,006 | Hacking/IT Incident | Blackbaud ransomware attack
Tufts Health Plan | MA | Health Plan | 60,545 | Hacking/IT Incident | Phishing attack on vendor
Bruce L. Boros, M.D., P.A. DBA Advanced Urgent Care | FL | Healthcare Provider | 58,823 | Unauthorized Access/Disclosure | Ransomware attack
Methodist Hospital of Southern California | CA | Healthcare Provider | 39,881 | Hacking/IT Incident | Blackbaud ransomware attack
One Touch Point | WI | Business Associate | 28,658 | Unauthorized Access/Disclosure | Unknown
People Incorporated | MN | Healthcare Provider | 27,500 | Hacking/IT Incident | Phishing
Chesapeake Regional Healthcare | VA | Healthcare Provider | 24,000 | Hacking/IT Incident | Blackbaud ransomware attack
Seeley Enterprises Company | OH | Healthcare Provider | 16,196 | Hacking/IT Incident | Ransomware attack
Golden Gate Regional Center | CA | Business Associate | 11,315 | Hacking/IT Incident | Ransomware attack
Galstan & Ward Family and Cosmetic Dentistry | VA | Healthcare Provider | 10,759 | Hacking/IT Incident | Ransomware attack
Kaiser Foundation Health Plan of Georgia, Inc. | GA | Health Plan | 10,205 | Unauthorized Access/Disclosure | Unknown

Causes of November 2020 Healthcare Data Breaches

Hacking/IT incidents continue to dominate the breach reports, both in terms of the number of breaches and the number of breached records. There were 23 hacking/IT incidents reported in November – 48.94% of all breaches reported in the month. 867,983 records were exposed or stolen in those breaches – 76.2% of all records breached in November. The average breach size was 37,738 records and the median breach size was 8,000 records.

There were 19 data breaches classed as unauthorized access/disclosure incidents – 40.43% of the month’s data breaches. 166,115 healthcare records were improperly accessed or impermissibly disclosed in those incidents – 14.58% of the breached records in November. The average breach size was 8,743 records and the median breach size was 3,557 records.

There were 4 loss/theft incidents (2 loss, 2 theft) reported in November – 8.51% of the month’s breaches – involving 103,053 healthcare records, 9.05% of the records breached in November. The average breach size was 25,763 records and the median breach size was 1,265 records. There was also one incident involving the improper disposal of paperwork that contained the PHI of an estimated 2,000 individuals.

 

The chart below shows the location of breached protected health information. Up until September 2020, email was the most common location of breached patient data, with the majority of those breaches the result of phishing attacks. That changed in September due to the ransomware attack on Blackbaud. Entities impacted by that data breach continue to submit breach reports, albeit at a low level, with network server incidents remaining high due to the healthcare industry continuing to be targeted by ransomware gangs. Phishing attacks continue to be a problem in healthcare, with 13 large data breaches reported involving PHI stored in email accounts.

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity in November. 34 healthcare providers reported data breaches and 6 data breaches were reported by health plans.

7 data breaches were reported by business associates of HIPAA covered entities; however, 16 breaches in total had some business associate involvement, with 9 of those breaches reported by the covered entity.

Healthcare Data Breaches by State

The November data breaches were reported by HIPAA-covered entities and business associates in 23 states and the District of Columbia. Ohio was the worst affected state with 5 breaches reported, followed by Georgia and Maine with 4, and California, Florida, and Texas with 3 breaches.

Two healthcare data breaches of 500 or more records were reported by entities based in Arkansas, Delaware, Illinois, Kentucky, Maryland, Michigan, and Virginia. One breach was reported in each of Alabama, Colorado, Iowa, Idaho, Louisiana, Minnesota, North Carolina, New Mexico, Pennsylvania, Wisconsin, and the District of Columbia.

HIPAA Enforcement Activity in November 2020

There were three HIPAA enforcement actions announced by the HHS’ Office for Civil Rights in November, all of which were part of its HIPAA Right of Access enforcement initiative. OCR announced the new enforcement initiative in 2019 to crack down on healthcare providers that fail to provide patients with timely access to their health records for a reasonable cost-based fee.

In all three cases, the healthcare providers did not provide a copy of the requested records within the 30-day time frame demanded by the HIPAA Privacy Rule.

University of Cincinnati Medical Center settled with OCR and paid a $65,000 penalty, Riverside Psychiatric Medical Group paid a $25,000 penalty, and Dr. Rajendra Bhayani paid a $15,000 penalty. Under this enforcement initiative, OCR has imposed 12 financial penalties on covered entities, 10 of which have been in 2020.


NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS) Ecosystem

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has released final guidance for healthcare delivery organizations on securing the Picture Archiving and Communication System (PACS) ecosystem.

PACS is a medical imaging technology that is used to securely store and digitally transmit medical images such as MRIs, CT scans, and X-rays and associated clinical reports and is ubiquitous in healthcare. These systems eliminate the need to store, send, and receive medical images manually, and assist healthcare delivery organizations by allowing the images to be securely and cheaply stored offsite in the cloud. PACS allows medical images to be easily retrieved using PACS software from any location.

PACS is a system that by design cannot operate in isolation. In healthcare delivery organizations, PACS is usually integrated into highly complex environments and interfaces with many interconnected systems. The complexity of those environments means securing the PACS ecosystem can be a major challenge and it is easy for cybersecurity risks to be introduced that could easily compromise the confidentiality, integrity, and availability of the PACS ecosystem, protected health information (PHI), and any systems to which PACS connects.

In September 2019, a ProPublica report found 187 unprotected servers that were used to store and retrieve medical images. Those servers stored the medical images and associated PHI of more than 5 million patients in the United States. In some cases, the images could be accessed using a standard web browser and viewed using free-to-download software.

This year, the analyst team at CybelAngel scanned approximately 4.3 billion IP addresses worldwide and found 2,140 unprotected servers across 67 countries. Those servers were found to contain more than 45 million medical images. The images carried up to 200 lines of metadata that included personally identifiable information and protected health information. According to the CybelAngel “Full Body Exposure” report, those images could be accessed via the Internet with a standard web browser. In some instances, login portals were present, but accepted blank username and password fields.
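The metadata the ProPublica and CybelAngel findings describe is carried in the header of every DICOM object, so anyone who can reach an exposed server sees the patient identity alongside the pixels. The parser below is an added example written for this page, not code from the original article or from NIST SP 1800-24. It builds a constructed Explicit VR Little Endian DICOM Part 10 file in memory and walks its data elements to pull out the patient-identifying tags. The tag-to-name map is a hand-picked subset of the standard data dictionary, the patient values are invented, the group-length element that real files carry is omitted, and sequences, undefined-length elements and other transfer syntaxes are rejected rather than handled.

```python
import struct

# Hand-picked subset of the DICOM data dictionary: tags whose values are PHI.
PHI_TAGS = {
    (0x0008, 0x0060): "Modality",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
}
TRANSFER_SYNTAX_TAG = (0x0002, 0x0010)
EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"
# VRs whose explicit-VR encoding uses 2 reserved bytes and a 4-byte length field.
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}


def encode_element(group, element, vr, value):
    """Encode one data element in Explicit VR Little Endian."""
    if len(value) % 2:  # values are padded to even length (NUL for UIDs, space otherwise)
        value += b"\x00" if vr == b"UI" else b" "
    header = struct.pack("<HH", group, element) + vr
    if vr in LONG_LENGTH_VRS:
        header += b"\x00\x00" + struct.pack("<I", len(value))
    else:
        header += struct.pack("<H", len(value))
    return header + value


def build_sample_dicom():
    """Constructed Part 10 file: 128-byte preamble, 'DICM', then elements with invented PHI."""
    body = b"".join([
        encode_element(0x0002, 0x0010, b"UI", EXPLICIT_VR_LE.encode()),
        encode_element(0x0008, 0x0060, b"CS", b"MR"),
        encode_element(0x0010, 0x0010, b"PN", b"DOE^JANE"),
        encode_element(0x0010, 0x0020, b"LO", b"MRN-0001"),
        encode_element(0x0010, 0x0030, b"DA", b"19700101"),
    ])
    return b"\x00" * 128 + b"DICM" + body


def parse_dicom_elements(data):
    """Walk an Explicit VR LE Part 10 file; return {(group, element): (vr, raw_value)}."""
    if data[128:132] != b"DICM":
        raise ValueError("missing DICM magic: not a DICOM Part 10 file")
    pos, elements = 132, {}
    while pos + 8 <= len(data):
        group, element = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_LENGTH_VRS:
            if pos + 12 > len(data):
                raise ValueError("truncated element header at offset %d" % pos)
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length element (sequence) not supported here")
        if pos + length > len(data):
            raise ValueError("truncated element value at offset %d" % pos)
        elements[(group, element)] = (vr, data[pos:pos + length])
        pos += length
    return elements


def extract_phi(data):
    """Return the patient-identifying metadata as {name: text}, as an exposed viewer shows it."""
    elements = parse_dicom_elements(data)
    _, ts = elements.get(TRANSFER_SYNTAX_TAG, (None, b""))
    if ts.rstrip(b"\x00") != EXPLICIT_VR_LE.encode():
        raise ValueError("only Explicit VR Little Endian is handled by this example")
    found = {}
    for tag, (_, raw) in elements.items():
        if tag in PHI_TAGS:
            found[PHI_TAGS[tag]] = raw.rstrip(b"\x00 ").decode("ascii")
    return found


if __name__ == "__main__":
    for name, value in extract_phi(build_sample_dicom()).items():
        print(f"{name:18} {value}")
```

The same walk over a real study would also surface accession numbers, referring physician, institution name and study dates, which is why de-identification of PACS exports is a header-rewriting job and not just a matter of stripping the file name.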

NIST released draft guidance on securing the PACS ecosystem shortly after the ProPublica report was published to help healthcare delivery organizations identify cybersecurity risks associated with PACS and implement stronger security controls while minimizing the impact on the availability of PACS and the components it connects to.

The final version of the guidance includes a comprehensive set of cybersecurity standards and best practices to adopt to improve the security of the PACS ecosystem, with the guidance covering asset management, access control, user identification and authentication, data security, security continuous monitoring, and response planning, recovery, and restoration.

“The final practice guide, in addition to incorporating feedback from the public and other stakeholders, builds on the draft guide by adding remote storage capabilities into the PACS architecture. This effort offers a more comprehensive security solution that more closely mirrors real-world HDO networking environments,” explained NIST.

This practice guide can be used by HIPAA covered entities and their business associates to implement current cybersecurity standards and best practices to reduce their cybersecurity risk, while maintaining the performance and usability of PACS.

NIST Cybersecurity Special Publication 1800-24, Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector is available on this link.

The guidance was developed by NIST/NCCoE in collaboration with Cisco, Clearwater Compliance, DigiCert, Forescout, Hyland, Microsoft, Philips, Symantec, TDI Technologies, Tempered Networks, Tripwire, Virtua Labs, and Zingbox.


OCR Issues Guidance on Disclosures of PHI to Health Information Exchanges under HIPAA

The Department of Health and Human Services’ Office for Civil Rights has published new guidance on the Health Insurance Portability and Accountability Act (HIPAA) Rules covering disclosures of protected health information (PHI) to health information exchanges (HIEs) for the public health activities of a public health authority (PHA).

An HIE is an organization that enables the sharing of electronic PHI (ePHI) between more than two unaffiliated entities such as healthcare providers, health plans, and their business associates. HIEs share ePHI for treatment, payment, or healthcare operations, for public health reporting to PHAs, and for providing other functions and services such as patient record location and data aggregation and analysis.

HIPAA supports the use of HIEs and the sharing of health data to improve public health, which has been especially important during the COVID-19 public health emergency. The HIPAA Privacy Rule permits HIPAA-covered entities and their business associates to disclose protected health information to an HIE for reporting to a PHA that is engaged in public health, without requiring prior individual authorization.

Such disclosures are permitted under the following circumstances:

  • When disclosures are required by federal, state, local, or other laws that are enforceable in court
  • When the HIE is acting under a grant of authority or contract with a PHA for a public health activity
  • When the HIE is a business associate of the covered entity or another business associate, and wishes to provide ePHI to a PHA for public health purposes*

*The HIPAA Privacy Rule only permits an HIE which is a business associate of the covered entity or another business associate to disclose ePHI to a PHA for public health purposes if it is expressly stated that they can do so in the business associate agreement (BAA) with the covered entity. However, earlier this year in response to the COVID-19 public health emergency, OCR issued a notice of enforcement discretion stating no action will be taken against a business associate for good faith disclosures of ePHI to a PHA for public health purposes if they are not expressly permitted to disclose ePHI to a PHA in their BAA. In such cases, the business associate must inform the covered entity within 10 calendar days of the disclosure. The notice of enforcement discretion is only valid for the duration of the COVID-19 public health emergency. When the Secretary of the HHS declares the COVID-19 public health emergency over, such disclosures will no longer be permitted unless expressly permitted in the BAA.

Disclosures of ePHI by an HIE to a PHA should be limited to the minimum necessary information to achieve the purpose for the disclosure. A covered entity can rely on a PHA’s request to disclose a summary record to the PHA or HIE as being the minimum necessary PHI to achieve the public health purpose of the disclosure.

A covered entity is permitted by the HIPAA Privacy Rule to disclose ePHI to a PHA through an HIE, even if a direct request for the PHI is not received from the PHA, provided the covered entity knows that the PHA is using the HIE to collect such information, or that the HIE is acting on behalf of the PHA.

While the above disclosures of ePHI for public health purposes do not require authorizations to be obtained from the individuals whose PHI is being disclosed, those individuals must be notified about such disclosures. That can be achieved by stating disclosures of ePHI will occur for public health purposes in the organization’s Notice of Privacy Practices.

You can view the OCR guidance, which includes several examples related to COVID-19, on the HHS website, which can be accessed on this link (PDF).


OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules

The Department of Health and Human Services’ Office for Civil Rights has published its 2016-2017 HIPAA Audits Industry Report, highlighting areas where HIPAA-covered entities and their business associates are complying or failing to comply with the requirements of the Health Insurance Portability and Accountability Act.

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the HHS to conduct periodic audits of HIPAA covered entities and business associates to assess compliance with the HIPAA Rules. Between 2016 and 2017, the HHS conducted its second phase of compliance audits on 166 covered entities and 41 business associates to assess compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules.

The 2016/2017 HIPAA compliance audits were conducted on a geographically representative, broad cross-section of covered entities and business associates and consisted of desk audits – remote reviews of HIPAA documentation – rather than on-site audits. All entities have since been notified of the findings of their individual audits.

The 2016-2017 HIPAA Audits Industry Report details the overall findings of the audits, including key aspects of HIPAA compliance that are proving problematic for covered entities and business associates.

In the report, OCR gives each audited entity a rating based on their level of compliance with each specific provision of the HIPAA Rules under assessment. A rating of 1 indicates the covered entity or business associate was fully compliant with the goals and objectives of the selected standards and implementation specifications. A rating of 2 means the entity substantially met the criteria and maintained adequate policies and procedures and could supply documentation or other evidence of compliance.

A rating of 3 means the entity minimally addressed the audited requirements and had made some attempt to comply, although had failed to comply fully or had misunderstood the HIPAA requirements. A rating of 4 means the entity made negligible efforts to comply, such as supplying policies and procedures for review that were copied directly from an association template or providing poor or generic documentation as evidence of training. A rating of 5 means OCR was not provided with evidence of a serious attempt to comply with the HIPAA Rules.

The table below summarizes the audit results on key provisions of the HIPAA Rules. The blue and red figures indicate the most common rating in each category, with blue corresponding to mostly ratings of 1 or 2 (compliant) and red indicating implementation was inadequate, negligible, or absent.

The table clearly shows that most audited entities largely failed to successfully implement the HIPAA Rules requirements.

OCR 2016-2017 HIPAA Audits Industry Report

Most covered entities complied with the requirement of the Breach Notification Rule to send timely notifications in the event of a data breach. HIPAA requires those notifications to be sent within 60 days of the discovery of a data breach; however, most covered entities failed to include all the required information in their breach notifications.

The audits revealed widespread compliance with the requirement to create and prominently post a Notice of Privacy Practices on their website. The Notice of Privacy Practices gives a clear, user-friendly explanation of individuals’ rights with respect to their personal health information and details the organization’s privacy practices. However, most audited entities failed to include all the required content in their Notice of Privacy Practices.

The individual right of access is an important provision of the HIPAA Privacy Rule. Individuals have the right to obtain and inspect their health information. Most covered entities failed to properly implement the requirements of the HIPAA Right of Access, which includes providing access to or a copy of the PHI held within 30 days of receiving a request and only charging a reasonable cost-based fee for access.

The first phase of HIPAA compliance audits conducted by OCR in 2012 revealed widespread noncompliance with the requirement to conduct a comprehensive, organization-wide risk analysis to identify vulnerabilities and risks to the confidentiality, integrity, and availability of protected health information. In its enforcement activities over the past 11 years, a risk analysis failure is the most commonly cited HIPAA violation.

HIPAA covered entities are still failing in this important provision of the HIPAA Security Rule, with the latest round of audits revealing most audited entities failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.

“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

You can view the full 2016-2017 HIPAA Audits Industry Report on this link: https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf.


FTC Settles 2019 Consumer Data Breach Case with SkyMed

The Nevada-based emergency services provider SkyMed has reached a settlement with the Federal Trade Commission (FTC) following an audit of its information security practices in the wake of a 2019 data breach that exposed consumers’ personal information.

SkyMed was notified by security researcher Jeremiah Fowler in 2019 that it had a misconfigured Elasticsearch database that was leaking patient information. The lack of protection meant the records of 136,995 patients could be accessed over the internet without the need for any authentication. The database could be accessed using any Internet browser and personal information in the database could be downloaded, edited, or even deleted.

The database contained information such as patient names, addresses, email addresses, dates of birth, membership account numbers, and health information, according to Fowler. Fowler also identified artifacts related to ransomware in the database. When notified about the exposed database, SkyMed launched an investigation but found no evidence to indicate any information in the database had been misused.
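The exposure Fowler reported is the familiar open Elasticsearch pattern: the REST API reachable from the internet with nothing in front of it demanding credentials, so an anonymous GET returns the cluster banner and the index listing, and the document API then serves the records themselves. The probe below is an added example written for this page, not SkyMed’s code or Fowler’s, and it uses only the Python standard library. Run against a real host it issues two unauthenticated GETs, the root banner and _cat/indices, which is exactly what a browser does when pointed at port 9200. The two fake nodes, the index names, the version string and the PII_HINTS list are constructed; the document count of 136,995 simply mirrors the figure in the article.

```python
import json
import urllib.error
import urllib.request

# Index-name fragments that suggest personal data inside (constructed heuristic).
PII_HINTS = ("member", "patient", "customer", "user", "claim", "email", "account")


def http_get(url, timeout=5):
    """Anonymous GET with no credentials; returns (status, body_text)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def probe_elasticsearch(base_url, fetch=http_get):
    """Report whether a node answers unauthenticated requests and, if so, which indices
    it lists. A node with security enabled answers the root request with 401."""
    base = base_url.rstrip("/")
    finding = {"url": base, "anonymous_access": False, "status": None, "cluster_name": None,
               "version": None, "indices": [], "suspicious_indices": []}
    status, body = fetch(base + "/")
    finding["status"] = status
    if status != 200:
        return finding
    try:
        root = json.loads(body)
    except ValueError:
        return finding
    if "cluster_name" not in root:
        return finding  # HTTP 200, but not the Elasticsearch banner
    finding["anonymous_access"] = True
    finding["cluster_name"] = root["cluster_name"]
    finding["version"] = root.get("version", {}).get("number")
    status, body = fetch(base + "/_cat/indices?format=json")
    if status == 200:
        for idx in json.loads(body):
            name = idx.get("index", "")
            docs = int(idx.get("docs.count") or 0)  # None for closed indices
            finding["indices"].append((name, docs))
            if any(hint in name.lower() for hint in PII_HINTS):
                finding["suspicious_indices"].append((name, docs))
    return finding


def make_fake_fetch(responses):
    """Build a fetch() answering from a constructed {path: (status, body)} table,
    so the probe can be exercised offline."""
    def fetch(url, timeout=None):
        host_and_path = url.split("://", 1)[1].split("/", 1)
        path = "/" + (host_and_path[1] if len(host_and_path) > 1 else "")
        return responses.get(path, (404, "{}"))
    return fetch


# Constructed stand-ins: an exposed node, and one that requires authentication.
OPEN_NODE = make_fake_fetch({
    "/": (200, json.dumps({"name": "node-1", "cluster_name": "elasticsearch",
                           "version": {"number": "6.8.0"}})),
    "/_cat/indices?format=json": (200, json.dumps([
        {"index": "members-2019", "docs.count": "136995", "store.size": "61mb"},
        {"index": ".kibana", "docs.count": "1", "store.size": "4kb"},
    ])),
})
SECURED_NODE = make_fake_fetch({
    "/": (401, json.dumps({"error": {"type": "security_exception",
                                     "reason": "missing authentication credentials"}})),
})

if __name__ == "__main__":
    for label, fetch in (("open", OPEN_NODE), ("secured", SECURED_NODE)):
        print(label, probe_elasticsearch("http://192.0.2.10:9200", fetch=fetch))
```

A node that reports anonymous_access True with a non-empty index list is already a reportable exposure regardless of what the indices are called; the PII_HINTS check only orders the follow-up. The fix is not in the probe: authentication in front of the API (X-Pack security, a proxy, or an equivalent plugin) makes the root request return 401, and binding network.host to a private interface keeps the port off the internet in the first place.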

In its breach notification, SkyMed explained, “Our investigation learned that some old data may have been exposed temporarily as we migrated data from an old system to a new system. At this time, the exposed data has been removed and appears to be limited to only a portion of our information and was restricted to names, street and email addresses, phone and membership ID numbers. There was no medical or payment-related information visible and no indication that the information has been misused.”

The FTC investigated the breach and conducted an audit to determine whether there had been a violation of the FTC Act. The FTC found multiple security and breach response failures. The FTC alleged SkyMed had not investigated whether the database had been accessed by unauthorized individuals during the time protections were not in place, and that the company failed to adequately review the database to determine what information it contained. SkyMed was therefore unable to determine whether any health information had potentially been compromised. When SkyMed confirmed that the database had been exposed, the company deleted the database to prevent any unauthorized access, which also destroyed the evidence needed to scope the incident. SkyMed also failed to identify the individuals affected by the breach.

The FTC said every page of the SkyMed website displayed a “HIPAA Compliance” seal, which gave the impression that SkyMed’s privacy and security policies were in compliance with the standards demanded by the Health Insurance Portability and Accountability Act, yet the company had not undergone a third-party audit of its information security practices and no government agency had reviewed the HIPAA compliance claims. The FTC alleged SkyMed had deceived customers for more than 5 years by displaying the HIPAA Compliance seal on its company website.

“People who bought travel protection services trusted SkyMed with their personal health information, and SkyMed had an obligation to keep that information secure,” said Andrew Smith, director of the FTC Bureau of Consumer Protection. The company’s security practices did not meet the required standards or those expected by its customers.

The FTC said “reasonable measures” to secure the personal information of individuals who signed up for its emergency services had not been implemented. SkyMed had not used any data loss prevention tools, there was a lack of access controls, and a failure to implement authentication for its networks. When a security breach occurred and a database containing personal information was exposed, SkyMed failed to detect the exposed database for 5 months, and only then because it was found by a security researcher.

The nature of the information exposed “has caused or is likely to cause substantial injury to customers,” explained the FTC. “[SkyMed] could have prevented or mitigated these information security failures through readily available, and relatively low-cost, measures.”

The FTC alleged SkyMed had engaged in unfair and/or deceptive acts or practices under Section 5 of the FTC Act, which included two counts of deception about HIPAA compliance and its breach response. SkyMed was also determined to have engaged in unfair information security practices.

Under the terms of the settlement, SkyMed is prohibited from misrepresenting its data security practices, its data breach response, how the company protects the privacy, security, integrity, and confidentiality of personal information, and its participation in any privacy or security program sponsored by a government or any third party, including any self-regulatory or standard-setting organization.

SkyMed must send breach notifications to all impacted consumers and provide information about any information that has potentially been exposed. An information security program must be implemented, which must be coordinated by a designated, qualified employee. The program must include an organization-wide risk assessment to identify potential internal and external risks, and safeguards must be implemented to ensure those risks are mitigated and personal information is protected.

Logs of database access must be created and monitored, and data encryption must be implemented for sensitive data such as financial account information, passport numbers, and health information. Access controls are required for all data repositories containing personal data and restrictions must be put in place to limit access to sensitive data. SkyMed is also required to certify annually that it is in compliance with the requirements detailed in the FTC settlement.

The post FTC Settles 2019 Consumer Data Breach Case with SkyMed appeared first on HIPAA Journal.

House Passes Bill Calling for HHS to Recognize Adoption of Cybersecurity Best Practices When Making Regulatory Determinations

A new bill (HR 7988) has been passed by the House Energy and Commerce Committee which seeks to amend the HITECH Act to require the Department of Health and Human Services to recognize whether cybersecurity best practices have been adopted by HIPAA-covered entities and business associates when making certain determinations, such as financial penalties following security breaches or for other regulatory purposes.

The HIPAA Safe Harbor Bill, if signed into law, would reward covered entities and business associates that have adopted recognized cybersecurity practices with reduced financial penalties and shorter compliance audits. The legislation calls for the HHS Secretary to consider whether the entity has adequately demonstrated that recognized security practices have been in place for no less than 12 months, which may mitigate financial penalties, result in an early, favorable termination of an audit, or mitigate other remedies that may otherwise have been agreed with respect to resolving potential HIPAA Security Rule violations.

The bill defines ‘Recognized Security Practices’ as “standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

The bill also confirms that its aim is to reduce potential sanctions, penalties, and the length of audits when cybersecurity best practices are followed, and not to give the HHS the authority to increase audit lengths, fines, and penalties when an entity is discovered not to be in compliance with recognized security standards.

The bill easily passed the House vote and is expected to pass the Senate vote next week. The bill has received considerable support from many health IT industry stakeholder groups, including HITRUST. HITRUST believes the legislation will help to improve the cybersecurity posture of the healthcare industry, will encourage healthcare organizations to take a more proactive approach to HIPAA compliance, and will ensure that entities that have achieved HITRUST Cybersecurity Standard Framework (CSF) Certification are recognized for their proactive approach to protecting healthcare data.

The bill also has the backing of the Healthcare and Public Health Sector Coordinating Council (HSCC), which believes the legislation will act as a positive incentive for health providers to increase investment in cybersecurity for the benefit of regulatory compliance and patient safety.


CISA: SolarWinds Orion Software Under Active Attack

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that sophisticated hackers are actively exploiting SolarWinds Orion IT monitoring and management software.

The cyberattack, which is ongoing, is believed to be the work of a highly sophisticated, evasive, nation-state hacking group that created a Trojanized version of the Orion software, which has been used to deploy a backdoor, dubbed SUNBURST, into customers’ systems.

The supply chain attack has impacted around 18,000 customers, who are understood to have downloaded the Trojanized version of SolarWinds Orion and the SUNBURST backdoor. SolarWinds Orion is used by large public and private organizations and government agencies.

SolarWinds customers include all five branches of the U.S. military, the Pentagon, the State Department, NASA, and the National Security Agency. Its solutions are also used by 425 of the 500 largest publicly traded U.S. companies. The US Treasury, the US National Telecommunications and Information Administration (NTIA), and the Department of Homeland Security are known to have been attacked. The campaign was first detected by the cybersecurity company FireEye, which was itself attacked as part of this campaign.

The attacks started in spring 2020 when the first malicious versions of the Orion software were introduced, and the hackers are believed to have been present in compromised networks since then. The malware is evasive, which is why the threat took so long to detect. “The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity,” according to FireEye. Once the backdoor has been installed, the attackers move laterally and steal data.

“We believe that this vulnerability is the result of a highly-sophisticated, targeted, and manual supply chain attack by a nation-state,” said Kevin Thompson, SolarWinds President and CEO.

The hackers gained access to SolarWinds’ software development environment and inserted the backdoor code into its library in SolarWinds Orion Platform software versions 2019.4 HF 5 through 2020.2.1 HF 1, which were released between March 2020 and June 2020.

CISA issued an Emergency Directive ordering all federal civilian agencies to take immediate action to block any attack in progress by immediately disconnecting or powering down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their networks. The agencies have also been prohibited from “(re)joining the Windows host OS to the enterprise domain.”

All customers have been advised to immediately upgrade their SolarWinds Orion software to Orion Platform version 2020.2.1 HF 1. A second hotfix – 2020.2.1 HF 2 – is due to be released on Tuesday and will replace the compromised component and implement other additional security enhancements.

If it is not possible to immediately upgrade, guidelines have been released by SolarWinds for securing the Orion Platform. Organizations should also scan for signs of compromise. The signatures of the backdoor are being added to antivirus engines, and Microsoft has confirmed that all its antivirus products now detect the backdoor and users have been advised to run a full scan.

SolarWinds is working closely with FireEye, the Federal Bureau of Investigation, and the intelligence community to investigate the attacks. SolarWinds is also working with Microsoft to remove an attack vector that leads to the compromise of targets’ Microsoft Office 365 productivity tools.

It is currently unclear which group is responsible for the attack, although the Washington Post claims to have spoken to sources who confirmed the attack was the work of the Russian nation-state hacking group APT29 (Cozy Bear). A spokesperson for the Kremlin said Russia had nothing to do with the attacks, stating “Russia does not conduct offensive operations in the cyber domain.”
