Latest HIPAA News

CISA Warns of Ongoing Attacks by Chinese Hacking Groups Targeting F5, Citrix, Pulse Secure, and MS Exchange Flaws

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning that hackers affiliated with China’s Ministry of State Security (MSS) are conducting targeted cyberattacks on U.S. government agencies and private sector companies.

The attacks have been ongoing for more than a year and frequently target vulnerabilities in widely deployed, internet-facing network devices and services such as Citrix and Pulse Secure VPN appliances, F5 BIG-IP load balancers, and Microsoft Exchange email servers. The hacking groups rely on publicly available information and freely or commercially available tools, such as the China Chopper web shell, the Mimikatz credential-dumping tool, and the Cobalt Strike post-exploitation framework, rather than custom malware. The groups, which have varying levels of skill, attempt to gain access to federal computer networks and sensitive corporate data, and several attacks have been successful.

The software vulnerabilities exploited by the hackers are all well-known and patches have been released to correct the flaws, but there are many potential targets that have yet to apply the patches and are vulnerable to attack.

Some of the most exploited vulnerabilities include:

CVE-2020-5902 – An unauthenticated remote code execution flaw in the F5 BIG-IP Traffic Management User Interface (TMUI). A single crafted HTTP request to the management interface allows threat actors to execute arbitrary system commands, create or delete files, disable services, and execute Java code.

CVE-2019-19781 – A directory traversal vulnerability in Citrix ADC and Citrix Gateway (formerly NetScaler) appliances which can be exploited without authentication to write a file on the appliance and achieve remote code execution.

CVE-2019-11510 – An unauthenticated arbitrary file read vulnerability in Pulse Connect Secure VPN appliances. The files that can be read include cached credentials and session data, which allow the attacker to log in to the VPN and gain access to internal networks.

CVE-2020-0688 – A remote code execution vulnerability in Microsoft Exchange Server caused by a static cryptographic key in the Exchange Control Panel. Any user with valid mailbox credentials can exploit it to execute arbitrary code on the server with SYSTEM privileges, which is why it is typically chained with credential theft or password spraying.

There is no single action that can be taken to block these threats, but many of the successful attacks have exploited known vulnerabilities. Scans are often conducted within hours or days of a vulnerability being made public. Since many public and private sector organizations do not apply patches promptly, it gives hackers the opportunity to gain access to networks. Applying patches promptly is therefore one of the best forms of defense.

“Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks,” explained CISA in its security advisory. “If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.”

Scans are being conducted using tools such as the Shodan search engine to identify potential targets that may be susceptible to attack. The hackers also use the Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database (NVD) to obtain detailed information about vulnerabilities that can be exploited.

“Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits,” explained CISA. “These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.”

Other tactics often used by these threat actors include spear phishing and brute force attempts to guess weak passwords. It is therefore essential to enforce the use of strong passwords, provide phishing awareness training to the workforce, and implement software solutions capable of detecting/blocking phishing attacks.
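One check a defender can run against this advisory: exploitation attempts for the four CVEs above leave recognisable request paths in web-server or reverse-proxy access logs. The scanner below is an added example, not part of the CISA advisory or this article. The path patterns are taken from the public write-ups of each CVE; the Exchange pattern assumes the form used by public proofs of concept (a forged __VIEWSTATE in the query string of a GET to /ecp/default.aspx, where legitimate ECP traffic posts it in the body); and the log lines are constructed, using documentation addresses.

```python
"""Scan web-server access logs for the public exploitation patterns of the
four CVEs named in the CISA advisory.  Added example, not CISA's code."""
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import unquote

# Request-path patterns drawn from public advisories and write-ups for each
# CVE.  Paths are percent-decoded before matching so %2e%2e / %2f variants
# are caught as well.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    # Path-parameter bypass ("..;") of the TMUI login page used to reach
    # fileRead.jsp / fileSave.jsp / tmshCmd.jsp.
    "CVE-2020-5902 (F5 BIG-IP TMUI)": re.compile(r"/tmui/login\.jsp/\.\.;/", re.I),
    # Traversal from the unauthenticated /vpn/ path into /vpns/.
    "CVE-2019-19781 (Citrix ADC/Gateway)": re.compile(r"/vpn/\.\./vpns/", re.I),
    # Arbitrary file read through the HTML5 access path.
    "CVE-2019-11510 (Pulse Secure)": re.compile(
        r"/dana-na/\.\./dana/html5acc/guacamole/(?:\.\./)+", re.I),
    # Assumption: public PoCs send the forged __VIEWSTATE in the query string
    # of a GET to /ecp/default.aspx; legitimate ECP posts it in the body.
    "CVE-2020-0688 (MS Exchange ECP)": re.compile(r"/ecp/default\.aspx\?.*__viewstate=", re.I),
}

# Common / Combined Log Format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

Hit = Tuple[str, str, str, str]  # (cve, source ip, status, raw path)


def scan_line(line: str) -> Optional[Hit]:
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(unquote(m["path"]))  # decode twice to defeat %252e double encoding
    for cve, pattern in PATTERNS.items():
        if pattern.search(path):
            return (cve, m["ip"], m["status"], m["path"])
    return None


def scan_log(lines: List[str]) -> List[Hit]:
    return [hit for hit in map(scan_line, lines) if hit]


def hits_by_source(hits: List[Hit]) -> Dict[str, Set[str]]:
    """Group matched CVEs by source address; one IP probing several products
    is the multi-vector behaviour the advisory describes."""
    out: Dict[str, Set[str]] = {}
    for cve, ip, _status, _path in hits:
        out.setdefault(ip, set()).add(cve)
    return out


# Constructed sample lines (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2020:02:13:44 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1827',
    '203.0.113.5 - - [10/Sep/2020:02:14:01 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0',
    '198.51.100.7 - - [10/Sep/2020:02:15:30 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 2042',
    '198.51.100.7 - - [10/Sep/2020:02:16:12 +0000] "GET /ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=AAAA HTTP/1.1" 500 0',
    '192.0.2.9 - - [10/Sep/2020:02:17:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120',
    '192.0.2.9 - - [10/Sep/2020:02:17:05 +0000] "GET /tmui/login.jsp/%2e%2e;/tmui/locallb/workspace/fileRead.jsp HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for cve, ip, status, path in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {status} {cve}: {path}")
```

A 200 response to a traversal request is stronger evidence than a 404, so the status is kept in each hit. These are after-the-fact indicators: a match against an appliance that has since been patched still warrants a hunt for web shells and stolen credentials, because the advisory's point is that the initial access was often followed by persistence.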

The post CISA Warns of Ongoing Attacks by Chinese Hacking Groups Targeting F5, Citrix, Pulse Secure, and MS Exchange Flaws appeared first on HIPAA Journal.

Privacy Lawsuit Against UChicago and Google Dismissed by Federal Judge

A potential class action lawsuit filed against the University of Chicago, UChicago Medicine, and Google over an alleged privacy and HIPAA breach has been dismissed by a Federal judge.

The lawsuit was filed in June 2019 in response to an alleged violation of HIPAA Rules related to a data sharing partnership between the University of Chicago Medicine and Google.

In 2017, the University of Chicago Medicine sent the de-identified data of patients to Google as part of an initiative to use medical records to improve predictive analysis of hospitalizations, and by doing so, improve the quality of patient care. The aim of the partnership was to use machine learning techniques to identify when a patient’s health is declining, to allow timely interventions to prevent hospitalization.

The University of Chicago Medicine sent hundreds of thousands of patient records dating from 2009 to 2016 to Google. The data shared with Google was de-identified but contained physicians’ notes and time stamps of dates of service.

The lawsuit was filed by Edelson PC on behalf of lead plaintiff, Matt Dinerstein, a patient of UC Medical Center who had hospital stays on two occasions in 2015.

The lawsuit alleged that Mr. Dinerstein’s confidential protected health information was shared with Google without properly de-identifying the data, as free-text notes from doctors and nurses were included in the data along with associated time stamps. That information had come to light following a 2018 research study which confirmed notes and time stamps were included in the data.

The lawsuit alleged that the inclusion of that information meant the data shared with Google was not sufficiently de-identified and that, given the substantial store of information Google already holds, patients could be re-identified, creating a privacy risk for all patients whose information was shared with Google.

The lawsuit also alleged the medical records had value to Mr. Dinerstein and had been stolen, although no claim was made that Google had tried to re-identify patients. The lawsuit also claimed Mr. Dinerstein was owed a reasonable royalty for the use of his protected health information.

UC Medical Center and Google filed motions to dismiss the lawsuit on August 3, 2019 claiming all data sent to Google under the partnership had been transmitted via secure channels in a manner compliant with the HIPAA Rules. The motions also stated neither HIPAA nor the Illinois Medical Patient Rights Act include a private right of action.

On September 4, 2020, Federal Judge Rebecca Pallmeyer of the United States District Court Northern District of Illinois Eastern Division, rejected Mr. Dinerstein’s claims and dismissed the lawsuit.

“Even if Mr. Dinerstein has a property interest in medical information, his allegations do not support an inference that the value of that property has been diminished by the University’s or Google’s actions,” wrote Judge Pallmeyer. She added that royalties are only appropriate for interference with a property right, that the plaintiff had failed to establish he had such a right in his PHI, and that Mr. Dinerstein had not adequately demonstrated that the alleged privacy breach had caused him economic damage. The plaintiff has the right to file an amended complaint before October 15, 2020.

The ruling will certainly be good news for Google, which is also facing scrutiny of its partnership with Ascension over potential HIPAA violations related to the millions of records Ascension provided to Google in 2019 under “Project Nightingale”.


Feedback Sought on Draft Consumer Privacy Framework for Health Data Not Covered by HIPAA

The eHealth Initiative & Foundation (eHI) and the Center for Democracy and Technology (CDT) recently released a draft consumer privacy framework for health data to address gaps in legal protections for the health data of consumers that falls outside the protection of the Health Insurance Portability and Accountability Act (HIPAA).

The HIPAA Rules require healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of health data. There are restrictions on uses and disclosures of healthcare data and Americans are also given rights over how their protected health information is used, to whom that information may be disclosed, and they have the right to access their health data.

Many organizations collect, use, store, and transmit many of the data elements within the category of ‘protected health information’, yet if they are not HIPAA-covered entities or business associates of HIPAA-covered entities, HIPAA Rules will not apply.

The eHI/CDT Consumer Privacy Framework for Health Data is a voluntary, self-regulatory program “designed to hold member companies to a set of standards separately developed through a multistakeholder process” and covers consumer health data not covered by HIPAA.

The framework includes a definition of the health data which must be protected as well as the standards and rules to protect that information. The framework places limits on the amount of data collected, how health data can be used, and includes a model for holding companies accountable for data collected, used, and disclosed.

The framework requires companies to obtain affirmative express consent to collect, use, or disclose consumer health data and prohibits companies from using consumer health data for any purpose other than the reason for which the information was requested, and for which consumers gave their consent.

Notice must be provided about the information collected, used or disclosed, the purpose for data collection must be clearly stated, and if there will be any disclosures, to whom disclosures will be made. The framework also prohibits the use of consumer health information for causing harm or discrimination against an individual.

Like HIPAA, the framework calls for limits to be placed on the health information collected, disclosed or used, which should be restricted to the minimum necessary amount to achieve the purpose for which it has been collected.

The framework gives consumers rights with respect to their consumer health data, including the right to access the information collected, check it for errors, have errors corrected, and have the information deleted. If technically feasible, consumers should be able to have their data transferred to another participating entity. The framework also calls for participating entities to establish and implement reasonable security policies, practices, and procedures to ensure consumer health information is protected.

eHI/CDT are seeking constructive public feedback on the Consumer Privacy Framework for Health Data. Comments will be accepted until Friday, September 25, 2020.


CISA Issues Technical Guidance on Uncovering and Remediating Malicious Network Activity

The Cybersecurity and Infrastructure Security Agency (CISA) has recently issued guidance for network defenders and incident response teams on identifying malicious activity and mitigating cyberattacks. The guidance details best practices for detecting malicious activity and step by step instructions for investigating potential security incidents and securing compromised systems.

The purpose of the guidance is “to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.” The guidance will help incident response teams collect the data necessary to investigate suspicious activity within the network, such as host-based artifacts, conduct a host analysis review and an analysis of network activity, and take the right actions to mitigate a cyberattack.

The guidance document was created in collaboration with cybersecurity authorities in the United States, United Kingdom, Australia, New Zealand and Canada and includes technical help for security teams to help them identify malicious attacks in progress and mitigate attacks while reducing the potential for negative consequences.

When incident response teams identify malicious activity, the focus is often on terminating the threat actor’s access to the network. While it is important to terminate any access a threat actor has to a device, network, or system, the correct approach must be taken to avoid alerting the attacker that their presence has been detected.

“Although well intentioned to limit the damage of the compromise, some of those actions have the adverse effect of modifying volatile data that could give a sense of what has been done and tipping the threat actor that the victim organization is aware of the compromise and forcing the actor to either hide their tracks or take more damaging actions (like detonating ransomware),” said CISA. 

When responding to a suspected intrusion it is first necessary to collect and preserve the relevant artifacts, logs, and data that will allow the incident to be thoroughly investigated. If these are not captured before any mitigations are applied, volatile data can easily be lost, which hampers the investigation. Systems also need to be protected, as a threat actor who realizes the intrusion has been detected may change tactics. Once systems have been protected and artifacts obtained, mitigation can proceed, with care taken not to alert the threat actor that their presence in the network has been discovered.

When suspicious activity is detected, CISA recommends considering support from a third-party cybersecurity company. Such firms have the expertise to eradicate an attacker from a network and to close the security gaps that could otherwise be exploited in further attacks once the incident has been remediated and closed.

Responding to a security breach requires a variety of technical approaches to uncover malicious activity. CISA recommends searching for known indicators of compromise (IoCs), using confirmed IoCs from a wide range of sources. Frequency analysis is useful for identifying anomalous activity: network defenders should baseline normal traffic patterns in network and host systems so that inconsistent activity stands out, and use algorithms to flag activity that departs from those patterns in timing, source location, destination location, port utilization, protocol adherence, file location, integrity via hash, file size, naming convention, and other attributes.

Pattern analysis is useful for detecting automated activity by malicious scripts and malware, and the regular, repeating actions of human threat actors. An analyst review should also be conducted, drawing on the security team’s knowledge of system administration, to identify errors in collected artifacts and to find anomalous activity that could indicate threat actor presence.
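The two analytic approaches CISA describes, frequency analysis and pattern analysis, are easiest to show on outbound proxy data. The block below is an added example, not CISA's tooling and not from this article; the record layout and the traffic are constructed, and the thresholds (a value used by a single host, six or more events, inter-arrival jitter of 20% or less) are assumptions to be tuned per environment.

```python
"""Frequency and pattern analysis over outbound proxy records, as an added
example of the analytic approaches in AA20-245A (not CISA's tooling)."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Record layout (constructed): (epoch seconds, source host, destination host, user agent)
Record = Tuple[int, str, str, str]


def values_from_few_hosts(records: List[Record], field: int,
                          max_hosts: int = 1) -> Dict[str, Set[str]]:
    """Frequency analysis: values of a field (destination, user agent, ...)
    seen from at most max_hosts distinct sources.  Something only one machine
    in the estate uses is worth an analyst's eyes."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        hosts[rec[field]].add(rec[1])
    return {value: h for value, h in hosts.items() if len(h) <= max_hosts}


def beacon_candidates(records: List[Record], min_events: int = 6,
                      max_jitter: float = 0.2) -> Dict[Tuple[str, str], Tuple[float, float, int]]:
    """Pattern analysis: for each (source, destination) pair with enough
    events, measure how regular the inter-arrival gaps are.  A coefficient of
    variation (stdev / mean) at or below max_jitter indicates timer-driven
    traffic rather than a human clicking around.  Returns pair -> (mean gap
    in seconds, coefficient of variation, event count)."""
    times: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for ts, src, dst, _ua in records:
        times[(src, dst)].append(ts)
    out: Dict[Tuple[str, str], Tuple[float, float, int]] = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_events:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_jitter:
            out[pair] = (round(avg, 1), round(cv, 3), len(ts_list))
    return out


def build_sample() -> List[Record]:
    """Constructed traffic: three hosts browsing at irregular intervals (each
    with a favourite destination), plus one of them also calling a single
    external host every ~300 s with a user agent nothing else in the estate uses."""
    recs: List[Record] = []
    browser_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
    dsts = ["portal.example.test", "mail.example.test", "cdn.example.test"]
    gaps = [7, 43, 120, 9, 310, 55, 18, 240, 77, 5, 160, 33, 400, 12, 90, 61, 27, 140, 8, 22]
    t = 1_599_700_000
    for i, g in enumerate(gaps):
        t += g
        recs.append((t, f"10.0.0.{10 + i % 3}", dsts[i % 3], browser_ua))
    t = 1_599_700_100
    for i in range(12):
        t += 300 + (-3, 0, 3, 1)[i % 4]  # small jitter, as real implants add
        recs.append((t, "10.0.0.12", "update.example-cdn.test",
                     "Mozilla/4.0 (compatible; MSIE 6.0)"))
    return recs


if __name__ == "__main__":
    sample = build_sample()
    print("user agents unique to one host:", values_from_few_hosts(sample, 3))
    print("beacon candidates:", beacon_candidates(sample))
```

The browsing pairs in the sample have six or seven events each, enough to be measured, but their gap variation is well above 20%, so only the timer-driven pair is reported; in production the same two functions run over hours or days of records, and the rare-value output is what feeds the analyst review step.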

The guidance also calls out common mistakes made when responding to incidents, each of which either destroys evidence or tips off the intruder. They include:

  • Mitigating affected systems before responders can protect and recover data, which loses volatile evidence.
  • Touching adversary infrastructure (pinging it, resolving its names, browsing to it), which tells the attacker they have been noticed.
  • Preemptively blocking adversary infrastructure or resetting credentials before the full extent of access is known, which prompts the actor to switch to infrastructure or backdoors the defenders have not yet seen.
  • Failing to preserve or collect log data that could be critical to identifying how the compromised systems were accessed.
  • Communicating about the response over the same network the intruder is on, rather than out of band.
  • Fixing only the symptoms rather than the root cause.

The guidance then lists technical measures and best practices for the investigation and remediation process.

Source: CISA

CISA also makes general recommendations on defense techniques and programs that will make it much harder for a threat actor to gain access to the network or system and remain there undetected. While these measures may not stop a threat actor from compromising a system, they will help to slow down any attack which will give incident response teams the time they need to identify and respond to an attack.

You can view the CISA guidance here: Technical Approaches to Uncovering and Remediating Malicious Activity (AA20-245A)


OCR Publishes New Resources for MHealth App Developers and Cloud Services Providers

The Department of Health and Human Services’ Office for Civil Rights has announced it has published additional resources for mobile health app developers and has updated and renamed its Health App Developer Portal.

The portal – Resources for Mobile Health Apps Developers – provides guidance for mobile health app developers on the HIPAA Privacy, Security, and Breach Notification Rules and how they apply to mobile health apps and application programming interfaces (APIs).

The portal includes a guidance document on Health App Use Scenarios and HIPAA, which explains when mHealth applications must comply with the HIPAA Rules and if an app developer will be classed as a business associate.

“Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is secure and will be used and disclosed only as approved or expected,” explained OCR. “Such protections are sometimes required by federal and state laws, including the HIPAA Privacy, Security, and Breach Notification Rules.”

The portal provides access to the Mobile Health Apps Interactive Tool developed by the Federal Trade Commission (FTC) in conjunction with the HHS’ Office of the National Coordinator for Health IT (ONC) and the Food and Drug Administration (FDA). The Tool can be used by the developers of health-related apps to determine what federal rules are likely to apply to their apps. By answering questions about the nature of the apps, developers will discover which federal rules apply and will be directed to resources providing more detailed information about each federal regulation.

The portal also includes information on patient access rights under HIPAA, how they apply to the data collected, stored, processed, or transmitted through mobile health apps, and how the HIPAA Rules apply to application programming interfaces (APIs).

The update to the portal comes a few months after the ONC’s final rule that called for health IT developers to establish a secure, standards-based API that providers could use to support patient access to the data stored in their electronic health records. While it is important for patients to be able to have easy access to their health data to allow them to check for errors, make corrections, and share their health data for research purposes, there is concern that sending data to third-party applications, which may not be covered by HIPAA, is a privacy risk.

OCR has previously confirmed that once healthcare providers have shared a patient’s health data with a third-party app, as directed by the patient, the data will no longer be covered by HIPAA if the app developer is not a business associate of the healthcare provider. Healthcare providers will not be liable for any subsequent use or disclosure of any electronic protected health information shared with the app developer.

A FAQ is also available on the portal that explains how HIPAA applies to Health IT and a guidance document explaining how HIPAA applies to cloud computing to help cloud services providers (CSPs) understand their responsibilities under HIPAA.


Agent Tesla Trojan Distributed in COVID-19 Phishing Campaign Offering PPE

A sophisticated COVID-19 themed phishing campaign has been detected that spoofs chemical manufacturers and importers and exporters offering the recipient personal protective equipment (PPE) such as disposable face masks, forehead temperature thermometers, and other medical supplies to help in the fight against COVID-19.

The campaign was detected by researchers at Area 1 Security, who say the campaign has been active since at least May 2020 and has so far targeted thousands of inboxes. The threat actors behind the campaign regularly change their tactics, techniques, and procedures (TTPs) to evade detection by security tools, typically every 10 days.

The threat actors regularly rotate IP addresses for each new wave of phishing emails, frequently change the companies they impersonate, and revise their phishing lures. In several of the intercepted emails, in addition to spoofing a legitimate company, the names of real employees along with their email addresses and contact information are used to add legitimacy. The emails use the logos of the spoofed companies and the correct URL of the company in the signature. By including correct contact information, should any checks be performed by the recipient they may be led to believe the message is genuine.

Source: Area 1 Security

The aim of the threat actors is to deliver the Agent Tesla Trojan. Agent Tesla is a remote access Trojan (RAT) and information stealer that gives the attackers access to an infected device and lets them perform a range of malicious actions. The RAT logs keystrokes on the infected device and steals sensitive information from the user’s AppData folder, which is sent to the command and control server via SMTP. The malware can also steal saved credentials from web browsers and from email, FTP, and VPN clients.

The RAT is offered on hacking forums as malware-as-a-service and has proven popular due to the ease of conducting campaigns and the low cost of using the malware, although the researchers note that Agent Tesla can be downloaded for free via a torrent available on Russian websites. The malware includes a User interface (UI) that allows users to track infections and access data stolen by the malware.

The RAT is delivered in a compressed file attachment. When the archive is extracted, the recipient is presented with an executable that has a double extension and appears to be a PDF. Because Windows hides known file extensions by default, a file named “Supplier-Face Mask Forehead Thermometer.pdf.exe” (or, in another variant, “Supplier-Face Mask Forehead Thermometer.pdf.gz”) is displayed as “Supplier-Face Mask Forehead Thermometer.pdf”.

The file hash is changed frequently to evade detection. Each time the hash changes, signature-based security solutions will miss the sample until their definitions are updated to include the new hash, so detection should also key on the delivery pattern (an archived executable with a double extension) and on the malware’s behaviour rather than on file hashes alone.

The attackers also take advantage of weak or missing email authentication configuration, such as DMARC policies set to monitor only or SPF records that do not fail unlisted senders, when spoofing the domains of legitimate companies.

According to the researchers, the attackers are mostly using a shotgun approach, rather than spear phishing emails on a select number of targets; that said, the researchers have identified some targeted attacks on executives of Fortune 500 companies.

Since the campaign is regularly updated to evade detection by security solutions, it is important to raise awareness of the campaign with employees to prevent them inadvertently installing the malware.


Radiology Groups Issue Warning About PHI Exposure in Online Medical Presentations

The American College of Radiology, the Society for Imaging Informatics in Medicine, and the Radiological Society of North America have issued a warning about the risk of accidental exposure of protected health information (PHI) in online medical presentations.

Healthcare professionals often create presentations that include medical images for educational purposes; however, care must be taken to ensure that protected health information is not accidentally exposed or disclosed. Medical images carry embedded patient identifiers so that they can be matched to the right patient, but advances in web crawling technology now allow that information to be extracted, which places patient privacy at risk.

The web crawling technology used by search engines such as Google and Bing has enabled large-scale extraction of information from previously stored files. Advances in that technology now allow information in slide presentations that was previously considered de-identified to be indexed, including patient identifiers. Source images can be extracted from PowerPoint presentations and PDF files, for example, and optical character recognition can read alphanumeric characters burned into the image pixels.

As part of the indexing process, that information becomes associated with the images and search engine searches using a search term containing the information in those images will result in the files being displayed in the search engine results.

If a patient performs a search using their name, for example, an image from a diagnostic study conducted several years previously could be displayed in the search engine results. A click on the image would direct the patient to a website of a professional imaging association that had stored a PowerPoint presentation or Adobe PDF file that was used internally in the past for education purposes.

The professional imaging association would likely be unaware that the image contained any protected health information, and the author of the file would be unlikely to realize that the PHI had not been sufficiently de-identified when the presentation was created, or that saving the presentation as an Adobe PDF file does not remove it.

The radiology organizations have offered guidance to healthcare organizations to help them avoid accidental PHI disclosures when creating online presentations containing medical images for educational purposes.

When creating presentations, only medical images that do not include any patient identifiers should be used. If medical images have embedded patient identifiers, screen capture software should be used to capture the part of the medical image that displays the area of interest, omitting the part of the image that contains patient identifiers. Alternatively, an anonymization algorithm embedded in the PACS should be used prior to saving a screen or active window representation or patient information overlays should be disabled before exporting the image.

The radiology organizations warn against using the formatting tools in presentation software (PowerPoint, Keynote, Google Slides, etc.) to crop images so that patient identifiers are not displayed: the crop is only a display setting, and the full original image, identifiers included, remains stored in the file. They also warn that using image editing software such as Adobe Photoshop to black out patient identifiers is not a safe and compliant de-identification practice.

After patient identifiers have been removed, a final quality control check is recommended to ensure that the images have been properly sanitized before they are made public.
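A concrete form of that final quality control check, given that a .pptx is a zip archive: list the media files actually shipped in the package and note which slides apply a crop (an `a:srcRect` element in DrawingML) rather than containing a pre-cropped image. The block below is an added example, not part of the radiology guidance; the package it builds is a constructed stand-in with just enough structure to show the point, not a complete Office document.

```python
"""List the media really embedded in an OOXML package and find slides whose
images are merely cropped in the editor.  Added example; the package built
here is constructed."""
import io
import zipfile
from typing import Dict, List, Tuple, Union

MEDIA_PREFIXES = ("ppt/media/", "word/media/", "xl/media/")
Package = Union[str, io.BytesIO]


def embedded_media(package: Package) -> List[Tuple[str, int]]:
    """(name, uncompressed size) for every media file in the package.  Whatever
    is listed here is what a crawler can extract, regardless of how the slide
    displays it."""
    with zipfile.ZipFile(package) as zf:
        return sorted((i.filename, i.file_size) for i in zf.infolist()
                      if i.filename.startswith(MEDIA_PREFIXES) and not i.is_dir())


def crop_references(package: Package) -> Dict[str, bool]:
    """Slide XML part -> True if it crops a picture with <a:srcRect>.  A crop
    there means the shown region is a subset of a stored image that is still
    shipped in full."""
    out: Dict[str, bool] = {}
    with zipfile.ZipFile(package) as zf:
        for name in zf.namelist():
            if name.startswith("ppt/slides/slide") and name.endswith(".xml"):
                out[name] = b"<a:srcRect" in zf.read(name)
    return out


def build_demo_pptx() -> io.BytesIO:
    """Constructed minimal package: one slide that crops image1.png via srcRect
    (bottom 25% hidden), while the whole image sits in ppt/media/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml",
                    '<p:sld><p:pic><p:blipFill><a:blip r:embed="rId2"/>'
                    '<a:srcRect l="0" t="0" r="0" b="25000"/></p:blipFill></p:pic></p:sld>')
        zf.writestr("ppt/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 4000)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    pkg = build_demo_pptx()
    print("embedded media:", embedded_media(pkg))
    print("slides with editor crops:", crop_references(pkg))
```

Run against a real deck by passing its path; any slide reported as cropped, and any media file larger than the region the slide shows, should send the image back through the screen-capture or PACS anonymization route described above before the file is published.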

You can view the guidance on the removal of PHI from medical images prior to creating medical image presentations on this link.


HHS Announces Limited HIPAA Privacy Rule Waivers Due to Hurricane Laura and the Californian Wildfires

The Secretary of the HHS, Alex Azar, has declared a public health emergency exists in the states of Louisiana and Texas as a result of the consequences of Hurricane Laura, and in California due to ongoing wildfires.

During public health emergencies the HIPAA Rules are not suspended; however, the HHS Secretary may choose to waive certain provisions of the HIPAA Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

In addition to the declaration of public health emergencies, the HHS Secretary has declared that sanctions and penalties against hospitals will be waived for the following provisions of the HIPAA Privacy Rule.

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

Sanctions and penalties for noncompliance with the above provisions of the HIPAA Privacy Rule have only been waived for hospitals in the emergency areas and only for the time period stated in the public health emergency declarations.

The waivers only apply to hospitals that have instituted their disaster protocol, and only for up to 72 hours from the time the disaster protocol is instituted. Once either the Presidential or Secretarial declaration terminates, the HIPAA waivers will no longer be in effect and hospitals must then ensure they comply with all provisions of the HIPAA Privacy Rule. That applies even if the 72 hour period has not elapsed.

During public health emergencies, the HIPAA Privacy Rule allows patient information to be shared for treatment, payment, and healthcare operations.

Patient information can also be shared for public health activities to allow public health authorities to carry out their public health mission. Patient information can be shared with a public health authority such as the Centers for Disease Control and Prevention for the purpose of preventing or controlling disease, injury or disability.

The HIPAA Privacy Rule also permits the sharing of patient information at the direction of a public health authority to a foreign government agency and to persons at risk of contracting or spreading a disease or condition if permitted by other laws, which authorize a covered entity to notify such persons to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.

Disclosures can also be made to family members, friends, and others involved in an individual’s care and for notification, and healthcare providers may disclose patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law, and the provider’s standards of ethical conduct.

Limited disclosures to the media and others not involved in the care of a patient are permitted, if a request is received and the name of the patient is provided, but should be restricted to limited facility directory information to acknowledge an individual is a patient at the facility and basic information about the status of the patient (e.g., critical or stable, deceased, or treated and released).

In all cases, the minimum necessary rule applies. Disclosures should be restricted to the minimum amount of information necessary to achieve the purpose for which the information is being disclosed.

Public Health Emergency Declarations

Louisiana and Texas PHE

California PHE

HIPAA Waivers

HIPAA Bulletin Louisiana and Texas

HIPAA Bulletin California


OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory

The risk analysis is one of the most important requirements of the HIPAA Security Rule, yet it is one of the most common areas of noncompliance discovered during Office for Civil Rights data breach investigations, compliance reviews, and audits. While there have been examples of HIPAA-covered entities ignoring this requirement entirely, in many cases noncompliance is due to the failure to perform a comprehensive risk analysis across the entire organization.

In order to perform a comprehensive risk analysis to identify all threats to the confidentiality, integrity, and availability of electronic protected health information (ePHI), you must first know how ePHI arrives in your organization, where it flows, where all ePHI is stored, and which systems can be used to access that information. One of the common reasons for a risk analysis compliance failure is not knowing where all ePHI is located in the organization.

In its Summer 2020 Cybersecurity Newsletter, OCR highlighted the importance of maintaining a comprehensive IT asset inventory and explained how it can assist with the risk analysis process. An IT asset inventory is a detailed list of all IT assets in an organization. For each asset it should include a description, serial numbers, names, and other information that can be used to identify the asset, its version (operating system/application), its location, and the person to whom the asset has been assigned and who is responsible for maintaining it.

“Although the Security Rule does not require it, creating and maintaining an up-to-date, information technology (IT) asset inventory could be a useful tool in assisting in the development of a comprehensive, enterprise-wide risk analysis, to help organizations understand all of the places that ePHI may be stored within their environment, and improve their HIPAA Security Rule compliance,” explained OCR in the newsletter.

An IT asset inventory should not only include physical hardware such as mobile devices, servers, peripherals, workstations, removable media, firewalls, and routers. It is also important to list software assets and applications that run on an organization’s hardware, such as anti-malware tools, operating systems, databases, email, administrative and financial records systems, and electronic medical/health record systems.

IT solutions such as backup software, virtual machine managers/hypervisors, and other administrative tools should also be included, as should data assets that include ePHI that an organization creates, receives, maintains, or transmits on its network, electronic devices, and media.

“Understanding one’s environment – particularly how ePHI is created and enters an organization, how ePHI flows through an organization, and how ePHI leaves an organization – is crucial to understanding the risks ePHI is exposed to throughout one’s organization.”

For smaller healthcare organizations, an IT asset inventory can be created and maintained manually, but for larger, more complex organizations, dedicated IT Asset Management (ITAM) solutions are more appropriate. These solutions include automated discovery and update processes for asset and inventory management and will help to ensure that no assets are missed.

When creating an IT asset inventory to aid the risk analysis, it is useful to include assets that are not used to create, receive, process, or transmit ePHI but may be used to gain access to ePHI or to networks or devices that store ePHI. IoT devices, for example, may not store or be used to access ePHI, but they could be used to gain access to a network or device that would allow ePHI to be viewed.

“Unpatched IoT devices with known vulnerabilities, such as weak or unchanged default passwords installed in a network without firewalls, network segmentation, or other techniques to deny or impede an intruder’s lateral movement, can provide an intruder with a foothold into an organization’s IT network,” suggests OCR. “The intruder may then leverage this foothold to conduct reconnaissance and further penetrate an organization’s network and potentially compromise ePHI.” There have been multiple incidents where hackers have exploited a vulnerability in one of these devices to penetrate an organization’s network and access sensitive data.

Organizations that do not have a comprehensive IT asset inventory could have gaps in recognition and mitigation of risks to ePHI. Only with a comprehensive understanding of the entire organization’s environment will it be possible to minimize those gaps and ensure that an accurate and thorough risk analysis is performed to ensure Security Rule compliance.

Maintaining an IT asset inventory may not be a Security Rule requirement, but covered entities must create policies and procedures that govern the receipt and removal of hardware and electronic media containing ePHI into and out of a facility, and an IT asset inventory can also be used for this purpose. The inventory can also be compared with the results of network scanning and mapping processes to help identify unauthorized devices that have been connected to the network, and it can be used as part of vulnerability management to ensure that no devices, software, or other assets are missed when performing software updates and applying security patches.
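One way to perform the inventory-versus-scan comparison described above, as an added example that is not OCR's or HIPAA Journal's code: the inventory rows, MAC/IP values and scanner output are constructed sample data, and the `handles_ephi` column is an assumed field used to prioritise follow-up.

```python
"""Reconcile an IT asset inventory against network-discovery results (added
example, not OCR's or HIPAA Journal's code; all data below is constructed)."""
import csv
import io

# Constructed inventory in the style of the fields OCR lists (description,
# identifiers, version, owner) plus an assumed flag for assets that handle ePHI.
INVENTORY_CSV = """asset_id,description,mac,ip,os_version,owner,handles_ephi
A-001,EHR application server,00:11:22:33:44:01,10.0.1.10,Windows Server 2019,IT Ops,yes
A-002,Nurse station workstation,00:11:22:33:44:02,10.0.2.21,Windows 10,Nursing,yes
A-003,Lobby HVAC controller,00:11:22:33:44:03,10.0.3.5,Vendor firmware 2.1,Facilities,no
A-004,Backup server,00:11:22:33:44:04,10.0.1.11,Ubuntu 18.04,IT Ops,yes
"""

# Constructed discovery results, e.g. an export from a network scanner.
SCAN_RESULTS = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.1.10"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.2.21"},
    {"mac": "00:11:22:33:44:03", "ip": "10.0.3.5"},
    {"mac": "AA:BB:CC:DD:EE:FF", "ip": "10.0.3.77"},  # never inventoried
]

def load_inventory(text):
    """Parse the CSV inventory into a dict keyed by lower-cased MAC address."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(text))}

def reconcile(inventory, scan_results):
    """Return (unknown_devices, unseen_assets).

    unknown_devices: discovered hosts with no inventory record, i.e. devices
    the risk analysis has not covered and patching will not reach.
    unseen_assets: inventory records not found by the scan, i.e. stale entries
    or offline systems that a scan-driven patch cycle would silently skip.
    """
    seen = {r["mac"].lower() for r in scan_results}
    unknown = [r for r in scan_results if r["mac"].lower() not in inventory]
    unseen = [a for mac, a in inventory.items() if mac not in seen]
    return unknown, unseen

def ephi_assets_unseen(unseen_assets):
    """Asset IDs of unseen assets flagged as handling ePHI: first to investigate."""
    return [a["asset_id"] for a in unseen_assets if a["handles_ephi"] == "yes"]

if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    unknown, unseen = reconcile(inv, SCAN_RESULTS)
    print("Discovered but not inventoried:", [d["ip"] for d in unknown])
    print("Inventoried ePHI assets not seen:", ephi_assets_unseen(unseen))
```

Running the script reports 10.0.3.77 as an undocumented device and A-004 (the backup server) as an ePHI-handling asset the scan did not reach; both lists are the gaps the risk analysis needs to close.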

The NIST Cybersecurity Framework can be leveraged to assist with the creation of an IT asset inventory. NIST has also produced guidance on IT asset management in its Cybersecurity Practice Guide, Special Publication 1800-5. The HHS Security Risk Assessment Tool can also help with IT asset management. It includes inventory capabilities that allow for manual entry or bulk loading of asset information with respect to ePHI.

The post OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory appeared first on HIPAA Journal.