Latest HIPAA News

‘SweynTooth’ Vulnerabilities in Bluetooth Low Energy Chips Affect Many Medical Devices

A group of 12 vulnerabilities dubbed SweynTooth have been identified by researchers at the Singapore University of Technology and Design which are present in the Bluetooth Low Energy (BLE) chips manufactured by at least 7 companies.

BLE chips are used in smart home devices, fitness trackers, wearable health devices, and medical devices and give them their wireless connectivity. BLE chips with the SweynTooth vulnerabilities are used in insulin pumps, pacemakers, and blood glucose monitors as well as hospital equipment such as ultrasound machines and patient monitors.

It is not yet known exactly how many medical devices and wearable health devices are impacted by the flaws as manufacturers obtain their BLE chips from several sources. Some security researchers believe millions of medical devices could be vulnerable. BLE chips are used in around 500 different products. Hundreds of millions of devices could be affected.

The vulnerabilities are present in BLE chips manufactured by Cypress, Dialog Semiconductors, Microchip, NXP Semiconductors, STMicroelectronics, Texas Instruments, and Telink Semiconductor. The vulnerabilities have been assigned CVSS v3 base scores ranging from 6.1-6.9 out of 10.

Seven of the vulnerabilities could be exploited to crash vulnerable devices, which would stop the devices communicating and may cause them to stop working entirely. Four vulnerabilities could be exploited to deadlock devices, causing them to freeze and stop functioning correctly. One vulnerability could result in a security bypass which would allow an attacker to gain access to device functions that are usually only accessible by an authorized device administrator. The flaws can be exploited remotely by an attacker, although only if the attacker is within radio range of a vulnerable device. The range of BLE varies from device to device, with a maximum range of less than 100 m (328 ft).

Both the U.S. Food and Drug Administration (FDA) and the Department of Homeland Security’s Cybersecurity Infrastructure and Security Agency (CISA) have issued alerts about the vulnerabilities this week. The FDA explained that affected device manufacturers have been notified about the flaws and are assessing which devices are affected. Mitigations are being developed that can be implemented to reduce the risk of exploitation until patches are released to correct the flaws.

Cypress, NXP, Texas Instruments, and Telink have already released patches to correct the flaws. Dialog has issued two patches, with the remaining patches scheduled to be released by the end of March 2020. Currently, patches have yet to be released by Microchip and STMicroelectronics.

The FDA has advised BLE chip and device manufacturers to conduct risk assessments to determine the potential impact of the flaws. Healthcare providers have been advised to contact the manufacturers of their devices to find out if they are affected, and the actions they need to take to reduce the risk of exploitation. Patients have been advised to monitor their devices for abnormal behavior and to seek medical help immediately if they feel their medical devices are not functioning correctly.

The post ‘SweynTooth’ Vulnerabilities in Bluetooth Low Energy Chips Affect Many Medical Devices appeared first on HIPAA Journal.

HHS’ Office for Civil Rights Announces First HIPAA Penalty of 2020

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first HIPAA penalty of 2020. The practice of Steven A. Porter, M.D., has agreed to pay a financial penalty of $100,000 to resolve potential violations of the HIPAA Security Rule and will adopt a corrective action plan to address all areas of noncompliance discovered during the compliance investigation.

Dr. Porter’s practice in Ogden, UT provides gastroenterological services to more than 3,000 patients. OCR launched an investigation following a report of a data breach on November 13, 2013. The breach concerned a business associate of Dr. Porter’s electronic health record (EHR) company, which was allegedly impermissibly using patients’ electronic medical records by blocking the practice’s access to ePHI until Dr. Porter paid the company $50,000.

The breach investigation uncovered serious violations of the HIPAA Security Rule at the practice. At the time of the audit, Dr. Porter had never conducted a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(i); the practice had not reduced risks to a reasonable and appropriate level; and it had not implemented policies and procedures to prevent, detect, contain, and correct security violations.

Since at least 2013, the practice had allowed Dr. Porter’s EHR company to create, receive, maintain, or transmit ePHI on behalf of the practice, without first receiving satisfactory assurances that the company would implement safeguards to ensure the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(b).

Throughout the course of the investigation, OCR provided significant technical assistance, yet a risk analysis was not conducted after the breach and appropriate security measures were not implemented to reduce risks to a reasonable and appropriate level.

The financial penalty shows that healthcare providers of all sizes must take their responsibilities under HIPAA seriously. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry,” said OCR Director, Roger Severino.


IT Weaknesses at the National Institutes of Health Placed EHR Data at Risk

An audit of the National Institutes of Health (NIH) conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed technology control weaknesses in the NIH electronic medical records system and IT systems that placed the protected health information of patients at risk.

NIH received $5 million in congressional appropriations in FY 2019 to conduct oversight of NIH grant programs and operations. Congress wanted to ensure that cybersecurity controls had been put in place to protect sensitive data and determine whether NIH was in compliance with Federal regulations.

The audit was conducted on July 16, 2019 by CliftonLarsonAllen LLP (CLA) on behalf of OIG to determine the effectiveness of certain NIH information technology controls and to assess how NIH receives, processes, stores, and transmits Electronic Health Records (EHR) within its Clinical Research Information System (CRIS), which contained the EHRs of patients of the NIH Clinical Center.

NIH has approximately 1,300 physicians, dentists and PhD researchers, 830 nurses, and around 730 allied healthcare professionals. In 2018, the Clinical Center had more than 9,700 new patients, over 4,500 inpatient admissions, and over 95,000 outpatient visits.

CLA found NIH had implemented controls to ensure the confidentiality, integrity, and availability of health data contained in its EHR and information systems, but those measures were not working effectively. Consequently, data in its EHR system and information systems could potentially have been accessed by unauthorized individuals and data was at risk of impermissible disclosure, disruption, modification, and destruction.

The National Institute of Standards and Technology (NIST) recommends primary and alternate EHR processing sites should be geographically separated. The geographical separation reduces the risk of unintended interruptions and helps to ensure critical operations can be recovered when prolonged interruptions occur. OIG found the primary and alternate sites were located in adjacent buildings on the NIH campus. If a catastrophic event had occurred, there was a high risk of both sites being affected.

The hardware supporting the EHR system was either approaching end of life or was on extended support. Four servers were running a Windows operating system that Microsoft had stopped supporting in 2015. NIH had paid for extended support which ran until January 2020, but OIG found there was no effective transition plan. OIG also found that NIH was not deactivating user accounts in a timely manner when employees were terminated or otherwise left NIH. Of the user accounts that had been inactive for more than 365 days, 19 out of 26 had not been deactivated; the accounts of 9 out of 61 terminated users were still active; and 3 out of 25 new CRIS users had changed their permissions without a form being completed justifying the change.

NIH informed CLA that it had delayed software upgrades until system upgrades were completed. NIH was in the process of upgrading its hardware at the time of fieldwork in anticipation of upgrades to CRIS. Software updates were due to be performed after the hardware upgrade had been completed.

NIH had implemented an automated tool to scan for inactive accounts and delete them, but the tool had not been fully implemented at the time of fieldwork. There were issues with the tool, such as problems tracking individuals who changed departments.
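The three account-management findings above (stale accounts, terminated users still enabled, unapproved permission changes) can be checked from a user export and an HR roster. This is an added example, not NIH's tool or anything from the OIG report; the field names and sample records are constructed, and the department-transfer case that tripped the NIH tool is handled by treating a person as terminated only when they hold no open HR record.

```python
"""Stale-account review over a constructed user export and HR roster.

Added example (not NIH tooling or part of the OIG audit). Flags accounts
inactive for more than 365 days, accounts of terminated users that are
still enabled, and permission changes without a signed approval form.
A department transfer leaves one closed and one open HR record, so it is
not mistaken for a termination.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

INACTIVE_DAYS = 365  # the threshold the audit applied


@dataclass
class Account:
    user: str
    enabled: bool
    last_logon: Optional[date]   # None means the account never logged on
    permission_changes: int      # role changes recorded on the account
    approved_changes: int        # signed justification forms on file


@dataclass
class HrRecord:
    user: str
    department: str
    active: bool                 # False once the person leaves that department


def employment_status(user: str, hr: List[HrRecord]) -> str:
    recs = [r for r in hr if r.user == user]
    if not recs:
        return "unknown"
    # Only a person with no open record anywhere has actually left.
    return "active" if any(r.active for r in recs) else "terminated"


def is_inactive(acct: Account, as_of: date, limit: int = INACTIVE_DAYS) -> bool:
    if not acct.enabled:
        return False                      # already deactivated, nothing to flag
    if acct.last_logon is None:
        return True                       # never used since creation
    return (as_of - acct.last_logon).days > limit


def review(accounts: List[Account], hr: List[HrRecord], as_of: date) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = {
        "inactive": [],
        "terminated_still_enabled": [],
        "unapproved_permission_change": [],
        "not_in_hr": [],
    }
    for a in accounts:
        status = employment_status(a.user, hr)
        if a.enabled and status == "unknown":
            findings["not_in_hr"].append(a.user)
        if a.enabled and status == "terminated":
            findings["terminated_still_enabled"].append(a.user)
        if is_inactive(a, as_of):
            findings["inactive"].append(a.user)
        if a.permission_changes > a.approved_changes:
            findings["unapproved_permission_change"].append(a.user)
    return findings


# Constructed sample data; the as-of date is the audit's fieldwork date.
AS_OF = date(2019, 7, 16)
ACCOUNTS = [
    Account("alice", True, date(2019, 7, 1), 1, 1),
    Account("bob", True, date(2018, 1, 10), 0, 0),      # >365 days idle
    Account("carol", True, date(2019, 6, 30), 0, 0),    # terminated, still enabled
    Account("dave", False, date(2017, 1, 1), 0, 0),     # terminated, correctly disabled
    Account("erin", True, date(2019, 7, 10), 0, 0),     # transferred departments
    Account("frank", True, date(2019, 7, 2), 2, 1),     # one change with no form
    Account("grace", True, None, 0, 0),                 # never logged on
    Account("heidi", True, date(2019, 7, 5), 0, 0),     # no HR record at all
]
HR = [
    HrRecord("alice", "Cardiology", True),
    HrRecord("bob", "Radiology", True),
    HrRecord("carol", "Oncology", False),
    HrRecord("dave", "Pathology", False),
    HrRecord("erin", "Radiology", False),
    HrRecord("erin", "Cardiology", True),
    HrRecord("frank", "Pharmacy", True),
    HrRecord("grace", "Nursing", True),
]

if __name__ == "__main__":
    for category, users in review(ACCOUNTS, HR, AS_OF).items():
        print(f"{category}: {users}")
```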

OIG recommended implementing an alternate processing site in a geographically distinct location and taking action to mitigate the risks associated with the current alternate site until the new site is established. Policies and procedures should be implemented to ensure that software is upgraded prior to end of life, and NIH must ensure that its automated tool is functioning as intended. NIH concurred with all recommendations and has described the actions that have been and will be taken to ensure the recommendations are implemented.


NIST Publishes Roadmap for Regional Alliances and Partnerships to Build the Cybersecurity Workforce

The National Institute of Standards and Technology (NIST) has published a cybersecurity education and development roadmap based on data from five pilot Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) Cybersecurity Education and Workforce Development programs.

There is currently a global shortage of cybersecurity professionals and the problem is getting worse. Data from CyberSeek.org shows that between September 2017 and August 2018, 313,735 cybersecurity positions were open, and figures from the 2017 Global Information Security Workforce Study indicate that by 2022, 1.8 million cybersecurity professionals will be required to fill open positions.

To help address the shortfall, the National Initiative for Cybersecurity Education (NICE), led by NIST, provided funding for the pilot programs in September 2016. The RAMPS cybersecurity education and development pilot programs were concerned with “energizing and promoting a robust network and ecosystem of cybersecurity education, training, and workforce development.”

The pilot programs involved forming regional alliances through which the workforce needs of businesses and non-profit organizations become better aligned with the learning objectives of education and training providers, the pipeline of students pursuing cybersecurity careers is enlarged, more Americans are trained and moved into middle-class jobs in cybersecurity, and support is provided for local economic development to stimulate job growth.

The main focus of the programs is bringing together employers with cybersecurity skill shortages and educators who can help to develop a skilled workforce to meet industry needs.

The pilot programs were run by: Arizona Statewide Cyber Workforce Consortium, Cincinnati-Dayton Cyber Corridor, the Cyber Prep Program in Southern Colorado, the Hampton Roads Cybersecurity Education, Workforce and Economic Development Alliance in Southeast Virginia, and the Partnership to Advance Cybersecurity Education and Training in New York City and the Capital District.

Each of the pilot programs adopted a different approach to address the shortage of skilled cybersecurity workers in their respective regions. Some of the common challenges faced by each program were employers that were unsure of their cybersecurity needs, a disconnect between workforce supply and demand, a lack of coordination between the resources for education and workforce development programs, and the difficulty of retaining skilled cybersecurity workers in small communities.

The roadmap was created based on the successes of each program and includes guidance on how the common challenges can be addressed and the best practices and lessons learned from conducting the pilot programs.

There are four primary components necessary to build successful alliances to promote and build the cybersecurity workforce: Establishing program goals and metrics; developing strategies and tactics; measuring impact and results; and sustaining the effort. The document provides examples of each of the activities that proved successful in the pilot programs.

The document is not intended to act as a how-to guide for setting up successful regional alliances, but it will be useful to those seeking guidance on how to organize and facilitate regional efforts to improve cybersecurity education and workforce development. In order to build a successful cybersecurity education and workforce development program, local and regional experts will need to provide their input, as they will be familiar with the cybersecurity needs of their communities.

The document – A Roadmap for Successful Regional Alliances and Multistakeholder Partnerships to Build the Cybersecurity Workforce – can be downloaded from NIST (PDF).


American Medical Association Publishes Playbook Dispelling Common HIPAA Right of Access Myths

The American Medical Association (AMA) has published a new HIPAA playbook to help physicians and their practices understand the HIPAA Right of Access and ensure compliance with this important requirement of HIPAA.

Misunderstandings about the HIPAA Right of Access can result in financial penalties for noncompliance. The HHS’ Office for Civil Rights launched a new HIPAA Right of Access enforcement initiative in 2019 and has already taken action against two healthcare organizations that were not providing patients with copies of their medical records in a timely manner. Both cases started with a single complaint from a patient who was not provided with a copy of the requested records and ended with an $85,000 financial penalty.

Patients need to be able to access their healthcare data to be able to make informed decisions about their own health. HIPAA gives patients the right to obtain a copy of their health records, but healthcare providers can face challenges complying with all of the legal requirements of HIPAA. These challenges, together with misunderstandings about the HIPAA Right of Access, have prevented some providers from complying with patient requests for copies of their health information.

The Patient Records Electronic Access Playbook was released to educate physicians and their practices about the need to provide patients with access to their medical records and the legal requirements related to medical record access and the sharing of records with patients.

The 104-page document is divided into four parts and covers the legal requirements of HIPAA and patient access laws and the challenges physician practices face complying with the HIPAA Right of Access. The playbook includes guidance to help physicians overcome challenges and best practices for operationalizing records access fulfillment.

The document also dispels some of the common myths about providing patients and third parties with health records, the health information that can and cannot be shared, the amount that healthcare providers can charge for providing copies of medical records, and how medical records must be provided.

The playbook explains that even when patient portals are in use, compliance with the HIPAA Right of Access is far from guaranteed. Patient portals do not typically allow patients to access all of their health information, and copies of medical records will still need to be provided to patients. AMA recommends giving patients the opportunity to access their health data over several different media. The playbook also covers providing health records to third parties at the request of a patient and requests originating from third parties, which are two aspects of the HIPAA Right of Access that have caused confusion for many physician practices.

AMA says in the playbook that healthcare providers need to learn about the capabilities of their EHRs, and discover how patient records can be sent to other healthcare providers, how information can be fed into patient portals, and how to export patient records to USB drives or CDs.

Healthcare providers should also actively encourage patients to take a greater interest in their healthcare and obtain a copy of their health records and check those records for errors. “Most importantly, encourage each patient to use apps and access to health information to become an active champion of his or her health,” says AMA. “Patients can better manage their health by understanding and managing all of their health information.”


January 2020 Healthcare Data Breach Report

In January, healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights at a rate of more than one a day.

As our 2019 Healthcare Data Breach Report showed, 2019 was a particularly bad year for healthcare data breaches with 510 data breaches reported by HIPAA-covered entities and their business associates. That equates to a rate of 42.5 data breaches per month. January’s figures are an improvement, with a reporting rate of 1.03 breaches per day. There was also a 15.78% decrease in reported breaches compared to December 2019.

[Figure: Healthcare data breaches, February 2019 to January 2020]

[Figure: Healthcare data breaches in January]

While the number of breaches was down, the number of breached records increased by 17.71% month-over-month. 462,856 healthcare records were exposed, stolen, or impermissibly disclosed across 32 reported data breaches. As the graph below shows, the severity of data breaches has increased in recent years.

Largest Healthcare Data Breaches in January 2020

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|---|
| PIH Health | CA | Healthcare Provider | 199,548 | Hacking/IT Incident | Email |
| Douglas County Hospital d/b/a Alomere Health | MN | Healthcare Provider | 49,351 | Hacking/IT Incident | Email |
| InterMed, PA | ME | Healthcare Provider | 33,000 | Hacking/IT Incident | Email |
| Fondren Orthopedic Group L.L.P. | TX | Healthcare Provider | 30,049 | Hacking/IT Incident | Network Server |
| Native American Rehabilitation Association of the Northwest, Inc. | OR | Healthcare Provider | 25,187 | Hacking/IT Incident | Email |
| Central Kansas Orthopedic Group, LLC | KS | Healthcare Provider | 17,214 | Hacking/IT Incident | Network Server |
| Hospital Sisters Health System | IL | Healthcare Provider | 16,167 | Hacking/IT Incident | Email |
| Spectrum Healthcare Partners | ME | Healthcare Provider | 11,308 | Hacking/IT Incident | Email |
| Original Medicare | MD | Health Plan | 9,965 | Unauthorized Access/Disclosure | Other |
| Lawrenceville Internal Medicine Assoc, LLC | NJ | Healthcare Provider | 8,031 | Unauthorized Access/Disclosure | Email |

Causes of January 2020 Healthcare Data Breaches

2019 saw a major increase in healthcare data breaches caused by hacking/IT incidents. In 2019, more than 59% of data breaches reported to the HHS’ Office for Civil Rights were the result of hacking, malware, ransomware, phishing attacks, and other IT security breaches.

[Figure: Causes of January 2020 healthcare data breaches]

Hacking/IT incidents continued to dominate the breach reports in January and accounted for 59.38% of all breaches reported (19 incidents). 28.13% of reported breaches were classified as unauthorized access/disclosure data breaches (9 incidents). There were two reported theft incidents, both involving physical records, and two cases of improper disposal of physical records. Ransomware attacks continue to plague the healthcare industry, but phishing attacks are by far the biggest cause of healthcare data breaches. As the above table shows, these attacks can see the PHI of tens of thousands or even hundreds of thousands of patients exposed or stolen.

Hacking/IT incidents tend to be the most damaging type of breach and involve more healthcare records than other breach types. In January, 416,275 records were breached in hacking/IT incidents. The average breach size was 21,909 records and the median breach size was 6,524 records. 26,450 records were breached as a result of unauthorized access/disclosure incidents. The average breach size was 26,450 records and the median breach size was 2,939 records.

11,284 records were stolen in theft incidents with an average breach size of 5,642 records. The two improper disposal incidents saw 2,812 records discarded without first rendering documents unreadable and undecipherable. The average breach size was 1,406 records.

[Figure: Location of breached protected health information]

Regular security awareness training for employees has been shown to reduce susceptibility to phishing attacks, but threat actors are conducting increasingly sophisticated attacks. It is often hard to distinguish a phishing email from a genuine message, especially in the case of business email compromise scams.

What is needed to block these attacks is a defense-in-depth approach, as no single technical solution will be effective at blocking all phishing attacks. Defenses should include an advanced spam filter to block phishing messages at source, a web filter to block access to websites hosting phishing kits, DMARC to identify email impersonation attacks, and multi-factor authentication to prevent compromised credentials from being used to access email accounts.

Healthcare Data Breaches by Covered Entity

Healthcare providers were the worst affected by data breaches in January with 25 reported breaches of 500 or more healthcare records. Five breaches were reported by health plans, and two breaches were reported by business associates of HIPAA-covered entities. There were a further three data breaches reported by covered entities that had some business associate involvement.

[Figure: January 2020 healthcare data breaches by covered entity]

[Figure: January 2020 healthcare data breaches, records exposed by covered entity]

Healthcare Data Breaches by State

HIPAA covered entities and business associates in 23 states reported data breaches in January. California and Texas were the worst affected with three reported breaches in each state. There were two breaches reported in each of Florida, Illinois, Maine, Minnesota, and New York, and one breach was reported in each of Alabama, Arizona, Colorado, Connecticut, Georgia, Iowa, Indiana, Kansas, Maryland, Michigan, North Carolina, New Jersey, Oregon, Pennsylvania, South Carolina, and Virginia.

HIPAA Enforcement in January 2020

There were no financial penalties imposed on HIPAA covered entities or business associates by the HHS’ Office for Civil Rights or state attorneys general in January.

There was a notable increase in the number of lawsuits filed against healthcare organizations that have experienced data breaches related to phishing and ransomware attacks.

January saw a lawsuit filed against Health Quest over a July 2018 phishing attack, Tidelands Health is being sued over a December 2019 ransomware attack, and a second lawsuit was filed against DCH Health System over a malware attack involving the Emotet and TrickBot Trojans that occurred in October 2019. These lawsuits follow legal action against Kalispell Regional Healthcare and Solara Medical Supplies in December.

The trend has continued in February with several law firms racing to be the first to file lawsuits against PIH Health in California over a 2019 phishing attack that exposed the data of more than 200,000 individuals.

These lawsuits may cite HIPAA violations, but since there is no private cause of action under HIPAA, legal action is taken over violations of state laws.


Alarming Number of Medical Devices Vulnerable to Exploits Such as BlueKeep

The healthcare industry is digitizing business management and data management processes and is adopting new technology to improve efficiency and cut costs, but that technology, in many cases, has been added to infrastructure, processes, and software from a different era and as a result, many vulnerabilities are introduced.

The healthcare industry is being targeted by cybercriminals who are looking for any chink in the armor to conduct their attacks, and many of those attacks are succeeding. The healthcare industry is the most targeted industry sector, and one-third of data breaches in the United States happen in hospitals.

According to the recently published 2020 Healthcare Security Vision Report from CyberMDX almost 30% of healthcare delivery organizations (HDOs) have experienced a data breach in the past 12 months, clearly demonstrating that the healthcare industry is struggling to address vulnerabilities and block cyberattacks.

Part of the reason is the number of difficult-to-secure devices that connect to healthcare networks. The attack surface is huge. It has been estimated that globally there are around 450 million medical devices connected to healthcare networks and 30% of those devices are in the United States. That equates to around 19,300 connected medical devices and clinical assets per hospital in the United States. It is not uncommon for large hospitals to have more than 100,000 connected devices. On average, one in 10 devices on hospital networks are medical devices.

The report reveals 80% of device makers and HDOs say medical devices are difficult to secure due to a lack of knowledge on how to secure them, a lack of training on secure coding practices, and pressure to meet product deadlines.

71% of HDOs say they do not have a comprehensive cybersecurity program that includes medical devices, and 56% believe there will be a cyberattack on their medical devices in the next 12 months. That figure jumps to 58% when you ask medical device manufacturers. Even if an attack occurred, only 18% of HDOs say they are confident that they would be able to detect such an attack.

45% of Medical Devices Vulnerable to Flaws Such as BlueKeep

CyberMDX’s analysis revealed 61% of medical devices are exposed to some degree of cyber risk. 15% are exposed to BlueKeep flaws, 25% are exposed to DejaBlue flaws, and 55% of imaging devices run on outdated software that is vulnerable to exploits such as BlueKeep and DejaBlue. Overall, around 22% of Windows devices on hospital networks are vulnerable to BlueKeep.

BlueKeep and DejaBlue are vulnerabilities that can be exploited via Remote Desktop Protocol (RDP). The flaws can be exploited remotely and allow an attacker to take full control of vulnerable devices. BlueKeep is also wormable, so malware could be created that could spread to other vulnerable devices on a network with no user interaction required.

BlueKeep affects older Windows versions – Windows XP to Windows 7 and Windows Server 2003 to 2008 R2 – but many medical devices run on those older operating systems and have not been updated to protect against exploitation. DejaBlue affects Windows 7 and later versions.

Even Linux-based operating systems are vulnerable. Approximately 15% of connected hospital assets and 30% of medical devices are vulnerable to a flaw known as SACK Panic. It has been estimated that around 45% of medical devices are vulnerable to at least one flaw.
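Triage of the Windows exposure described above can be done from a device inventory, which is also the first thing the report says HDOs lack. This is an added example, not code from CyberMDX or the report; the OS ranges follow the report's wording (BlueKeep: Windows XP through Windows 7 and Server 2003 through 2008 R2; DejaBlue: Windows 7 and later, extended here to Server 2008 R2 and later as an assumption), the inventory rows are constructed, and a device is counted as exposed only when RDP is actually listening and the relevant patch is absent. Linux/SACK Panic is left out because the page gives no kernel versions to key on.

```python
"""Triage of a Windows device inventory for RDP-exposed BlueKeep/DejaBlue risk.

Added example (not from the CyberMDX report). OS ranges follow the report's
description; the server-side DejaBlue range is an assumption. Inventory rows
are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Ordered so "XP to 7" and "7 and later" can be expressed as range checks.
CLIENT_ORDER = ["windows xp", "windows vista", "windows 7", "windows 8.1", "windows 10"]
SERVER_ORDER = ["windows server 2003", "windows server 2008", "windows server 2008 r2",
                "windows server 2012", "windows server 2012 r2", "windows server 2016",
                "windows server 2019"]


def _between(order: List[str], name: str, lo: str, hi: str) -> bool:
    if name not in order:
        return False
    return order.index(lo) <= order.index(name) <= order.index(hi)


def affected_by_bluekeep(os_name: str) -> bool:
    n = os_name.lower()
    return (_between(CLIENT_ORDER, n, "windows xp", "windows 7")
            or _between(SERVER_ORDER, n, "windows server 2003", "windows server 2008 r2"))


def affected_by_dejablue(os_name: str) -> bool:
    n = os_name.lower()
    return (_between(CLIENT_ORDER, n, "windows 7", CLIENT_ORDER[-1])
            or _between(SERVER_ORDER, n, "windows server 2008 r2", SERVER_ORDER[-1]))


@dataclass
class Device:
    host: str
    os: str
    rdp_listening: bool              # TCP/3389 open on the device
    patched: Set[str] = field(default_factory=set)  # "bluekeep", "dejablue"
    internet_reachable: bool = False  # sits in a segment with a path to the internet


def exposures(d: Device) -> Set[str]:
    """Flaws reachable on this device: affected OS, unpatched, and RDP listening."""
    out: Set[str] = set()
    if not d.rdp_listening:
        return out  # the vulnerable code may be present, but there is no RDP path to it
    if affected_by_bluekeep(d.os) and "bluekeep" not in d.patched:
        out.add("bluekeep")
    if affected_by_dejablue(d.os) and "dejablue" not in d.patched:
        out.add("dejablue")
    return out


def summarize(devices: List[Device]) -> Dict[str, float]:
    """Exposure rates across the fleet plus patch coverage on BlueKeep-affected hosts."""
    n = len(devices)
    bk = sum(1 for d in devices if "bluekeep" in exposures(d))
    dj = sum(1 for d in devices if "dejablue" in exposures(d))
    affected = [d for d in devices if affected_by_bluekeep(d.os)]
    patched = sum(1 for d in affected if "bluekeep" in d.patched)
    coverage = round(100 * patched / len(affected), 1) if affected else 100.0
    return {"bluekeep_exposed_pct": round(100 * bk / n, 1),
            "dejablue_exposed_pct": round(100 * dj / n, 1),
            "bluekeep_patch_coverage_pct": coverage}


def prioritized(devices: List[Device]) -> List[Device]:
    """Work order: internet-reachable first, then most exposures, then by hostname."""
    exposed = [d for d in devices if exposures(d)]
    return sorted(exposed, key=lambda d: (not d.internet_reachable, -len(exposures(d)), d.host))


# Constructed inventory.
INVENTORY = [
    Device("mri-console-01", "Windows XP", True),
    Device("infusion-gw-02", "Windows 7", True, {"bluekeep"}, internet_reachable=True),
    Device("pacs-srv-01", "Windows Server 2008 R2", True, internet_reachable=True),
    Device("ultrasound-03", "Windows 7", False),          # RDP off: no exposure counted
    Device("nurse-ws-11", "Windows 10", True, {"dejablue"}),
    Device("lab-srv-04", "Windows Server 2012", True),
]

if __name__ == "__main__":
    print(summarize(INVENTORY))
    for d in prioritized(INVENTORY):
        print(d.host, sorted(exposures(d)))
```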

Prompt Patching is Critical, But That’s Not Straightforward

CyberMDX’s research found that 11% of HDOs don’t patch their medical devices at all, and when patches are applied, the process is slow. Four months after a vulnerability as serious as BlueKeep is discovered, an average hospital will only have patched around 40% of vulnerable devices.

The situation could actually be far worse, as the report reveals 25% of HDOs do not have a full inventory of their connected devices and an additional 13% say their inventory is unreliable. 36% do not have a formal BYOD policy and CyberMDX says a typical hospital has lost track of around 30% of its connected devices.

Patching medical devices is no easy task. “Where vulnerabilities concern unmanaged devices, there is no easy way to identify the relevant patch level for each device and no way to centrally push patches (through the active directory and SCCM) to devices distributed throughout the organization,” explained CyberMDX. “For these devices, technicians must individually investigate and manually attend the affected devices.”

Alarmingly, even though medical devices are vulnerable to attack, a majority of HDOs neglect granular network segmentation or segment their networks for reasons other than security, so when network segmentation is used, segments contain a variety of different devices with some connections open to the internet.

If flaws are exploited, many HDOs would struggle to detect an attack. More than a third of HDOs do not continuously monitor their connected devices and a further 21% identify, profile, and monitor their devices manually.

So, What is the Solution?

Improving the security of medical devices is no easy task, as CyberMDX explains. It requires “continuous review of configuration practices, segmentation, network restrictions, appropriate use, credential management, vulnerability monitoring, patching & updating, lifecycle management, recall tracking, access and role controls, compliance assurance, pen testing, live context-aware traffic monitoring & analysis, oversight of partner and third-party security practices, and more.” Further, “If you don’t know what devices you have networked, you won’t be able to understand their individual attack vectors.”

Improving security is certainly a daunting task, but the goal is not to make your organization 100% secure, as that would be an impossible goal. The aim should be to address the most important issues and to significantly reduce the attack surface.

“By more clearly defining lifecycle-wide security responsibilities and expectations with your vendors, by restricting functionally unnecessary in-VLAN communications, by investing in staff-wide cyber training, by normalizing basic network hygiene practices (like password and access management, patching & updating, etc.), and by tweaking security policies (at the NAC or firewall level) specifically for monitors, infusion pumps, and patient tracking devices, you can dramatically shrink your attack surface in short order,” suggest CyberMDX.


OIG Audit Reveals Widespread Improper Use of Medicare Part D Eligibility Verification Transactions

An audit conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed many pharmacies and other healthcare providers are improperly using Medicare beneficiaries’ data.

OIG conducted the audit at the request of the HHS’ Centers for Medicare and Medicaid Services (CMS) to determine whether there was inappropriate access and use of Medicare recipients’ data by mail-order and retail pharmacies and other healthcare providers, such as doctors’ offices, clinics, long-term care facilities, and hospitals.

CMS was concerned that a mail-order pharmacy and other healthcare providers were misusing Medicare Part D Eligibility Verification Transactions (E1 transactions), which should only be used to verify Medicare recipients’ eligibility for certain coverage benefits.

OIG conducted the audit to determine whether E1 transactions were only being used for their intended purpose. Since E1 transactions contain Medicare beneficiaries’ protected health information (PHI), they could potentially be used for fraud or other malicious or inappropriate purposes.

An E1 transaction consists of two parts – a request and a response. The healthcare provider submits an E1 request that contains an NCPDP provider ID number or NPI, along with basic patient demographic data. The request is forwarded on to the transaction facilitator, which matches the E1 request data with the data contained in the CMS Eligibility file. A response is then issued, which contains the beneficiary’s Part D coverage information.

The audit was conducted on one mail-order pharmacy and 29 providers selected by CMS. Out of 30 entities audited, 25 used E1 transactions for a purpose other than billing for prescriptions or to determine drug coverage order when beneficiaries are covered by more than one insurance plan. 98% of those 25 providers’ E1 transactions were not associated with prescriptions.

OIG found providers were obtaining coverage information for beneficiaries without prescriptions, E1 transactions were being used to evaluate marketing leads, some providers had allowed marketing companies to submit E1 transactions for marketing purposes, providers were obtaining information about private insurance coverage for items not covered under Part D, long-term care facilities had obtained Part D coverage information using batch transactions, and E1 transactions had been submitted by 2 non-pharmacy providers.

E1 transactions are covered transactions under HIPAA: PHI must be protected against unauthorized access while it is being electronically stored or transmitted between covered entities, and the minimum necessary standard applies. The findings suggest HIPAA is being violated and that this could well be a nationwide problem. Based on the findings of the audit and the apparent widespread improper access and use of PHI, OIG will be expanding the audits nationwide.

OIG believes these issues have arisen because CMS has not yet fully implemented controls to monitor providers who are submitting high numbers of E1 transactions relative to prescriptions provided; CMS has yet to issue clear guidance that E1 transactions must not be used for marketing purposes; and CMS has not limited non-pharmacy access.

Following the audit, CMS took further steps to monitor for abuse of the eligibility verification system and will be taking appropriate enforcement actions when cases of misuse are discovered. OIG has recommended CMS issue clear guidance on E1 transactions and ensure that only pharmacies and other authorized entities submit E1 transactions.
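The monitoring control OIG says CMS has not fully implemented (providers submitting high numbers of E1 transactions relative to prescriptions, non-pharmacy submitters, batch submissions) can be sketched as a simple detection pass over request logs. This is an added example, not code from OIG, CMS or HIPAA Journal; the NPI values, provider categories and thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (not from the OIG audit). A real monitor would read
# E1 requests from the transaction facilitator's logs and prescription counts
# from the corresponding claims feed; the NPIs below are placeholders.
@dataclass(frozen=True)
class E1Request:
    npi: str            # submitting provider's NPI (placeholder)
    provider_type: str  # assumed category, e.g. "pharmacy" or "physician"
    batch: bool         # True if the request arrived in a batch file

def _requests(npi, ptype, count, batch=False):
    return [E1Request(npi, ptype, batch) for _ in range(count)]

E1_REQUESTS = (
    _requests("NPI-PHARMACY-A", "pharmacy", 50)                  # 50 checks, 48 scripts
    + _requests("NPI-PHARMACY-B", "mail-order pharmacy", 100)    # 100 checks, 2 scripts
    + _requests("NPI-PHYSICIAN-C", "physician", 5)               # non-pharmacy submitter
    + _requests("NPI-LTC-D", "long-term care", 30, batch=True)   # batch, no scripts
)
# NPI -> prescriptions billed in the same period (constructed)
PRESCRIPTION_CLAIMS = {"NPI-PHARMACY-A": 48, "NPI-PHARMACY-B": 2}

# Assumed: only pharmacies are authorized E1 submitters.
AUTHORIZED_TYPES = {"pharmacy", "mail-order pharmacy"}

def flag_providers(requests, claims, max_ratio=3.0, min_requests=20):
    """Return {npi: [reasons]} for submitters whose E1 usage is inconsistent
    with eligibility checks tied to actual prescriptions.
    max_ratio and min_requests are assumed thresholds, not CMS policy."""
    counts = defaultdict(int)
    batch_counts = defaultdict(int)
    types = {}
    for req in requests:
        counts[req.npi] += 1
        batch_counts[req.npi] += int(req.batch)
        types[req.npi] = req.provider_type
    findings = {}
    for npi, n in counts.items():
        reasons = []
        if types[npi] not in AUTHORIZED_TYPES:
            reasons.append("non-pharmacy submitter")
        rx = claims.get(npi, 0)
        # Only judge the ratio once there is enough volume to be meaningful.
        if n >= min_requests and (rx == 0 or n / rx > max_ratio):
            reasons.append(f"{n} E1 requests vs {rx} prescriptions")
        if batch_counts[npi]:
            reasons.append(f"{batch_counts[npi]} batch-submitted requests")
        if reasons:
            findings[npi] = reasons
    return findings

if __name__ == "__main__":
    for npi, reasons in flag_providers(E1_REQUESTS, PRESCRIPTION_CLAIMS).items():
        print(npi, "->", "; ".join(reasons))
```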

The post OIG Audit Reveals Widespread Improper Use of Medicare Part D Eligibility Verification Transactions appeared first on HIPAA Journal.

2019 Healthcare Data Breach Report

Figures from the Department of Health and Human Services’ Office for Civil Rights breach portal show a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, which represents a 196% increase from 2018.

As the graph below shows, aside from 2015, healthcare data breaches have increased every year since the HHS’ Office for Civil Rights first started publishing breach summaries in October 2009.

37.47% more records were breached in 2019 than 2018, increasing from 13,947,909 records in 2018 to 41,335,889 records in 2019.

Last year saw more data breaches reported than any other year in history and 2019 was the second worst year in terms of the number of breached records. More healthcare records were breached in 2019 than in the six years from 2009 to 2014. In 2019, the healthcare records of 12.55% of the population of the United States were exposed, impermissibly disclosed, or stolen.

Largest Healthcare Data Breaches of 2019

The table below shows the largest healthcare data breaches of 2019, based on the entity that reported the breach.

| Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|---|
| 1 | Optum360, LLC | Business Associate | 11,500,000 | Hacking/IT Incident | Network Server |
| 2 | Laboratory Corporation of America Holdings dba LabCorp | Healthcare Provider | 10,251,784 | Hacking/IT Incident | Network Server |
| 3 | Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. | Health Plan | 2,964,778 | Hacking/IT Incident | Network Server |
| 4 | Clinical Pathology Laboratories, Inc. | Healthcare Provider | 1,733,836 | Unauthorized Access/Disclosure | Network Server |
| 5 | Inmediata Health Group, Corp. | Healthcare Clearing House | 1,565,338 | Unauthorized Access/Disclosure | Network Server |
| 6 | UW Medicine | Healthcare Provider | 973,024 | Hacking/IT Incident | Network Server |
| 7 | Women’s Care Florida, LLC | Healthcare Provider | 528,188 | Hacking/IT Incident | Network Server |
| 8 | CareCentrix, Inc. | Healthcare Provider | 467,621 | Hacking/IT Incident | Network Server |
| 9 | Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico | Healthcare Provider | 439,753 | Hacking/IT Incident | Network Server |
| 10 | BioReference Laboratories Inc. | Healthcare Provider | 425,749 | Hacking/IT Incident | Other |
| 11 | Bayamon Medical Center Corp. | Healthcare Provider | 422,496 | Hacking/IT Incident | Network Server |
| 12 | Memphis Pathology Laboratory d/b/a American Esoteric Laboratories | Healthcare Provider | 409,789 | Unauthorized Access/Disclosure | Network Server |
| 13 | Sunrise Medical Laboratories, Inc. | Healthcare Provider | 401,901 | Hacking/IT Incident | Network Server |
| 14 | Columbia Surgical Specialist of Spokane | Healthcare Provider | 400,000 | Hacking/IT Incident | Network Server |
| 15 | Sarrell Dental | Healthcare Provider | 391,472 | Hacking/IT Incident | Network Server |
| 16 | UConn Health | Healthcare Provider | 326,629 | Hacking/IT Incident | Email |
| 17 | Premier Family Medical | Healthcare Provider | 320,000 | Hacking/IT Incident | Network Server |
| 18 | Metro Santurce, Inc. d/b/a Hospital Pavia Santurce and Metro Hato Rey, Inc. d/b/a Hospital Pavia Hato Rey | Healthcare Provider | 305,737 | Hacking/IT Incident | Network Server |
| 19 | Navicent Health, Inc. | Healthcare Provider | 278,016 | Hacking/IT Incident | Email |
| 20 | ZOLL Services LLC | Healthcare Provider | 277,319 | Hacking/IT Incident | Network Server |

The above table does not tell the full story. When a business associate experiences a data breach, it is not always reported by the business associate. Sometimes a breach is experienced by a business associate and the covered entities that they work with report the breaches separately, as was the case with American Medical Collection Agency (AMCA), a collection agency used by several HIPAA covered entities.

In 2019, hackers gained access to AMCA systems and stole sensitive client data. The breach was the second largest healthcare data breach ever reported, with only the Anthem Inc. data breach of 2015 having impacted more individuals.

HIPAA Journal tracked the breach reports submitted to OCR by each affected covered entity. At least 24 organizations are known to have had data exposed/stolen as a result of the hack.

Organizations Affected by the 2019 AMCA Data Breach

| Healthcare Organization | Confirmed Victim Count |
|---|---|
| Quest Diagnostics/Optum360 | 11,500,000 |
| LabCorp | 10,251,784 |
| Clinical Pathology Associates | 1,733,836 |
| Carecentrix | 467,621 |
| BioReference Laboratories/Opko Health | 425,749 |
| American Esoteric Laboratories | 409,789 |
| Sunrise Medical Laboratories | 401,901 |
| Inform Diagnostics | 173,617 |
| CBLPath Inc. | 141,956 |
| Laboratory Medicine Consultants | 140,590 |
| Wisconsin Diagnostic Laboratories | 114,985 |
| CompuNet Clinical Laboratories | 111,555 |
| Austin Pathology Associates | 43,676 |
| Mount Sinai Hospital | 33,730 |
| Integrated Regional Laboratories | 29,644 |
| Penobscot Community Health Center | 13,299 |
| Pathology Solutions | 13,270 |
| West Hills Hospital and Medical Center / United WestLabs | 10,650 |
| Seacoast Pathology, Inc | 8,992 |
| Arizona Dermatopathology | 5,903 |
| Laboratory of Dermatology ADX, LLC | 4,082 |
| Western Pathology Consultants | 4,079 |
| Natera | 3,035 |
| South Texas Dermatopathology LLC | 15,982 |
| Total Records Breached | 26,059,725 |

Causes of 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights assigns breaches to one of five different categories:

  • Hacking/IT incidents
  • Unauthorized access/disclosures
  • Theft
  • Loss
  • Improper disposal

59.41% of healthcare data breaches in 2019 were classified as hacking/IT incidents and involved 87.60% of all breached records. 28.82% of data breaches were classed as unauthorized access/disclosure incidents and involved 11.27% of all records breached in 2019.

10.59% of breaches were classed as loss and theft incidents involving electronic devices containing unencrypted electronic protected health information or physical records. Those incidents accounted for 1.07% of breached records in 2019.

1.18% of breaches and 0.06% of breached records were due to improper disposal of physical records and devices containing electronic protected health information.

| Breach Cause | Incidents | Breached Records | Mean Breach Size | Median Breach Size |
|---|---|---|---|---|
| Hacking/IT Incident | 303 | 36,210,097 | 119,505 | 6,000 |
| Unauthorized Access/Disclosure | 147 | 4,657,932 | 31,687 | 1,950 |
| Theft | 39 | 367,508 | 9,423 | 2,477 |
| Loss | 15 | 74,271 | 4,951 | 3,135 |
| Improper Disposal | 6 | 26,081 | 4,347 | 4,177 |

We have not tracked the cause of each breach reported in 2019, but the table below provides an indication of the biggest problem area for healthcare organizations – securing email systems and blocking phishing attacks. The email incidents include misdirected emails, but the majority of email incidents were phishing and spear phishing attacks.

Healthcare Data Breaches by Covered Entity

77.65% of 2019 data breaches were reported by healthcare providers (369 incidents), 11.57% of breaches were reported by health plans (59 incidents), and 0.39% of data breaches were reported by healthcare clearinghouses (2 incidents).

23.33% of the year’s breaches involved business associates to some extent. 10.39% of data breaches were reported by business associates (53 incidents) and 66 data breaches were reported by a covered entity which stated there was some business associate involvement.

States Worst Affected by Healthcare Data Breaches

Data breaches were reported by HIPAA-covered entities or business associates in 48 states, Washington DC, and Puerto Rico. The worst affected state was Texas with 60 data breaches reported. California was the second most badly hit with 42 reported data breaches.

The only states where no data breaches of 500 or more records were reported were North Dakota and Hawaii.

| State | Breaches | State | Breaches | State | Breaches | State | Breaches | State | Breaches |
|---|---|---|---|---|---|---|---|---|---|
| Texas | 60 | Maryland | 14 | Arkansas | 9 | Alabama | 4 | Mississippi | 2 |
| California | 42 | Washington | 14 | South Carolina | 9 | Alaska | 4 | Montana | 2 |
| Illinois | 26 | Georgia | 13 | New Jersey | 8 | Iowa | 4 | South Dakota | 2 |
| New York | 25 | North Carolina | 13 | Massachusetts | 7 | Kentucky | 4 | Washington DC | 2 |
| Ohio | 25 | Tennessee | 11 | Puerto Rico | 7 | Nebraska | 4 | West Virginia | 2 |
| Minnesota | 23 | Arizona | 10 | Virginia | 7 | Oklahoma | 4 | Delaware | 1 |
| Florida | 22 | Colorado | 10 | Louisiana | 6 | Utah | 4 | Kansas | 1 |
| Pennsylvania | 19 | Connecticut | 10 | New Mexico | 6 | Wyoming | 3 | New Hampshire | 1 |
| Missouri | 17 | Indiana | 10 | Wisconsin | 6 | Idaho | 2 | Rhode Island | 1 |
| Michigan | 16 | Oregon | 10 | Nevada | 5 | Maine | 2 | Vermont | 1 |

HIPAA Enforcement in 2019

The HHS’ Office for Civil Rights continued to enforce compliance with HIPAA at a similar level to the previous three years.

In 2019, there were 10 HIPAA enforcement actions that resulted in financial penalties. 2 civil monetary penalties were imposed and 8 covered entities/business associates agreed settlements with OCR to resolve HIPAA violations.

In total, $12,274,000 was paid to OCR in fines and settlements. The largest financial penalties of the year resulted from investigations of potential HIPAA violations by University of Rochester Medical Center and Touchstone Medical Imaging. Both cases were settled for $3,000,000.

OCR uncovered multiple violations of HIPAA Rules while investigating separate loss/theft incidents reported by University of Rochester Medical Center. OCR discovered risk analysis and risk management failures, a lack of encryption on portable electronic devices, and insufficient device and media controls.

Touchstone Medical Imaging experienced a data breach that resulted in the impermissible disclosure of 307,839 individuals’ PHI due to the exposure of an FTP server over the internet. OCR investigated and determined there had been risk analysis failures, business associate agreements failures, insufficient access rights, a failure to respond to a security incident, and violations of the HIPAA Breach Notification Rule.

Sentara Hospitals agreed to a $2.175 million settlement stemming from a 577-record data breach that was reported to OCR as only affecting 8 individuals. OCR told Sentara Hospitals that the breach notification needed to be updated to include the other individuals affected by the mailing error, but Sentara Hospitals refused. OCR determined a financial penalty was appropriate for the breach notification reporting failure and the lack of a business associate agreement with one of its vendors.

A civil monetary penalty of $2.154 million was imposed on the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS). Following a data breach, OCR investigated and found a compliance program that had been in disarray for several years. The CMP resolved multiple violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

A civil monetary penalty of $1,600,000 was imposed on Texas Department of Aging and Disability Services for multiple violations of HIPAA Rules discovered during the investigation of a breach involving an exposed internal application. OCR discovered there had been risk analysis failures, access control failures, and information system activity monitoring failures, which contributed to the impermissible disclosure of 6,617 patients’ ePHI.

Medical Informatics Engineering, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. OCR determined there had been a risk analysis failure and the case was settled for $100,000. MIE also settled a multi-state action with state attorneys general over the same breach and settled that case for $900,000.

The Carroll County, GA ambulance company, West Georgia Ambulance, was investigated over the reported loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR found there had been a risk analysis failure, there was no security awareness training program for staff, and HIPAA Security Rule policies and procedures had not been implemented. The case was settled for $65,000.

There was one financial penalty for a social media HIPAA violation. Elite Dental Associates responded to patient reviews on Yelp, and in doing so impermissibly disclosed PHI. OCR determined a financial penalty was appropriate and the case was settled for $10,000.

OCR also launched a new HIPAA enforcement initiative in 2019, under which two settlements were reached with covered entities over HIPAA Right of Access failures. Korunda Medical and Bayfront Health St. Petersburg had both failed to respond to patient requests for copies of their health information within a reasonable time frame. Both covered entities settled their HIPAA violation cases with OCR for $85,000.

OCR HIPAA Settlements and Civil Monetary Penalties in 2019

HIPAA Enforcement by State Attorneys General in 2019

State attorneys general can also take action over violations of HIPAA Rules. There were three cases against covered entities and business associates in 2019. As previously mentioned, Medical Informatics Engineering settled a multi-state lawsuit and paid a financial penalty of $900,000.

A second multi-state action was settled by Premera Blue Cross. The lawsuit pertained to a 2015 hacking incident that resulted in the theft of 10.4 million records. The investigation uncovered multiple violations of HIPAA Rules and resulted in a $10 million financial penalty.

The California attorney general also took legal action over a data breach that affected 1,991 California residents. The health insurer Aetna had sent two mailings to its members in which highly sensitive information relating to HIV and Afib diagnoses was visible through the windows of the envelopes. The case was settled for $935,000.

The post 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.