Latest HIPAA News

HHS Releases Updated HIPAA Security Risk Assessment Tool

The HHS has updated its HIPAA Security Risk Assessment Tool and has added several new features that have been requested by users to improve usability.

The HIPAA Security Risk Assessment Tool was developed by the HHS Office of the National Coordinator for Health Information Technology (ONC) in collaboration with the HHS’ Office for Civil Rights.

The Security Risk Assessment Tool can help small to medium-sized healthcare organizations conduct a comprehensive, organization-wide risk assessment to identify all risks to the confidentiality, integrity, and availability of protected health information (PHI).

By using the tool, healthcare organizations will be able to identify and assess risks and vulnerabilities and use that information to improve their defenses against malware, ransomware, viruses, botnets and other types of cyberattack.

The risk assessment is a foundational element of compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. By conducting a risk assessment, healthcare organizations can identify areas where PHI may be at risk. Any risks can then be assessed, prioritized, and reduced to a reasonable and acceptable level.

Since its initial release, the tool has been updated several times to improve usability and add additional functions. The latest version of the Risk Assessment Tool – Version 3.1 – has been released to coincide with National Cybersecurity Awareness Month and includes several user-requested improvements:

  • Threat and vulnerability validation
  • Incorporation of NIST Cybersecurity Framework references
  • Improved asset and vendor management
  • Question flagging and a new Flagged Report
  • Ability to export Detailed Reports to Excel
  • Fixes for several reported bugs to improve stability

The tool can be downloaded from the HHS for Windows devices, although the latest version is not available for Mac OS.

The HHS points out that the tool is only as useful as the work that goes into conducting and documenting a risk assessment. Use of the tool does not guarantee compliance with the risk assessment requirements of the HIPAA Security Rule and will only help HIPAA-covered entities and their business associates conduct periodic risk assessments.

The post HHS Releases Updated HIPAA Security Risk Assessment Tool appeared first on HIPAA Journal.

Report Suggests Augmented Security Following a Data Breach Contributes to Increase in Patient Mortality Rate

Healthcare data breaches lead to a reduction in the quality of care provided to patients, according to a study recently published in Health Services Research.

Researchers analyzed data from Medicare Compare which details quality measures at hospitals. Data from 2012-2016 was analyzed and compared with data from the HHS’ Office for Civil Rights on data breaches of more than 500 records over the same period. The researchers analyzed data on 3,025 Medicare-certified hospitals, 311 of which had experienced a data breach.

According to the study, the time it took from a patient arriving at the hospital to an electrocardiogram being performed increased by up to 2.7 minutes at hospitals that had experienced a data breach. A ransomware attack that prevents clinicians from accessing patient data will limit their ability to provide essential medical services to patients, so a delay in conducting tests and obtaining the results is to be expected. However, the delays were found to continue for months and years after a cyberattack was experienced.

The study showed that 3-4 years after a breach had occurred there were still delays in providing electrocardiograms to patients. The waiting time for an electrocardiogram was found to be up to 2 minutes longer than before the breach occurred.

Hospitals that experienced a data breach also saw an increase in the 30‐day acute myocardial infarction mortality rate. The mortality rate at breached hospitals increased by as much as 0.36%.

The increase in mortality rate has not been attributed to the cyberattack itself, as recovery is usually possible within a few days to a few weeks of a cyberattack. The researchers suggest the delays in providing medical services following a cyberattack are due to the steps hospitals have taken to improve the security of their systems and better protect patient data, along with the increased HHS oversight that occurs after a data breach is experienced. These factors can result in a deterioration in the timeliness of care and patient outcomes.

Following a cyberattack, hospitals augment their security controls to prevent further cyberattacks from succeeding. Those measures include multi-factor authentication, stronger passwords, and other security enhancements. While these additional measures improve the security posture of hospitals and make breaches less likely to occur in the future, they can also impede clinicians.

“Over the past few years, overall improvements in AMI treatment have resulted in the 30‐day AMI mortality rate decreasing about 0.4 percentage points annually from 2012 to 2014,” wrote the researchers. “A 0.23‐0.36 percentage point increase in 30‐day AMI mortality rate after a breach effectively erases a year’s worth of improvement in the mortality rate.”

The researchers suggest hospitals should carefully evaluate the security measures they implement to prevent further breaches to ensure they do not unduly impede clinicians and negatively affect patient outcomes.

The study – Data breach remediation efforts and their implications for hospital quality – was published in the October edition of Health Services Research: DOI: 10.1111/1475-6773.13203.


Slew of HIPAA Violations Leads to $2.15 Million Civil Monetary Penalty for Jackson Health System

The Department of Health and Human Services’ Office for Civil Rights has imposed a $2.15 million civil monetary penalty against the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS), for a slew of violations of HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

In July 2015, OCR became aware of several media reports in which the PHI of a patient was impermissibly disclosed. The individual was a well-known NFL football player. Photographs of an operating room display board and schedule had also been shared on social media by a reporter. OCR launched an investigation in October 2015 and opened a compliance review in relation to the impermissible disclosure.

JHS investigated and submitted a report confirming a photograph was taken in which two patients’ PHI was visible, including the PHI of a well-known person in the community. The internal investigation revealed an employee had been accessing patient information without authorization since 2011. During that time, the employee had accessed the records of 24,188 patients without any legitimate work reason for doing so and had been selling that information.

HIPAA requires covered entities to implement policies and procedures to prevent, contain, and correct security violations – 45 C.F.R. § 164.308(a)(1) – however, before risks can be managed and reduced to a reasonable and acceptable level, a covered entity must conduct a comprehensive risk analysis – 45 C.F.R. § 164.308(a)(1)(ii)(A) – to ensure that all risks to the confidentiality, integrity, and availability of PHI are identified.

On several occasions, OCR requested documentation on risk analyses at JHS. JHS supplied documentation on internal assessments from 2009, 2012, and 2013, and risk analyses conducted by third parties in 2014, 2015, 2016, and 2017.

OCR discovered that prior to 2017, JHS had erroneously marked several aspects of the HIPAA Security Rule as non-applicable in the risk analyses. A risk analysis failure occurred in 2014 as it had failed to cover all ePHI and did not identify all risks to ePHI contained within JHS systems. JHS had also failed to provide documentation confirming measures had been implemented to reduce all risk to ePHI to a reasonable and appropriate level, even though recommendations had been made by the company that performed the 2014 risk analysis.

Similar risk analysis failures occurred in 2015. Some sections of the risk analysis conducted by a third party had not been completed, the risk analysis failed to cover all ePHI, and documentation could not be supplied confirming risk management efforts had taken place. It was a similar story in 2016, and the 2017 risk analysis was not comprehensive.

OCR investigators also discovered that reviews of information system activity, such as audit log reviews, had not been performed regularly, in violation of 45 C.F.R. § 164.308(1)(ii)(D).

OCR also determined that between July 22, 2013 and January 27, 2016, policies and procedures had not been implemented to prevent, detect, contain, and correct security violations. The HIPAA Privacy Rule had also been violated, as reasonable efforts were not made to limit certain employees’ access to PHI, which had led to unauthorized access and impermissible disclosures. Access to PHI was also not limited to the minimum necessary information, in violation of 45 C.F.R. §164.308(a)(4) and 45 C.F.R. § 164.514(d).

On multiple occasions employees had accessed records without authorization when there was no treatment relationship with a patient, and also after a treatment relationship had come to an end.

JHS had also violated the HIPAA Breach Notification Rule by failing to report a breach within 60 days of discovery in violation of 45 C.F.R. § 164.408(b). The loss of boxes of files in 2013 was not reported for 160 days. JHS also admitted that it did not have policies in place covering PHI breaches prior to October 2013.

OCR attempted to resolve the HIPAA violations via informal means, but JHS failed to comply, which led to OCR issuing a Notice of Proposed Determination. JHS waived its right to a hearing and OCR issued a Notice of Final Determination, which was not contested and JHS paid the full financial penalty of $2,154,000.

“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” explained OCR Director Roger Severino. “This hospital system’s compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media.”

This is the second financial penalty for a HIPAA covered entity to be announced this month and the fifth penalty to be issued in 2019. Earlier this month, Elite Dental Associates settled its HIPAA case with OCR for $10,000 following disclosures of patients’ PHI on the Yelp review site.

Settlements were also agreed with Bayfront Health St Petersburg ($85,000), Medical Informatics Engineering ($100,000), and Touchstone Medical Imaging ($3,000,000) earlier in the year.


Sensitive Data of Millions of Patients Discovered to Be Freely Accessible Over the Internet

The sensitive health information of millions of patients has been exposed over the internet as a result of the failure of nine companies to secure their medical databases.

The exposed patient data was discovered by security researchers at WizeCase. The research team, led by Avishai Efrat, used publicly available tools to search for exposed data that could be accessed without the need for any usernames or passwords. The firm then offers to help those organizations fix their data leaks and better secure their data.

In all cases, the researchers attempted to contact the healthcare organizations concerned to advise them about the misconfigured databases to allow steps to be taken to secure the data and prevent unauthorized access, but in several cases no response was received.

The researchers contacted databreaches.net and received assistance in contacting the companies concerned. When no response was received, the researchers contacted local authorities and hosting companies for assistance. Several attempts were made to get the data secured over the space of a month before the decision was taken to go public and name the companies concerned to spur them into taking action.

The databases belonged to healthcare organizations in Brazil, Canada, France, Nigeria, Saudi Arabia, two in China, and two in the United States. Seven of the nine exposed databases were on public facing Elasticsearch servers and two were misconfigured MongoDB databases.

The databases contained a range of sensitive information including names, addresses, contact telephone numbers, email addresses, dates of birth, tax ID numbers, insurance details, employer details, occupations, diagnoses, details of medical complaints, prescription information, HIV test results, pregnancy status, lab test results, Social Security numbers, and other types of personal and health information.

The two U.S. databases belonged to DeepThink Health – formerly Jintel Health – and VScript. DeepThink Health has developed a precision intelligence platform that captures and structures clinical and genomic datasets and analyzes the data to enable precision medicine. The 2.7GB Elasticsearch database contained approximately 700,000 records. Those records contained the names and contact information of medical personnel, medical observations including details of the stages and types of cancers of patients, and cancer treatment information.

VScript is a pharmacy software firm. The researchers found an Elasticsearch server hosting 81MB of data of around 800 patients and a GoogleAPI bucket containing thousands of images of prescriptions along with the names, contact information, and dates of birth of the patients who had received them.

VScript was one of the companies that did not respond to either WizeCase or databreaches.net emails and phone calls. Databreaches.net also reached out to Google about the exposed data, but the data remained accessible even after Google had made contact. Databreaches.net notes that it is unclear whether the data belonged to VScript. The database may have been the responsibility of one of its vendors.

The other databases were owned by BioSoft in Brazil, ClearDent in Canada, the Nigeria HIV/AIDS Indicator and Impact Survey (NAIIS), Stella Prism in Saudi Arabia, Tsinghua University Clinical Medical College and Sichuan Lianhao Technology Group Co., Ltd in China, and Essibox, the French division of the international ophthalmic optics group Essilor.

“Technology is moving at a fast pace and the security systems don’t seem like they can keep up. This is especially troubling when dealing with a company that is supposed to protect sensitive user data,” explained WizeCase in a recent blog post. “Since some of these databases were created and maintained by third party companies, it is possible that the patients concerned are unaware that their data is being held and used by these companies.”

The exposure of sensitive medical data places patients at risk of blackmail, identity theft, and fraud, but many may never learn that their sensitive information has been exposed. The WizeCase researchers may not be the only individuals to have discovered the databases. It is possible that multiple individuals have stolen the databases and are using them for nefarious purposes.


September 2019 Healthcare Data Breach Report

September saw 36 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which represents a 26.53% decrease in breaches from the previous month.

1,957,168 healthcare records were compromised in those breaches, an increase of 168.11% from August. The large number of breached records is largely down to four reported incidents, each of which involved hundreds of thousands of healthcare records. Three of those incidents have been confirmed as ransomware attacks.

Largest Healthcare Data Breaches in September 2019

The largest breach of the month was due to a ransomware attack on Jacksonville, FL-based North Florida OB-GYN, part of Women’s Care of Florida. 528,188 healthcare records were potentially compromised as a result of the attack. Sarrell Dental also experienced a ransomware attack in which the records of 391,472 patients of its Alabama clinics were encrypted. 320,000 records of patients of Premier Family Medical in Utah were also potentially compromised in a ransomware attack. The University of Puerto Rico reported a network server hacking incident involving 439,753 records of Intramural Practice Plan members. The exact nature of the breach is unclear.

Those four breaches accounted for 85.80% of the healthcare records breached in September.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|
| Women’s Care Florida, LLC | Healthcare Provider | 528,188 | Hacking/IT Incident | Network Server |
| Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico | Healthcare Provider | 439,753 | Hacking/IT Incident | Network Server |
| Sarrell Dental | Healthcare Provider | 391,472 | Hacking/IT Incident | Network Server |
| Premier Family Medical | Healthcare Provider | 320,000 | Hacking/IT Incident | Network Server |
| Magellan Healthcare | Business Associate | 55,637 | Hacking/IT Incident | Email |
| CHI Health Orthopedics Clinic - Lakeside | Healthcare Provider | 48,000 | Hacking/IT Incident | Desktop Computer, Electronic Medical Record, Network Server |
| Kilgore Vision Center | Healthcare Provider | 40,000 | Hacking/IT Incident | Network Server |
| Peoples Injury Network Northwest | Healthcare Provider | 27,000 | Hacking/IT Incident | Network Server |
| Sweetser | Healthcare Provider | 22,000 | Hacking/IT Incident | Email |
| Perfect Teeth Yale, P.C. | Healthcare Provider | 15,000 | Loss | Other Portable Electronic Device |

Causes of September 2019 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in September with 24 incidents reported. There were 9 unauthorized access/disclosure incidents and three cases of loss/theft of physical and electronic records.

1,917,657 healthcare records were compromised in the 24 hacking/IT incidents, which accounted for 97.98% of breached records in September. The mean breach size was 958,829 records and the median breach size was 5,255 records.

Unauthorized access/disclosure incidents in September accounted for 1% or 19,741 breached records. The mean breach size was 2,193 records and the median breach size was 998 records. There were two reported theft incidents involving 4,770 physical and electronic records and a single loss incident involving 15,000 records stored on a portable electronic device.

Location of Breached Protected Health Information

Phishing continues to be a major problem area for the healthcare industry. In September, 44.44% of all breaches – 16 incidents – involved PHI stored in email accounts. There were 13 network server incidents, a large percentage of which were ransomware attacks.

September 2019 Healthcare Data Breaches by Covered Entity Type

28 data breaches were reported by healthcare providers in September, four incidents were reported by health plans/health insurers, and four incidents were reported by business associates of HIPAA covered entities. A further four breaches had some business associate involvement but were reported by the covered entity.

States Affected by September 2019 Healthcare Data Breaches

September’s data breaches were reported by entities in 23 states and Puerto Rico. California, Maryland, and Washington were the worst affected with three breaches each. There were two breaches reported by entities based in Arkansas, Arizona, Colorado, Georgia, Indiana, and South Carolina, and one breach was reported in each of Alabama, Florida, Iowa, Illinois, Maine, Michigan, Nebraska, New Jersey, Ohio, Oklahoma, Tennessee, Texas, Utah, West Virginia, and Puerto Rico.

HIPAA Enforcement Activity in September 2019

In September 2019, the HHS’ Office for Civil Rights announced its third HIPAA violation penalty of the year. Bayfront Health St Petersburg in Florida was issued with an $85,000 financial penalty for the failure to provide a patient with a copy of her child’s fetal heart monitor records within a reasonable time frame. It took 9 months and multiple attempts by the patient before she was provided with the records.

This month, OCR Director Roger Severino gave an update on OCR’s main enforcement priorities and confirmed that noncompliance with the HIPAA right of access is still a major focus for OCR. Further financial penalties can be expected over the coming weeks and months for healthcare organizations that fail to provide individuals with copies of their health information within a reasonable time frame and at a reasonable cost.

There were no financial penalties issued by state attorneys general in September over HIPAA violations.


VA OIG: Records of Thousands of Veterans Exposed to 25,000 VA Employees via Shared Network Drives

Internal communications, disability claims, and health information of thousands of veterans have been exposed internally and could be accessed by Department of Veteran Affairs employees who were not authorized to view the information, according to the findings of a Department of Veteran Affairs’ Office of Inspector General (VA OIG) audit.

VA OIG conducted an audit of the VA’s Milwaukee Regional Office following a tipoff by a whistleblower in September 2018 about the exposure of sensitive information on shared network drives, which the whistleblower claimed could be accessed by employees unauthorized to view the information.

VA OIG auditors visited the Milwaukee offices in January 2019 and confirmed that sensitive information had been stored on two shared network drives on the VA Enterprise network, which could be accessed by veterans service organization (VSO) officers, even if those officers did not represent those veterans.

The auditors determined that any Veterans Benefits Administration employee who had permission to access the VA network remotely could have accessed the files stored on the shared drives. That means around 25,000 VBA employees could have accessed the drives.

The files stored on those drives contained information such as veterans’ names, addresses, dates of birth, contact telephone numbers, disability claims information, and other highly sensitive and confidential information. Some of the files on the network drives dated back to 2016. VA OIG did not disclose how many veterans have been affected by the security lapse.

The failure to restrict access to the records was a violation of HIPAA and the VA’s policies, which require administrative, technical, and physical safeguards to be implemented to protect the privacy of veterans. The exposure of data was not limited to the Milwaukee regional office and was therefore classed as a national issue.

The privacy breach was attributed to failures in three areas: knowing or inadvertent negligence by VBA staff who stored sensitive information on the network drives in violation of VA policies; a lack of technical controls to prevent “negligent individuals” from using the drives to store sensitive information; and a lack of oversight, which meant sensitive information stored on the drives was not identified and removed.

Because the information was only accessible internally, the VA’s Data Breach Response Service did not class the exposure as a data breach and notifications to veterans whose privacy has potentially been violated were not warranted because their data was not placed “at unnecessary risk.”

VA OIG said in the report “Veterans are at significant risk of unauthorized disclosure and misuse of their sensitive personal information. This has the potential to expose veterans to fraud and identity theft.”

VA OIG has recommended the assistant secretary for information and technology and the undersecretary for benefits provide remedial training to users on the correct handling of sensitive information and storage of information on shared network drives. VA OIG also recommended technical controls should be implemented to ensure that the sensitive information of veterans cannot be stored on shared network drives. Oversight procedures are also required to ensure any failures by VA staff to abide by federal laws and VA policies are identified and corrected.

“Until VA officials take steps to guard against user negligence, implement technical controls that prevent users from storing sensitive personal information on shared network drives, and issue oversight procedures to adequately monitor shared network drives, veterans’ sensitive personal information remains at risk,” said the VA OIG in the report.

The assistant secretary for information and technology concurred with the recommendations.


Roger Severino Gives Update on OCR HIPAA Enforcement Priorities

Roger Severino, Director of the HHS’ Office for Civil Rights, has given an update on OCR’s HIPAA enforcement priorities at the OCR/NIST 11th Annual HIPAA Conference in Washington D.C.

Severino confirmed that one of OCR’s top policy initiatives is still enforcing the rights of patients under the HIPAA Privacy Rule and ensuring they are given timely access to their health information at a reasonable cost.

Under HIPAA, patients have the right to view and check their medical records and obtain a copy of their health data, yet there are still healthcare organizations that are making this difficult. OCR has already agreed to settle one case this year with a HIPAA-covered entity that failed to provide a patient with a copy of her health information. OCR had to intervene before those records were provided to the patient. The entity in question, Bayfront Health St Petersburg, paid a financial penalty of $85,000 to resolve the HIPAA violation.

More financial penalties will be issued to covered entities that fail to comply with this important provision of HIPAA. Severino confirmed that Bayfront Health’s financial penalty was the first in a series of penalties for covered entities that are not providing patients with access to their health data within 30 days of the request being received.

OCR has issued guidance to help covered entities comply with this aspect of HIPAA, but now the time has come “for serious enforcement,” explained Severino.

Severino also explained that patients must be allowed to have their health data sent to health apps. The requests should only be denied if the app poses a security risk to the covered entity. Severino confirmed a covered entity is not liable for what happens to PHI after a disclosure to a health app at the patient’s request.

In many cases, patients are not being denied access to their medical records and requests for copies of medical records are being honored, but patients are being charged excessive amounts. In 2016, OCR issued guidance on the amounts that healthcare organizations can charge for providing copies of medical records and further clarification was also issued on the fee structures that can be adopted. Financial penalties for overcharging for copies of medical records can be expected.

The crackdown on patient access issues is part of the HHS Regulatory Sprint to Coordinated Care initiative and fits in with the Trump Administration’s drive to improve transparency of healthcare costs and the reduction of the cost of healthcare in the United States.

A prop is always useful for getting a point across. In this case Severino used a medical boot that he purchased to aid recovery from a torn Achilles tendon. Severino said he was advised by his doctor to purchase the boot and paid his doctor $430 for the treatment aid. He explained that he later looked online and found the exact same boot for sale on Amazon for $70, saying “This boot represents what’s wrong with price transparency.”

OCR is looking at how HIPAA can be updated to address this problem, such as requiring healthcare providers and health plans to provide information about the expected out-of-pocket costs for medical services or equipment before those items or services are provided to patients.

Contractors provide quotes for work in advance and banks provide customers with information on the costs of mortgages before providing the funds, but that doesn’t always happen in healthcare. That is something that needs to change.

Severino also touched on the issue of cybersecurity. Phishing and ransomware attacks cause a high percentage of healthcare data breaches and in many cases the attacks can be prevented by practicing good cybersecurity hygiene.

Ransomware is often installed through the exploitation of vulnerabilities in Remote Desktop Protocol. The failure to address those RDP vulnerabilities has led to several major healthcare ransomware attacks and data breaches.

Phishing attacks have been a major cause of healthcare data breaches for several years. It is not possible to prevent all attacks, but by complying with HIPAA, risk can be significantly reduced. HIPAA calls for covered entities to provide employees with training to help them identify and avoid phishing threats. Severino explained that training is critical, as is conducting phishing simulation exercises to find out how susceptible employees are to phishing.

Other cybersecurity failures that commonly lead to data breaches, and whose correction could prevent them, include the lack of multi-factor authentication, poor access controls, and the failure to promptly terminate access to systems when employees leave the company.

2019 may have only seen four OCR financial penalties issued to date to resolve HIPAA violations but the year is far from over. Further penalties will be announced this year, including one $2.1 million civil monetary penalty.

Severino did not confirm the reason for the penalty or provide any details, other than saying a final determination has been reached and the penalty will be announced by the department soon.


Adoption of Standards Improves Cybersecurity of Internet of Medical Things (IoMT) Devices

Internet of Medical Things (IoMT) technology is helping to increase efficiency, improve the quality of healthcare, and lower healthcare costs; however, IoMT introduces risks. The failure to reduce those risks to a low and acceptable level leaves IoMT devices vulnerable to cyberattacks. Those attacks can be expensive to resolve, which drives up the cost of healthcare and can result in patients coming to harm.

Not only must the devices be secured, cybersecurity must also be managed throughout the entire lifespan of the devices. Software and firmware must be kept up to date, patches must be applied promptly to fix vulnerabilities, and the devices need to be retired when they reach end of life and support comes to an end. Without a thorough understanding of the risks, securing IoMT devices can be a major challenge.

The U.S. Department of Veteran Affairs (VA) has taken steps to improve the safety and security of IoMT devices and has been seeking solutions for securing large-scale IoMT device deployments to better protect the 9 million people under its care. The VA, in conjunction with the global safety science organization, UL, launched a Cooperative Research and Development Agreement (CRADA) Program for medical device cybersecurity in 2016. This week, the VA announced that the program has now been completed.

The program was conducted between 2016 and 2018. It used the UL 2900 Series of Standards as a benchmark to identify critical cybersecurity vulnerabilities in large-scale connected medical device deployments, including lifecycle management, and it created baseline cybersecurity requirements for medical device manufacturers.

“This collaboration helped us uncover new insights and further accelerate the sharing of medical device cybersecurity information, standards and lifecycle requirements with the intention of benefiting not only the VA hospital system but also the larger U.S. healthcare system of providers and manufacturers,” explained Anura Fernando, UL’s chief innovation architect, Life and Health Sciences.

Throughout the two years, the VA and UL tested hypotheses to expand their understanding of medical device cybersecurity and identify security gaps between in-facility and in-home care and ensure product functionality for FIPS 140-2 compliance. A simulated hacking attack was also conducted on a UL 2900 certified medical device at the Veterans Health Administration (VHA) site in Tampa, FL.

The report shows adoption of standards helps to ensure the safety and security of new medical devices. The findings of the study have resulted in the creation of a series of actionable steps that can be taken by healthcare organizations to improve the security of their medical devices.

“The report findings will help the VA ensure safety for its patient community while also serving as a model for how we can continue to drive innovation within the larger healthcare ecosystem,” said Marc Wine, Director, Technical Integration Support and Industry Liaison, U.S. Department of Veterans Affairs.

CRADA findings included:

  • Use of the UL 2900 Series of Standards and product testing/certification accelerated adoption of innovative healthcare technologies through improved pre-procurement product vetting and post-procurement product management.
  • Testing and certification improved confidence in product development processes, security control design evaluation, and the post-market patch management support provided by device manufacturers.
  • Compliance with UL 2900 enhanced endpoint security, which resulted in improved allocation of cybersecurity resources, allowing them to be focused on critical threats to veterans’ safety and security.

The post Adoption of Standards Improves Cybersecurity of Internet of Medical Things (IoMT) Devices appeared first on HIPAA Journal.

MITA Publishes New Medical Device Security Standard

The Medical Imaging & Technology Alliance (MITA) has released a new medical device security standard which provides healthcare delivery organizations (HDOs) with important information about risk management and medical device security controls to harden the devices against unauthorized access and cyberattacks.

The new voluntary standard – Manufacturer Disclosure Statement for Medical Device Security (MDS2) (NEMA/MITA HN 1-2019) – was developed in conjunction with a diverse range of industry stakeholders and aligns with the 2018 U.S. Food and Drug Administration (FDA) Medical Device Cybersecurity Playbook, issued in October 2018.

The guidance explains that cybersecurity of medical devices is a shared responsibility. HDOs must collaborate with medical device manufacturers to ensure best practices are adopted. Device manufacturers, HDOs, government entities, and cybersecurity researchers need to work together to ensure threats to medical devices are managed and reduced to reasonable and appropriate levels.

The new standard is intended to help streamline communications between device manufacturers and HDOs, increase transparency of information, and clarify the roles of each with respect to the security of medical devices.

“Transparent information and speed of getting that information from manufacturers to health delivery organizations are crucial, and this Standard helps foster both,” said Tim Walsh, Principal Information Security Analyst – CIS Operations, Mayo Clinic, and member of the MDS2 Canvass Group.

The guidance includes information on the standard security controls incorporated into medical devices to ensure they meet industry standards and can be used safely and securely; however, it is the responsibility of HDOs to ensure that the devices are configured correctly. HDOs need to assess medical device security controls and determine whether they are appropriate, work within their own environments, and allow risk to be effectively controlled and managed.

Worksheets have been created for assessing the features and security capabilities of each medical device, including the specifications, the management of personally identifiable information, audit controls, authorization controls, data backup and disaster recovery functions, data integrity controls, anti-malware protections, connectivity, node authentication, security guidance, how cybersecurity upgrades will be performed throughout the lifecycle of devices, and other key information for HDOs.

Medical device manufacturers should complete the worksheets to provide HDOs with the technical information they will need to conduct their own security risk assessments and build their security risk management programs.

While the MDS2 form contains important technical information on medical devices, MITA warns that it is not intended to be used as the sole basis for medical device procurement, as writing medical device procurement specifications requires more extensive knowledge of an HDO’s security environment and healthcare mission.

The information on the MDS2 form must be combined with detailed information collected about the care delivery environment in which the devices will be used. Tools such as ECRI’s Guide for Information Security for Biomedical Technology are useful in this regard.

The post MITA Publishes New Medical Device Security Standard appeared first on HIPAA Journal.