Latest HIPAA News

32% of Healthcare Employees Have Received No Cybersecurity Training

Posted by HIPAA Journal

There have been at least 200 breaches of more than 500 records reported since January and 2019 looks set to be another record-breaking year for healthcare data breaches.

The continued increase in data breaches prompted Kaspersky Lab to conduct a survey to find out more about the state of cybersecurity in healthcare. Kaspersky Lab has now published the second part of its report from the survey of 1,758 healthcare professionals in the United States and Canada.

The study provides valuable insights into why so many cyberattacks are succeeding. Almost a third of surveyed healthcare employees (32%) said they have never received cybersecurity training in the workplace.

Security awareness training for employees is essential. Without training, employees are likely to be unaware of some of the cyber threats that they will encounter on a daily basis. Employees must be trained how to identify phishing emails and told of the correct response when a threat is discovered. The failure to provide training is a violation of HIPAA.

Even when training is provided, it is often insufficient. 11% of respondents said they received cybersecurity training when they started work but had not received any training since. 38% of employees said they were given cybersecurity training each year, and a fifth (19%) of healthcare employees said they had been provided with cybersecurity training but did not feel they had been trained enough.

32% of respondents said they had been provided with a copy of their organization’s cybersecurity policy but had only read it once and 1 in 10 managers were not aware if their company had a cybersecurity policy.  40% of healthcare workers in the United States were unaware of the cybersecurity measures protecting IT devices at their organization.

Training on HIPAA also appears to be lacking. Kaspersky Lab found significant gaps in employees’ knowledge of regulatory requirements. For instance, 18% of respondents were unaware what the Security Rule meant and only 29% of respondents were able to identify the correct meaning of the HIPAA Security Rule.

Kaspersky Lab researchers recommend hiring a skilled IT team that understands the unique risks faced by healthcare organizations and has knowledge of the tools that are required to keep protected health information safe and secure.

It is also essential to address data security and regulatory knowledge gaps. IT security leaders must ensure that every member of the workforce receives regular cybersecurity training and is fully aware of the requirements of HIPAA.

It is also important to conduct regular assessments of security defenses and compliance. Companies that fail to regularly check their cyber pulse can identify and address vulnerabilities before they are exploited by hackers and cause a costly data breach.

The post 32% of Healthcare Employees Have Received No Cybersecurity Training appeared first on HIPAA Journal.

Study Reveals Widespread Noncompliance with HIPAA Right of Access

Posted by HIPAA Journal

A recent study conducted by the health manuscript archiving company medRxiv has revealed widespread noncompliance with the HIPAA right of access.

For the study, the researchers sent medical record requests to 51 healthcare providers and assessed the experience of obtaining those records. The companies were also assessed on their response versus the requirements of HIPAA.

In each case, the record request was a legitimate request for access to patient data. The requests were made to populate a new consumer platform that helps patients obtain their medical records. Record requests were sent for 30 patients at a rate of 2.3 medical requests per patient.

Each of the providers was scored based on their response to the request and whether they satisfied four requirements of HIPAA – Accepting a request by email/fax, sending the records in the format requested by the patient, providing records within 30 days, and only charging a reasonable fee.

Providers were given a 1-star rating for simply accepting a patient record request. Providers received a second star for satisfying the request and meeting all four requirements of HIPAA, but only after the researchers had escalated the request to a supervisor on more than one occasion.

A three-star rating was given to providers that required a single escalation phone call to a supervisor. A four-star rating was given to providers that were fully compliant with the HIPAA right of access. A five-star rating was given to providers that went above and behind the requirements of HIPAA by sending copies of records within 5 days, accepting non-standard forms, and providing patients with copies of their records at no cost.

More than half (51%) of the providers assessed were either not fully compliant with the HIPAA right of access or it too several attempts and referrals to supervisors before requests were satisfied in a fully compliant manner. 27%  of providers were given a one-star rating, 24% received a 2-star rating, and 20% received a 3-star rating. Only 30% of providers were fully compliant. 12% were given a 4-star rating and 18% received 5-stars.

The researchers also conducted a telephone survey on 3,003 healthcare providers and asked about policies and procedures for releasing patient medical records. The researchers suggest as many as 56% of healthcare providers may not be fully compliant with the HIPAA right of access. 24% did not appear to be fully aware of the fee limitations for providing copies of medical records.

The main area of noncompliance was the failure to send medical records electronically, even if it was specifically requested by the patient. 12 of the 14 providers who received a 1-star rating did not email medical records, one refused to send the records to the patient’s nominated representative, and one charged an unreasonable fee.

The researchers note that had they not escalated the requests to supervisors, 71% of all requests would not have been satisfied in a way that was fully compliant with HIPAA.

The post Study Reveals Widespread Noncompliance with HIPAA Right of Access appeared first on HIPAA Journal.

Hackers Demand $1 Million Ransom from Washington Hospital

Posted by HIPAA Journal

A ransomware attack on an Aberdeen, WA-hospital and associated clinics is still causing problems two months after the attack occurred. The attackers have demanded $1 million for the keys to unlock the encryption.

On June 15, 2019, Grays Harbor Community Hospital started experiencing IT problems. The attack occurred on a Saturday when staffing was limited so initially the problem was attributed to an IT issue. On Monday it became apparent that ransomware was involved and steps were taken to isolate the infection and secure the network; however, the attackers had already moved laterally and had gained access to servers and the systems used by Harbor Medical Group clinics. The initial point of attack appears to have been a response to a phishing email by a single employee.

Harbor Medical Group operates 8 clinics in the Aberdeen and Hoquiam region, and those clinics were the worst affected by the attack. Grays Harbor Community Hospital used older software, which prevented the ransomware from being installed on the hospital’s main computer system. The clinics used more recent software, which allowed the attackers to infect more systems. Those systems are still down at the clinics, which are using pen and paper to record patient information.

A spokesperson for the hospital said patient care has not been affected. The hospital is continuing to provide emergency care to patients and appointments are going ahead as scheduled. There have been some delays to appointments and there are still issues accessing patient information. Patients have been told to bring details of their prescriptions and their medical histories and to make that information available at point of care.

The hospital had created backups but it was not possible to recover files as the backups had also been encrypted. As of August 13, 2019, the hospital still had not regained access to its files. The attack has been reported to the FBI and the hospital is assisting with its investigation.

The hospital had previously taken out a cybersecurity insurance policy for $1 million, which may cover the ransom payment. It is unclear whether the ransom has been paid.

No evidence of data access or theft was found, but the possibility could not be discounted. Affected patients had the following information exposed: Full name, address, phone number, date of birth, Social Security number, insurance information, diagnoses, and treatment information.

The hospital has started notifying the 85,000 patients affected by the breach and each has been offered complimentary credit monitoring services. Security measures are being assessed at the hospital and medical group and additional hardware and software solutions will be implemented as appropriate to improve security. Employees will also be provided with additional training.

The post Hackers Demand $1 Million Ransom from Washington Hospital appeared first on HIPAA Journal.

State Attorneys General Urge Congress to Align Part 2 Regulations with HIPAA

Posted by HIPAA Journal

The National Association of Attorneys General (NAAG) has urged leaders of the House and Senate to make changes to Confidentiality of Substance Use Disorder Patient Records regulations known as 42 CFR Part 2.

The regulations in question, which NAAG called “cumbersome [and] out-of-date,” restrict the uses and disclosures of substance abuse treatment records.

Under HIPAA, protected health information (PHI) can be shared between providers and caregivers for purposes related to treatment, payment, and healthcare operations without first obtaining consent from the patient. 42 CFR Part 2 prohibits the sharing of addiction treatment information by federally assisted treatment programs unless consent to do so has been obtained from the patient.

The Part 2 regulations were created more than 40 years ago to ensure the privacy of patients was protected and to ensure that patients would not face any legal or civil consequences from seeking treatment for substance abuse disorder.

NAAG argues that the regulations were created at a time when there was an “intense stigma” surrounding substance abuse disorder but says that the continued separation of substance abuse disorder from other diseases perpetuates that stigma. “The principle underlying these rules is that substance use disorder treatment is shameful and records of it should be withheld from other treatment providers in ways that we do not withhold records of treatment of other chronic diseases,” wrote NAAG.

NAAG wants substance abuse disorder to be recognized as the chronic disorder that it is, which would mean aligning the rules covering substance abuse treatment records with those of HIPAA. That would allow substance abuse treatment information to be shared along with other health information, provided protections are in place to keep that information private and confidential.

As it stands, Part 2 regulations are a barrier to treating opioid use disorder. Providers are used to complying with HIPAA, but the requirements of Part 2 can be intimidating. As such, many providers do not offer medicated-assisted treatment (MAT) for substance abuse disorder.

MAT providers are not required to comply with Part 2 requirements if they do not advertise their MAT services, but that means fewer people will take up those services. To effectively tackle the opioid epidemic in the United States, MAT services need to be promoted and should be easily accessible. Currently, many providers are keeping it a secret that they provide MAT programs to patients due to the restrictions of Part 2 regulations.

42 CFR Part 2 privacy regulations were updated in 2018, although the changes made were relatively minor. NAAG is not the only organization calling for more substantial changes and closer alignment between Part 2 and HIPAA regulations. A growing coalition of more than 40 national health care organizations support the changes and there is some support in the House and the Senate.

Reps. Markwayne Mullin (R-OK) and Earl Blumenauer (D-OR) introduced the Overdose Prevention and Patient Safety Act (OPPS Act) (H.R. 2062) and Sens. Joe Manchin (D-WV) and Shelley Moore Capito (RWV) introduced the Protecting Jessica Grubb’s Legacy Act (Legacy Act) (S. 1012) which both align HIPAA with Part 2. However, getting enough people to back the changes is likely to be a major challenge.

The post State Attorneys General Urge Congress to Align Part 2 Regulations with HIPAA appeared first on HIPAA Journal.

GAO Discovers Widespread Cybersecurity Risk Management Failures at Federal Agencies

Posted by HIPAA Journal

The Government Accountability Office (GAO) conducted a study of 23 federal agencies and found widespread cybersecurity risk management failures.

Federal agencies are targeted by cybercriminals, so it is essential for safeguards to be implemented to protect against those threats. Federal law requires government agencies to adopt a risk-based approach to cybersecurity to identify, prioritize, and manage cybersecurity risks.

The GAO was asked to conduct its review to determine whether federal agencies had established the key elements of a cybersecurity risk management program, what challenges were faced when developing those programs, and what steps had been taken by the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) to address their responsibilities with respect to addressing cybersecurity challenges faced by federal agencies.

The study revealed all but one (22) federal agency had appointed a cybersecurity risk executive, but other important elements of the risk management program had not been incorporated at many of the agencies assessed for the study.

There were deficiencies in the development of a cybersecurity risk management plan. 16 agencies had not fully established a cybersecurity risk management strategy which delineated the boundaries for risk-based decisions. 17 agencies had not fully established an agency-wide and system-level plan for assessing, monitoring, and responding to cybersecurity risks. A process for assessing agency-wide cybersecurity risks based on an aggregation of system-level risks had not been established at 11 agencies. 13 agencies had not established a process for coordinating between cybersecurity and ERM programs for managing all major risks.

Until policies and procedures are changed and the security failures are addressed, federal agencies will face an elevated risk of experiencing cyberattacks that threaten the national security of the United States and personal privacy.

GAO made 58 recommendations that all agencies should incorporate into their risk management processes, including specific recommendations for certain agencies.

Federal agencies have faced several challenges assessing and managing cybersecurity risks. The main challenge was hiring and retaining key cybersecurity management personnel, which was cited as a problem by all 23 agencies.

Managing competing priorities between operations and cybersecurity, establishing and implementing consistent policies and procedures, establishing and implementing standardized technology capabilities, and receiving quality risk data were also common problems.

GAO has recommended that the DHS and OMB develop methods for sharing best practices and successful methods for addressing some of the common challenges faced when implementing consistent cybersecurity risk management practices to ensure those challenges can be overcome quickly and security posture at all of the federal agencies is rapidly improved.

The post GAO Discovers Widespread Cybersecurity Risk Management Failures at Federal Agencies appeared first on HIPAA Journal.

Judge Approves $74 Million Premera Blue Cross Data Breach Settlement

Posted by HIPAA Journal

A Federal District Judge has given preliminary approval to a proposed $74 million settlement to resolve a consolidated class action lawsuit against Premera Blue Cross for its 2014 data breach of more than 10.6 million records.

US District Judge Michael Simon determined that the proposed settlement was fair, reasonable and adequate based on the defense’s case against Premera and the likely cost of continued litigation.

The settlement will see $32 million made available to victims of the breach to cover claims for damages of which $10 million will reimburse victims for costs incurred as a result of the breach. The remaining $42 million will be used to improve Premera’s security posture over the next three years.

Data security improvements are necessary. Internal and third-party audits of Premera before and after the data breach uncovered multiple vulnerabilities. Premera had been warned about the vulnerabilities prior to the breach and failed to take action. That lack of action allowed hackers to gain access to its network. Further, it took almost a year for Premera to determine that its systems had been compromised

“Improved data security benefits all class members, even if they are no longer insured by Premera or a related Blue Cross entity, because sensitive information remains stored on Premera’s servers,” wrote Judge Simon.

Considering the data breach affected 10.6 million individuals, a fund of $10 million to reimburse costs may not seem that much. However, Judge Simon determined the figure to be fair because relatively few of the plaintiffs had suffered identity theft as a result of the data breach and the settlement includes $3.5 million to cover the cost of additional credit monitoring services.

The case against Premera was complex and involved a considerable amount of technical information about the data security protections that were put in place. The evidence also spanned several years. “Whether Premera breached its contractual promises, was negligent, or engaged in unfair practices under Washington’s Consumer Protection Act with respect to Premera’s provision of data security are relatively strong claims,” wrote Judge Simon.

The settlement resolves the lawsuit with no admission of liability. In addition to the $74 million, Premera also settled a multi-state lawsuit with 30 states for $10 million over the failure to address known data security risks.

The Premera data breach was also investigated by the HHS’ Office for Civil Rights. It remains to be seen whether a financial penalty will be deemed appropriate.

The post Judge Approves $74 Million Premera Blue Cross Data Breach Settlement appeared first on HIPAA Journal.

First Half of 2019 Sees 31.6 Million Healthcare Records Breached

Posted by HIPAA Journal

It has been a particularly bad six months for the healthcare industry. Data breaches have been reported in record numbers and the number of healthcare records exposed on a daily basis is extremely concerning. The trend of more than one healthcare data breach a day has continued throughout 2019, even reaching a rate of 2 per day in May.

According to the 2019 Mid-Year Data Breach Barometer Report from Protenus and Databreaches.net, 31,611,235 healthcare records were breached between January 2019 and June 2019. To put that figure into perspective, it is double the number of records exposed in healthcare data breaches in the entirety of 2018 (14,217,811 records).

One breach stands out from the 285 incidents reported in the first half of the year: The data breach at American Medical Collection Agency (AMCA). A batch of stolen credentials on a dark net marketplace was traced back to AMCA, which discovered its payment web page had been compromised for months. It is not yet known exactly how many healthcare records were exposed in the incident, but 18 clients are known to have been affected and more than 20 million records have been confirmed as having been breached.

The report shows the first 6 months was dominated by hacking incidents, which accounted for 60% of all incidents and 88% of breached records. 168 data breaches were due to hacking, 88 involved phishing, 27 involved ransomware or malware, and one involved another form of extortion.

20.91% of all breaches – 60 incidents – were insider breaches. 3,457,621 records were exposed in those breaches or 11% of all breached records. 35% of incidents were classified as being caused by insider error and 22% were due to insider wrongdoing. There were 24 theft incidents were reported involving at least 184,932 records and the cause of 32 incidents (142,009 records) is unknown.

Healthcare providers reported 72% of breaches, 11% were reported by health plans, and 9% were reported by business associates. 8% of breaches could not be classified. While the above distribution of breaches is not atypical, 2019 has been a particularly bad year for business associates.

In three of the first six months of 2019 a business associate reported the largest breach of the month. The largest breach of the year was at a business associate. That breach is already the second largest healthcare data breach of all time. Hacking was the biggest problem area for business associates. 45% of business associate data breaches were due to hacking and other IT incidents.

One business associate, Dominion National, took 8.5 years to discover its systems had been breached. By the time the breach was discovered, the records of 2,964,778 individuals had been compromised. Overall the average time to discover a breach was 50 days. The average time to report a breach to the HHS was 77 days and the median reporting time was 60 days.

“In order for healthcare organizations to reduce risk across their organization and to truly combat the challenges associated with health data security, it is critical for healthcare privacy offices to utilize healthcare compliance analytics that will allow them to audit every access to their patient data,”  wrote Protenus. “Full visibility into how their data is being accessed will help healthcare organizations prevent data breaches from wreaking havoc on their organization and the patients who trust them with their personal information.”

The post First Half of 2019 Sees 31.6 Million Healthcare Records Breached appeared first on HIPAA Journal.

DHS Issues Best Practices to Safeguard Against Ransomware Attacks

Posted by HIPAA Journal

Ransomware appeared to have gone out of fashion in 2018, but that is certainly not the case in 2019. Q1, 2019 saw a 195% increase in ransomware attacks and a further 184% increase in Q2. Judging by the number of ransomware attacks reported in the past few weeks, the Q3 figures are likely to be even worse.

States, cities, and local governments have been extensively targeted as has the healthcare industry. Many victims have been forced to pay sizable ransoms to regain access to critical data. Others have been forced to permanently close their doors.

In response to the growing number of attacks, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing & Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) have issued a joint statement in which recommendations are given to help improve resilience to ransomware attacks.

The statement was issued primarily to state, local, territorial and tribal governments, although the recommendations are equally relevant to the healthcare industry and businesses in other industry sectors.

Taking the three steps detailed in the statement (and outlined below) will improve defenses against ransomware and will help to ensure that in the event of an attack, recovery can be made in the shortest possible time frame.

Ransomware Recommendations

  • Backup systems now (and daily)
  • Reinforce cybersecurity awareness training
  • Revise and refine cyber incident response plans

Without valid data backups, ransomware victims will be at the mercy of their attackers. As has already been seen on several occasions this year, payment of the ransom does not guarantee file recovery. Even when keys are supplied to unlock encrypted data, some data loss can be expected.

It is therefore essential to ensure that all critical data, agency and system information is backed up daily, with the backups stored on a separate, non-networked, offline device. Backups and the restoration process must be tested to ensure file recovery is possible. The joint statement instructs all partners to backup systems immediately and daily.

Ransomware is most commonly installed inadvertently by employees as a result of responding to a phishing email or visiting a malicious website. It is therefore important to ensure that the workforce is made aware of the threat and is taught how to recognize suspicious emails, links, and other threats.

Even if training has already been given to staff, refresher training sessions are recommended. The staff should also be made aware of the actions to take if a potential threat is received or if an attack is believed to be in progress, including being advised of out-of-band communication paths.

It may not be possible to prevent all attacks, so it is essential for a ransomware response plan to be developed that can be immediately implemented in the event of an attack. The response plan should include plans that can be implemented if internal capabilities become overwhelmed and instructions and contact information for external cyber first responders, state agencies, and other parties that may be required to assist in the wake of an attack.

The guidance document can be viewed/downloaded on this link (PDF).

The post DHS Issues Best Practices to Safeguard Against Ransomware Attacks appeared first on HIPAA Journal.

More than 522,000 Puerto Rico Patients Impacted by Ransomware Attack

Posted by HIPAA Journal

More than half a million patients in Bayamón, Puerto Rico have been affected by a ransomware attack on a medical center and associated hospital.

Bayamón Medical Center and Puerto Rico Women and Children’s Hospital discovered on May 21, 2019 that their computer systems had been infected with ransomware. The ransomware encrypted a wide range of files and prevented hospital staff from accessing patient information ‘for a short period of time,’ according to a July 19, 2019 press release announcing the attack.

Approximately 522,000 current and former patients are being notified about the ransomware attack as a precautionary measure. The internal investigation into the attack confirmed that patient information was affected, but no evidence of unauthorized data access or theft was identified.

The information potentially compromised was limited to names, demographic information, clinical information, financial information, and in some cases, diagnosis information, dates of birth, and Social Security numbers.

The ransomware attack only rendered data temporarily inaccessible and all patient information has now been restored without data loss. It is unclear whether the ransom demand was paid for the keys to unlock the encryption or if systems were rebuilt and data restored from backups.

The ransomware attack has been reported to the Department of Health and Human Services’ Office for Civil Rights as two separate breaches affecting 422,496 patients of Bayamón Medical Center and 99,943 patients of Puerto Rico Women and Children’s Hospital.

The incident is the latest in a string of ransomware attacks on healthcare organizations. Data from Malwarebytes indicates ransomware attacks increased by 195% in Q1, 2019 and a recently published report from Coveware shows ransomware attacks increased by 184% in Q2. Last month, Carbon Black released the findings of a survey which indicated 66% of healthcare organizations had experienced a ransomware attack in the past 12 months.

Until ransomware stops being profitable or a more lucrative method of attacking businesses is found, ransomware attacks will continue. With ransom payments of tens of thousands of dollars being paid to attackers, it is probable that the problem will get much worse before it gets better.

The post More than 522,000 Puerto Rico Patients Impacted by Ransomware Attack appeared first on HIPAA Journal.