Latest HIPAA News

HHS To Apply New Caps on Financial Penalties for HIPAA Violations to Reflect Level of Culpability


The Department of Health and Human Services has issued a notification of enforcement discretion regarding the civil monetary penalties that are applied when violations of HIPAA Rules are discovered and will be reducing the maximum financial penalty for three of the four penalty tiers.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 increased the penalties for HIPAA violations. The new penalties were based on the level of knowledge a HIPAA covered entity or business associate had about the violation and whether action was voluntarily taken to correct any violations.

The 1st penalty tier applies when a covered entity or business associate is unaware that HIPAA Rules were violated and, by exercising a reasonable level of due diligence, would not have known that HIPAA was being violated.

The 2nd tier applies when a covered entity knew about the violation or would have known had a reasonable level of due diligence been exercised, but when the violation falls short of willful neglect of HIPAA Rules.

The 3rd penalty tier applies when there was willful neglect of HIPAA Rules, but the covered entity corrected the problem within 30 days.

The 4th tier applies when there was willful neglect of HIPAA Rules and no efforts were made to correct the problem in a timely manner.

The maximum penalty across all four tiers was set at $1.5 million for violations of an identical provision in a single calendar year.

On January 25, 2013, the HHS implemented an interim final rule (IFR) and adopted the new penalty structure, but believed at the time that there were inconsistencies in the language of the HITECH Act with respect to the penalty amounts. The HHS determined at the time that the most logical reading of the law was to apply the same maximum penalty cap of $1,500,000 across all four penalty tiers.

The HHS has now reviewed the language of the HITECH Act and believes a better reading of the requirements of the HITECH Act would be for the annual penalty caps to be different in three of the four tiers to better reflect the level of culpability. The minimum and maximum amounts in each tier will remain unchanged.

New Interpretation of the HITECH Act’s Penalties for HIPAA Violations

| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Old Maximum Annual Penalty | New Maximum Annual Penalty |
|---|---|---|---|---|---|
| 1 | No Knowledge | $100 | $50,000 | $1,500,000 | $25,000 |
| 2 | Reasonable Cause | $1,000 | $50,000 | $1,500,000 | $100,000 |
| 3 | Willful Neglect – Corrective Action Taken | $10,000 | $50,000 | $1,500,000 | $250,000 |
| 4 | Willful Neglect – No Corrective Action Taken | $50,000 | $50,000 | $1,500,000 | $1,500,000 |


The HHS will publish its notification in the Federal Register on April 30, 2019. The HHS notes that its notification of enforcement discretion creates no legal obligations and no legal rights. Consequently, it is not necessary for it to be reviewed by the Office of Management and Budget.

The new penalty caps will be adopted by the HHS until further notice and will continue to be adjusted annually to account for inflation. The HHS expects to engage in further rulemaking to review the penalty amounts to better reflect the text of the HITECH Act.

The post HHS To Apply New Caps on Financial Penalties for HIPAA Violations to Reflect Level of Culpability appeared first on HIPAA Journal.

Feature of DICOM Image Format Could Be Abused to Fuse Malware with PHI

The DICOM image format, which has been in use for around 30 years, contains a design ‘flaw’ that could be exploited by hackers to embed malware in image files. Were that to happen, the malware would become permanently fused with protected health information.

The DICOM file format was developed to allow medical images to be easily stored and shared. It eliminated the need for physical films and solved hardware compatibility issues. DICOM is now the standard format used for MRI and CT images and is supported by most medical imaging systems. The file format can be read by a range of devices that are used to view patient image files and diagnostic information.

DICOM images contain a section at the start of the files called a Preamble. This section is used to facilitate access to the metadata within the images and ensure compatibility with image viewers which do not support the DICOM image format. By altering the Preamble section of the file, image viewers treat DICOM images as a file type that they support, such as a jpeg, allowing the file to be opened.

This design feature is part of the reason why the DICOM file format is so useful. However, this feature can also be seen as a flaw. Markel Picado Ortiz, a security researcher at Cylera, discovered the preamble section of the file does not have restrictions on what can be added.

Ortiz has a proof-of-concept exploit for the flaw which allows an arbitrary sequence of executable code to be inserted into the image. Provided that code is less than 128 bytes, it can be inserted without affecting compliance with the DICOM standard, altering the image in any other way, or changing any PHI contained in the file. Ortiz has called the attack method PE/DICOM.

By altering the Preamble of a file, a hacker could insert executable code that masquerades as a DICOM file. The DICOM image would become an executable file, yet it would not have a file extension associated with executable files. Headers could also be added that make the file appear to be another file format, such as an executable.

Any hacker that were to use this method of incorporating malicious code would also benefit from HIPAA regulations. Files containing PHI are usually excluded from scanning by anti-malware solutions for compliance reasons. Even if such files were scanned, it would be unlikely that the presence of code in the preamble section would be detected.

Detecting the malware would therefore prove difficult. Malicious code could remain undetected, but worse, the infected files would be stored within the healthcare provider’s protected environment. The files may also be shared with other healthcare providers, who would be unaware the files had been infected with malware.

Since the malware contains executable code, it could download other malware onto the network or give an attacker a launch pad to conduct further attacks. Files could be given worm-like properties that allow malware to be propagated throughout the network.

The potential uses of this flaw are numerous. “This [flaw] enables new and existing malware to evolve into more potent variants, optimized for successful compromise of healthcare organizations, by using the infected patient data to hide, protect and spread itself – three of the primary functions that determine the effectiveness of a malware campaign,” said Ortiz.

Were the malware to be identified, healthcare organizations would have a problem with removing the malware. The hybrid file that is created could not have the malware removed without permanently deleting the file, which would result in the permanent loss of the image and patients’ PHI. Healthcare providers may have to keep the infected file due to HIPAA regulations.

“The fusion of fully-functioning executable malware with HIPAA-protected patient information adds regulatory complexities and clinical implications to automated malware protection and typical incident response processes in ways that did not previously need to be considered,” explained Ortiz.

Unfortunately, since the flaw is present in the DICOM standard itself, it is not possible to issue a patch to correct the flaw. The solution would be for the DICOM standard to be changed to place restrictions on what can be incorporated into the Preamble, but that may prove to be a challenge and would also involve altering a feature of DICOM files that makes them so useful.

Anti-malware solutions could be developed to check for the presence of malicious code inside DICOM images, but that does not solve the issue of what is done with the files if they are determined to contain malware.
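The kind of check the previous paragraph alludes to can be built without touching the image data at all, because a DICOM Part 10 file begins with the 128-byte preamble the article describes, followed by the 4-byte magic "DICM". The following added example (not code from the article, Cylera or the DICOM project) reads only those first 132 bytes and flags a preamble that starts with a well-known executable signature, while treating a merely non-zero preamble as a weaker signal, since the standard permits non-zero preambles for the viewer-compatibility feature the article mentions. The sample byte strings, the signature list and all function names are constructed for this example.

```python
"""Preamble triage for DICOM (Part 10) files.

A Part 10 file starts with a 128-byte preamble whose content the standard
does not constrain, followed by the 4-byte magic b"DICM". Only those 132
bytes are read, so the dataset (and any PHI in it) is never parsed or
modified; the file itself is left intact for the clinical record.
"""
from pathlib import Path
from typing import Dict, List, Union

PREAMBLE_LEN = 128
DICM_MAGIC = b"DICM"

# Executable-container signatures that have no business in an image preamble.
# Constructed list for this example; extend as your environment requires.
EXECUTABLE_MAGICS = {
    b"MZ": "pe_dos_header",    # Windows PE files start with the DOS 'MZ' stub
    b"\x7fELF": "elf_header",  # Linux/Unix ELF executables
}


def inspect_preamble(data: bytes) -> Dict[str, object]:
    """Classify the preamble of a DICOM byte string.

    Returns a dict stating whether the bytes look like a Part 10 file and,
    if so, what was found in the preamble. No findings is not proof of a
    clean file; an executable signature is a strong indicator of tampering.
    """
    result: Dict[str, object] = {
        "is_dicom": False,
        "nonzero_bytes": 0,
        "findings": [],
        "suspicious": False,
    }
    header_len = PREAMBLE_LEN + len(DICM_MAGIC)
    if len(data) < header_len or data[PREAMBLE_LEN:header_len] != DICM_MAGIC:
        return result  # not a Part 10 file; out of scope for this check

    result["is_dicom"] = True
    preamble = data[:PREAMBLE_LEN]
    findings: List[str] = []

    for magic, label in EXECUTABLE_MAGICS.items():
        if preamble.startswith(magic):
            findings.append(label)

    nonzero = sum(1 for b in preamble if b != 0)
    result["nonzero_bytes"] = nonzero
    if nonzero:
        # Weak signal on its own: the standard allows a non-zero preamble
        # (for example a TIFF-compatible header), which is exactly the
        # compatibility feature described in the article.
        findings.append("nonzero_preamble")

    result["findings"] = findings
    # Only an executable signature raises the verdict; a non-zero preamble
    # alone is logged for review rather than treated as an infection.
    result["suspicious"] = any(f != "nonzero_preamble" for f in findings)
    return result


def inspect_file(path: Union[str, Path]) -> Dict[str, object]:
    """Read only the preamble and magic from disk and classify them."""
    with open(path, "rb") as fh:
        head = fh.read(PREAMBLE_LEN + len(DICM_MAGIC))
    return inspect_preamble(head)


# Constructed samples; none of these is a real medical image or executable.
DATASET_STUB = b"\x02\x00\x00\x00UL\x04\x00"  # start of a file meta group
BENIGN_DICOM = bytes(PREAMBLE_LEN) + DICM_MAGIC + DATASET_STUB
TAMPERED_MARKER = b"MZ-placeholder-not-a-real-executable"
TAMPERED_DICOM = TAMPERED_MARKER.ljust(PREAMBLE_LEN, b"\x00") + DICM_MAGIC + DATASET_STUB
NOT_DICOM = b"\xff\xd8\xff\xe0" + bytes(200)  # JPEG-style header, no "DICM"

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_DICOM), ("tampered", TAMPERED_DICOM), ("jpeg", NOT_DICOM)]:
        print(name, inspect_preamble(blob))
```

Because the check never rewrites the file, it fits the constraint the article raises: a flagged image can be quarantined and reviewed without destroying the PHI it carries, and the decision about what to do with a hybrid file stays with the organization's incident response process rather than with an automatic cleaner.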

While the flaw is serious, in order for it to be exploited, an attacker would first need to have permissions to access the system on which DICOM images are stored and would also need to have permissions to execute commands. Valid Active Directory credentials would therefore be required. That said, there have been many cases of credentials being compromised that have given hackers access to healthcare networks. The flaw could also be exploited by a malicious insider with access to the network.

All healthcare organizations can do to protect against the flaw in the short term is to adopt standard cybersecurity best practices to prevent access to the network being gained, such as changing default credentials, securing the perimeter, and scanning for and addressing vulnerabilities. Network segregation will help to prevent the spread of any malware and intrusion detection systems could detect an attack before DICOM images could be changed.

What is clear is that correcting the flaw and preventing abuse is going to be a major challenge and one that will not easily be solved.


HHS’ ONC Releases Second Draft of Trusted Exchange Framework and Common Agreement

The HHS’ Office of the National Coordinator for Health IT (ONC) has released the second draft of its Trusted Exchange Framework and Common Agreement (TEFCA) and is seeking comments on the updated text.

The purpose of TEFCA is to help ensure there is seamless, interoperable exchange of health information, which is critical to the creation of a health system that empowers providers and patients and delivers better healthcare at a lower cost.

The 21st Century Cures Act promoted a national framework and common agreement for the trusted exchange of health information. The framework is required as there is currently no core exchange mechanism that can be used by healthcare providers, health plans, vendors, public health departments, and federal, state, local and tribal governments. Trusted exchange is too complex.

Currently, multiple exchange methods need to be used. The majority of hospitals use three or four exchange methods and three in ten use more than five methods. This approach is inefficient and expensive. Healthcare organizations are having to build several point-to-point interfaces to communicate health information with each other. The Trusted Exchange Framework will reduce the need for individual interfaces to be developed and maintained.

The five key goals of TEFCA are to create a single on-ramp for nationwide connectivity, to ensure electronic information is available whenever and wherever it is needed, to build a competitive market to allow all entities to compete on data services, to support nationwide scalability for network connectivity, and to achieve long-term sustainability.

In addition to helping healthcare entities efficiently exchange health information, the trusted exchange framework has important benefits for patients, including the ability to find all of their health information that has been recorded by multiple providers, even if they do not remember the names of those providers. This will help patients and their caregivers to participate more fully in their care and manage their health information.

After publishing the first draft of TEFCA, ONC received more than 200 comments from industry stakeholders. After careful consideration of the comments, ONC has made key revisions to the Trusted Exchange Framework (TEF) and the Minimum Required Terms and Conditions (MRTCs) for trusted exchange and has released the first draft of a Qualified Health Information Network (QHIN) Technical Framework.

Together, these documents form the basis of a Common Agreement for QHINs and their participants and include technical and legal requirements for the sharing of electronic health information nationwide across disparate networks.

ONC will be responsible for maintaining the TEF and the HHS is looking to appoint a non-profit industry-based organization – a Recognized Coordinating Entity (RCE) – to develop, update, implement and maintain the Common Agreement. The HHS has announced the release of a notice of funding opportunity to engage an RCE. Applications will be received up until June 17, 2019.

“We expect that the implementation of the Trusted Exchange Framework and the Common Agreement will bring us all that much closer to achieving the administration’s goals of nationwide interoperability,” said HHS’ national coordinator for health information technology, Dr. Donald Rucker.

The HHS is seeking comments on the second draft of TEFCA until June 17, 2019.


HHS Extends Comment Period on Proposed Rules to Improve ePHI Interoperability

The Department of Health and Human Services has extended the deadline for submitting comments on its proposed rules to promote the interoperability of health information technology and electronic protected health information to June 3, 2019.

Two new rules were released on February 11, 2019 by the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS). The purpose of the new rules is to support the secure access, exchange, and use of electronic health information. The rules cover technical and healthcare industry factors that are proving to be barriers to the interoperability of health information and are limiting the ability of patients to gain access to their health data.

The deadline has been extended to give the public and industry stakeholders more time to read the proposed rules and provide meaningful input that can be used to help achieve the objectives of the rules. The extension has come in response to feedback from many stakeholders who have asked for more time to review the rules, which have potential to cause a range of issues for healthcare organizations.

Two other factors influenced the decision to extend the deadline. There appeared to be some confusion over HIPAA and whether healthcare providers are accountable for how patients use their health data. Also, the ONC has recently released the second draft of its Trusted Exchange Framework and Common Agreement (TEFCA), which could factor into comments. While there is not a great deal of overlap between TEFCA and the ONC/CMS proposed rules, both do cover interoperability and operate in the same space.

In addition, the HHS’ Office for Civil Rights has released a new FAQ for patients to explain the HIPAA right of access in relation to health apps used by patients and application programming interfaces (APIs) used by healthcare providers’ electronic health record systems. The FAQ confirms that after a patient discloses health information via an app, subsequent uses and disclosures are only the responsibility of the healthcare provider if the app developer is one of the healthcare provider’s business associates.


Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million

A $4.7 million settlement has recently been approved by the King County Superior Court to reimburse individuals whose personal information was stolen from Washington State University in April 2017.

Washington State University had backed up personal information on portable hard drives which were stored in a safe in a self-storage locker. On April 21, 2017, the university discovered a break-in had occurred at the storage facility and the safe had been stolen. The hard drives contained the sensitive personal information of 1,193,190 individuals. Most of the files on the hard drives were not encrypted.

The drives contained the types of information sought by identity thieves: Names, contact information, and Social Security numbers, in addition to health data of patients, college admissions test scores, and other information. The information dated back around 15 years and had been collected by the WSU Social and Economic Sciences Research Center for a research project.

While the hard drive was stolen, Washington State University maintains there are no indications any data stored on the devices have been accessed or misused. Some of the plaintiffs named in the lawsuit alleged they have suffered identity theft/fraud as a result of the breach, but the university maintains that such cases were not the result of the stolen hard drive. The decision was taken to settle the lawsuit to save money. The settlement, while high, is believed to be far lower than the continued cost of legal action.

In January 2019, a settlement of $5.26 million was agreed by the WSU Board of Regents. While the final settlement is lower, it does not include the cost of credit monitoring and identity theft protection services for individuals impacted by the breach. In addition to the settlement amount, Washington State University will cover the cost of two years of credit monitoring and identity theft protection services for up to 1,193,190 patients impacted by the breach.

The final cost will depend on the number of individuals who submit claims. WSU will accept claims up to $5,000 from individuals impacted by the breach to cover out-of-pocket expenses and lost time, provided those costs can be proven. The fund for covering those claims is $3.5 million. If that total is exceeded, claim amounts will be reduced pro rata. Approximately $800,000 has been set aside to cover attorneys’ fees and a further $650,000 will cover administrative costs. Washington State University was covered by a cyber-liability insurance policy which will cover the settlement.

The university has also agreed to update policies and procedures and enhance security. Backup data will now be stored in a more secure location, data security assessments and audits will be regularly conducted, and additional training will be provided to staff. IT contracts in relation to the research project will be cancelled and those functions will be handled in house and archived data from the research project will be permanently destroyed.

The settlement highlights the importance of using encryption to protect stored data, especially data stored on portable electronic devices. In the event of loss or theft of a device, encrypted data cannot be accessed, and such an incident would not be classed as a reportable breach.


Unsecured Database of Addiction Service Provider Potentially Contained Records of 145,000 Patients

A database containing highly sensitive information of patients who had previously sought treatment for addiction at rehabilitation centers has been discovered to be freely accessible over the internet.

The database contained approximately 4.91 million records which related to an estimated 145,000 patients of the Levittown, PA-based addiction rehabilitation service provider Steps to Recovery.

The unsecured database was discovered on March 24, 2019 by Justin Paine, Director of Trust and Safety at Cloudflare. Following the discovery, Paine notified Steps to Recovery and its hosting provider on March 24. No reply was received from Steps to Recovery, but its hosting company made contact and the database has now been secured and is no longer accessible online.

Paine had performed a search on the Shodan search engine to identify unsecured databases and devices. According to Paine, the ElasticSearch database contained two indexes which included more than 1.45 GB of data. The information could be accessed by anyone over the internet without the need for any authentication. The database was exposed online for more than two years, from the middle of 2016 to the end of 2018.

The types of information contained in the database included patients’ names, details of the treatments and services received at Steps to Recovery, the dates those services were provided, locations visited by patients, and billing information.

Paine was also able to obtain further information on patients with simple Google searches using information contained in the database. For a small sample of patients, Paine was able to discover information such as ages, dates of birth, email addresses, and possible contact telephone numbers.

The number of patients impacted by the breach has yet to be confirmed by Steps to Recovery and the incident is not yet listed on the Department of Health and Human Services’ Office for Civil Rights Breach portal. It is unclear if any other individuals found the database during the time it was accessible online.


Blue Cross of Idaho Website Hacked and Attempts Made to Reroute Payments

Blue Cross of Idaho has discovered its website has been hacked and an unauthorized individual gained access to its member portal and viewed the protected health information of some of its members.

Blue Cross of Idaho is one of the largest health insurers in the state and serves approximately 560,000 Idahoans. Blue Cross of Idaho’s executive vice president Paul Zurlo said the breach affected around 1% of its members – around 5,600 individuals.

The website security breach occurred on March 21, 2019 and was discovered the following day. During the time that portal access was possible, the hacker accessed provider remittance documents and attempted to reroute provider financial transactions.

Upon discovery of the breach, Blue Cross of Idaho terminated the unauthorized access and secured its portal to prevent financial fraud and further access to documents. The incident was reported to the FBI and the investigation remains open. The health insurer is working with internal and external cybersecurity consultants and financial experts to assess the security of the patient portal and the financial transactions that have taken place. All transactions going through the system are being monitored to ensure they are legitimate.

The remittance documents that were accessed did not contain Social Security numbers, driver’s license numbers, bank account information or debit/credit card numbers. The compromised information was limited to names, enrollee numbers, patient account numbers, claims numbers, payment data, procedure codes, provider names, and dates of service.

Members impacted by the breach have been advised to carefully monitor their bank account, credit card, and other financial statements for any sign of fraudulent activity as a precaution, even though financial information was not exposed. Explanation of benefits statements should also be checked for any services listed that have not been provided.

Following the exposure of sensitive information, it is customary to offer free access to credit monitoring and identity theft protection services. If Social Security numbers, financial information, or driver’s license numbers are exposed in a data breach, those services are usually provided for 12 months at no cost.

Even though highly sensitive information was not exposed and there does not appear to have been any attempt to misuse PHI, Blue Cross of Idaho is offering credit monitoring and identity theft protection services to affected members for three years.

Blue Cross of Idaho will also be sending new ID cards with different membership ID numbers to all affected individuals in the next few weeks and will continue to monitor the security of its system to ensure that members’ personal information is safe and secure.


Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules

A recent study conducted by the consultancy firm CynergisTek has revealed healthcare organizations are not in conformance with NIST Cybersecurity Framework (CSF) controls and the HIPAA Privacy and Security Rules.

For the study, CynergisTek analyzed the results of assessments at almost 600 healthcare organizations against NIST CSF and the HIPAA Privacy and Security Rules.

The NIST CSF is a voluntary framework, but the standards and best practices help organizations manage cyber risks. Healthcare organizations that are not in conformance with CSF controls face a higher risk of experiencing a cyberattack or data breach. On average, healthcare organizations were only in conformance with 47% of NIST CSF controls. Conformance has only increased by 2% in the past year.

Assisted living organizations had the highest level of conformance with NIST CSF (95%), followed by payers (86%), and accountable care organizations (73%). Business associates of HIPAA covered entities only had an average conformance level of 48%. Physician groups had the lowest level of conformance (36%).

Out of the five core functions of the NIST CSF – Identify, Detect, Protect, Respond, and Recover – conformance was lowest for Detect.

Even though conformance with the HIPAA Security Rule has been mandatory for the past 14 years, many healthcare organizations were found to be falling short. On average, healthcare organizations were found to be in conformance with 72% of HIPAA Security Rule requirements, which was 2% lower than last year. Critical access hospitals fared the worst with an average of 67% conformance.

Even when organizations were complying with HIPAA Rules, significant security gaps were identified, which clearly demonstrated compliance does not necessarily equate to security.

Compliance with the requirements of the HIPAA Privacy Rule was better, but there is still significant room for improvement. On average, healthcare organizations were complying with 77% of HIPAA Privacy Rule provisions. Many organizations had missing policies and procedures and improper postings. More than 60% of assessments revealed gaps in the maintenance of written policies and procedures related to the use and release of protected health information.

Conformance with the HIPAA Privacy Rule increased year over year for payers and physician groups, but declined for hospitals and health systems, falling from 94% in 2017 to 72% in 2018. CynergisTek explained this fall as most likely being due to higher numbers of assessments being performed on hospitals and health systems in 2018.

CynergisTek also found that insider breaches continue to be a major challenge for healthcare organizations. Insiders were responsible for 28% of healthcare data breaches in 2018 and, on average, those breaches took 255 days to detect. In 74% of cases, employees accessed the health records of household members; 10% involved accessing the records of VIPs who were treated at the hospital; 8% involved accessing the health records of co-workers; and 8% involved accessing neighbors’ health records.

Business associates were found to be a major security risk. They were involved in 20% of healthcare data breaches in 2018. CynergisTek found that in many cases, healthcare organizations were not proactively assessing their vendors, even those that are medium to high risk. The most common business associate failures were related to risk assessments, governance, and access management.


MD Anderson Cancer Center Appeals Against $4,348,000 HIPAA Penalty

In 2018, University of Texas MD Anderson Cancer Center was issued with a $4,348,000 civil monetary penalty by the HHS’ Office for Civil Rights (OCR) following the discovery of multiple alleged HIPAA violations that contributed to three data breaches that were experienced in 2012 and 2013.

OCR launched an investigation into the breaches and determined there had been an impermissible disclosure of the electronic protected health information (ePHI) of 34,883 patients and that HIPAA Rules had been violated as a result of the failure to use encryption. OCR reasoned that had encryption been used, the breaches could have been prevented.

MD Anderson contested the financial penalty and the case was sent to an administrative law judge, who ruled that MD Anderson must pay the financial penalty.

MD Anderson has now filed a complaint against the Secretary of the HHS and has launched an appeal with the U.S. Court of Appeals, Fifth Circuit in Texas.

As reported by Information Security Media Group (ISMG), MD Anderson alleges the civil monetary penalty is unlawful, that OCR has exceeded its authority by issuing the penalty, and the penalty is excessive. MD Anderson is seeking a permanent injunction to prevent OCR from collecting the penalty and have OCR cover its legal costs associated with its case.

Three counts are detailed in the complaint. MD Anderson alleges the CMP is unlawful as OCR only has the authority to issue a CMP against a person, which is either an individual, a trust, estate, partnership, or a corporation. MD Anderson is an academic institution and cancer treatment and research center that is part of the University of Texas and is a state agency and, it is argued, state agencies are exempt from OCR civil monetary penalties.

MD Anderson also argues that the penalty exceeds the maximum penalty for a HIPAA violation under the reasonable cause tier and that the penalty is in breach of the eighth amendment. In each of the three cases, employees acted against MD Anderson’s policies and procedures and did not take advantage of encryption technologies that were available to them. Further, no evidence has been uncovered to suggest that any information stored on the devices has been accessed, obtained, or misused.

MD Anderson also states that the use of encryption is not a requirement of the HIPAA Security Rule, which MD Anderson claims in the lawsuit is an “optional” standard.

It remains to be seen whether the appeal will be successful; however, OCR has made it clear that addressable standards are not ‘optional’ requirements of the HIPAA Security Rule.

“The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI,” wrote OCR on its website. “If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate.”

The penalties may appear excessive given the nature of the incidents, but OCR has the authority to issue financial penalties for “reasonable cause” up to a maximum of $1,500,000 per year. In its notice of proposed determination, OCR stated how it arrived at the penalty amount:

  1. Calendar Year 2011 – 283 days, from March 24 through December 31 (maximum penalty of $1,500,000).
  2. Calendar Year 2012 – 366 days, from January 1 through December 31 (maximum penalty of $1,500,000).
  3. Calendar Year 2013 – 25 days, from January 1 through January 25, 2013 (maximum penalty of $1,500,000).
