Latest HIPAA News

Massachusetts Physician Convicted for Criminal HIPAA Violation

Posted by HIPAA Journal

Criminal penalties for HIPAA violations are relatively rare, although the Department of Justice does pursue criminal charges for HIPAA violations when there has been a serious violation of patient privacy, such as an impermissible disclosure of protected health information for financial gain or malicious purposes.

One such case has resulted in two criminal convictions – a violation of the Health Insurance Portability and Accountability Act and obstructing a criminal healthcare investigation.

The case relates to the DOJ investigation of the pharmaceutical firm Warner Chilcott over healthcare fraud. In 2015, Warner Chilcott plead guilty to paying kickbacks to physicians for prescribing its drugs and for manipulating prior authorizations to induce health insurance firms to pay for prescriptions. The case was settled with the DOJ for $125 million.

Last week, a Massachusetts gynecologist, Rita Luthra, M.D., 67, of Longmeadow, was convicted for violating HIPAA by providing a Warner Chilcott sales representative with access to the protected health information of patients for a period of 10 months between January 2011 and November 2011.

The access to PHI allowed patients with certain health conditions to be targeted by the firm and facilitated the receipt of prior authorizations for Warner Chilcott pharmaceutical products. When interviewed by federal agents about her relationship with Warner Chilcott, Luthra provided false information and obstructed the investigation.

Luthra had been previously charged for receiving kickbacks from Warner Chilcott in the form of fees for speaker training and speaking at educational events that did not take place. Luthra had accepted payments of approximately $23,500. The DOJ eventually dropped the charges, although the case against the physician continued to be pursued, resulting in the two convictions.

Luthra faces jail time and a substantial fine. The maximum penalty for the HIPAA violation is a custodial sentence of no more than 1 year, one year of supervised release, and a maximum fine of $50,000. The maximum penalty for obstructing a criminal health investigation is no more than 5 years in jail, three years of supervised release, and a fine of up to $250,000.

The post Massachusetts Physician Convicted for Criminal HIPAA Violation appeared first on HIPAA Journal.

OCR Encourages Healthcare Organizations to Conduct a Gap Analysis

Posted by HIPAA Journal

In its April 2018 cybersecurity newsletter, OCR draws attention to the benefits of performing a gap analysis in addition to a risk analysis. The latter is required to identify risks and vulnerabilities that could potentially be exploited to gain access to ePHI, while a gap analysis helps healthcare organizations and their business associates determine the extent to which an entity is compliant with specific elements of the HIPAA Security Rule.

The Risk Analysis

HIPAA requires covered entities and their business associates to perform a comprehensive, organization-wide risk analysis to identify all potential risks to the confidentiality, integrity, and availability of ePHI – 45 CFR § 164.308(a)(1)(ii)(A).

If a risk analysis is not performed, healthcare organizations cannot be certain that all potential vulnerabilities have been identified. Vulnerabilities would likely remain that could be exploited by threat actors to gain access to ePHI.

While HIPAA does not specify the methodology that should be used when conducting risk analyses, OCR explained in its newsletter that risk analyses must contain certain elements:

  • A comprehensive assessment of all risks to all ePHI, regardless of where the data is created, received, maintained, or transmitted, or the source or location of ePHI.
  • All locations and information systems where ePHI is created, received, maintained, or transmitted must be included in the risk analysis, so an inventory should be created that includes all applications, mobile devices, communications equipment, electronic media, networks, and physical locations in addition to workstations, servers, and EHRs.
  • The risk analysis should cover technical and non-technical vulnerabilities, the latter includes policies and procedures, with the former concerned with software flaws, weaknesses in IT systems, and misconfigured information systems and security solutions.
  • The effectiveness of current controls must be assessed and documented, including all security solutions such as AV software, endpoint protection systems, encryption software, and the implementation of patch management processes.
  • The likelihood that a specific threat will exploit a vulnerability and the impact should a vulnerability be exploited must be assessed and documented.
  • The level of risk should be determined for any specific threat or vulnerability. With a risk level assigned, it will be easier to determine the main priorities when mitigating risks through the risk management process.
  • The risk analysis must be documented in sufficient detail to demonstrate that a comprehensive, organization-wide risk analysis has been conducted, and that the risk analysis was accurate and covered all locations, devices, applications, policies, and procedures involving ePHI. OCR will request this documentation in the event of an investigation or compliance audit.
  • A risk analysis is not a one-time event to ensure compliance with the HIPAA Security Rule – It must part of an ongoing process for continued compliance. The process must be regularly reviewed and updated, and risk analyses should be performed regularly. HIPAA does not stipulate how frequently a full or partial risk analysis should be performed. OCR suggests risk analyses are most effective when integrated into business processes.

Once a risk analysis has been performed, all risks and vulnerabilities identified must be addressed through a HIPAA-compliant security risk management process – 45 CFR § 164.308(a)(1)(ii)(B) – to reduce those risks to a reasonable and appropriate level.

Guidance on conducting an organization-wide risk analysis can be found on this link (HHS)

The Gap Analysis

A gap analysis is not a requirement of HIPAA Rules, although it can help healthcare organizations confirm that the requirements of the HIPAA Security Rule have been satisfied.

A gap analysis can be used as a partial assessment of an organizations compliance efforts or could cover all provisions of the HIPAA Security Rule.  Several gap analyses could be performed, each assessing a different set of standards and implementation specifications of the HIPAA Security Rule.

The gap analysis can give HIPAA-covered entities and their business associates an overall view of their compliance efforts, can help them discover areas where they are yet compliant with HIPAA Rules, and identify any gaps in the controls that have already been implemented.

Note that a gap analysis is not equivalent to a risk analysis, as it does not cover all possible risk to the confidentiality, integrity, and availability of ePHI as required by 45 C.F.R. §164.308(a)(1)(ii)(A).

OCR offers the following example of a simple gap analysis:

Source: OCR

The post OCR Encourages Healthcare Organizations to Conduct a Gap Analysis appeared first on HIPAA Journal.

How to Defend Against Insider Threats in Healthcare

Posted by HIPAA Journal

One of the biggest data security challenges is how to defend against insider threats in healthcare. Insiders are responsible for more healthcare data breaches than hackers, making the industry unique.

Verizon’s Protected Health Information Data Breach Report highlights the extent of the problem. The report shows 58% of all healthcare data breaches and security incidents are the result of insiders.

Healthcare organizations also struggle to detect insider breaches, with many breaches going undetected for months or even years. One healthcare employee at a Massachusetts hospital was discovered to have been accessing healthcare records without authorization for 14 years before the privacy violations were detected, during which time the records of more than 1,000 patients had been viewed.

Healthcare organizations must not only take steps to reduce the potential for insider breaches, they should also implement technological solutions, policies, and procedures that allow breaches to be detected rapidly when they do occur.

What are Insider Threats?

Before explaining how healthcare organizations can protected against insider threats, it is worthwhile covering the main insider threats in healthcare.

An insider threat is one that comes from within an organization. That means an individual who has authorization to access healthcare resources, which includes EMRs, healthcare networks, email accounts, or documents containing PHI. Resources can be accessed with malicious intent, but oftentimes mistakes are made that can equally result in harm being caused to the organization, its employees, or its patients.

Insider threats are not limited to employees. Any individual who is given access to networks, email accounts, or sensitive information in order to complete certain tasks could deliberately or accidentally take actions that could negatively affect an organization. That includes business associates, subcontractors of business associates, researchers, volunteers, and former employees.

The consequences of insider breaches can be severe. Healthcare organizations can receive heavy fines for breaches of HIPAA Rules and violations of patient privacy, insider breaches can damage an organization’s reputation, cause a loss of patient confidence, and leave organizations open to lawsuits.

According to the CERT Insider Threat Center, insider breaches are twice as costly and damaging as external threats. To make matters worse, 75% of insider threats go unnoticed.

Insider threats in healthcare can be split into two main categories based on the intentions of the insider: Malicious and non-malicious.

Malicious Insider Threats in Healthcare

Malicious insider threats in healthcare are those which involve deliberate attempts to cause harm, either to the organization, employees, patients, or other individuals. These include the theft of protected health information such as social security numbers/personal information for identity theft and fraud, the theft of data to take to new employers, theft of intellectual property, and sabotage.

Research by Verizon indicates 48% of insider breaches are conducted for financial gain, and with healthcare data fetching a high price on the black market, employees can easily be tempted to steal data.

A 2018 Accenture survey conducted on healthcare employees revealed one in five would be prepared to access and sell confidential data if the price was right. 18% of the 912 employees surveyed said they would steal data for between $500 and $1,000.

Alarmingly, the survey revealed that almost a quarter (24%) of surveyed healthcare employees knew of someone who had stolen data or sold their login credentials to an unauthorized outsider.

Disgruntled employees may attempt to sabotage IT systems or steal and hold data in case they are terminated. However, not all acts of sabotage are directed against employers. One notable example comes from Texas, where a healthcare worker used hospital devices to create a botnet that was used to attack a hacking group.

Non-Malicious Insider Threats in Healthcare

The Breach Barometer reports from Protenus/databreaches.net break down monthly data breaches by breach cause, including the number of breaches caused by insiders. All too often, insiders are responsible for more breaches than outsiders.

Snooping on medical records is all too common. When a celebrity is admitted to hospital, employees may be tempted to sneak a look at their medical records, or those of friends, family members, and ex-partners. The motivations of the employees are diverse. The Verizon report suggests 31% of insider breaches were employees accessing records out of curiosity, and a further 10% were because employees simply had access to patient records.

Other non-malicious threats include the accidental loss/disclosure of sensitive information, such as disclosing sensitive patient information to others, sharing login credentials, writing down login credentials, or responding to phishing messages.

The largest healthcare data breach in history – the theft of 78 million healthcare records from Anthem Inc.- is believed to have been made possible because of stolen credentials.

The failure to ensure PHI is emailed to the correct recipient, the misdirection of fax messages, or leaving portable electronic devices containing ePHI unattended causes many breaches each year. The Department of Health and Human Services’ Office for Civil Rights’ breach portal or ‘Wall of Shame’ is littered with incidents involving laptops, portable hard drives, smartphones, and zip drives that have stolen after being left unattended.

How to Defend Against Insider Threats in Healthcare

The standard approach to mitigating insider threats can be broken down into four stages: Educate, Deter, Detect, and Investigate.

Educate: The workforce must be educated on allowable uses and disclosures of PHI, the risk associated with certain behaviors, patient privacy, and data security.

Deter: Policies must be developed to reduce risk and those policies enforced. The repercussions of HIPAA violations and privacy breaches should be clearly explained to employees.

Detect: Healthcare organizations should implement technological solutions that allow them to detect breaches rapidly and access logs should be regularly checked.

Investigate: When potential privacy and security breaches are detected they must be investigated promptly to limit the harm caused. When the cause of the breach is determined, steps should be taken to prevent a recurrence.

Some of the specific steps that can be taken to defend against insider threats in healthcare are detailed below:

Perform Background Checks

It should be standard practice to conduct a background check before any individual is employed. Checks should include contacting previous employers, Google searches, and a check of a potential employee’s social media accounts.

HIPAA training

All healthcare employees should be made aware of their responsibilities under HIPAA. Training should be provided as soon as possible, and ideally before network or PHI access is provided. Employees should be trained on HIPAA Privacy and Security Rules and informed of the consequences of violations, including loss of employment, possible fines, and potential criminal penalties for HIPAA violations.

Implement anti-phishing defenses

Phishing is the number one cause of data breaches. Healthcare employees are targeted as it is far easier to gain access to healthcare data if an employee provides login credentials than attempting to find software vulnerabilities to exploit. Strong anti-phishing defenses will prevent the majority of phishing emails from reaching inboxes. Advanced spam filtering software is now essential.

Security awareness training

Since no technological solution will prevent all phishing emails from reaching inboxes, it is essential – from a security and compliance perspective – to teach employees the necessary skills that will allow them to identify phishing attempts and other email/web-based threats.

Employees cannot be expected to know what actions place data and networks at risk. These must be explained if organizations want to eradicate risky behavior. Security awareness training should also be assessed. Phishing simulation exercises can help to reinforce training and identify areas of weakness that can be tackled with further training.

Encourage employees to report suspicious activity

Employees are often best placed to identify potential threats, such as changes in the behavior of co-workers. Employees should be encouraged to report potentially suspicious behavior and violations of HIPAA Rules.

While Edward Snowden did not work in healthcare, his actions illustrate this well. The NSA breach could have been avoided if his requests for co-workers’ credentials were reported.

Controlling access to sensitive information

The fewer privileges employees have, the easier it is to prevent insider breaches in healthcare. Limiting data access to the minimum necessary amount will limit the harm caused in the event of a breach. You should be implementing the principle of least privilege. Give employees access to the least amount of data as possible. This will limit the data that can be viewed or stolen by employees or hackers that manage to obtain login credentials.

Encrypt PHI on all portable devices

Portable electronic devices can easily be stolen, but the theft of a device need not result in the exposure of PHI. If full disk encryption is used, the theft of the device would not be a reportable incident and patients’ privacy would be protected.

Enforce the use of strong passwords

Employees can be told to use strong passwords or long passphrases, but unless password policies are enforced, there will always be one employee that chooses to ignore those policies and set a weak password. You should ensure that commonly used passwords and weak passwords cannot be set.

Use two-factor authentication

Two-factor authentication requires the use of a password for account access along with a security token. These controls prevent unauthorized access by outsiders, as well as limiting the potential for an employee to use another employee’s credentials.

Terminate access when no longer required

You should have a policy in place that requires logins to be deleted when an employee is terminated, a contract is completed, or employees leave to work for another organization. There have been many data breaches caused by delays in deleting data access rights. Data access should not be possible from the second an employee walks out the door for the last time.

Monitor Employee Activity

If employees require access to sensitive data for work purposes it can be difficult to differentiate between legitimate data access and harmful actions. HIPAA requires PHI access logs to be maintained and regularly checked. Since this is a labor-intensive task, it is often conducted far too infrequently. The easiest way to ensure inappropriate accessing of medical records is detected quickly is to implement action monitoring software and other software tools that can detect anomalies in user activity and suspicious changes in data access patterns.

The post How to Defend Against Insider Threats in Healthcare appeared first on HIPAA Journal.

Report: Healthcare Data Breaches in Q1, 2018

Posted by HIPAA Journal

The first three months of 2018 have seen 77 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Those breaches have impacted more than one million patients and health plan members – Almost twice the number of individuals that were impacted by healthcare data breaches in Q4, 2017.

There was a 10.5% fall in the number of data breaches reported quarter over quarter, but the severity of breaches increased. The mean breach size increased by 130.57% and there was a 15.37% increase in the median breach size.

In Q4, 2017, the mean breach size was 6,048 healthcare records and the median breach size was 1,666 records. In Q1, 2018, the mean breach size was 13,945 records and the median breach size was 1,922 records.

Between January 1 and March 31, 2018, 1,073,766 individuals had their PHI exposed, viewed, or stolen compared to 520,141 individuals in Q4, 2017.

Individuals Impacted by Healthcare Data Breaches in Q1, 2018

Healthcare Records Breached in Q1, 2018

Throughout 2017, healthcare data breaches were occurring at a rate of more than one per day. Compared to 2017, January was a relatively good month for the healthcare industry, with just 22 security incidents reported to the HHS’ Office for Civil Rights.

However, January also saw the largest healthcare data breach of the quarter reported – A hacking incident that potentially resulted in the theft of almost 280,000 records. That incident made January the worst month in terms of the number of healthcare records exposed.

The number of reported data breaches also increased each month, In March, breaches were being reported at the typical rate of one per day.

Q1, 2018 Healthcare Data Breaches

Healthcare Data Breaches in Q1, 2018

Main Causes of Healthcare Data Breaches in Q1, 2018

The healthcare industry is something of an anomaly when it comes to data breaches. In other industries, hacking/IT incidents dominate the breach reports; however, the healthcare industry is unique as insiders cause the most data breaches.

Once again, insiders were behind the majority of breaches. Unauthorized access/disclosure incidents, loss of physical records and devices containing ePHI, and improper disposal incidents accounted for 59.74% of the 77 breaches reported in Q1.

The main cause of breaches in Q1, 2018 was unauthorized access/disclosures – 35 incidents and 45.45% of the total breaches reported in Q1. There were 15 breaches involving the loss or theft of electronic devices containing ePHI, all of which could have been prevented had encryption been used.

Causes of Healthcare Data Breaches, Q1, 2018

Healthcare Records Exposed in Q1, 2018 by Breach Cause

Unauthorized access/disclosure incidents were more numerous than hacking incidents in Q1, although more healthcare records were exposed/stolen in hacking/IT incidents than all other causes of breaches combined.

Healthcare Records Exposed by Breach Cause

Location of Breached PHI in Q1, 2018

Healthcare security teams may be focused on securing the perimeter and preventing hackers from accessing and stealing electronic health information, but it is important not to neglect physical records.  As was the case in Q4, 2017, physical records were the top location of breached PHI in Q1, 2018.

Email, which includes social engineering, phishing attacks and misdirected emails, was the second most common location of breached PHI followed by network servers.

Location of Breached PHI - Q1, 2018

Largest Healthcare Data Breaches of Q1, 2018

In Q1, 2018, there were 18 healthcare security breaches that impacted more than 10,000 individuals. Hacking/IT incidents tend to involve more records than any other breach cause, although in Q1, 2018, there were several large-scale unauthorized access/disclosure incidents, including five of the top ten breaches of the quarter.

The two largest breaches of the year to date affected Oklahoma State University Center for Health Sciences and St. Peter’s Surgery & Endoscopy Center. In both cases a hacker gained access to the network and potentially viewed/obtained patients’ PHI.

The five largest breaches of the quarter accounted for 57% of all records exposed in the quarter. The top 18 data breaches accounted for 87% of all records exposed in the quarter.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
Oklahoma State University Center for Health Sciences Healthcare Provider 279865 Hacking/IT Incident
St. Peter’s Surgery & Endoscopy Center Healthcare Provider 134512 Hacking/IT Incident
Tufts Associated Health Maintenance Organization, Inc. Health Plan 70320 Unauthorized Access/Disclosure
Florida Agency Persons for Disabilities Health Plan 63627 Unauthorized Access/Disclosure
Middletown Medical P.C. Healthcare Provider 63551 Unauthorized Access/Disclosure
Onco360 and CareMed Specialty Pharmacy Healthcare Provider 53173 Hacking/IT Incident
Triple-S Advantage, Inc. Health Plan 36305 Unauthorized Access/Disclosure
ATI Holdings, LLC and its subsidiaries Healthcare Provider 35136 Hacking/IT Incident
City of Houston Medical Plan Health Plan 34637 Theft
Mississippi State Department of Health Healthcare Provider 30799 Unauthorized Access/Disclosure
Agency for Health Care Administration Health Plan 30000 Hacking/IT Incident
Decatur County General Hospital Healthcare Provider 24000 Hacking/IT Incident
Barnes-Jewish Hospital Healthcare Provider 18436 Unauthorized Access/Disclosure
Barnes-Jewish St. Peters Hospital Healthcare Provider 15046 Unauthorized Access/Disclosure
Special Agents Mutual Benefit Association Health Plan 13942 Unauthorized Access/Disclosure
Guardian Pharmacy of Jacksonville Healthcare Provider 11521 Hacking/IT Incident
CarePlus Health Plan Health Plan 11248 Unauthorized Access/Disclosure
Primary Health Care, Inc. Healthcare Provider 10313 Unauthorized Access/Disclosure

Healthcare Data Breaches in Q1, 2018 by Covered Entity

Healthcare providers were the worst affected by healthcare data breaches in Q1, 2018. As was the case in Q4, 2017, 14 health plans experienced a breach of more than 500 records. There were half the number of business associate breaches in Q1, 2018 as there were in Q4, 2017.

Q1, 2018 Healthcare Data Breaches by Entity Type

Healthcare Data Breaches in Q1, 2018 by State

In Q1, healthcare organizations based in 35 states reported breaches of more than 500 records. The worst affected state was California with 11 reported breaches, followed by Massachusetts with 8 security incidents.

There were four security incidents in both Missouri and New York, and three breaches reported by healthcare organizations based in Florida, Illinois, Maryland, Mississippi, Tennessee, and Wisconsin.

Healthcare organizations based in Alabama, Arkansas, Kentucky, Rhode Island, Texas, and Wyoming reported two breaches.

There was one breach experienced in Colorado, Connecticut, District of Columbia, Georgia, Iowa, Maine, Michigan, Minnesota, North Carolina, New Jersey, New Mexico, Nevada, Ohio, Oklahoma, Pennsylvania, Utah, Virginia, Washington and West Virginia.

The post Report: Healthcare Data Breaches in Q1, 2018 appeared first on HIPAA Journal.

Healthcare Compliance Programs Not In Line With Expectations of Regulators

Posted by HIPAA Journal

Healthcare compliance officers are prioritizing compliance with HIPAA Privacy and Security Rules, even though the majority of Department of Justice and the HHS Office of Inspector General enforcement actions are not for violations of HIPAA or security breaches, but corrupt arrangements with referral sources and false claims. There are more penalties issued by regulators for these two compliance failures than penalties for HIPAA violations.

HIPAA enforcement by the HHS’ Office for Civil Rights has increased, yet the liabilities to healthcare organizations from corrupt arrangements with referral sources and false claims are far higher. Even so, these aspects of compliance are relatively low down the list of priorities, according to a recent survey of 388 healthcare professionals conducted by SAI Global and Strategic Management Services.

The survey was conducted on compliance officers from healthcare organizations of all sizes, from small physician practices to large integrated hospital systems. The aim of the study was to identify the key issues faced by compliance officers and determine how compliance departments are responding and prioritizing their resources.

When asked to rank their main priorities, dealing with HIPAA data breaches was overwhelmingly the top priority and the biggest concerns were HIPAA privacy and security.

The list of HIPAA enforcement actions has grown considerably over the past two years but there are still fewer penalties than for false claims and arrangements with referral sources. Even so, ensuring claims accuracy was only ranked third in compliance officers’ priority list and arrangement with referral sources was ranked fifth. The survey shows there is a gap between what OIG and DOJ consider to be the highest risk areas and where compliance officers see the greatest risks.

“The question has to be asked as to why, in the face the enforcement agencies’ priorities, compliance officers are placing these high risk-areas in a lower priority,” said former HHS Inspector General and CEO of Strategic Management Services Richard Kusserow. “The takeaway from the survey is that compliance officers should be prepared to better align their priorities and programs with those set out by the regulatory and enforcement agencies.”

Part of the reason for the focus on HIPAA compliance is the increase in enforcement activity by OCR in the past two years, the media activity surrounding healthcare data breaches, and the relatively high fines for covered entities discovered not to have fully complied with HIPAA Rules. With OCR investigating all breaches of more than 500 records, and data breaches now occurring with increasing frequency, it is easy to see why HIPAA compliance is being prioritized.

Even though HIPAA is the main priority for compliance officers and where most resources are focused, only one in five compliance officers feels their organization is well prepared for a HIPAA compliance audit. Last year when the survey was conducted, 30% of compliance officers said they were highly confident that they were well prepared for a HIPAA audit. The percentage of compliance officers who said they are moderately prepared for a HIPAA compliance audit has increased from 50% to 61%, showing the focus on HIPAA compliance is having a positive effect.

The study suggests the workload for compliance officers is increasing, but budgets are stagnant. Compliance officers are increasingly responsible for conducting internal audits and providing legal counsel in addition to overseeing compliance with HIPAA Privacy and Security Rules. The high workload and limited resources mean other aspects of compliance are being neglected. According to the report, “Compliance offices are being stretched thin to meet their obligations.”

While external compliance assessments are highly beneficial, only a quarter of respondents said they use independent third parties to complete those assessments, with three quarters performing self-assessments, internal surveys, and using compliance checklists to evaluate their compliance programs.

“The 2018 Healthcare Compliance Benchmark Survey gives us a better understanding of compliance program development in the healthcare sector and suggests that effectiveness is being measured in terms of output, rather than outcome,” said SAI Global CEO Peter Grana. “It is abundantly clear that there is a need for healthcare organizations to remove barriers and increased responsibilities being laid on their compliance offices that distract from the development of effective risk controls.”

The post Healthcare Compliance Programs Not In Line With Expectations of Regulators appeared first on HIPAA Journal.

FDA Develops Five-Point Action Plan for Improving Medical Device Cybersecurity

Posted by HIPAA Journal

The past few years have seen an explosion in the number of medical devices that have come to market. While those devices have allowed healthcare providers and patients to monitor and manage health in more ways that has ever been possible, concerns have been raised about medical device cybersecurity.

Medical devices collect, store, receive, and transmit sensitive information either directly or indirectly through the systems to which they connect. While there are clear health benefits to be gained from using these devices, any device that collects, receives, stores, or transmits protected health information introduces a risk of that information being exposed.

The FDA reports that in the past year, a record number of novel devices have been approved for use in the United States and that we are currently enjoying “an unparalleled period of invention in medical devices.” The FDA is encouraging the development of novel devices to address health needs, while balancing the risks and benefits.

The FDA has been working closely with healthcare providers, patients, and device manufacturers to understand and address any risks associated with the devices. Part of the FDA’s efforts in this area involve the development of new frameworks for identifying risks and protecting consumers.

To further protect patients and help reduce risks to a minimal level, the FDA has developed a five-point action plan (PDF). Under the plan the FDA will continue to encourage the development of new devices to address unmet health needs, while also enhancing security controls to ensure patient data remains private and confidential.

Improving Medical Device Cybersecurity

The FDA will be reorganizing its medical device center and will consolidate its premarket and postmarket offices. By leveraging the expert knowledge of staff in both offices and adopting a more integrated approach the FDA will be able to optimize decision-making. The FDA is also adopting a ‘Total Product Life Cycle’ (TPLC) approach to ensure device safety for the entire lifespan of the products.

While risks can be evaluated before the devices come to market, oftentimes those risks are not fully understood until the devices have been released and are being used by a wide range of patients and providers in different settings.

Naturally, when risks are identified in postmarket devices there needs to be a mechanism in place that allows the devices to be updated. The FDA will be exploring various regulatory options to ensure timely mitigations can be implemented, including the ability for all devices to receive updates and security patches to address newly discovered vulnerabilities.

While the FDA can ensure medical device labelling is improved to make providers aware of the safety and effectiveness of the devices, the FDA is considering additional training for providers and further education of users of the devices. The FDA also plans to develop scientific tool kits that can be used by manufacturers to ensure their premarket devices meet safety standards.

To encourage manufacturers to incorporate advanced medical device cybersecurity controls, the FDA is looking into ways it can streamline and speed up the reviewing of devices that meet and exceed safety standards.

The FDA is already promoting “a multi-stakeholder, multi-faceted approach of vigilance, responsiveness, recovery, and resilience” to ensure devices remain safe throughout their entire life cycle. The FDA is also seeking additional funding and authority to develop a public-private CyberMed Safety Analysis Board to assist with medical device cybersecurity issues, vulnerability coordination, and response mechanisms.

Members of the board would include biomedical engineers, clinicians, and cybersecurity experts who would advise both the FDA and device manufacturers on cybersecurity issues and provide assistance with adjudicating disputes.

The post FDA Develops Five-Point Action Plan for Improving Medical Device Cybersecurity appeared first on HIPAA Journal.

Version 1.1 of the NIST Cybersecurity Framework Released

Posted by HIPAA Journal

On April 16, 2018, The National Institute of Standards and Technology released an updated version of its Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework).

The Cybersecurity Framework was first issued in February 2014 and has been widely adopted by critical infrastructure owners and public and private sector organizations to guide their cybersecurity programs. While intended for use by critical infrastructure industries, the flexibility of the framework means it can also be adopted by a wide range of businesses, large and small, including healthcare organizations.

The Cybersecurity Framework incorporates guidelines, standards, and best practices and offers a flexible approach to cybersecurity. There are several ways that the Framework can be used with ample scope for customization. The Framework helps organizations address different threats and vulnerabilities and matches various levels of risk tolerance.

The Framework was intended to be a living document that can be updated and improved over time in response to feedback from users, changing best practices, new threats, and advances in technology. The new version is the first major update to the framework since 2014 and the result of two years of development.

NIST’s Matt Barrett, program manager for the Cybersecurity Framework, explained that the latest version “refines, clarifies and enhances version 1.0.” While several changes have been made in version 1.1, Barrett explained, “It is still flexible to meet an individual organization’s business or mission needs and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things.”

Version 1.1 of the Cybersecurity Framework includes several updates in response to comments and feedback received in 2016 and 2017 from organizations that have already adopted the Framework.

Version 1.1 sees refinements to the guidelines on authentication, authorization and identity proofing and a better explanation of the relationship between implementation tiers and profiles. The Framework for Cyber Supply Chain Risk Management has been significantly expanded and there is a new section on self-assessment of cybersecurity risk. The section on disclosure of vulnerabilities as also been expanded with a new subcategory added related to the vulnerability disclosure lifecycle.

“Cybersecurity is critical for national and economic security,” said Secretary of Commerce Wilbur Ross. “The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must do for all CEO’s.”

NIST is also planning to release a companion ‘Roadmap for Improving Critical Infrastructure Cybersecurity’ later this year and will be hosting a webinar later this month to explain and discuss the version 1.1 updates to the Framework.

The post Version 1.1 of the NIST Cybersecurity Framework Released appeared first on HIPAA Journal.

Analysis of March 2018 Healthcare Data Breaches

Posted by HIPAA Journal

There has been a month-over-month increase in healthcare data breaches. In March 2018, 29 security incidents were reported by HIPAA covered entities compared to 25 incidents in February.

March 2018 Healthcare Data Breaches

Even though more data breaches were reported in March, there was a fall in the number of individuals impacted by breaches. March 2018 healthcare data breaches saw 268,210 healthcare records exposed – a 13.13% decrease from the 308,780 records exposed in incidents in February.

Records exposed by Healthcare Data Breaches (March 2018)

Causes of March 2018 Healthcare Data Breaches

March saw the publication of the Verizon Data Breach Investigations Report which confirmed the healthcare industry is the only vertical where more data breaches are caused by insiders than hackers. That trend continued in March. Unauthorized access/disclosures, loss of devices/records, and improper disposal incidents were behind 19 of the 29 incidents reported – 65.5% of all incidents reported in March.

The main cause of healthcare data breaches in March 2018 was unauthorized access/disclosure incidents. 14 incidents were reported, with theft/loss incidents the second main cause with 9 incidents, followed by hacking/IT incidents with 5 breaches reported.

Severity of Breaches by Breach Cause

Breach Cause Total Records Exposed in March Median Records Exposed Mean Records Exposed
Unauthorized Access/Disclosure 166,859 3,551 11,919
Hacking/IT Incident 54,814 5,207 10,963
Theft 40,018 1,424 8,004
Loss 5,107 1,096 1,277
Improper Disposal 1,412 1,412 1,412

Largest Healthcare Data Breaches Reported in March 2018

There were ten healthcare data breaches reported in March that impacted more than 10,000 individuals. The largest data breach resulted in the exposure of 63,551 individuals’ PHI. That incident occurred and was discovered in December 2016, although the incident has only just been reported to the HHS’ Office for Civil Rights.

While hacking incidents usually result in the highest number of exposed/compromised records, in March it was unauthorized access/disclosure incidents that dominated the breach reports.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
Middletown Medical P.C. Healthcare Provider 63,551 Unauthorized Access/Disclosure
ATI Holdings, LLC and its subsidiaries Healthcare Provider 35,136 Hacking/IT Incident
City of Houston Medical Plan Health Plan 34,637 Theft
Mississippi State Department of Health Healthcare Provider 30,799 Unauthorized Access/Disclosure
Barnes-Jewish Hospital Healthcare Provider 18,436 Unauthorized Access/Disclosure
Barnes-Jewish St. Peters Hospital Healthcare Provider 15,046 Unauthorized Access/Disclosure
Special Agents Mutual Benefit Association Health Plan 13,942 Unauthorized Access/Disclosure
Guardian Pharmacy of Jacksonville Healthcare Provider 11,521 Hacking/IT Incident
Primary Health Care, Inc. Healthcare Provider 10,313 Unauthorized Access/Disclosure

March 2018 Healthcare Data Breaches by Covered Entity Type

No data breaches were reported by business associates of HIPAA-covered entities in March. The breach summaries published by the HHS’ Office for Civil Rights suggest there was no business associate involvement in any of the 29 incidents reported.

However, the largest reported incident – the breach at Middletown Medical – is marked as having no business associate involvement, when the breach notice uploaded to the provider’s website indicates the incident was caused by a subcontractor of a business associate. It is possible there were more security breaches in March that had some business associate involvement.

March 2018 Healthcare Data Breaches by Covered Entity Type

Records Exposed by Covered Entity Type

Unsurprisingly, given the number of incidents reported by healthcare providers, these incidents resulted in the highest number of exposed records – 154,325 records – followed by breaches at business associates/subcontractors – 63,551 records – and health plans – 50,334 records.

Breaches at business associates/subcontractors saw the highest number of records exposed per incident (Median & Mean = 63,551 records), followed by health plans (Median=13,943 records / Mean = 16,778 records), and healthcare providers (Median = 1,843 records / Mean = 6,173 records).

Location of Breached Protected Health Information

The main location of breached protected health information in March was portable electronic devices (laptops /other portable devices) with 9 incidents reported. Had encryption been used to protect ePHI on these devices, a breach of PHI could have easily been avoided.

The second biggest problem area was email with 8 reported incidents. These breaches include misdirected emails and phishing incidents.

Securing physical records continues to be a problem. There were five incidents reported in March that involved physical records such as paper and films.

Location of Breached Protected Health Information

March 2018 Healthcare Data Breaches by State

In March 2018, six states experienced multiple healthcare data breaches. While California usually tops the list for the most number of breaches, this month it was Massachusetts-based healthcare organizations that were the hardest hit, with 5 incidents reported.

California was in second place with four security incidents, followed by Missouri and New York with three, and Maryland and Texas with two. The 10 other states where breaches occurred were Arkansas, Colorado, District of Columbia, Florida, Georgia, Iowa, Illinois, Minnesota, Mississippi, and West Virginia.

Financial Penalties for Breaches and HIPAA Violations

There were no civil monetary penalties issued by the Department of Health and Human Services’ Office for Civil Rights in March, and no settlements with HIPAA-covered entities or business associates to resolve HIPAA violations.

The New York attorney general’s office has continued to take a hard line on companies discovered to have violated HIPAA Rules and suffered data breaches as a result with one further settlement reached in March.

Virtua Medical Group agreed to settle violations of HIPAA and state laws for $417,816. That penalty relates to the failure to secure an FTP server, although it was not the healthcare provider that was directly responsible. The error was made by a business associate of Virtua Medical Group.

The post Analysis of March 2018 Healthcare Data Breaches appeared first on HIPAA Journal.

How Long Does It Take to Breach a Healthcare Network?

Posted by HIPAA Journal

A recent survey of hackers, incident responders, and penetration testers has revealed the majority can gain access to a targeted system within 15 hours, but more than half of hackers (54%) take less than five hours to gain access to a system, identify sensitive data, and exfiltrate the data.

61% of Surveyed Hackers Took Less than 15 Hours to Obtain Healthcare Data

The data comes from the second annual Nuix Black Report and its survey of 112 hackers and penetration testers, 79% of which were based in the United States.

Respondents were asked about the time it takes to conduct attacks and steal data, the motivations for attacks, the techniques used, and the industries that offered the least resistance.

While the least protected industries were hospitality, retail, and the food and beverage industry, healthcare organizations were viewed as particularly soft targets. Healthcare, along with law firms, manufacturers, and sports and entertainment companies had below average results and were relatively easy to attack. As Nuix points out, many of the industries that were rated as soft targets are required to comply with industry standards for cybersecurity.

The retail and food and beverage industries are required to comply with Payment Card Industry Data Security Standard (PCI DSS) and healthcare organizations must comply with HITECH Act requirements and the HIPAA Security Rule, with the latter requiring safeguards to be implemented to ensure the confidentiality, integrity, and availability of healthcare data. As far as hackers are concerned, the data is certainly available. When asked how long it takes to breach the perimeter of a hospital or healthcare provider and exfiltrate useful data, 18% said less than 5 hours, 23% said 5-10 hours, and 20% said 10 to 15 hours. ‘Large numbers’ of hackers said they were able to identify and exfiltrate sensitive data within an hour of breaching the network perimeter.

Even though organizations are required to comply with certain standards for cybersecurity, that does not mean that appropriate safeguards are implemented, or that they are implemented correctly and are providing the required level of protection.

“Most organizations invest heavily in perimeter defenses such as firewalls and antivirus, and these are mandatory in many compliance regimes, but most of the hackers we surveyed found these countermeasures trivially easy to bypass,” said Chris Pogue, Head of Services, Security and Partner Integration at Nuix and lead author of the report.

How Are Hackers Gaining Access to Networks and Data?

The most popular types of attacks are social engineering (27%) and phishing attacks (22%), preferred by 49% of hackers. 28% preferred network attacks.  The popularity of ransomware has soared in recent years, yet it was not a preferred attack method, favored by only 3% of respondents to the survey.

Social engineering is used sometimes or always by 50% of attackers, with phishing emails by far the most popular social engineering method. 62% of hackers who use social engineering use phishing emails, physical social engineering on employees is used by 22%, and 16% obtain the information they need over the telephone.

The most commonly used tools for attacks were open source hacking tools and exploit packs, which combined are used by 80% of surveyed hackers.

Interestingly, while the threat landscape is constantly changing, hackers do not appear to change their tactics that often. Almost a quarter of hackers only change their attack methods once a year and 20% said they update their methods twice a year.

As for the motivation for the attacks, it is not always financial. 86% hack for the challenge, 35% for entertainment/mischief, and only 21% attack organizations for financial gain.

One take home message from the survey is just how important it is to implement security awareness programs and train staff cybersecurity best practices and to be alert to the threat from social engineering and phishing attacks. With almost half of hackers preferring these tactics, ensuring the workforce can identify phishing and social engineering attacks will greatly improve organizations’ security posture.

The post How Long Does It Take to Breach a Healthcare Network? appeared first on HIPAA Journal.