Latest HIPAA News

HHS Publishes Final Rule on Confidentiality of Substance Use Disorder Patient Records

Posted by HIPAA Journal

The Department of Health and Human Services has published its final rule on the Confidentiality of Substance Use Disorder Patient Records, altering Substance Abuse and Mental Health Services Administration (SAMHSA) regulations.

The aim of the update is to better align regulations with advances in healthcare delivery in the United States, while ensuring patient’s privacy is protected when treatment for substance abuse disorders is sought. The final rule addresses the permitted uses and disclosures of patient identifying information for healthcare operations, payment, audits and evaluations.

The last substantial changes to the Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR part 2) regulations were in 1987. In 2016, SAMHSA submitted a Notice of Proposed Rulemaking in the Federal Register proposing updates to 42 CFR part 2. The proposed updates reflected the development of integrated health care models and the use of electronic exchange of patient information, while still ensuring patient privacy was protected to prevent improper disclosures.

After considering public comments, a final rule was published by SAMHSA in January 2017, which incorporated greater flexibility for disclosures within the healthcare system while still continuing to protect the confidentiality of substance use disorder records.

A supplemental notice of proposed rulemaking was also issued and public comments were sought on those additional proposals, which covered disclosures related to payment and healthcare operations that can be made to contractors, subcontractors, and legal representatives by lawful holders under the part 2 rule consent provisions, and disclosures for purposes of carrying out Medicaid, Medicare or Children’s Health Insurance Program (CHIP) audits or evaluations.

SAMHSA has now considered all 55 comments received, and has finalized its proposed revisions, taking those comments into consideration.

Several of the commenters sought better alignment with the Health Insurance Portability and Accountability Act (HIPAA) and/or the Health Information Technology for Economic and Clinical Health (HITECH) Act to promote better information flow, provide greater discretion for providers and administrators of services, the establishment of uniform workable regulations with respect to treatment, payment and operations, and to promote more innovative models of health care delivery.

SAMHSA has attempted to align the revisions with HIPAA and the HITECH Act as far as is possible, but explained, “It is important to note that part 2 and its authorizing statute are separate and distinct from HIPAA, the HITECH Act, and their implementing regulations.”

“Part 2 provides more stringent federal protections than other health privacy laws such as HIPAA and seeks to protect individuals with substance use disorders who could be subject to discrimination and legal consequences in the event that their information is improperly used or disclosed.”

Comments were received suggesting SAMHSA should make it easier for healthcare providers using alternative payment models to share records, as the lack of information about substance abuse disorders could negatively affect patient care.

There was considerable disagreement in the comments about whether care coordination and case management should be included in the list of permissible activities under payment and health care operations.

SAMHSA has decided not to include care coordination and case management and the list of permissible activities that SAMHSA considers to be payment and health care operations, and the list is ‘substantively unchanged.’

SAMHSA has also included language in the regulatory text that clarifies disclosures to contractors, subcontractors and legal representatives are not permitted for activities related to a patient’s diagnosis, treatment, or referral for treatment.

SAMHSA will continue to review all of the issues raised in the comments and will explore ways to better align Part 2 with HIPAA and HITECH, including future additional rulemaking for 42 CFR part 2.

A public meeting will also be held prior to March 21, 2018, to determine the effects of 42 CFR part 2 on patient care, health outcomes, and patient privacy. Stakeholders will be given the opportunity to provide input on implementation of part 2, including the changes adopted in the final rule.

The post HHS Publishes Final Rule on Confidentiality of Substance Use Disorder Patient Records appeared first on HIPAA Journal.

CMS Clarifies Position on Use of Text Messages in Healthcare

Posted by HIPAA Journal

In November, the Centers for Medicare and Medicaid Services (CMS) explained in emails to healthcare providers that the use of text messages in healthcare is prohibited due to concerns about security and patient privacy.

SMS messages are not secure. The CMS was concerned that the use of text messages in healthcare will lead to the exposure of sensitive patient data and could threaten the integrity of medical records. While this is understandable as far as SMS messages are concerned, many secure messaging applications satisfy all the requirements of HIPAA – e.g. transmission security, access and authentication controls, audit controls, and safeguards to ensure the integrity of PHI.

The use of secure messaging platforms was raised with the CMS by some hospitals; however, the position of the CMS, based on the emails, appeared to be a total ban on the use of text messages in healthcare, even the use of secure messaging platforms.

In the emails, the CMS said, “After meeting with vendors regarding these [secure messaging] products, it was determined they cannot always ensure the privacy and confidentiality of PHI of the information being transmitted. This resulted in the no texting determination.”

In December, the Health Care Compliance Association (HCCA) published an article questioning the stance of the CMS. HCCA said in its Report on Medicare Compliance, that at least two hospitals had received emails from the CMS explaining all forms of text messaging were prohibited.

Nina Youngstrom, Managing Editor of the Report on Medicare Compliance, said in the article that several compliance officers and healthcare attorneys were horrified about the position of the CMS. One attorney said a total ban would be “Like going back to the dark ages.”

CMS explained that concern about text messages in healthcare was not just about transmission security. There was the potential for a lack of access controls on the senders’ and receivers’ devices, stored data may not necessarily be secure and encrypted, and the privacy of patients is not guaranteed. Another concern was information transmitted via text messages also needs to be entered into the patient record and made available for retrieval.

Last year, the Joint Commission relaxed its ban on the use of text messages in healthcare for sending patient orders, only to later backtrack and reinstate the ban. The Joint Commission’s current position is the use of text messaging in healthcare is permitted, provided a secure messaging platform is used. However, the ban on the use of text messages for sending orders for patient care remains in place.

The CMS appeared to be saying no to all forms of text messaging, even though a large percentage of hospitals have switched over to secure text messaging platforms and are finally replacing their outdated pagers. Such a ban would therefore not be too dissimilar to implementing a ban on email, given how text messaging is so extensively used in healthcare.

A recent survey conducted by the Institute for Safe Medication Practices (ISMP) confirms this. In its survey of 788 healthcare professionals, 45% of pharmacists and 35% percent of nurses said texting was used in their facilities. 53% said there was a policy in place prohibiting the use of text messages for patient orders, but despite the Joint Commission ban, 12% said texting patient orders was allowed – 8% only when a secure platform was used and 3% said text messages were permitted under any circumstances.

CMS Confirms The Use of Text Messages in Healthcare is Permitted

On December 28, 2017, a month after the emails were sent, the CMS sent a memo clarifying its position on the use of text messages in healthcare, confirming there is not a total ban in place.

The CMS explained that the ban on the use of all forms of text messaging, including secure text messaging systems, remains in place for orders by physicians or other health care providers. “The practice of texting orders from a provider to a member of the care team is not in compliance with the Conditions of Participation (CoPs) or Conditions for Coverage (CfCs),” specifically stating §489.24(b) and §489.24(c) apply.

Order entries should be made by providers using Computerized Provider Order Entry (CPOE), or via hand written orders. The CMS explained that, “An order if entered via CPOE, with an immediate download into the provider’s electronic health records (EHR), is permitted as the order would be dated, timed, authenticated, and promptly placed in the medical record.”

The CMS accepts that text messages are an important means of communication in healthcare, and that text messages are now essential for effective communication between care team members. However, in order to comply with the CoPs and CfCs, healthcare organizations must use and maintain text messaging systems/platforms that are secure.

Those platforms must encrypt messages in transit and healthcare organizations are required to assess and minimize the risks to the confidentiality, integrity, and availability of PHI as required by HIPAA. The CMS also explained that “It is expected that providers/organizations will implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized, in order to avoid negative outcomes that could compromise the care of patients.”

The stance of the CMS is therefore aligned with that of the Joint Commission. Secure text messaging platforms can be used in healthcare, just not for texting orders. Even though secure text messaging meet HIPAA requirements for privacy and security, the ban remains in place over concerns about inputting orders sent by text messages into the EHR. CPOE is still the preferred method of entry to ensure accuracy.

The post CMS Clarifies Position on Use of Text Messages in Healthcare appeared first on HIPAA Journal.

24,000 Patients Impacted by Emory Healthcare Data Breach

Posted by HIPAA Journal

Emory Healthcare (EHC) has discovered a former employee obtained the protected health information of several thousand EHC patients and uploaded the data to a Microsoft Office 365 OneDrive account, where it could potentially be accessed by other individuals.

The former employee was a physician at Emory Healthcare, who now works for the University of Arizona (UA) College of Medicine. EHC says patient information was taken without authorization and without its knowledge. EHC was alerted to the incident by the University of Arizona, and received a list of affected individuals on October 18, 2017.

The OneDrive account could only be accessed by the physician, other former EHC physicians now at UA, UA staff who investigated the incident, and potentially a limited number of other UA staff members who had a specific type of UA email account. PHI was not exposed on the Internet and no other individuals are believed to have been able to view the information.

UA hired a third-party forensic team to conduct an investigation, although no evidence was uncovered to suggest patient information was accessed or used in any way. UA has confirmed that all EHC patient information has been permanently and securely deleted from the account and its systems.

EHC says no Social Security numbers, financial information, addresses, phone numbers, driver’s license numbers, or credit card information was exposed. The data uploaded to the account was limited to names, dates of service at EHC, provider names, medical record numbers, diagnoses, treatment information, treatment locations, and in some cases, dates of birth. The information was largely restricted to patients who had received radiology services at EHC between 2004 and 2014.

EHC is now notifying patients by mail that their protected health information has been exposed, and potentially disclosed. EHC has received no reports to suggest any of the information has been misused; however, as a precautionary measure, patients have been advised to remain vigilant and to take steps to protect themselves against potential fraudulent use of their information.

EHC is now taking steps to prevent incidents such as this from occurring in the future, including enhancing its patient care team education programs and reviewing and improving security measures.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 24,000 patients have been impacted by the breach.

The post 24,000 Patients Impacted by Emory Healthcare Data Breach appeared first on HIPAA Journal.

2017 HIPAA Enforcement Summary

Posted by HIPAA Journal

Our 2017 HIPAA enforcement summary details the financial penalties paid by healthcare organizations to resolve HIPAA violation cases investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general.

2017 saw OCR continue its aggressive pursuit of financial settlements for serious violations of HIPAA Rules. There have been 9 HIPAA settlements and one civil monetary penalty in 2017.

In total, OCR received $19,393,000 in financial settlements and civil monetary penalties from covered entities and business associates to resolve HIPAA violations discovered during the investigations of data breaches and complaints.

Last year, there were 12 settlements reached with HIPAA-covered entities and business associates, and one civil monetary penalty issued. In 2016, OCR received $25,505,300 from covered entities to resolve HIPAA violation cases.

Summary of 2017 HIPAA Enforcement by OCR

Listed below are the 2017 HIPAA enforcement activities of OCR that resulted in financial penalties for HIPAA-covered entities and their business associates.

Covered Entity Amount Type Violation Type
Memorial Healthcare System $5,500,000 Settlement Insufficient ePHI Access Controls
Children’s Medical Center of Dallas $3,200,000 Civil Monetary Penalty Impermissible Disclosure of ePHI
Cardionet $2,500,000 Settlement Impermissible Disclosure of PHI
Memorial Hermann Health System $2,400,000 Settlement Careless Handling of PHI
21st Century Oncology $2,300,000 Settlement Multiple HIPAA Violations
MAPFRE Life Insurance Company of Puerto Rico $2,200,000 Settlement Impermissible Disclosure of ePHI
Presense Health $475,000 Settlement Delayed Breach Notifications
Metro Community Provider Network $400,000 Settlement Lack of Security Management Process
St. Luke’s-Roosevelt Hospital Center Inc. $387,000 Settlement Unauthorized Disclosure of PHI
The Center for Children’s Digestive Health $31,000 Settlement Lack of a Business Associate Agreement

OCR’s 2017 HIPAA enforcement activities have revealed covered entities are continuing to fail to comply with HIPAA Rules in key areas: Safeguarding PHI on portable devices, conducting an organization-wide risk analysis, implementing a security risk management process, and entering into HIPAA-compliant business associate agreements with all vendors.

Throughout 2016 and 2017, many covered entities have failed to issue breach notifications promptly. In 2017, OCR took action for this common HIPAA violation and agreed its first HIPAA settlement solely for delaying breach notifications to patients.

HIPAA Desk Audits Revealed Widespread HIPAA Violations

In late 2016, OCR commenced the much-delayed second phase of its HIPAA-compliance audit program. The first stage involved desk audits of 166 HIPAA-covered entities – 103 audits on the Privacy and Breach Notification Rules, and 63 audits on the Security Rule. 41 desk audits were conducted on business associates on the Breach Notification and Security Rules.

While the full results of the compliance audits have not been released, this fall OCR announced preliminary findings from the compliance audits.

Covered entities were given a rating from 1 to 5 for the completeness of compliance efforts on each control and implementation specification. A rating of 1 signifies full compliance with goals and objectives of the standards and implementation specifications that were audited. A rating of 5 indicates there was no evidence that the covered entity had made a serious attempt to comply with HIPAA Rules.

Preliminary Findings of HIPAA Compliance Audits on Covered Entities

Listed below are the findings from the HIPAA compliance audits. A rating of 5 being the worst possible score and 1 being the best.

Preliminary HIPAA Compliance Audit Findings (2016/2017)
HIPAA Rule Compliance Controls Audited Covered Entities Given Rating of 5 Covered Entities Given Rating of 1
Breach Notification Rule (103 audits) Timeliness of Breach Notifications 15 67
Breach Notification Rule (103 audits) Content of Breach Notifications 9 14
Privacy Rule (103 audits) Right to Access PHI 11 1
Privacy Rule (103 audits) Notice of Privacy Practices 16 2
Privacy Rule (103 audits) Electronic Notice 15 59
Security Rule (63 audits) Risk Analysis 13 0
Security Rule (63 audits) Risk Management 17 1

 

Almost a third of covered entities failed to issue breach notifications promptly and next to no covered entities were found to be fully compliant with the HIPAA Privacy and Security Rules.

OCR has delayed the full compliance reviews until 2018. While some organizations will be randomly selected for a full review – including a site visit – OCR has stated that poor performance in the desk audits could trigger a full compliance review. Financial penalties may be deemed appropriate, especially when there has been no attempt to comply with HIPAA Rules.

Attorneys General Fines for Privacy Breaches

The HITECH Act gave state attorneys general the authority to pursue financial penalties for HIPAA violations and assist OCR with the enforcement of HIPAA Rules. Relatively few state attorneys general exercise this right. Instead they choose to pursue cases under state laws, even if HIPAA Rules have been violated.

Notable 2017 settlements with healthcare organizations and business associates of HIPAA covered entities have been listed below.

Covered Entity State Amount Individuals affected Reason
Cottage Health System California $2,000,000 More than 54,000 Failure to Safeguard Personal Information
Horizon Healthcare Services Inc., New Jersey $1,100,000 3.7 million Failure to Safeguard Personal Information
SAManage USA, Inc. Vermont $264,000 660 Exposure of PHI on Internet
CoPilot Provider Support Services, Inc. New York $130,000 221,178 Late Breach Notifications
Multi-State Billing Services Massachusetts $100,000 2,600 Failure to Safeguard Personal Information

The post 2017 HIPAA Enforcement Summary appeared first on HIPAA Journal.

Is Google Voice HIPAA Compliant?

Posted by HIPAA Journal

Google Voice is a popular telephony service, but is Google Voice HIPAA compliant or can it be used in a HIPAA compliant way? Is it possible for healthcare organizations – or healthcare employees – to use the service without risking a violation of HIPAA Rules?

Is Google Voice HIPAA Compliant?

Google Voice is a popular and convenient telephony service that includes voicemail, voicemail transcription to text, the ability to send text messages free of charge, and many other useful features. It is therefore unsurprising that many healthcare professionals would like to use the service at work, as well as for personal use.

In order for a service to be used in healthcare in conjunction with any protected health information (PHI) it must be possible to use it in a HIPAA compliant way.

That means the service must be covered by the conduit exemption rule – which was introduced when the HIPAA Omnibus Final Rule came into effect – or it must incorporate a range of controls and safeguards to meet the requirements of the HIPAA Security Rule.

As with SMS, faxing and email, Google Voice is not classed as a conduit which means that in order for Google Voice to be HIPAA compliant, the service would need to satisfy the requirements of the HIPAA Security Rule.

There would need to be access and authentication controls, audit controls, integrity controls, and transmission security for messages sent through the service. Google would also need to ensure that any data stored on its servers are safeguarded to the standards demanded by HIPAA. HIPAA-covered entities would also need to receive satisfactory assurances that is the case, in the form of a HIPAA-compliant business associate agreement (BAA).

Therefore, before Google Voice could be used in conjunction with any protected health information, the covered entity must obtain a BAA from Google.

Will Google Sign A BAA for Google Voice?

Google is keen to encourage healthcare organizations to adopt its services, and is happy to sign a business associate agreement for G Suite, but Google does not include its free consumer services in that agreement. Google does not recommend businesses use its free consumer services for business use, as they have been developed specifically for consumers for personal use.

Google Voice is a consumer product and is not included in G Suite, Google Apps, or Google Cloud and neither is it mentioned in its BAA.

So is Google Voice HIPAA compliant? No. Until such point that Google releases a version of Google Voice for businesses, and will include it in its business associate agreement, it should not be used by healthcare organizations or healthcare employees in a professional capacity.

The use of Google Voice with any protected health information would be a violation of HIPAA Rules.

The post Is Google Voice HIPAA Compliant? appeared first on HIPAA Journal.

Scrub Nurse Fired for Photographing Employee-Patient’s Genitals

Posted by HIPAA Journal

A scrub nurse who took photographs of a patient’s genitals and shared the images with colleagues has been fired, while the patient, who is also an employee at the same hospital, has filed a lawsuit seeking damages for the harm caused by the incident.

The employee-patient was undergoing incisional hernia surgery at Washington Hospital. She alleges in a complaint filed in Washington County Court, that while she was unconscious, a scrub nurse took photographs of her genitals on a mobile phone and shared the photographs with co-workers.

Photographing patients without their consent is a violation of HIPAA Rules, and one that can attract a significant financial penalty. Last Year, New York Hospital settled a HIPAA violation case with the Department of Health and Human Services’ Office for Rights and paid a financial penalty of $2.2 million. In that case, a television crew had been authorized to film in the hospital, but consent from the patients in the footage had not been obtained.

In the Washington Hospital HIPAA breach, the patient, identified in the lawsuit only as Jane Doe, claims she became aware that photos had been shared the day after her operation. She also claims the scrub nurse showed her the photographs that had been taken. Horrified at the violation of her privacy, she reported the incident to her supervisors. The scrub nurse was subsequently fired for the HIPAA violation.

However, in the lawsuit Jane Doe claims that was not the end of the matter. She said, taking action against the scrub nurse resulted in her “being treated like the wrongdoer, not the victim.” As a result of the complaint she was “forced to endure harassment, humiliation and backlash,” and “extreme hostility” at work. That harassment has allegedly continued outside the hospital.

Jane Doe was given two weeks of paid leave as a healing period, and returned to her unit in the same position. However, she suffered migraines, anxiety, and insomnia as a result of the incident. She requested further paid leave of 3 months, as recommended by her physician, but the request was denied. She subsequently took unpaid leave under the Family Medical Leave Act and was terminated in October.

The lawsuit names the hospital, a doctor who was in the operating room but failed to stop the scrub nurse from taking photos and did not report the incident, and several other workers at the hospital. Jane Doe seeks in excess of $75,000 in damages for the “severe physical, emotional and psychological stress” caused. The patient’s husband is also a plaintiff and is suing for loss of consortium.

The post Scrub Nurse Fired for Photographing Employee-Patient’s Genitals appeared first on HIPAA Journal.

New Bill Aims to Change HIPAA Rules for Healthcare Clearinghouses

Posted by HIPAA Journal

A new bill (H.R. 4613) has been introduced to the U.S House of Representatives by Congresswoman Cathy McMorris Rodgers (R-Washington) that proposes changes to the Health Information Technology for Economic and Clinical Health (HITECH) Act and HIPAA Rules for healthcare clearinghouses.

The Ensuring Patient Access to Healthcare Records Act of 2017 is intended to modernize the role of healthcare clearinghouses in healthcare, promote access to and the leveraging of health information, and enhance treatment, quality improvement, research, public health and other functions.

Healthcare clearinghouses are entities that transform data from one format to another, converting non-standard data to standard data elements or vice versa. Healthcare clearinghouses are considered HIPAA-covered entities, although in some cases they can be business associates. The bill – Ensuring Patient Access to Healthcare Records Act of 2017 – would see all healthcare clearinghouses treated as covered entities.

Healthcare clearinghouses gather health data from a wide range of sources, therefore they could hold a complete set of records for each patient. If patients are allowed to obtain copies of their health records from healthcare clearinghouses, it could make it easier for patients treated by multiple providers to obtain a full set of their health records.

“Whether it’s because of a move to a new state, switching providers, an unexpected visit to the emergency room, or a new doctor, patients must track down their own records from numerous different sources based on what they can or cannot remember. It shouldn’t be this burdensome,” said Rodgers. “Our bill gives patients the ability to see a snapshot of their health records at just a simple request, allowing them to make better, more informed healthcare decisions in a timely manner.”

While the bill could improve data access for patients, it has been suggested that patients are unlikely to benefit. Healthcare clearinghouses may have longitudinal health records from multiple sources, but in many cases, they only have claims data rather than a full set of clinical data. Even if patients could be provided with copies, it may not prove to be particularly useful.

Patients can choose which healthcare providers they use, but since a healthcare clearinghouse is not chosen by patients, they are unlikely to know which healthcare clearinghouses actually hold their data. Patients rarely have any dealings with healthcare clearinghouses.

The bill would “allow the use of claims, eligibility, and payment data to produce reports, analyses, and presentations to benefit Medicare, and other similar health insurance programs, entities, researchers, and health care providers, to help develop cost saving approaches, standards, and reference materials and to support medical care and improved payment models.”

This is not the first time that the Ensuring Patient Access to Healthcare Records Act has been introduced. None of the previous versions of the bill have made it to the floor and have attracted considerable criticism. In his Healthcare Blog, Adrian Gropper, MD expressed concern over a previous version of the bill (Senate bill S.3530).

“Extending Covered Entity status to data brokers seems like a quantitative shift and possibly a benefit to patients. But the deceptive part is that unlike today’s Covered Entities (hospitals, pharmacies, and insurance companies), data brokers do not have to compete for the patient’s business,” said Gropper. “By giving the infrastructure business the right to use and sell our data without consent or even transparency, we are enabling a true panopticon – an inescapable surveillance system for our most valuable personal data.”

The post New Bill Aims to Change HIPAA Rules for Healthcare Clearinghouses appeared first on HIPAA Journal.

Cybersecurity Best Practices for Travelling Healthcare Professionals

Posted by HIPAA Journal

In its December cybersecurity newsletter, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) offered cybersecurity best practices for travelling healthcare professionals to help them prevent malware infections and the exposure of patients’ protected health information (PHI).

Many healthcare professionals will be travelling to see their families over the holidays and will be taking work-issued devices with them on their travels, which increases the risk to the confidentiality, integrity, and availability of PHI.

Using work-issued laptops, tablets, and mobile phones in the office or at home offers some protection from cyberattacks and malware infections. Using the devices to connect to the Internet at cafes, coffee shops, hotels, and other Wi-Fi access points increases the risk of a malware infection or man-in-the-middle attack. Even charging portable devices via public USB charging points at hotels and airports can see malware transferred.

Not only will malware and cyberattacks potentially result in data on the device being exposed, login credentials can be stolen leading to a substantial data breach, or malware can be transferred to your organization’s network when you return to work.

Ensure Travel is Covered in Your Risk Analysis

HIPAA-covered entities and business associates must conduct a risk analysis to identify all risks to the confidentiality, integrity, and availability of PHI. The risk analysis must include the risks when healthcare professionals travel, be it on holiday or for business trips. Vulnerabilities and risks identified by the risk assessment must then be managed and reduced to an acceptable and appropriate level through a HIPAA-compliant risk management process.

OCR’s Suggested Cybersecurity Best Practices for Travelling Healthcare Professionals

The following cybersecurity best practices for travelling healthcare professionals are particularly relevant during the holiday season, but apply whenever work-issued devices are removed from the protection of a secured network.

Healthcare organizations that permit healthcare employees to remove work-issued devices should incorporate these cybersecurity best practices into their training programs and ensure all healthcare employees are made aware of the additional risks when travelling and how they can manage those risks.

Leave Portable Devices at the Office or at Home

If you don’t really need to take a work-issued device with you, leave it at home or at the office and make sure it is secured.

Ensure Devices are Fully Patched

All portable devices should be kept patched and up to date, although this becomes even more important when travelling and connecting to public Wi-Fi hotspots. Software, mobile apps, and operating systems should be updated to the latest versions.

Secure the Devices Using Strong Passwords

All devices should be secured with strong passwords. OCR suggests passwords should be more than 10 characters and should include numbers, letters (upper and lower case) and symbols. Passphrases can be used as they are difficult to guess but easy to remember. Multi-factor authentication should also be used if possible.

Activate Additional Security Controls

Activate additional security controls such as fingerprint readers on mobile phones to prevent data and account access in the event of loss or theft. This can buy you more time to secure accounts and change passwords if your device is stolen.

Encrypt all Sensitive Data on Your Devices

OCR suggests laptop computers should have full disk encryption to ensure data cannot be accessed in the event of loss or theft, and to remove data from portable devices if it is not required.

Create Multiple Backups of Files

It is essential that data can be recovered in the event of loss or theft of a portable device or a ransomware attack. Multiple backups should ideally be created on another device with a copy also stored securely in the cloud.

Bring Portable Chargers, Power Cords and Adaptors

Connecting to public charging points in airports and hotels can easily introduce malware. Avoid USB charging points, and charge devices using a portable charging pack or by plugging into the mains supply. If charging ports must be used, only connect after devices have been powered down.

Avoid Public Wi-Fi Hotspots

Avoid all public Wi-Fi networks as they are unlikely to be secure. If you do need to connect to Wi-Fi when travelling, always connect to the Internet via a VPN.

Turn Off Auto Connect for Bluetooth and Wi-Fi

Ensure your portable devices do not automatically connect to Wi-Fi networks and turn off Bluetooth connectivity.

Use Different PIN Numbers

Always use a unique PIN number for each of your devices. Never reuse a PIN anywhere else, such as on the hotel safe.

Never Leave Devices Unprotected

If you cannot lock a portable electronic device in a safe, take it with you. Any possible hiding spot in a hotel room will be checked by thieves. Devices should only ever be taken in hand luggage, never packed in a case that is put in the hold.

Use Geo-Location with Care

While geolocation services have their uses, they can also alert thieves that you are not at home. Consider turning off these services on social media networks when you are away, and avoid posting photos taken on your travels until you return home.

The post Cybersecurity Best Practices for Travelling Healthcare Professionals appeared first on HIPAA Journal.

New Malware Detections at Record High: Healthcare Most Targeted Industry

Posted by HIPAA Journal

Throughout 2017, the volume of new malware samples detected by McAfee Labs has been steadily rising each quarter, reaching a record high in Q3 when 57.6 million new malware samples were detected. On average, in Q3 a new malware sample was detected every quarter of a second.

In the United States, the healthcare industry continues to be the most targeted vertical, which along with the public sector accounted for more than 40% of total security incidents in Q3. In Q3, account hijacking was the main attack vector, followed by leaks, malware, DDoS, and other targeted attacks.

There were similar findings from the recent HIMSS Analytics/Mimecast survey which showed email related phishing attacks were the greatest cause of concern among healthcare IT professionals, with email the leading attack vector.

In Q3, globally there were 263 publicly disclosed security breaches – a 15% increase from last quarter – with more than 60% of those breaches occurring in the Americas. Malware attacks increased 10% since last quarter bringing the total new malware samples in the past four quarters to 781 million – a 27% increase in the space of a year.

Ransomware continues to be a favored moneymaker for cybercriminals, with the number of new ransomware samples increasing by 36% in Q3 – 14% more than the previous quarter. In total, 12.2 million samples of ransomware were detected – a 44% increase over the past four quarters.  One notable ransomware variant was Lukitus – a new form of Locky ransomware that appeared in Q3. The campaign detected by McAfee involved an astonishing 23 million spam emails in the first 24 hours alone.

While not the biggest threat in Q3, fileless malware threats are still a major cause for concern. Script-based malware – written in VBS, JavaScript, PowerShell or PHP – has been steadily increasing over the past two years. The malware is easy to obfuscate and difficult to detect, and is increasingly being used in malware campaigns, with some campaigns consisting entirely of script-based malware.

McAfee reports that while there was a 36% fall in JavaScript malware since Q2, the level is still higher than at any point in 2016 and Q3 saw a 119% increase in PowerShell malware.

“Although many cyberattacks continue to rely on the exploitation of basic security vulnerabilities, exposures, and user behaviors, fileless threats leverage the utility of our own system capabilities,” said Vincent Weafer, Vice President for McAfee Labs. “By leveraging trusted applications or gaining access to native system operating tools such as PowerShell or JavaScript, attackers have made the development leap forward to take control of computers without downloading any executable files, at least in the initial stages of the attack.”

There was also a notable rise in mobile malware, with 21.1 million samples detected – 10% higher than Q2, the increase was largely due to a major rise in Android screen-locking ransomware variants. Macro malware increased by 8% in Q3, while Mac malware saw an increase of 7%. Web-based threats also increased significantly in Q3.

While malware continues to be a major threat, the Carbon Black’s 2017 Threat Report indicates 52% of attacks are non-malware related. Non-malware attacks are now increasing at a rate of 6.8% per month.

The financial services, healthcare providers, and retail stores were the verticals most affected by malware-related cyberattacks in 2017 according to Carbon Black. The main threats are the Kryptik Trojan, Strictor ransomware, the Nemucod downloader, the Emotet banking Trojan, and the Skeeyah Trojan. Carbon Black reports a 328% increase in attacks on endpoints in 2017 alone.

While the healthcare industry has had its fair share of ransomware attacks, it is well down the list of industries targeted with ransomware, coming in 9th out of 10 industries with just 4.6% of the total. The leading targets being tech firms, government organizations/NPOs and legal firms.

Ransomware will continue to be the dominant form of cybercrime in 2018, according to the report. Carbon Black estimates revenues from ransomware will rise to $5 billion by the end of the year, compared to just $24 million in 2015.

The post New Malware Detections at Record High: Healthcare Most Targeted Industry appeared first on HIPAA Journal.