Latest HIPAA News

Email Top Attack Vector in Healthcare Cyberattacks

A recent study conducted by HIMSS Analytics for email security firm Mimecast has revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months.

Far from ransomware or malware attacks being occasional events, many of the healthcare organizations that participated in the survey have experienced more than a dozen malware or ransomware attacks in the past year.

While there are several possible ways that ransomware and malware can be installed, healthcare providers rated email as the number one attack vector.

When asked to rank attack vectors, email was rated as the most likely source of a data breach by 37% of respondents, with the second most likely source of a data breach being ‘other portable devices’, ranked as the main threat by 10% of organizations.

59% of organizations ranked email first, second, or third as the most likely attack vector. In second place was laptops, which were ranked 1, 2, or 3 by 44% of organizations.

Given the frequency of email based attacks this year, it is no surprise that healthcare organizations believe email-related security attacks will continue to cause problems, and that they are likely to increase or significantly increase in the future.

A recent study conducted by Malwarebytes showed ransomware attacks are already 62% more prevalent than in 2016, and have occurred at almost 2,000 times the rate in 2015. The 2017 Verizon Data Breach Report suggests 72% of all malware used to target the healthcare industry is ransomware.

Those findings were backed up by the HIMSS Analytics survey. Ransomware was seen as the most serious threat by 83% of respondents. Malware was rated second, followed by spear phishing attacks and Business Email Compromise (BEC) attacks.

The importance of securing email is clear. Email is used to communicate protected health information by approximately 80% of healthcare organizations. Email is also rated as an essential communication tool and is considered critical by 93% of respondents, while 43% said email was mission critical and that their organization could not tolerate email downtime.

It is understandable given the frequency of email-based attacks and the importance of email in healthcare that organizations have a high level of concern about cybersecurity and their ability to repel email-based attacks.

Resilience to ransomware and malware attacks was rated as the top initiative for building a cyber resilience strategy, while training employees to be more security aware is the second highest priority over the following 12 months. Securing email was third.

David Hood, Cyber Resilience Strategist for Healthcare at Mimecast said, “This survey clearly demonstrates that email is a mission-critical application for healthcare providers and that cyberthreats are real and growing – surprisingly, even more so than the threats to Electronic Medical Records (EMRs), laptops and other portable electronic devices. It’s encouraging that protecting the organization and training employees are top initiatives for next year, but the survey suggests the industry has work to do.”

Mimecast provided five suggestions on how healthcare organizations can reduce the risk of email-based threats:

  1. Train employees on the risks associated with email and provide real-time reminders rather than relying on an annual training session.
  2. Analyze all inbound email attachments and scan for malware and malware downloaders.
  3. Implement a web filtering solution to check URLs when a user clicks, not just at the point emails enter the organization.
  4. Inspect outbound emails to check that protected health information is not being sent to individuals unauthorized to receive it, and to determine whether email accounts may have been compromised.
  5. Finally, it is essential that data backups are regularly performed to ensure that in the event of a ransomware attack, healthcare organizations do not face data loss and are not forced to pay ransoms.

The post Email Top Attack Vector in Healthcare Cyberattacks appeared first on HIPAA Journal.

Oklahoma Health Department Re-Notifies 47,000 of 2016 Data Breach

In April 2016, the Oklahoma Department of Human Services experienced a data breach, and while notifications were sent to affected individuals and the DHS’ Office of Inspector General shortly after the breach was detected, a breach notice was not submitted to the HHS’ Office for Civil Rights, a breach of HIPAA Rules.

Now, more than 18 months after the 60-day reporting window stipulated in the HIPAA Breach Notification Rule has passed, OCR has been notified. OCR has instructed the Oklahoma Department of Human Services to re-notify the 47,000 Temporary Assistance for Needy Families clients that were impacted by the breach to meet the requirements of HIPAA.

The breach in question occurred in April 2016 when an unauthorized individual gained access to a computer at Carl Albert State College in Poteau, Oklahoma. The computer contained records of current and former Temporary Assistance for Needy Families clients. The data on the server included names, addresses, dates of birth, and Social Security numbers.

Once the breach was identified, Carl Albert State College secured its systems to prevent further access and implemented new controls to monitor for potential breaches. In May 2016, the HHS Office of Inspector General was notified of the breach, and breach notification letters were sent to all individuals impacted by the attack in August 2016. However, no breach report was sent to the HHS’ Office for Civil Rights.

Now, not only must the Oklahoma Department of Human Services cover the cost of re-notifying 47,000 clients, but overlooking the HIPAA requirement to notify the HHS Secretary of the breach also places the health department at risk of a considerable fine for non-compliance.

Earlier this year, OCR sent a message to all healthcare organizations that HIPAA Breach Notification Rule failures would not be tolerated when Presence Health was fined $475,000 for unnecessarily delaying the issuing of breach notification letters. Notifications were issued one month after the 60-day Breach Notification Rule deadline.

Is GoToMeeting HIPAA Compliant?

Is GoToMeeting HIPAA compliant? Can GoToMeeting be used by HIPAA-covered entities and their business associates for communicating protected health information without violating HIPAA Rules?

GoToMeeting is an online meeting and video conferencing solution offered by LogMeIn. The service is one of many conferencing and desktop sharing solutions that can improve communication and collaboration, with many benefits for healthcare organizations.

In order for collaboration tools to be used by healthcare organizations that are required to comply with Health Insurance Portability and Accountability Act Rules, the tools must be subjected to a risk analysis and determined to meet the security standards demanded by HIPAA.

Fail to ensure that a particular service is HIPAA compliant and you could violate the privacy of patients, breach HIPAA Rules, and potentially have to cover a sizable financial penalty for non-compliance.

It should be pointed out that no software or communications platform can be truly HIPAA-compliant. Even if appropriate safeguards are incorporated to ensure the confidentiality, integrity, and availability of ePHI, it is still possible to use a ‘HIPAA-compliant’ service in a non-compliant manner. It is up to a HIPAA-covered entity or business associate to ensure that any software or communication platform is configured correctly, is used appropriately, that PHI is only shared or communicated to people authorized to receive the information, and that when information is disclosed, the minimum necessary standard applies.

Is GoToMeeting HIPAA Compliant?

In order to consider GoToMeeting HIPAA compliant, technical safeguards would need to be incorporated to meet the requirements of the HIPAA Security Rule.

To protect data in transit, GoToMeeting employs full end-to-end data encryption. All transmitted data is protected using HMAC-SHA-1 message authentication codes, while chat, video, audio, and control data are protected in transit using AES 128-bit encryption. AES 128-bit encryption meets the current standards for encryption recommended by NIST.

Protecting data in transit is only one element of HIPAA compliance. If PHI is to be transmitted – via email, secure text messages, or conferencing solutions – there must be audit controls. An audit trail must be maintained allowing activity relating to PHI to be examined. GoToMeeting creates logs of connection and session activity, and access to reporting and management tools is available to account managers.

Controls must also be present that ensure only authorized individuals are able to gain access to the system. GoToMeeting is protected by unique meeting codes and includes the option of setting strong passwords. When meetings are set up they are not publicly listed, and meeting organizers have full control over who can join the meetings.

Each user that wishes to join a meeting must identify themselves using a unique email address and/or number along with a unique password, and users are automatically logged off after a period of inactivity, which can be set by the meeting organizer.

GoToMeeting also confirms on its website, “the technical security controls employed in the GoToMeeting service and associated host and client software meet or exceed HIPAA technical standards.”

While the technical safeguards meet HIPAA requirements, HIPAA-covered entities must also enter into a HIPAA-compliant business associate agreement with service providers prior to using a service for communicating PHI. GoToMeeting offers a business associate agreement which covers use of the service, meeting this regulatory requirement.

So, is GoToMeeting HIPAA-compliant? Provided HIPAA-covered entities and business associates enter into a BAA with GoToMeeting prior to using the service for communicating PHI, GoToMeeting can be used in a HIPAA-compliant manner.

However, as GoToMeeting explains, “Organizations should carefully review all configurable security features of GoToMeeting in the context of their specific environments, user population and policy requirements to determine which features should be enabled and how best to configure.”

Second Draft of the Revised NIST Cybersecurity Framework Published

The second draft of the revised NIST Cybersecurity Framework has been published. Version 1.1 of the Framework includes important changes to some of the existing guidelines and several new additions.

Version 1.0 of the NIST Cybersecurity Framework was first published in 2014 with the aim of helping operators and owners of critical infrastructure assess their risk profiles and improve their ability to prevent, detect, and respond to cyberattacks. The Framework establishes a common language for security models, practices, and security controls across all industries.

The Framework is based on globally accepted cybersecurity best practices and standards, and adoption of the Framework helps organizations take a more proactive approach to risk management. Since its publication in 2014, the Framework has been adopted by many private and public sector organizations to help them develop and implement effective risk management practices.

Following the release of the CSF, NIST has received numerous comments from public and private sector organizations on potential enhancements to improve usability of the Framework. Those comments were taken on board and incorporated in the first revised draft of the Framework which was published in January 2017. The latest draft includes several refinements that take into account feedback received on the first draft of the revised Framework.

Several changes have been made in version 1.1 of the NIST CSF to meet the requirements of the Cybersecurity Enhancement Act of 2014, which led to the creation of the NIST CSF. The first version of the NIST CSF failed to address all of the requirements, although the latest update brings the NIST CSF closer to meeting all of its initial goals.

The latest version of the Framework clarifies some of the language relating to cybersecurity measurement, further guidance is included on improving supply chain security, and changes have been made to incorporate mitigating risk of IoT devices and operational technology.

NIST has also issued an update to its Roadmap for Improving Critical Infrastructure Security which details several topics that will be considered for upcoming revisions of the Framework and details of future planned activities.

Adoption of the Framework is voluntary for most organizations, which can choose an appropriate implementation tier to suit their cybersecurity risk management practices. However, the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure in May 2017 made adoption of the Framework mandatory for all federal agencies.

Comments on the second draft of the revised NIST Cybersecurity Framework are being accepted until January 19, 2018. The final release of version 1.1 of the Cybersecurity Framework is expected in Spring 2018.

HHS Seeks Volunteers for HIPAA Administrative Simplification Optimization Project Pilot

The Department of Health and Human Services is running a HIPAA Administrative Simplification Optimization Project Pilot and is currently seeking volunteers to have compliance reviews. The aim of the pilot is to streamline HIPAA compliance reviews for health plans and healthcare clearinghouses.

Currently, a variety of different data formats are used for conducting electronic transactions. That variety can cause problems when transferring and sharing data. If communications about billing and insurance related matters are streamlined and healthcare organizations comply with the HIPAA Administrative Simplification transaction standards, providers and health plans can devote fewer resources to these tasks. Compliance with the Administrative Simplification transaction standards will also reduce the burden on compliant entities that have to exchange healthcare data with trading partners that are not compliant.

According to the 2016 CAQH Index, industry-wide compliance with the HIPAA Administrative Simplification transaction standards could result in savings of almost $9 billion each year for the healthcare industry. However, for those savings to be made, there must be industry-wide compliance.

One of the ways that the HHS can help to make these savings is by conducting proactive compliance reviews. The purpose of the reviews is to help health plans and other healthcare organizations take action to ensure compliance.

The reviews are not intended to identify noncompliance in order to punish healthcare organizations, instead the aim is to help covered entities comply with the Administrative Simplification transaction standards. According to a recent email communication from the Centers for Medicare and Medicaid Services (CMS), there will be “a progressive penalty process with the goal of remediation, not punishment.”

The reviews will commence with a pilot, for which the HHS is now seeking volunteers. In total, the HHS requires six volunteer organizations for the HIPAA Administrative Simplification Optimization Project pilot – three health plans and three healthcare clearinghouses. Organizations that participate in the pilot will be subjected to a review of their transactions to assess compliance with the HIPAA Administrative Simplification standards, covering code sets, adopted standards, unique identifiers, and operating rules.

Health plans and clearinghouses that join the HIPAA Administrative Simplification Optimization Project pilot will be able to verify compliance or identify noncompliance issues. The compliance reviews will start in January 2018 and will inform the rollout of the Administrative Simplification Optimization Program.

The reviews will require volunteer organizations to submit electronic transaction files, which will be reviewed and tested by the HHS. The HHS suggests the process of submitting electronic files for review should take no longer than 10 hours. Further details of the pilot reviews will be supplied to participants that are selected to take part in the pilot.

Once the reviews have been conducted, all participants that have successfully passed a review will be provided with a certificate by the HHS, which volunteers will be able to share with their partners and business associates.

If non-compliance is discovered, the HHS will provide guidance on areas for optimization and a corrective action plan will need to be developed by the volunteers to address compliance issues.

Any organization that takes part in the pilot will not be selected for a further review for one year following the launch of the HHS Administrative Simplification Optimization Program.

The HHS is accepting applications for the HIPAA Administrative Simplification Optimization Project pilot by email – HIPAAcompliant@cms.hhs.gov – with volunteers chosen from the pool of applicants that have applied by December 13, 2017. All organizations that apply will be notified whether they have been selected or not by December 27, 2017.

Data Security and Breach Notification Act Introduced in Senate

The Senate is to vote on a national data breach notification bill – the Data Security and Breach Notification Act – that aims to standardize breach notification requirements across all states. Currently there is a patchwork of data breach notification laws across the United States, each with different reporting requirements. If passed, the Data Security and Breach Notification Act would replace state laws.

While there is a clear need for national standards to ensure all consumers are equally protected regardless of where they live, all previous attempts to introduce nationwide standards for data breach notifications have failed.

The Data Security and Breach Notification Act was introduced by Sen. Bill Nelson (D-FL), with the bill co-sponsored by Sen. Richard Blumenthal (D-CT) and Sen. Tammy Baldwin (D-WI).

Sen. Nelson first introduced the bill in 2015, and introduced a revised version a year later, both of which failed. Announcing the bill, Nelson highlighted the recent Uber data breach, which saw the names, phone numbers, and email addresses of more than 57 million customers and the names and driver’s license details of 600,000 U.S. drivers exposed. Uber became aware of the breach in 2016, negotiated with the hackers and paid them $100,000 to destroy the stolen data, and attempted to cover up the breach. Details of the breach were only recently made public.

Following the announcement of the Uber breach, the massive Equifax breach, and other major breaches that have resulted in considerable harm to U.S. consumers, it is hoped that this time around the bill will progress.

Sen. Baldwin said, “The recent data breaches, from Uber to Equifax, will have profound, long-lasting impacts on the integrity of many Americans’ identities and finances, and it is simply unacceptable that millions of them may still not know that they are at risk, nor understand what they can and should do to help limit the potential damage.”

If passed, the Data Security and Breach Notification Act would require notifications of data breaches to be issued to state authorities and breach victims within 30 days of the discovery of a breach.

The breach reporting requirements of the Data Security and Breach Notification Act are tougher than those in most states, as are the penalties for concealing a data breach. Executives of companies that knowingly conceal and fail to report a data breach would face up to five years in jail.

Financial institutions covered by, and in compliance with, the Gramm-Leach-Bliley Act will be deemed to be in compliance with the Data Security and Breach Notification Act, as will organizations that comply with Section 13401 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, or section 1173(d) of title XI, part C of the Social Security Act, with respect to data covered by section 13401 of the HITECH Act or the HIPAA Security Rule.

The bill also calls for the Federal Trade Commission (FTC) to develop a new set of security standards that businesses can follow to help prevent data breaches.

“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” said Sen. Nelson. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.”

Effective Identity and Access Management Policies Help Prevent Insider Data Breaches

The HIPAA Security Rule administrative safeguards require information access to be effectively managed. Only employees that require access to protected health information to conduct their work duties should be granted access to PHI.

When employees voluntarily or involuntarily leave the organization, PHI access privileges must be terminated. The failure to implement procedures to terminate access to PHI immediately could all too easily result in a data breach. Each year there are many examples of organizations that fail to terminate access promptly, only to discover former employees have continued to log in to systems remotely after their employment has come to an end.

If HIPAA-covered entities and business associates do not have effective identity and access management policies and controls, there is a significant risk of PHI being accessed by former employees after employment has terminated. Data could be copied and taken to a new employer, or used for malicious purposes. The Department of Health and Human Services’ Office for Civil Rights’ breach portal includes many examples of both.

In its November cybersecurity newsletter, OCR has drawn attention to the risk of these types of insider threats and explains the importance of implementing effective identity and access management policies.

When an employee is terminated or quits, access to PHI must be terminated immediately, preferably before the individual has left the building. There are several ways that access to PHI can be terminated, although most commonly this is achieved by deleting user accounts.

While the employee’s account must be terminated, covered entities must also ensure that other accounts that the employee had access to are secured. Passwords for administrative or privileged accounts should also be changed.

In addition to terminating user accounts to prevent unauthorized accessing of electronic protected health information, OCR reminds covered entities and business associates of the need to also terminate physical access to facilities and health records. Keys and keycards must be returned, users should be removed from access lists, security codes should be changed, and ID cards returned.

If an employee has been issued with a laptop, mobile phone, or other electronic device, the device must be recovered. If there is a BYOD policy and employees have been allowed to use their own devices to access or store ePHI, personal devices must be purged.

Since employees may have access to multiple accounts, logs should be created whenever access to PHI or systems is granted, privileges are increased, or equipment is issued. The logs can be used to make sure all accounts are secured and all equipment can be retrieved.

OCR suggests developing a set of standard procedures that can be applied and followed whenever an employee or other workforce member quits or is terminated. A checklist is a good way to ensure that nothing is missed.

Identity and access management policies will only be effective if they are followed 100% of the time. To ensure that is the case, covered entities and business associates should consider conducting audits to confirm procedures are being followed. Audits should also include checking user logs to ensure former employees are not continuing to access systems and data after their employment has been terminated.
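The audit step above, checking authentication logs against HR termination records, can be automated. The following is an added example with constructed log lines and termination data, not OCR's or any vendor's tooling; the log format and user ids are assumptions.

```python
"""Flag former-employee access by comparing authentication logs with termination records.
Constructed example: the syslog-style format, hosts and users below are invented."""

from datetime import datetime, timezone
import re

# Constructed HR feed: user id -> time the employee's access should have ended (UTC).
TERMINATIONS = {
    "jdoe": datetime(2017, 11, 3, 17, 0, tzinfo=timezone.utc),
    "asmith": datetime(2017, 11, 10, 12, 30, tzinfo=timezone.utc),
}

# Constructed log lines from a VPN concentrator and an EHR application.
SAMPLE_LOG = """\
2017-11-03T08:12:44Z vpn01 auth: user=jdoe result=success src=203.0.113.5
2017-11-03T18:41:02Z vpn01 auth: user=jdoe result=success src=198.51.100.23
2017-11-04T09:05:10Z ehr-app auth: user=jdoe result=success src=10.20.30.40
2017-11-05T07:55:31Z vpn01 auth: user=bwong result=success src=203.0.113.9
2017-11-11T22:10:00Z vpn01 auth: user=asmith result=failure src=198.51.100.77
2017-11-12T22:12:19Z vpn01 auth: user=asmith result=success src=198.51.100.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "result": m["result"], "src": m["src"]}


def find_post_termination_access(log_text, terminations):
    """Return every authentication event by a terminated user after their termination time.

    Failed attempts are kept on purpose: repeated failures against a terminated
    account show the account still exists and should already have been disabled.
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"] not in terminations:
            continue
        ended = terminations[ev["user"]]
        if ev["ts"] > ended:
            delta_hours = (ev["ts"] - ended).total_seconds() / 3600
            ev["hours_after_termination"] = round(delta_hours, 1)
            findings.append(ev)
    return findings


def accounts_still_active(log_text, terminations):
    """Users with at least one successful login after termination: the account was not disabled."""
    return sorted({ev["user"]
                   for ev in find_post_termination_access(log_text, terminations)
                   if ev["result"] == "success"})


if __name__ == "__main__":
    for ev in find_post_termination_access(SAMPLE_LOG, TERMINATIONS):
        print(f"{ev['ts'].isoformat()} {ev['user']}@{ev['host']} {ev['result']} "
              f"({ev['hours_after_termination']}h after termination) from {ev['src']}")
    print("accounts needing immediate disablement:", accounts_still_active(SAMPLE_LOG, TERMINATIONS))
```

In production the termination feed would come from the HR system and the log text from the SIEM; the comparison logic stays the same.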

Further tips to prevent unauthorized accessing of PHI and ePHI by former employees can be found on this link.

Survey Reveals Poor State of Email Security in Healthcare

A recent survey showed 98% of top healthcare providers have yet to implement the DMARC (Domain-based Message Authentication, Reporting & Conformance) email authentication standard.

The National Health Information Sharing and Analysis Center (NH-ISAC), the Global Cybersecurity Alliance (GCA), and cybersecurity firm Agari investigated the level of DMARC adoption in the healthcare industry and the state of healthcare email security.

For the report, Agari analyzed more than 500 domains used by healthcare organizations and pharmaceutical firms, as well as more than 800 million emails and over 1,900 domains from its Email Trust Network.

The report – Agari Industry DMARC Adoption Report for Healthcare – shows that while DMARC can all but eliminate phishing attacks that impersonate domains, only 2% of the top healthcare organizations and fewer than 23% of all healthcare organizations have adopted DMARC.

Only 21% of healthcare organizations are using DMARC to monitor for unauthenticated emails, yet those organizations are not blocking phishing emails. Only 2% are protecting patients from phishing attacks spoofing their domains. NH-ISAC reports that only 30% of its members have adopted DMARC.

The impersonation of domains is a common tactic employed by phishers to fool victims into believing emails have been sent by trusted organizations. The healthcare industry is at the highest risk of being targeted by fraudulent email, according to the report. Over the past 6 months, 92% of healthcare domains have been targeted by phishers and scammers using fraudulent email. 57% of all emails sent from healthcare organizations are fraudulent or unauthenticated.
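The distinction the report draws between monitoring (p=none) and actually blocking spoofed mail (p=quarantine or p=reject) is visible in a domain's published DMARC record. The following is an added example that classifies DMARC TXT records the same way; it is not Agari's tooling, and the domains and records are constructed.

```python
"""Classify DMARC records as missing, monitor-only, enforcing, or invalid.
Constructed example: the domains and TXT records below are invented."""

from dataclasses import dataclass
from typing import Optional

# Constructed TXT records as they would be published at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "hospital-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hospital-a.example; pct=100",
    "hospital-b.example": "v=DMARC1; p=none; rua=mailto:dmarc-reports@hospital-b.example",
    "clinic-c.example": "v=DMARC1; p=quarantine; pct=50; ruf=mailto:forensics@clinic-c.example",
    "pharma-d.example": None,  # no _dmarc TXT record published at all
    "lab-e.example": "v=spf1 include:_spf.example.net -all",  # wrong record type at _dmarc
}


@dataclass
class DmarcStatus:
    domain: str
    level: str            # "none" | "monitor" | "enforce" | "invalid"
    policy: Optional[str] # value of the p= tag, if any
    pct: int              # share of failing mail the policy applies to (default 100)
    reporting: bool       # rua= present, so the owner receives aggregate reports


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (tags lowercased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def classify(domain: str, record: Optional[str]) -> DmarcStatus:
    """Map a domain's record to the adoption levels used in the report."""
    if record is None:
        return DmarcStatus(domain, "none", None, 0, False)
    tags = parse_dmarc(record)
    # A usable record must start with v=DMARC1 and carry a p= policy tag.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return DmarcStatus(domain, "invalid", None, 0, False)
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    reporting = "rua" in tags
    if policy == "none":
        level = "monitor"          # receivers report but deliver spoofed mail anyway
    elif policy in ("quarantine", "reject"):
        level = "enforce"          # receivers junk or refuse mail that fails DMARC
    else:
        level = "invalid"
    return DmarcStatus(domain, level, policy, pct, reporting)


def summarize(records: dict) -> dict:
    """Count domains per adoption level, as the report does for the industry."""
    counts = {"none": 0, "monitor": 0, "enforce": 0, "invalid": 0}
    for domain, record in records.items():
        counts[classify(domain, record).level] += 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        s = classify(domain, record)
        print(f"{domain:22} {s.level:8} policy={s.policy} pct={s.pct} reporting={s.reporting}")
    print(summarize(SAMPLE_RECORDS))
```

A domain at "monitor" with reporting enabled is the intermediate state the report describes: the owner sees the spoofing in aggregate reports, but nothing is blocked until the policy moves to quarantine or reject at pct=100.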

DMARC has been widely adopted in industry, although the healthcare industry lags behind. The same is true of federal agencies, which have been slow to implement the email security standard. Last month, the U.S. Department of Homeland Security addressed this by issuing a Binding Operational Directive, which required all federal agencies to implement DMARC within 90 days.

The healthcare industry is being urged to do the same. NH-ISAC is already encouraging its members to adopt DMARC, while the GCA has launched a ‘90-Days to DMARC’ challenge, which commences on December 1. Under the challenge, GCA will be releasing guidance, conducting webinars, and making resources available to help healthcare organizations plan, implement, analyze, and adjust DMARC.

“GCA is challenging organizations in all sectors to follow the path set forward by DHS. We applaud NH-ISAC for calling upon its members to implement DMARC,” said Phil Reitinger, President and CEO of GCA.

Jim Routh, CSO, Aetna, said “The implementation of DMARC for Aetna improved the consumer experience by eliminating unwanted and fraudulent email which reduced the risk of phishing, resulting in more email engagement and healthier lives for members.”

“Successful DMARC implementations from Aetna, Blue Shield of California and Spectrum Health are leading the way for other healthcare industry organizations to restore trust in communications,” said Patrick Peterson, founder and executive chairman of Agari.

Cottage Health Fined $2 Million By California Attorney General’s Office

Santa Barbara-based Cottage Health has agreed to settle a data breach case with the California attorney general’s office. Cottage Health will pay $2 million to resolve multiple violations of state and federal laws.

Cottage Health was investigated by the California attorney general’s office over a breach of confidential patient data in 2013. The breach was discovered by Cottage Health on December 2, 2013, when someone contacted the healthcare network and left a message on its voicemail system warning that sensitive patient information had been indexed by the search engines and was freely available via Google.

The sensitive information of more than 50,000 patients was available online, without any need for authentication such as a password and the server on which the information was stored was not protected by a firewall. The types of information exposed included names, medical histories, diagnoses, prescriptions, and lab test results. In addition to the individual who alerted Cottage Health to the breach, the server had been accessed by other individuals during the time that it was unsecured.

As is required under state laws, the incident was reported to state attorney general Kamala D. Harris. Two years later, while the attorney general’s office was investigating the incident, Cottage Health experienced a second breach. The second breach involved the records of 4,596 patients, which were similarly left exposed and accessible online without any need for authentication.

The information was accessible for almost two weeks before the error was identified and protections put in place to prevent unauthorized access. The information exposed in the second breach included personally identifiable information and protected health information such as names, addresses, medical record numbers, account numbers, employment information, Social Security numbers, and admission and discharge dates.

Cottage Health claims that while both incidents resulted in the exposure of patient data, there are no indications to suggest any patient information was used inappropriately. The breaches prompted Cottage Health to review its information security controls and strengthen its policies, procedures, and security protections to prevent similar breaches from occurring in the future. In each case, the health network’s security teams acted quickly to limit harm and secure the exposed information. New system monitoring tools have now been implemented, and advanced security solutions are in place that allow vulnerabilities to be identified and mitigated much more rapidly.

The response to the breach may have been reasonable and appropriate, and protections are now far better, but it is the lack of protections leading up to the data breaches that warranted a financial penalty. The California state attorney general’s office alleges that Cottage Health violated California’s Confidentiality of Medical Information Act and its Unfair Competition Law, as well as HIPAA Rules. According to the complaint, “Cottage failed to employ basic security safeguards.” Cottage Health was running outdated software, patches were not applied promptly, default configurations had not been changed, strong passwords were not used, access to sensitive PII was not limited, and regular risk assessments were not conducted.

Announcing the settlement, California Attorney General Xavier Becerra said, “When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed.” Becerra added that “the law requires health care providers to protect patients’ privacy. On both of these counts, Cottage Health failed.”

In addition to the $2 million settlement, Cottage Health is required to update and maintain information security controls and ensure security practices and procedures match industry standards.

Specifically, the judgement requires Cottage Health to:

  • Assess hardware and software for vulnerabilities to the confidentiality, integrity, and availability of patients’ medical information.
  • Update access controls and security settings as appropriate.
  • Evaluate the response to and protections from external threats, including firewall security.
  • Encrypt patients’ medical information in transit to industry standards.
  • Maintain reasonable policies and protocols for all information practices regarding data retention, internal audits, security incident tracking reports, risk assessments, incident management, and remediation plans.
  • Conduct periodic vulnerability scans and penetration tests to identify and assess vulnerabilities, and remediate any vulnerabilities discovered.
  • Conduct employee training on the correct use and storage of patients’ medical information.
