Latest HIPAA News

47GB of Medical Records and Test Results Found in Unsecured Amazon S3 Bucket

Posted by HIPAA Journal

Researchers at Kromtech Security have identified another unsecured Amazon S3 bucket used by a HIPAA-covered entity. The unsecured Amazon S3 bucket contained 47.5GB of medical data relating to an estimated 150,000 patients.

The medical data in the files included blood test results, physician’s names, case management notes, and the personal information of patients, including their names, addresses, and contact telephone numbers. The researchers said many of the stored documents were PDF files, containing information on multiple patients that were having weekly blood tests performed.

In total, approximately 316,000 PDF files were freely accessible. The tests had been performed in patient’s homes, as requested by physicians, by Patient Home Monitoring Corporation. Kromtech researchers said the data could be accessed without a password. Anyone with an Internet connection, that knew where to look, could have accessed all 316,000 files. Whether any unauthorized individuals viewed or downloaded the files is not known. The researchers were also unable to tell how long the Amazon S3 bucket had remained unsecured.

The unsecured Amazon S3 bucket was found by Kromtech researchers on September 29. It took some time to identify the company concerned and find contact details. They were located on October 5 and a notification was sent. While no response was forthcoming, by the following day, all data were secured and files could no longer be accessed online without authentication.

The cloud offers healthcare organizations cost effective and convenient data storage. Provided HIPAA-compliant cloud platforms are used and a business associate agreement is obtained prior to the cloud being used to store ePHI, HIPAA permits use of the cloud. However, having a BAA does not guarantee HIPAA compliance. The actions of users can still result in HIPAA violations and the exposure of sensitive data.

The failure to implement controls to prevent cloud-stored data from being accessed by unauthorized individuals is an easy mistake to make, but one that can have serious consequences, not only for the patients whose PHI has been exposed, but also for the covered entity or business associate.

The failure to implement safeguards to ensure the confidentiality, integrity, and availability of ePHI can result in severe financial penalties from OCR and state attorneys general. A data breach can also result in lawsuits from patients seeking damages to cover the lifelong risk of harm from the exposure of their PHI.

Mistakes are inevitable, and oftentimes those mistakes will result in PHI being exposed, but in the case of unsecured Amazon S3 buckets, it is also easy to check for configuration errors. Kromtech, for example, offers a free software tool – S3 Inspector – that can be used by healthcare organizations to check whether their AWS S3 bucket permissions have been configured correctly to prevent access by the public.

The post 47GB of Medical Records and Test Results Found in Unsecured Amazon S3 Bucket appeared first on HIPAA Journal.

Summary of September 2017 Healthcare Data Breaches

Posted by HIPAA Journal

There were 35 healthcare data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights in September 2017. Those breaches resulting in the theft/exposure of 435,202 patients’ protected health information.

September 2017 Healthcare Data Breaches

September 2017 healthcare data breaches followed a similar pattern to previous months. Healthcare providers suffered the most breaches with 25 reported incidents, followed by health plans with 8 breaches, and 2 breaches reported by business associates of covered entities.

There was a fairly even split between unauthorized access/disclosures (16 incidents) and hacking/IT incidents (15 incidents). There were three theft incidents and one lost device, all of which involved laptop computers. One incident also involved a desktop computer and another the theft of physical records. There were no reported cases of improper disposal of PHI.

 

September 2017 Healthcare Data Breaches - Breach Type

There were five attacks on network servers in September, but email attacks topped the list with 13 incidents. 6 were attributed to hacking, including two confirmed phishing attacks and one ransomware incident. The ransomware attack is also understood to have occurred as a result of an employee responding to a phishing email.

There were 7 cases of unauthorized access/disclosures via email. One of those incidents involved an employee emailing PHI to a personal email account. Another saw a healthcare employee email PHI to a relative to receive assistance with a work-related action.

September 2017 Healthcare Data Breaches - Breach Location

 

Healthcare organizations in 24 states reported data breaches in September. The worst affected states were California, Florida and Texas, with three breaches each. Arkansas, Minnesota, North Carolina, Pennsylvania, Washington and Wisconsin each had two reported incidents.

Largest Healthcare Data Breaches in September 2017

The largest healthcare data breaches in September 2017 have been detailed in the table below. Six of the top ten breaches in September were the result of hacking/IT incidents. Hacking/IT incidents resulted in the exposure of 355,084 records – 81.6% of the records exposed in all reported breaches in September. Unauthorized access/disclosures resulted in the exposure of 73,409 records – 16.87% of the total.

The largest reported data breach in September was a ransomware attack that potentially affected 128,000 patients. Data theft was not suspected, although it could not be ruled out with a high degree of certainty.

Covered Entity Entity Type Breached Records Breach Type Breach Information
Arkansas Oral & Facial Surgery Center Healthcare Provider 128,000 Hacking/IT Incident Ransomware attack
Morehead Memorial Hospital Healthcare Provider 66,000 Hacking/IT Incident Phishing attack
Network Health Health Plan 51,232 Hacking/IT Incident Phishing attack
ABB, Inc. Healthcare Provider 28,012 Hacking/IT Incident
Arkansas Department of Human Services Health Plan 26,000 Unauthorized Access/Disclosure Employee emailed PHI to a personal account
CBS Consolidated, Inc. Business Associate 21,856 Hacking/IT Incident Server hacked
MetroPlus Health Plan, Inc. Health Plan 15,212 Unauthorized Access/Disclosure Employee emailed PHI outside company
Mercy Health Love County Hospital and Clinic Healthcare Provider 13,004 Theft Paper records stolen from a storage unit
The Neurology Foundation, Inc. Healthcare Provider 12,861 Unauthorized Access/Disclosure Employee stole PHI
Hand & Upper Extremity Centers dba Hand Rehabilitation Specialists Healthcare Provider 12,806 Hacking/IT Incident Data theft and extortion attempt

The post Summary of September 2017 Healthcare Data Breaches appeared first on HIPAA Journal.

Internet of Medical Things Resilience Partnership Act Approved

Posted by HIPAA Journal

The passage of the Internet of Medical Things Resilience Partnership Act has been approved by the U.S. House of Representatives.

The main aim of the bill is to establish a public-private stakeholder partnership, which will be tasked with developing a cybersecurity framework that can be adopted by medical device manufacturers and other stakeholders to prevent data breaches and make medical devices more resilient to cyberattacks.

The range of medical devices now being used in healthcare is considerable and the number is only likely to grow. As more devices are introduced, the risk to patients increases. These devices are currently used in hospitals, worn by patients, fitted surgically, or used at home. The devices include drug infusion pumps, ventilators, radiological technologies, pacemakers, and monitors.

If appropriate safeguards are not incorporated into the devices, they will be vulnerable to attack. Those attacks could be performed to gain access to the data stored or recorded by the devices, to use the devices to launch attacks on healthcare networks, or to alter the function of the devices to cause patients harm. What is certain is that if nothing is done, the devices will be attacked and healthcare organizations and patients are likely to be harmed.

The Internet of Medical Things Resilience Partnership Act was introduced by Representatives Dave Trott (D-MI) and Susan Brooks (R-IN) last week. Rep Brooks said, “It is essential to provide a framework for companies and consumers to follow so we can ensure that the medical devices countless Americans rely on and systems that keep track of our health data are protected.”

“In our nation’s hospitals, technology has helped provide better quality and more efficient health care, but the perpetual evolution of technology – its greatest strength – is also its greatest vulnerability,” explained Rep. Trott.

The bill suggests the working group should be led by the U.S. Food and Drug Administration (FDA), and should include representatives from the National Institute of Standards and Technology (NIST), the HHS’ Office of the National Coordinator for Health Information Technology (ONC), the Cybersecurity and Communications Reliability Division of the Federal Communications Commission (FCC), and the National Cyber Security Alliance (NCSA).

At least three representatives of each of the following groups should also join the working group: health care providers, health insurance providers, medical device manufacturers, cloud computing, wireless network providers, health information technology, web-based mobile application developers, and hardware and software developers.

The group will be tasked with developing a cybersecurity framework for medical devices based on existing cybersecurity frameworks, guidance, and best practices. The working group should also identify high priority gaps for which new or revised standards are needed, and develop an action plan to ensure those gaps are addressed.

The working group will be required to submit its report no later than 18 months from the passing of the  Internet of Medical Things Resilience Partnership Act.

The post Internet of Medical Things Resilience Partnership Act Approved appeared first on HIPAA Journal.

53% of Businesses Have Misconfigured Secure Cloud Storage Services

Posted by HIPAA Journal

The healthcare industry has embraced the cloud. Many healthcare organizations now use secure cloud storage services to host web applications or store files containing electronic protected health information (ePHI).

However, just because secure cloud storage services are used, it does not mean data breaches will not occur, and neither does it guarantee compliance with HIPAA. Misconfigured secure cloud storage services are leaking sensitive data and many organizations are unaware sensitive information is exposed.

A Business Associate Agreement Does Not Guarantee HIPAA Compliance

Prior to using any cloud storage service, HIPAA-covered entities must obtain a signed business associate agreement from their service providers.

Obtaining a signed, HIPAA-compliant business associate agreement prior to the uploading any ePHI to the cloud is an important element of HIPAA compliance, but a BAA alone will not guarantee compliance. ePHI can easily be exposed if cloud storage services are not configured correctly.

As Microsoft explains, “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Configure your account correctly and your data will be secure. Make a mistake and data will be exposed and you could easily violate HIPAA Rules.

Misconfigured Secure Cloud Storage Services

When it comes to secure cloud storage, many organizations believe their cloud environments have been secured, but that is often not the case. How many businesses are leaving data exposed? According to a recent study by cloud threat defense firm RedLock, more than half of businesses have made mistakes that have exposed sensitive data in the cloud.

The report reveals many organizations are not following established security best practices, such as using multi-factor authentication for all privileged account users. To make matters worse, many businesses are failing to monitor their cloud environments which means data is being exposed, but not detected.

The problem appears to be getting worse. RedLock’s last analysis for Q2 revealed 40% of businesses had misconfigured at least one of their cloud storage services – Amazon Simple Storage Service (Amazon S3) for example. A new analysis, published in its latest Cloud Security Trends Report, shows that percentage jumped to 53% between June and September 2017.

Key Findings

  • 53% of organizations have at least one exposed cloud storage service
  • 38% of users exposed data through compromised administrative user accounts
  • 81% are not managing host vulnerabilities in the cloud
  • 37% of databases accept inbound connection requests from suspicious IP addresses
  • 64% of databases are not encrypted
  • 45% of Center of Internet Security (CIS) compliance checks are failed
  • 48% of Payment Card Industry Data Security Standard (PCI DSS) compliance checks fail
  • 250 organizations were found to be leaking credentials to their cloud environments on internet-facing web servers

Cloud Misconfigurations Result in Data Breaches

One need look no further than the widespread misconfigured MongoDB installations that were discovered by hackers in January 2017. Misconfigured databases were plundered, data deleted, and ransom demands issued. More than 26,000 MongoDB databases were hijacked and held for ransom.

Is it not just small organizations that are making errors that are resulting in data exposure and data breaches. The Equifax data breach, which saw the records of more than 143 million Americans exposed, was the result of the failure to address a known vulnerability in Apache Struts; a framework that supported its dispute portal web application. Equifax CEO Richard Smith recently told the House Energy and Commerce Committee that the missed patch was due to a mistake by a single employee.

British insurance giant Aviva found out one of its cloud environments had been ‘hacked’ and was being used to mine Bitcoin. Kubernetes administration consoles were used to gain access to its cloud environment with ease. Its administration consoles lacked passwords.

RedLock is not the only company to report on the problem. IBM X-Force said it has tracked more than 1.3 billion records that were exposed as a result of misconfigured servers up to September 2017.

Training will only go so far. You can train your employees never to leave the firewall turned off, yet occasionally that happens. Bad errors can also occur in the cloud that will similarly lead to data breaches. Leave the door open to hackers and they will infiltrate cloud environments, steal data, and hold organizations to ransom.

What organizations must do is to make sure all doors have been closed and locked. Unless organizations proactively monitor their cloud environments, they will be unaware there is a problem until it is too late.

The post 53% of Businesses Have Misconfigured Secure Cloud Storage Services appeared first on HIPAA Journal.

What are the HIPAA Breach Notification Requirements?

Posted by HIPAA Journal

All HIPAA covered entities must familiarize themselves with the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information (PHI) is discovered. HIPAA training for staff must also include the procedures for reporting breaches of unsecured PHI.

While most HIPAA covered entities should understand the HIPAA breach notification requirements, organizations that have yet to experience a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Vendors that have only just started providing a service to Covered Entities may similarly be unsure of the reporting requirements and actions that must be taken following a breach.

The issuing of notifications following a breach of unencrypted PHI is an important element of HIPAA compliance. The failure to comply with HIPAA breach notification requirements can result in a significant financial penalty in additional to that impose for the data breach itself. With this in mind, we have compiled a summary of the HIPAA breach notification requirements for covered entities and their business associates.

Summary of the HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule – 45 CFR §§ 164.400-414 – requires covered entities and their business associates to report breaches of unsecured electronic protected health information and physical copies of protected health information. A breach is defined as the acquisition, access, use, or disclosure of unsecured protected health information in a manner not permitted by HIPAA Rules.

According to the HHS´ guidance on the HIPAA Breach Notification Rule, an impermissible use or disclosure of unsecured protected health information is presumed to be a breach unless the covered entity or business associate demonstrates there is a low probability the protected health information has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

HIPAA breaches include unauthorized access by employees as well as third parties, improper disclosures, the exposure of protected health information, and ransomware attacks. Exceptions include: Breaches of secured protected health information such as encrypted data when the key to unlock the encryption has not been obtained; “any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure;” An inadvertent disclosure by a person who is authorized to access PHI, to another member of the workforce at the organization who is also authorized to access PHI; When the covered entity or business associate makes a disclosure and has a good faith belief that the information could not have been retained by the person to whom it was disclosed.

In the event of a reportable HIPAA breach being experienced, the HIPAA breach notification requirements are:

Notify Individuals Impacted – or Potentially Impacted – by the Breach

All individuals impacted by a data breach, who have had unsecured protected health information accessed, acquired, used, or disclosed, must be notified of the breach. Breach notifications are also required for any individual who is reasonably believed to have been affected by the breach.

Breach notification letters must be sent within 60 days of the discovery of a breach unless a request to delay notifications has been made by law enforcement. In such cases, notifications should be sent as soon as that request has expired. While it is permissible to delay reporting of a breach to the HHS for breaches impacting fewer than 500 individuals (see below), that delay does not apply to notifications to breach victims.

Breach notification letters should be sent by first class mail to the last known address of breach victims, or by email if individuals have given authorization to be contacted electronically.

The HIPAA breach notification requirements for letters include writing in plain language, explaining what has happened, what information has been exposed/stolen, providing a brief explanation of what the covered entity is doing/has done in response to the breach to mitigate harm, providing a summary of the actions that will be taken to prevent future breaches, and giving instructions on how breach victims can limit harm. Breach victims should also be provided with a toll-free number to contact the breached entity for further information, together with a postal address and an email address.

Notify the Department of Health and Human Services

Notifications must be issued to the Secretary of the Department of Health and Human Services, via the Office for Civil Rights breach reporting tool. The HIPAA breach notification requirements differ depending on how many individuals have been impacted by the breach.

When the breach has impacted more than 500 individuals, the maximum permitted time for issuing the notification to the HHS is 60 days from the discovery of the breach, although breach notices should be issued without unnecessary delay. In the case of breaches impacting fewer than 500 individuals, HIPAA breach notification requirements are for notifications to be issued to the HHS within 60 days of the end of the calendar year in which the breach was discovered.

Notify the Media

HIPAA breach notification requirements include issuing a notice to the media. Many covered entities that have experienced a breach of protected health information notify the HHS, relevant state attorneys general, and the patients and health plan members impacted by the breach, but fail to issue a media notice – a violation of the HIPAA Breach Notification Rule.

A breach of unsecured protected health information impacting more than 500 individuals must be reported to prominent media outlets in the states and jurisdictions where the breach victims reside – See 45 CFR §§ 164.406. This is an important requirement, as up-to-date contact information may not be held on all breach victims. By notifying the media, it will help to ensure that all breach victims are made aware of the potential exposure of their sensitive information. As with the notifications to the HHS and breach victims, the media notification must be issued within 60 days of the discovery of the breach.

Post a Substitute Breach Notice on the Home Page of the Breach Entity’s Website

In the event that up-to-date contact information is not held on 10 or more individuals that have been impacted by the breach, the covered entity is required to upload a substitute breach notice to their website and link to the notice from the home page. The link to the breach notice should be displayed prominently and should remain on the website for a period of 90 consecutive days. In cases where fewer than 10 individuals’ contact information is not up-to-date, alternative means can be used for the substitute notice, such as a written notice or notification by telephone.

Data Breaches Experienced by HIPAA Business Associates

Business associates of HIPAA-covered entities must also comply with the HIPAA breach notification requirements and can be fined directly by the HHS’ Office for Civil Rights and state attorney generals for a HIPAA Breach Notification Rule violation.

Any breach of unsecured protected health information must be reported to the covered entity within 60 days of the discovery of a breach. While this is the absolute deadline, business associates must not delay notification unnecessarily. Unnecessarily delaying notifications is a violation of the HIPAA Breach Notification Rule.

It is usually the covered entity that will issue breach notifications to affected individuals, so any breach notification will need to be accompanied with details of the individuals impacted. It is a good practice to issue a breach notification to a covered entity rapidly, and to provide further information on the individuals impacted once the investigation has been completed. Under the terms of a HIPAA-compliant Business Associate Agreement (BAA), a business associate may be required to issue breach notifications to affected individuals.

Timeline for Issuing Breach Notifications

Breach notifications should be issued as soon as possible and no later than 60 days after the discovery of the breach, except when a delay is requested by law enforcement. Investigating a breach of protected health information can take some time, but once all the necessary information has been obtained to allow breach notifications to be sent they should be mailed.

HIPAA-covered entities must not delay sending breach notification letters. It is possible to receive a HIPAA violation penalty for delaying notifications, even if they are sent within 60 days of the discovery of the breach. There have been several recent cases of HIPAA breach notification requirements not being followed within the appropriate time frame, which can potentially result in financial penalties.

State Breach Notification Laws May Be Stricter than HIPAA

U.S. states have their own breach notification laws. Typically, notifications must be issued to breach victims promptly and a notice also submitted to the state attorney general’s office. Some states require breach notifications to be issued well within the HIPAA deadline.

Delaying breach notifications until the 60-day limit of HIPAA could well see state laws violated, leading to financial penalties from state attorney generals. State laws frequently change so it is important to keep up to date on breach notification laws in the states in which you operate.

Penalties for Violations of HIPAA Breach Notification Requirements

HIPAA covered entities must ensure the HIPAA breach notification requirements are followed or they risk incurring financial penalties from state attorneys general and the HHS’ Office for Civil Rights.

In 2017, Presense Health became the first HIPAA-covered entity to settle a case with the Office for Civil Rights solely for a HIPAA Breach Notification Rule violation – after it exceeded the 60-day maximum time frame for issuing breach notifications. Presense Health took three months from the discovery of the breach to issue notifications – A delay that cost the health system $475,000. The maximum penalty for a HIPAA Breach Notification Rule violation is $1,500,000, or more if the delay is for more than 12 months.

Responding to a Healthcare Data Breach

how-to-respond-to-a-healthcare-data-breach

HIPAA Breach Notification Requirements FAQs

What is the difference between a HIPAA breach and a HIPAA violation?

A HIPAA breach is when unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted by the Privacy and Security Rules. A HIPAA violation occurs when a Covered Entity, Business Associate, or a member of the workforce fails to comply with any standard in the Privacy, Security, or Breach Notification Rules. It is not necessary for a breach to occur in order for there to be a HIPAA violation – for example, the failure to respond to a patient access request within 30 days is a HIPAA violation, but not a HIPAA breach.

Why must staff be trained on reporting HIPAA breaches?

Staff must be trained on reporting HIPAA violations to their supervisors, managers, or the Privacy Officer. It is not necessary for staff to know the mechanics of the HIPAA breach notification requirements beyond that point, but they must be aware of the consequences of delaying a report in terms of the impact it will have on patients impacted by the breach, the consequences for their employer if notifications are delayed longer than necessary, and on their own jobs if a breach comes to light weeks after it has happened.

What is the difference between secured PHI and unsecured PHI?

Secured PHI is generally defined as Protected Health Information that has been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technologies or methodologies specified in § 13402 of the HITECH Act. HIPAA is technology neutral, but the implementation specifications relating to Access Controls and Transmission Security state encryption is required unless an equivalent protection is implemented, or the use of encryption is unreasonable and inappropriate in the circumstances.

What is an example of a “good faith belief” that PHI has not been retained?

If, for example, a healthcare professional shows an X-ray image to a person not authorized to view the image but realizes a mistake has been made before it is likely any information relating to the image has been read, it is highly likely that PHI has not been retained and the Covered Entity can reasonably accept – in good faith – there has been no disclosure of unsecured PHI. In this scenario, it is important the healthcare professional reports the unauthorized disclosure to a higher authority, and that the report – along with the good faith determination – is documented.

Why do individuals have to give authorization before they receive email notifications?

Because email is not a secure communication channel, Covered Entities must obtain the authorization of an individual before sending an email that contains PHI. (If the email does not contain PHI, no authorization is necessary). Breach notifications have to inform individuals what PHI was accessed, so therefore Covered Entities can only communicate a breach by email if they have a prior authorization.

When must a HIPAA breach be reported?

A HIPAA breach must be reported whenever unsecured PHI or ePHI has been used or disclosed impermissibly unless there is a low probability that data has been comprised based on the risk assessment mentioned above. Also mentioned above was the timetable for reporting HIPAA breaches – within sixty days if the breach involves 500 or more records, and by the end of the calendar year if the breach involves fewer than 500 records.

The post What are the HIPAA Breach Notification Requirements? appeared first on HIPAA Journal.

National Cyber Security Awareness Month: What to Expect

Posted by HIPAA Journal

October is National Cyber Security Awareness Month – A month when attention is drawn to the importance of cybersecurity and several initiatives are launched to raise awareness about how critical cybersecurity is to the lives of U.S. citizens.

National Cyber Security Awareness Month is a collaborative effort between the U.S. Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA) and public/private partners.

Throughout the month of October, the DHS, NCSA, and public and private sector organizations will be conducting events and launching initiatives to raise awareness of the importance of cybersecurity. Best practices will be shared to help U.S. citizens keep themselves safe online and protect their companies, with tips and advice published to help businesses improve their cybersecurity defenses and keep systems and data secure.

DHS and NCSA will focus on a different aspect of cybersecurity each week of National Cyber Security Awareness Month:

National Cyber Security Awareness Month Summary

  • Week 1: Simple Steps to Online Safety (Oct. 2-6)
  • Week 2: Cybersecurity at Work (Oct. 9-13)
  • Week 3: Today’s Predictions for Tomorrow’s Internet (Oct. 16-20)
  • Week 4: Careers in Cybersecurity (Oct. 23-27)
  • Week 5: Cybersecurity and Critical Infrastructure (Oct. 30-31)

Week 1 focuses on basic cybersecurity and cyber hygiene – simple steps that can be taken to greatly improve resilience to cyberattacks.

These basic cybersecurity measures are likely to have already been adopted by the majority of businesses, but these simple controls can all too easily be overlooked. The Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal is littered with reports of security incidents that have resulted from the failures to get the basics of cybersecurity right. Week 1 is the perfect time to conduct a review of these basic cybersecurity measures to ensure they have all been adopted.

This year has already seen several major data breaches reported, including the massive breach at Equifax that impacted 143 million Americans. In May, WannaCry ransomware attacks spread to more than 150 countries and the NotPetya wiper attacks in June causes extensive damage. FedEx and Maersk have both announced that the attacks could end up costing $300 million.

All three of those cyberattacks occurred as a result of the failure to implement patches promptly. Then there is the recently announced Deloitte data breach. That security breach has been linked to the failure to implement two-factor authentication – Another basic cybersecurity measure.

Stop. Think. Connect

During the first week of National Cyber Security Awareness Month, the NCSA will be promoting its “STOP. THINK. CONNECT.” security awareness campaign, which was developed with assistance from the Anti-Phishing Working Group in 2010. The campaign makes available more than 140 online resources that can be used by U.S. citizens to keep themselves secure and by businesses to improve security awareness of the workforce.

Week 2 will focus on cybersecurity in the workplace, highlighting steps that can be taken by businesses to develop a culture of cybersecurity in the workplace. DHS and NCSA will also be encouraging businesses to adopt the National Institute of Standards and Technology Cybersecurity Framework.

Week 3 will focus on protecting personal information in the context of the smart device revolution, highlighting the importance of secure storage, transmission, and handling of data collected by IoT devices.

Week 4 will focus on encouraging students to consider a career in cybersecurity. By 2019, there is expected to be around 2 million unfilled cybersecurity positions in the United States. Advice will be offered about how to switch careers and embark upon a career in cybersecurity.

National Cyber Security Awareness Month finishes with two days of efforts to improve the resiliency of critical infrastructure to cyberattacks.

OCR Encourages HIPAA-Covered Entities to Go Back to Basics

Late last week in its monthly cybersecurity newsletter, OCR sent a reminder to HIPAA-covered entities about the importance of securing health data, saying, “The security of electronic health information is more critical than ever, and it is the responsibility of all in the regulated community to ensure the confidentiality, integrity, and availability of electronic protected health information.” These basic security measures are essential for HIPAA compliance.

OCR suggests HIPAA-covered entities should go back to basics during National Cyber Security Awareness Month and use the tips and advice being issued to ensure all the i’s have been dotted and the t’s crossed.

OCR suggests a good place to start is conducting a review to make sure:

  • Strong passwords have been set – Consisting of passphrases or passwords of at least 10 characters, including lower and upper-case letters, numerals, and special characters.
  • Regular training is provided – To improve phishing awareness, reporting of potential attacks, and covering other important cybersecurity issues.
  • Use multi-factor authentication – So that in the event that a password is obtained or guessed, it will not result in an account being compromised. MFA is strongly recommended for remote access, privileged accounts, and accounts containing sensitive information.
  • Review patch management policies – To ensure that software updates and patches are always applied promptly, on all systems and devices, to fix critical security vulnerabilities.
  • Devices are locked – All devices should be physically secured when they are not in use.
  • Portable device controls are developed – To prohibit the plugging in of personal portable devices into secure computers or networks without first having the devices scanned to make sure they do not contain malware.
  • Policies are developed on reporting threats – Educate the workforce on the importance of reporting potential threats immediately to ensure action can be taken to mitigate risk.

The post National Cyber Security Awareness Month: What to Expect appeared first on HIPAA Journal.

Is OneDrive HIPAA Compliant?

Posted by HIPAA Journal

Many covered entities want to take advantage of cloud storage services, but can Microsoft OneDrive be used? Is OneDrive HIPAA compliant?

Many healthcare organizations are already using Microsoft Office 365 Business Essentials, including exchange online for email. Office 365 Business Essentials includes OneDrive Online, which is a convenient platform for storing and sharing files.

Microsoft Supports HIPAA-Compliance

There is certainly no problem with HIPAA-covered entities using OneDrive. Microsoft supports HIPAA-compliance and many of its cloud services, including OneDrive, can be used without violating HIPAA Rules.

That said, before OneDrive – or any cloud service – can be used to create, store, or send files containing the electronic protected health information of patients, HIPAA-covered entities must obtain and sign a HIPAA-compliant business associate agreement (BAA).

Microsoft was one of the first cloud service providers to agree to sign a BAA with HIPAA-covered entities, and offers a BAA through the Online Services Terms. The BAA includes OneDrive for Business, as well as Azure, Azure Government, Cloud App Security, Dynamics 365, Office 365, Microsoft Flow, Intune Online Services, PowerApps, Power BI, and Visual Studio Team Services.

Under the terms of its business associate agreement, Microsoft agrees to place limitations on use and disclosure of ePHI, implement safeguards to prevent inappropriate use, report to consumers and provide access to PHI, on request, per the HIPAA Privacy Rule. Microsoft will also ensure that if any subcontractors are used, they will comply with the same – or more stringent – restrictions and conditions with respect to PHI.

Provided the BAA is signed prior to the use of OneDrive for creating, storing, or sharing PHI, the service can be used without violating HIPAA Rules.

Microsoft explains that all appropriate security controls are included in OneDrive, and while HIPAA compliance certification has not been obtained, all of the services and software covered by the BAA have been independently audited for the Microsoft ISO/IEC 27001 certification.

Appropriate security controls are included to satisfy the requirements of the HIPAA Security Rule, including the encryption of data at rest and in transit to HIPAA standards. Microsoft uses 256-bit AES encryption and SSl/TLS connections are established using 2048-bit keys.

There is More to HIPAA Compliance Than Using ‘HIPAA-Compliant’ Services

However, just because Microsoft will sign a BAA, it does not mean OneDrive is HIPAA compliant. There is more to compliance than using a specific software or cloud service. Microsoft supports HIPAA compliance, but HIPAA compliance depends of the actions of users. As Microsoft explains, “Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Prior to the use of any cloud service, a HIPAA-covered entity must conduct a risk analysis and assess the vendor’s provisions and policies. A risk management program must also be developed, using policies, procedures, and technologies to ensure risks are mitigated.

Access policies must be developed and security settings configured correctly. Strong passwords should be used, external file sharing should be disabled, access should be limited to trusted whitelisted networks, and PHI must only be shared with individuals authorized to view the information. When PHI is shared, the minimum necessary standard applies. Logging should be enabled to ensure organizations have visibility into what users are doing with respect to PHI, and when employees no longer require access to OneDrive, such as when they leave the organization, access should be terminated immediately.

So, Is OneDrive HIPAA compliant? Yes and No. OneDrive can be used without violating HIPAA Rules and Microsoft supports HIPAA compliance, but ultimately HIPAA compliance is down to the covered entity, how the service is configured and used.

The post Is OneDrive HIPAA Compliant? appeared first on HIPAA Journal.

HHS Secretary Tom Price Resigns

Posted by HIPAA Journal

It has been a short stint as Secretary of the U.S. Department of Health and Human Services for Tom Price, who resigned from the post on September 29, 2017, two days shy of 8 months in the position. At just 231 days, Price is the shortest serving HHS Secretary in U.S. History.

Price was nominated for the position of HHS Secretary by President Trump on November 29, 2016. The nomination was approved by the Senate Health, Education, Labor, and Pensions Committee on February 1, 2017.

However, Price resigned under pressure following revelations about his extensive use of charter jets and military aircraft to travel across the United States for government work. Rather than use commercial airlines for travel, Price had spent more than $400,000 on private jets, even though commercial airline flights were available.

Price had vowed not refrain from using private charter flights for travel in the future and offered to pay back part of the costs incurred, reportedly $51,887, to cover the cost of seats. President Trump said that would be “unacceptable,” leaving him little choice but to tender his resignation.

Price said in his resignation letter, “I have spent 40 years both as a doctor and public servant putting people first. I regret that the recent events have created a distraction from these important objectives. Success on these issues is more important than any one person. In order for you to move forward without further disruption, I am officially tendering my resignation.”

The response from the White House was short on detail, simply confirming “Thomas Price offered his resignation earlier today and the President accepted.”

Price will be replaced by the current Deputy Assistant Secretary for Health, Don J. Wright of Virginia. Wright was appointed Acting Secretary of the HHS from 11:59 p.m. on September 29. He will serve in the position until a replacement is found.

There are several potential candidates for the position, including Scott Gottlieb, the current commissioner of the Food and Drug Administration, Seema Verma, administrator of the Centers for Medicare and Medicaid Services, and Former Louisiana Gov. and HHS assistant secretary, Bobby Jindal.

The post HHS Secretary Tom Price Resigns appeared first on HIPAA Journal.

HIPAA Compliance and Cloud Computing Platforms

Posted by HIPAA Journal

Before cloud services can be used by healthcare organizations for storing or processing protected health information (PHI) or for creating web-based applications that collect, store, maintain, or transmit PHI, covered entities must ensure the services are secure.

Even when a cloud computing platform provider has HIPAA certification, or claims their service is HIPAA-compliant or supports HIPAA compliance, the platform cannot be used in conjunction with ePHI until a risk analysis – See 45 CFR §§ 164.308(a)(1)(ii)(A) – has been performed.

A risk analysis is an essential element of HIPAA compliance for cloud computing platforms. After performing a risk analysis, a covered entity must establish risk management policies in relation to the service – 45 CFR §§ 164.308(a)(1)(ii)(B). Any risks identified must be managed and reduced to a reasonable and appropriate level.

It would not be possible to perform a comprehensive, HIPAA-compliant risk analysis unless the covered entity fully understands the cloud computing environment and the service being offered by the platform provider.

Cloud Service Providers are HIPAA Business Associates

A HIPAA business associate is any person or entity who performs functions on behalf of a covered entity, or offers services to a covered entity that involve access being provided to protected health information (PHI).

The HIPAA definition of business associate was modified by the HIPAA Omnibus Rule to include any entity that “creates, receives, maintains, or transmits” PHI. The latter two clearly apply to providers of cloud computing platforms.

Consequently, a covered entity must obtain a signed business associate agreement (BAA) from the cloud platform provider. The BAA must be obtained from the cloud platform provider before any PHI is uploaded to the platform. A BAA must still be obtained even if the platform is only used to store encrypted ePHI, even if the key to unlock the encryption is not given to the platform provider. The only exception would be when the cloud platform is only used to store, process, maintain or transmit de-identified ePHI.

The BAA is a contract between a covered entity and a service provider. The BAA must establish the allowable uses and disclosures of PHI, state that appropriate safeguards must be implemented to prevent unauthorized use or disclosure of ePHI, and explain all elements of HIPAA Rules that apply to the platform provider. Details of the contents of a HIPAA-compliant BAA can be obtained from the HHS on this link.

Cloud computing platform providers and cloud data storage companies that have access to PHI can be fined for failing to comply with HIPAA Rules, even if the service provider does not view any data uploaded to the platform. Not all cloud service providers will therefore be willing to sign a BAA.

A BAA Will Not Make a Covered Entity HIPAA Compliant

Simply obtaining a BAA for a cloud computing platform will not ensure a covered entity is compliant with HIPAA Rules. HIPAA Rules can still be violated, even with a BAA in place. This is because no cloud service can be truly HIPAA compliant by itself. HIPAA compliance will depend on how the platform is used.

For example, Microsoft will sign a BAA for its Azure platform; but it is the responsibility of the covered entity to use the platform in a HIPAA-compliant manner. If a covered entity misconfigures or fails to apply appropriate access controls, it would be the covered entity that is in violation of HIPAA Rules, not Microsoft. As Microsoft explains, “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Penalties for Cloud-Related HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights has already settled cases with HIPAA-covered entities that have failed to obtain business associate agreements before uploading PHI to the cloud, as well as for risk analysis and risk management failures.

St. Elizabeth’s Medical Center in Brighton, Mass agreed to settle its case with OCR in 2015 for $218,400 for potential violations of the HIPAA Security Rule after PHI was uploaded to a document sharing service, without first assessing the risks of using that service.

Phoenix Cardiac Surgery also agreed to settle a case with OCR for failing to obtain a business associate agreement from a vendor of an Internet-based calendar and email service prior to using the service in conjunction with PHI. The case was settled for $100,000.

In 2016, OCR settled a case with Oregon Health & Science University for $2.7 million after it was discovered ePHI was being stored in the cloud without first obtaining a HIPAA-compliant business associate agreement.

HIPAA Compliant Cloud Computing Platforms

Both Amazon’s AWS and Microsoft’s Azure platforms can be used by HIPAA-covered entities. Both have all the necessary privacy and security protections in place to satisfy HIPAA requirements, and Amazon and Microsoft will sign BAAs with healthcare providers and agree to comply with HIPAA Rules.

AWS has long been the leading cloud service provider, although Microsoft appears to be catching up. If you are unsure of the best cloud computing platform provider to use, you can find out more information in this comparison of Azure and AWS.

Cloud storage companies that support HIPAA-compliance and can be used by HIPAA-covered entities for storing ePHI (after a BAA has been obtained) include Box, Carbonite, Dropbox, Google Drive, and Microsoft OneDrive.

The post HIPAA Compliance and Cloud Computing Platforms appeared first on HIPAA Journal.