Latest HIPAA News

Beazley Insights: 133% Increase in Healthcare Ransomware Demands

Beazley has released its half-yearly Insights report detailing the causes of data breaches experienced by its clients between January and June 2017.

Across the four industries covered by the report, hacks and malware (including ransomware) caused the highest percentage of breaches: 32% of the 1,330 incidents that the firm helped mitigate in the first half of 2017.

In the professional services industry, hacks/malware incidents accounted for 44% of the first-half total; in higher education the figure was 43% and in financial services 37%. Only healthcare bucked the trend, with hacks/malware accounting for 18% of the total, the second biggest cause of incidents affecting the industry.

The report shows that the first six months of the year saw a 50% increase in ransomware attacks across all industries, with the healthcare sector experiencing the highest increase in ransomware demands, jumping 133% in those six months.

While malware/ransomware attacks may top the list of breach causes, they are closely followed by accidental breaches caused by employees or third-party suppliers, which accounted for 30% of the total. However, for the healthcare industry, accidental data breaches were the leading cause of data security incidents, accounting for 42% of all healthcare industry breaches.

These accidental disclosures of PHI include a wide range of errors such as misdirected faxes and emails and the improper release of discharge papers. Beazley reports that the percentage of these incidents has not changed year over year.

The report authors point out that “This continuing high level of accidental data breaches suggests that organizations are still failing to put in place the robust measures needed to safeguard client data and confidentiality.”

The second biggest cause of healthcare data breaches was malware/ransomware incidents, one percentage point higher than in last year’s report. Insider theft was in third place, causing 14% of incidents, followed by the physical loss of records (8%) and portable device incidents (6%). Social engineering attacks accounted for 3% of the total and payment fraud for 1%. The remaining 8% of incidents were attributed to unknown/other causes.

The post Beazley Insights: 133% Increase in Healthcare Ransomware Demands appeared first on HIPAA Journal.

How Often Should Healthcare Employees Receive Security Awareness Training?

Security awareness training is a requirement of HIPAA, but how often should healthcare employees receive security awareness training?

Recent Phishing and Ransomware Attacks Highlight Need for Better Security Awareness Training

Phishing is one of the biggest security threats for healthcare organizations. Cybercriminals are sending phishing emails by the millions in an attempt to get end users to reveal sensitive information such as login credentials or to install malware and ransomware. While attacks are often random, healthcare employees are also being targeted with spear phishing emails.

In December last year, anti-phishing solution provider PhishMe released the results of a study showing 91% of cyberattacks start with a phishing email. Spear phishing campaigns rose 55% last year, ransomware attacks increased by 400% and business email compromise (BEC) losses were up by 1,300%.

In recent weeks, there have been several phishing attacks reported to the Department of Health and Human Services’ Office for Civil Rights. Those attacks have resulted in email accounts being compromised. In July alone, 9 email-related security incidents were reported to OCR.

The recent WannaCry ransomware attacks may have exploited unaddressed vulnerabilities, but email remains the number one vector for spreading ransomware and malware. Many of these email attacks could have been prevented if employees had been trained to detect threats and knew how to respond appropriately.

Regular Security Awareness Training is a Requirement of HIPAA

Security awareness training is more than just a checkbox item to tick off to demonstrate compliance with HIPAA Rules. In fact, a one-off training session does not meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

45 C.F.R. § 164.308(a)(5)(i) requires covered entities to “Implement a security awareness and training program for all members of its workforce (including management)”. As OCR recently pointed out in its July Cybersecurity Newsletter, all members of staff in an organization “can, knowingly or unknowingly, be the cause of HIPAA violations or data breaches.” It may not be possible to reduce risk to zero, but security awareness training can help to reduce risk to an acceptable level.

How Often Should Healthcare Employees Receive Security Awareness Training?

Cybercriminals are constantly changing tactics and new threats are emerging on an almost daily basis. An effective security awareness program must therefore provide ongoing training, raising awareness of new threats as they emerge and when threat intelligence is shared by Information Sharing and Analysis Organizations (ISAOs).

After the provision of initial training, HIPAA requires healthcare employees to receive periodic security updates – 45 C.F.R. § 164.308(a)(5)(ii)(A). While HIPAA does not stipulate how often these “periodic security updates” should be issued, OCR points out that monthly security updates work well for many healthcare organizations, with additional training provided bi-annually.

Some healthcare organizations may require more or less frequent updates and training sessions, which should be determined through the organization’s risk analyses.

The security updates should include details of the latest security threats including phishing and social engineering scams that have been reported by other covered entities or shared by an ISAO. The security alerts can take many forms – email bulletins, posters, newsletters, team discussions, classroom-based training or CBT sessions. It is up to the covered entity to determine which are the most appropriate. Annual or biannual training sessions should be more in-depth and should cover new risks faced by an organization and recap on previous training.

OCR also points out in its recent newsletter that covered entities must document any training provided to employees. Without documentation on the training provided, newsletters sent, updates issued and evidence of workforce participation, it will not be possible to demonstrate to OCR auditors that training has taken place. HIPAA requirements for documenting training are covered in 45 C.F.R. §§ 164.316(b) and 164.530(j).

OCR provides some training materials on privacy and security, with third-party training companies and anti-phishing solution providers offering specific training courses on the full range of cybersecurity threats.

Tailoring training to the needs of the individual will help to ensure that all employees become security assets and organizations develop a robust last line of defense against phishing attacks.

47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years

The KPMG 2017 Cyber Healthcare & Life Sciences Survey shows there has been a 10 percentage point increase in reported HIPAA data breaches in the past two years.

The survey was conducted on 100 C-suite information security executives including CIOs, CSOs, CISOs and CTOs from healthcare providers and health plans generating more than $500 in annual revenue.

47% of healthcare organizations have reported a HIPAA data breach in the past two years, whereas in 2015, when the survey was last conducted, 37% of healthcare organizations said they had experienced a security-related HIPAA breach in the past two years.

Preparedness for data breaches has improved over the past two years. When asked whether they were ready to deal with a HIPAA data breach, only 16% of organizations said they were completely ready in 2015. This year, 35% of healthcare providers and health plans said they were completely ready to deal with a breach if one occurred.

Ransomware has become a major threat since the survey was last conducted. 32% of all respondents said they had experienced a security breach in the past two years that involved ransomware. 41% of those respondents said they paid the ransom to unlock their data.

70% of organizations that experienced at least one security breach in the past 2 years said a malicious actor hacked their system as a result of an unaddressed vulnerability, 54% of respondents said they had experienced a single-system based malware incident and 36% said employees had responded to phishing emails resulting in a system compromise. 26% said they had experienced a breach of a third-party device or service, while 20% said they had experienced a breach as a result of an insider.

The probability of organizations experiencing a security breach has increased considerably in the past two years, yet there was a decrease in organizations that believed cybersecurity was a board matter. In 2015, 87% of organizations believed cybersecurity was a board issue. This year, only 79% of respondents said they thought cybersecurity was a C-level issue.

KPMG Healthcare Advisory Leader Dion Sheidy said, “There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated, especially as doctors need to share information to improve quality and as connected medical devices and wearables proliferate.”

Investment in cybersecurity protections has also decreased. In 2015, 88% of organizations said they had invested in information protection measures in the past 12 months. This year, only 66% said they had made such an investment.

When it comes to investment, organizations appear to be favoring technology rather than staff. Only 15% believe increases in staff numbers and higher quality staff are important for improving their security posture.

Only 41% of respondents said they were planning on investing in hiring or training staff, with 76% saying they were planning on investing more in technology. Budgets for training staff were low, with a quarter of respondents saying they were investing less than $1,000 per cybersecurity team member. 83% said improvements would be made to policies and data access controls and processes.

KPMG Cyber Security Group in Healthcare & Life Sciences Leader Michael Ebert said, “A solid cyber security program needs people, processes and technology and short-changing staff and the process structure needed to adequately govern, manage and monitor the technology is a faulty approach,” explaining that “Software can only protect you so far and staff is important when it comes time to respond to a data breach.”

When asked what they thought the main targeted asset was, only 30% believed it was patient data. Financial information was seen as the data most likely targeted (69%), followed by patient/clinical research (63%), competitive market analysis (49%) and the PII of employees (45%).

The biggest threats were seen to be state-sponsored actors (53%), individual hackers (49%) and hacktivists (47%).

Only One Third of Patients Use Patient Portals to View Health Data

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits patients to access the health information held by their providers, yet relatively few patients are exercising that right, at least through patient portals, according to a recent U.S. Government Accountability Office (GAO) report.

The Medicare Electronic Health Record Incentive Program encouraged healthcare providers to transition from paper to electronic medical records and now almost 90% of patients of participating providers have access to patient portals where they can view their health data. Even though patients have been provided with access, fewer than a third of patients are using patient portals to view their health information.

GAO looked at patient health information access from the patients’ perspective, conducting interviews with patients to find out why they are not taking advantage of this valuable resource.

Out of the healthcare organizations that participated in the Medicare EHR Program, 88% of hospitals and 87% of professionals offered patients access to their health information online, yet only 15% of hospital patients and 30% of other providers’ patients accessed their data online.

When patient portals are used to access health data, it is usually shortly before a medical appointment or soon afterwards to view medical test results. Information is also commonly accessed in order to share health data with a new healthcare provider. However, patients were mostly using the portals to schedule appointments, set reminders or order medication refills.

The problem does not appear to be a lack of interest in viewing or obtaining health information, rather it is one of frustration. The process of setting up access to patient portals and viewing health data is time consuming. Patients usually have multiple healthcare providers and must repeat the process for each provider. In order to view all their health information, they must use a different portal for each provider and manage separate login information for each. Further, patient portals are not standardized. Each requires patients to learn how to access their information and familiarize themselves with the portal.

When the patient portals have been set up, patients often discover incomplete or inaccurate information, with information inconsistent among different providers. It would make life easier if all information could be transferred electronically between each provider or aggregated in one place, yet patients were confused by the process and were unaware if this was possible, and if so, how it could be done. Many patients did not even know if their health information could be downloaded or transmitted.

GAO pointed out that while the HHS has been encouraging healthcare providers to give patients access to health data via patient portals, there does not appear to have been any follow up. GAO says the HHS appears to be unaware of how effective its program has been. GAO has recommended HHS set up some performance measures to determine whether its efforts are actually working.

HITRUST Launches Community Extension Program to Promote Collaboration on Risk Management

HITRUST has launched a new community extension program that will see town hall events taking place in 50 major cities across the United States over the course of the next 12 months. The aim of the community extension program is to improve education on risk management and encourage greater collaboration within each community.

With the volume and variety of cyber threats having increased significantly in recent years, healthcare organizations have been forced to respond by improving their cybersecurity programs, including adopting cybersecurity frameworks and taking part in HITRUST programs. Healthcare organizations have been able to improve their resilience against cyberthreats, although the process has not been easy.

HITRUST has learned that the process can be made much easier with improved education and collaboration between healthcare organizations. The community extension program is intended to streamline adoption of the HITRUST CSF and other HITRUST programs while promoting greater collaboration between healthcare organizations and within each community.

The events will allow healthcare organizations to share best practices and the lessons they have learned from conducting their own risk management programs, including discussing some of the many challenges they have faced.

Tufts Medical Center played an important role in the development of the community extension program, encouraging HITRUST to run the community sessions. Tufts Medical Center CISO, Taylor Lehmann, said “The importance of improving the overall cyber resilience of organizations cannot be overstated. Although it’s a difficult goal, HITRUST provides a number of programs that make the goal achievable and sharing best practices, lessons learned and remediation strategies makes the community stronger.”

HITRUST Assurance Strategy and Community Development Vice President Michael Parisi said, “This program provides significant value by allowing organizations to engage with, and learn from, others in the community about how they approach the challenges related to managing risk, controlling compliance costs while effectively implementing a strong security posture and defending against cyber threats.”

The time it takes to adopt HITRUST programs can be shortened through education and knowledge transfer, which will be a key component of the community extension program sessions.

Some of the main topics that will be covered at the events include:

  • Structuring and implementing an information risk management program
  • Considerations in implementing the HITRUST CSF
  • Leveraging the HITRUST CSF to implement the NIST Cybersecurity Framework
  • Considerations regarding a HITRUST CSF Assessment and reporting options
  • Leveraging the HITRUST Cyber Threat Catalogue
  • Implementing a third-party assurance program and effective vendor risk management
  • How to align information risk management and cyber insurance programs
  • Engaging in cyber information sharing and how it supports cyber threat management regardless of size or cyber maturity

HITRUST Community Extension Program Dates

The events will take place at town halls in major cities and will be hosted by healthcare organizations from each community, assisted by HITRUST CSF assessors. There will be no charge for attendees.

The events are likely to be popular and HITRUST will add more locations to meet demand over the course of the next 12 months.

The first six events will be held in Boston, MA, hosted by Tufts Medical Center; Houston, TX, hosted by Texas Children’s Hospital; Denver, CO, hosted by Centura Health; Dallas, TX, hosted by Blue Cross Shield of Texas; Cleveland, OH, hosted by Cleveland Clinic; and Seattle, WA, hosted by Microsoft.

The first event in Boston is scheduled to take place on September 14, 2017, with further dates to be confirmed. Interested parties can now register for the first event and view details of future events on this link.

4-Month Data Breach Discovered During Ransomware Investigation: 300,000 Patients Impacted

Women’s Health Care Group of Pennsylvania, one of the largest healthcare networks in the state, has alerted approximately 300,000 patients that some of their sensitive protected health information has been compromised.

The types of data exposed – and potentially stolen – include names, addresses, dates of birth, lab test orders, lab test results, blood types, race, gender, pregnancy status, medical record numbers, employer information, insurance details, medical diagnoses, physicians’ names and Social Security numbers.

Identity theft protection services are being offered to all affected patients. Those individuals would do well to activate those services promptly, as hackers gained access to a server and workstation containing the above information in January this year, with access to systems possible until at least May.

In May, a virus was installed on a server and workstation, preventing the organization from accessing patient data. While ransomware can be installed as a result of a phishing email or a software vulnerability, in this case it appears to have been deployed by individuals who already had access to its systems. This is not atypical. If hackers manage to gain access to a healthcare network, it is becoming increasingly common for ransomware to be deployed when access to the system is no longer required, for instance once all useful data have been exfiltrated.

Women’s Health Care Group of Pennsylvania rapidly isolated the affected devices to prevent the spread of the infection and external cybersecurity experts were called in to conduct a forensic investigation to determine the nature and scope of the security breach. The Federal Bureau of Investigation was also notified.

While a ransom demand had been issued by the attackers, no money was paid as all data could be recovered from a backup. Women’s Health Care Group of Pennsylvania says no protected health information was lost.

The investigation revealed that hackers had first gained access to its systems in January 2017 after taking advantage of a security vulnerability, with the same vulnerability believed to have been used to install ransomware. While Women’s Health Care Group of Pennsylvania did not find any evidence to suggest information on the server or workstation had been viewed or stolen, data access and theft could not be ruled out.

This is the second such incident to be reported in the past few weeks. Earlier this month, Peachtree Neurological Clinic of Atlanta, GA announced that an investigation into a ransomware attack revealed its systems had been compromised 15 months previously.

OCR Data Breach Portal Update Highlights Breaches Under Investigation

Last month, the Department of Health and Human Services confirmed it was mulling over updating its data breach portal – commonly referred to as the OCR ‘Wall of Shame’.

Section 13402(e)(4) of the HITECH Act requires OCR to maintain a public list of breaches of protected health information that have impacted more than 500 individuals. All 500+ record data breaches reported to OCR since 2009 are listed on the breach portal.

The data breach list contains a wide range of breaches, many of which occurred through no fault of the covered entity and involved no violations of HIPAA Rules.

OCR has received some criticism for its breach portal for this very reason, most recently from Rep. Michael Burgess (R-Texas) who said the breach portal was ‘unnecessarily punitive’ in its current form.

For example, burglaries will occur even with reasonable physical security in place, and even with appropriate controls in place, rogue healthcare employees will on occasion access PHI out of curiosity or with malicious intent. Some consider it unfair for those breaches to remain on public display indefinitely.

OCR Director Roger Severino said last month that “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved.”

While the HITECH Act requires OCR to maintain the portal, the Act does not specify for how long that information must be displayed. One possibility for change would be a time limit for displaying the breach summaries. There was concern from some privacy advocates about the loss of information from the portal, which would make it hard for information about past breaches to be found for research purposes or by patients whose PHI may have been exposed.

This week, changes have been made to the breach portal. The breach list now displays all data breaches that are currently under investigation by OCR. OCR investigates all reported data breaches impacting more than 500 individuals. Currently, the list shows there are 354 active investigations dating back to July 2015.

The order of the list has also been changed so the most recent breach reports are displayed first, a much more convenient order for checking the latest organizations to report data breaches.

Data breaches that were reported to OCR more than 24 months ago, along with breach investigations that have now been closed, have not been lost; instead, they have been moved to an archive. The archive can still be accessed through the site and is searchable, as before.

Since recent data breaches could be in either the archive or the main list, research and searches could become more complicated. OCR has tackled this issue by offering a research report containing the full list of breaches dating back to 2009.

Hospital Employee Discovered to Have Accessed Medical Records Without Authorization for 14 Years

Cases of employees snooping on medical records are relatively common, although an incident at Tewksbury Hospital in Massachusetts stands out due to the length of time that an employee was accessing medical records without authorization before being caught.

The hospital was tipped off about the employee in April after a former patient made a complaint about their medical record being accessed inappropriately. In response to the complaint, the hospital conducted a full review which revealed the former patient’s medical records had been accessed by an employee without any legitimate reason for doing so.

Further investigation revealed it was far from a one-off. The employee had been accessing the records of patients without authorization for a period of 14 years. The first instance dated back to 2003 and the inappropriate access continued until May 2017. During that time, the employee accessed the records of more than 1,000 patients.

Tewksbury Hospital, which is run by the Department of Public Health, has now written to all patients whose medical records were inappropriately accessed, although many of those individuals are now former patients and the hospital no longer holds valid contact information. In an attempt to contact those individuals, a substitute data breach notice has been placed on the Mass.gov website.

The employee was a clerk at the hospital and was required to have access to medical records in order to complete work duties. Those access rights were abused and as a result, the employee was terminated and no longer has access to the EMR system.

The types of information that were potentially accessed include names, phone numbers, addresses, gender, dates of birth, medical diagnoses, details of medical treatment provided at the hospital and, in some cases, Social Security numbers.

Tewksbury Hospital says steps have now been taken to reduce the probability of similar incidents occurring in the future and to make sure that if records are accessed inappropriately, incidents are detected promptly. Those steps included conducting a review of policies and procedures regarding access to its EMR system and a reassessment of how access logs to medical records are reviewed. Staff will also be provided with additional training on the privacy and security of protected health information.
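The access-log review the hospital describes can be automated. The following is an added example, not code from the article or from Tewksbury Hospital: it parses constructed EMR audit-log lines and flags accesses that have no documented care relationship, the pattern behind a clerk viewing records of patients they had no work reason to see. The log format, the encounter table and the "same department within a few days of an encounter" rule are all assumptions standing in for a real EHR's audit log and scheduling data.

```python
"""Flag EMR accesses that lack a documented care relationship (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed encounter table: (patient_id, department, encounter_date).
# Assumption: staff of that department have a legitimate reason to view the
# chart from shortly before the encounter until RELATIONSHIP_AFTER has passed.
ENCOUNTERS = [
    ("P001", "RADIOLOGY", "2017-04-03"),
    ("P002", "RADIOLOGY", "2017-04-10"),
    ("P003", "CARDIOLOGY", "2017-04-12"),
]

# Constructed user directory: user -> department they work in.
USER_DEPARTMENT = {"clerk01": "RADIOLOGY", "clerk02": "RADIOLOGY"}

# Constructed audit-log lines, one chart access per line.
SAMPLE_LOG = """\
2017-04-03T08:15:02 user=clerk01 patient=P001 action=VIEW_CHART
2017-04-11T09:40:11 user=clerk01 patient=P002 action=VIEW_CHART
2017-04-04T14:02:57 user=clerk02 patient=P001 action=VIEW_CHART
2017-04-13T10:22:03 user=clerk02 patient=P003 action=VIEW_CHART
2017-04-14T16:48:30 user=clerk02 patient=P004 action=VIEW_CHART
2017-04-15T07:05:19 user=clerk02 patient=P005 action=VIEW_DEMOGRAPHICS
2017-04-15T07:06:44 user=clerk02 patient=P006 action=VIEW_CHART
"""

RELATIONSHIP_BEFORE = timedelta(days=2)   # pre-visit scheduling / prep work
RELATIONSHIP_AFTER = timedelta(days=7)    # post-visit follow-up


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def has_care_relationship(user, patient, when,
                          encounters=ENCOUNTERS, departments=USER_DEPARTMENT):
    """True if the user's department had an encounter with this patient
    close enough in time to justify the access."""
    dept = departments.get(user)
    for pid, enc_dept, enc_date in encounters:
        if pid != patient or enc_dept != dept:
            continue
        enc_dt = datetime.fromisoformat(enc_date)
        if enc_dt - RELATIONSHIP_BEFORE <= when <= enc_dt + RELATIONSHIP_AFTER:
            return True
    return False


def review_access_log(events):
    """Group accesses with no supporting care relationship, keyed by user."""
    findings = defaultdict(list)
    for e in events:
        if not has_care_relationship(e["user"], e["patient"], e["ts"]):
            findings[e["user"]].append(e)
    return dict(findings)


def users_to_escalate(findings, min_events=3, min_patients=3):
    """Users whose unjustified accesses exceed both a volume and a spread
    threshold; returns (user, event_count, distinct_patients) tuples."""
    out = []
    for user, events in findings.items():
        patients = {e["patient"] for e in events}
        if len(events) >= min_events and len(patients) >= min_patients:
            out.append((user, len(events), len(patients)))
    return sorted(out, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    results = review_access_log(parse_log(SAMPLE_LOG))
    for user, count, spread in users_to_escalate(results):
        print(f"{user}: {count} unjustified accesses across {spread} patients")
```

Low-rate snooping of the kind described above only becomes visible when findings are accumulated across review periods rather than reset each month, so the per-user findings should be retained, not just the escalations.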

Tewksbury Hospital says the investigation did not uncover any evidence to suggest protected health information was misused in any way.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights, which investigates all data breaches that have impacted more than 500 individuals. If the investigation reveals HIPAA Rules have been violated by the hospital, the penalty is likely to be severe for a breach of this duration.

Model HIPAA-Compliant PHI Access Request Form Released by AHIMA

The American Healthcare Informatics Management Association (AHIMA) has announced it has released a model PHI access request form for healthcare providers to give to patients who want to exercise their right under HIPAA to obtain copies of their health data.

The model PHI access request form is compliant with HIPAA regulations and can be easily customized to suit the needs of each healthcare organization.

AHIMA claims that until now, a model PHI access request form was not available to healthcare providers. HIPAA-covered entities have had to develop their own forms and there is considerable variation in the forms used by different healthcare organizations. Patients with multiple healthcare providers often find the process of obtaining their health data confusing.

AHIMA has listened to feedback from its members and industry stakeholders who explained that the process of accessing medical records was often confusing for patients. Even some healthcare organizations are confused about what is permitted and not permitted under HIPAA Rules when it comes to providing access to health data. The new model form should help clear up confusion.

It is hoped that the new form will be used as a standard across the industry which will make it easier for patients to exercise their rights under HIPAA, regardless of which healthcare providers they use.

AHIMA interim CEO Pamela Lane said, “Our hope is that it will help connect patients with their health information and make them more empowered healthcare consumers.”

Streamlining the Process of Providing Copies of Health Data to Patients

The ONC recently issued a report in which HIPAA-covered entities were given tips to help streamline the process of providing patients with access to their healthcare data.

The ONC report explained its research has shown that oftentimes patients are confused about the process of accessing their health data. Forms are confusing and patients are often unaware of their rights under HIPAA. For example, many are unaware that under HIPAA Rules they are permitted to have PHI provided in the format of their choosing. Paper copies can be requested or they are entitled to have their health data in electronic form – electronic copies can be sent via email or provided on a portable storage device such as a CD or zip drive.

The new model PHI access request form ties in with the advice given by the ONC and patients can stipulate how they would like their PHI copies to be delivered. The form should also make processing requests straightforward for healthcare providers and help them to streamline the processing of PHI access requests.

The form is suitable for use by all types of healthcare providers, from large multi-hospital health systems to individual physicians, clarifying what patients have the right to access and what healthcare organizations must provide.

Lane said the model PHI access request form is “Written in easy-to-understand language for all patients,” explaining, “this model form and explanation of use provides healthcare providers with a customizable tool that both ensures their compliance and captures patient request information in a clear, simple format.”

The final version of the PHI access request form can be downloaded from AHIMA on this link.

Recommendations for HIPAA Covered Entities Wishing to Use the Model PHI Access Request Form

The model PHI access request form is self-explanatory for patients, but AHIMA has given additional recommendations for healthcare providers who wish to start using the new form.

AHIMA suggests the form should be customized to match the capabilities of healthcare providers’ systems and can be updated as required when systems are upgraded. Healthcare providers can also add their address, logos and barcodes to the forms should they so wish.

While the form is HIPAA-compliant in its original form, healthcare providers that customize the form must ensure that any changes comply with HIPAA Rules. Healthcare providers are told they should read 45 CFR 164.524(c)(3) to ensure the form stays compliant.

Internal policies can be developed by HIPAA-covered entities, but AHIMA stresses those policies must be in line with HIPAA guidance and should not serve as a barrier to health data access. HIPAA Rules allow covered entities to charge patients fees for providing copies of their health data. AHIMA recommends providers consult OCR guidance on fees as well as state laws to ensure compliance.
