Latest HIPAA News

Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million

Posted by HIPAA Journal

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine.

A $2.5 million settlement has been agreed with CardioNet to resolve HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias.

Settlement have previously been agreed with healthcare providers, health plans, and business associates of covered entities, but this is the first-time OCR has settled potential HIPAA violations with a wireless health services provider.

While OCR has not previously fined a wireless health services provider for violating HIPAA Rules, the same cannot be said of the violations discovered. Numerous settlements have previously been agreed with covered entities after OCR discovered risk analysis and risk management failures.

In this case, the settlement relates to a data breach reported to OCR in January 2012. In 2011, an employee of CardioNet left a laptop computer in a vehicle that was left outside that individual’s home. The laptop computer was stolen, resulting in the impermissible disclosure of 1,391 patients’ electronic protected health information (ePHI).

As is customary following all breaches involving the theft or exposure of more than 500 individuals’ PHI, OCR conducted an investigation to determine whether the breach was a direct result of violations of HIPAA Rules.

In this case, a risk analysis has been performed, but OCR investigators determined that the risk analysis was not comprehensive – a violation of 45 C.F.R. § 164.308(a)(1). Also, at the time of the breach, there were inadequacies in CardioNet’s risk management process.

By 2011, all HIPAA-covered entities were required to comply with the HIPAA Security Rule, yet CardioNet’s HIPAA policies and procedures were still only in draft form and had not yet been implemented. OCR requested final copies of policies and procedures covering the safeguarding of ePHI stored on mobile devices, yet CardioNet was unable to produce any HIPAA-compliant documentation regarding the implementation of ePHI safeguards for mobile devices.

CardioNet was also determined to have violated 45 C.F.R. § 164.310(d)(1) by failing to implement policies and procedures covering the receipt and removal of hardware containing ePHI and for the failure to implement encryption – or another equivalent safeguard – to prevent the exposure of ePHI stored on mobile devices.

Any laptop computer or other mobile device that is used to store the ePHI of patients is vulnerable to theft or loss. When those devices are removed from the premises of a HIPAA-covered entity, the risk of theft or loss increases considerably. Covered entities must therefore implement appropriate safeguards to ensure that in the event of loss or theft of those devices, ePHI remains protected.

OCR Director, Roger Severino, said the “failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

The latest HIPAA settlement should send a strong message to covered entities that the failure to comply with HIPAA Rules can prove very costly. Also, that it is not only hospitals and health plans that run the risk of a significant financial penalty for failing to comply with HIPAA Rules.

2017 HIPAA Settlements

The other HIPAA settlements agreed between OCR and covered entities in 2017 are:

  • The Center for Children’s Digestive Health- $31,000
  • Metro Community Provider Network – $400,000
  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas- $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presense Health – $475,000

The post Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million appeared first on HIPAA Journal.

Patient Records Must be Disclosed by Organ Procurement Organization, Rules Supreme Court Judge

Posted by HIPAA Journal

A New York Supreme Court Judge has recently ruled that patient records held by the New York Organ Donor Network must be turned over to a plaintiff and that the request cannot be denied based on HIPAA.

Patrick McMahon claims he was fired from his position of Transplant Coordinator by the New York Organ Donor Network following complaints he made about organ harvesting from four patients who were still showing clear signs of life and had not been declared legally dead.

The New York Organ Donor Network maintains the plaintiff was fired for poor performance while he was still a probationary employee. The allegations about the procurement of organs have been denied.

McMahon requested the New York Organ Donor Network turn over the medical records of the four patients as they are ‘material and necessary’ to show the patients showed signs of brain activity at the time the organs were harvested.  The New York Organ Donor Network had previously denied McMahon’s request, instead providing contact details of the patients’ next of kin, informing McMahon that he needed to obtain consent forms allowing the release of the information.

McMahon claims he attempted to obtain consent forms, but despite diligent attempts, was unable to obtain the authorizations. Without access to the medical records of patients, McMahon is unable to provide the proof related to his asserted cause of action.

McMahon argued that the New York Organ Donor Network is not a HIPAA-covered entity and therefore would not be in breach of HIPAA-Rules by turning over the patients’ records.

The New York Organ Donor Network confirmed that it is not an entity covered by HIPAA Rules, but that it has a duty to maintain patient confidentiality. The defendant also pointed out it has entered into memorandums of understanding (MOUs) with hospitals in which access to PHI was gained in order to facilitate the organ donation process. The New York Organ Donor Network says “it would defeat the purpose of HIPAA if it were required to comply with plaintiffs’ requests.”

While HIPAA Rules protect the privacy of patients, Manhattan Supreme Court Justice Arlene Bluth ruled that the New York Organ Donor Network is not a HIPAA-covered entity, and even if it were, HIPAA Rules do not prevent document disclosure. Bluth explained that organ procurement organizations (OPOs) are allowed to be provided with PHI and that MOUs “seek to assure the covered entities who provide information to defendant that protected health information will be kept confidential.” However, Bluth said, “MOUs between [the] defendant and certain hospitals do not compel this Court to deny plaintiffs motion.”

Bluth said, the “defendant failed to identify a federal regulation or case law that would prevent this Court from requiring disclosure,” and ruled the documents must be turned over as requested by the plaintiff.

Explaining the ruling, Bluth said “HHS could have promulgated a rule stating that any protected health information received by an OPO from a covered entity must remain subject to HIPAA’s privacy protections as if the OPO were a covered entity; HHS did not.” Bluth also pointed out that HHS could have included OPOs in its definition of covered entities but it did not.

Bluth explained that “Providing this information might negatively impact these MOUs. But that possibility merely underscores the need for additional federal regulations addressing OPOs and their relationship with HIPAA.”

The New York Organ Donor Network must turn over the patients’ records no later than April 26, 2017. McMahon has been prohibited from using the information in the medical records for anything other than litigation.

The post Patient Records Must be Disclosed by Organ Procurement Organization, Rules Supreme Court Judge appeared first on HIPAA Journal.

OCR Settlement Highlights Importance of Obtaining Signed Business Associate Agreements

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has sent another warning to HIPAA-covered entities about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors prior to disclosing any protected health information.

Yesterday, OCR announced it has agreed to settle potential violations of the Health Insurance Portability and Accountability Act with The Center for Children’s Digestive Health (CCDH); a small 7-center pediatric subspecialty practice based in Park Ridge, Illinois.

On August 13, 2015, OCR conducted a HIPAA compliance review of CCDH following an investigation of FileFax Inc., which was contracted by CCDH to store inactive patient records. The FileFax investigation revealed the company had not signed a business associate agreement prior to being provided with patients’ PHI.

The subsequent compliance review of CCDH similarly revealed that no signed business associate agreement existed. CCDH had therefore impermissibly disclosed patients’ PHI to FileFax in violation of HIPAA Rules.

CCDH had provided paper records relating to 10,728 patients without officially advising FileFax, by means of a BAA, of the firm’s responsibilities to safeguard patients’ data. CCDH also received no HIPAA-compliant assurances that appropriate safeguards had been implemented to ensure the confidentiality, integrity, and availability of PHI prior to the disclosure.

FileFax had been storing documents containing the PHI of patients of CCDH since 2003, yet the earliest business associate agreement produced by CCDH and FileFax was dated October 12, 2015.

CCDH has agreed to pay OCR $31,000 to resolve the potential HIPAA violations and will adopt a corrective action plan that involves updating policies and procedures, conducting staff training on those policies and procedures and ensuring one or more employees are made responsible for ensuring HIPAA-compliant business associate agreements are obtained from all business associates.

HIPAA-covered entities are permitted to disclose the PHI of patients to their business associates; however, before any PHI is disclosed, the covered entity must enter into a contract with the business associate. The contract must explain the responsibilities the business associate has to ensure PHI is secured and safeguards are implemented to prevent unauthorized disclosures. The business associate must also be advised of the allowable uses and disclosures of PHI and must agree not to use or disclose any PHI unless required to do so under the terms of the contract or if required to do so by law.

The business associate must also be advised of the requirement to notify the covered entity in the event that any PHI is accidentally or deliberately accessed or disclosed along with the timescale for doing so. The business associate must also be advised that the failure to comply with HIPAA Rules can result in financial penalties being issued.

Further information on HIPAA Rules concerning business associate agreements can be viewed on this link.

2017 HIPAA Settlements

Last year, OCR issued one civil monetary penalty and agreed to settle potential HIPAA violations with 12 covered entities to resolve HIPAA violations – More than any other year since the HIPAA Enforcement Rule was introduced.

This year looks set to see even more HIPAA enforcement actions. The Center for Children’s Digestive Health HIPAA settlement is the sixth financial penalty in less than four months, bringing the total amount of HIPAA fines in 2017 to $11,806,000.  The other HIPAA settlements agreed between OCR and covered entities in 2017 are:

  • Metro Community Provider Network – $400,000
  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas- $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presense Health – $475,000

The post OCR Settlement Highlights Importance of Obtaining Signed Business Associate Agreements appeared first on HIPAA Journal.

$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011.

Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation.

The incident that triggered the OCR investigation was a phishing attack that occurred on December 5, 2011. A hacker sent phishing emails to (MCPN) personnel, the responses to which enabled that individual to gain access to employees’ email accounts. Those accounts contained the electronic protected health information of 3,200 patients.

OCR investigates all breaches of more than 500 patient records to determine whether healthcare organizations have experienced a breach as a direct result of violations of HIPAA Rules. OCR notes that MCPN took the necessary action following the breach to prevent further phishing attacks from being successful; however, OCR investigators uncovered multiple violations of HIPAA Rules.

Phishing attacks on healthcare organizations are to be expected and it would be unreasonable to expect healthcare organizations to be able to reduce the risk of a successful phishing attack to zero. However, HIPAA-covered entities must take steps to identify potential risks and to take action to reduce risks to an appropriate level.

One of the fundamental elements of the HIPAA Security Rule is the risk analysis. The purpose of the risk analysis is to identify risks to the confidentiality, integrity, and availability of electronic protected health information. If a risk analysis is not conducted, HIPAA-covered entities will not be able to determine with any degree of certainty whether all risks have been identified. Appropriate measures to reduce those risks to acceptable levels would therefore be unlikely to be implemented.

While OCR confirmed that MCPN had conducted a risk analysis, it had not been performed until mid-February 2012, more than two months after the phishing attack had occurred. Further, that risk analysis and all subsequent risk analyses performed by MCPN did not meet the minimum requirements of the HIPAA Security Rule.

The lack of a risk analysis meant MCPN failed to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI that the organization held. MCPN also failed to implement a risk management plan to address risks identified in the risk analysis.

OCR also determined that MCPN had failed to implement appropriate security measures to reduce risks to a reasonable and acceptable level and policies and procedures to prevent, detect, contain, and correct security violations had also not been implemented.

When deciding an appropriate settlement, OCR took into consideration MCPN’s status as a FQHC and its financial position to ensure MCPN could maintain sufficient financial standing to continue to provide ongoing patient care. The HIPAA settlement could have been considerably higher.

This is the first HIPAA settlement announced since the appointment of Roger Severino as Director of OCR. Severino issued a statement about the settlement explaining “Patients seeking health care trust that their providers will safeguard and protect their health information…Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”

This is the fifth HIPAA settlement of 2017. OCR has previously agreed to settle potential violations of the Health Insurance Portability and Accountability with the following HIPAA-covered entities in 2017:

  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas- $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presense Health – $475,000

The post $400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures appeared first on HIPAA Journal.

Congress Advised to Offer Incentives to Improve Healthcare Threat Intelligence Sharing

Posted by HIPAA Journal

With the healthcare industry under a sustained attack and the cyber threat landscape constantly evolving, law enforcement, the government, and private industry need to collaborate to counter the threat of cyberattacks. Cybercrime cannot be effectively tackled by organizations acting in isolation.

The sharing of threat information is essential in the fight against cybercrime. Dissemination of this information makes it easier for law enforcement and government agencies to combat cybercrime. Accessing that information also allows healthcare entities to to take timely action to address vulnerabilities before they are exploited.

Government and law enforcement agencies are educating healthcare organizations on the importance of sharing threat intelligence, although currently too few entities are sharing threat information.

At a Congressional Energy and Commerce Committee hearing this week, cybersecurity experts made suggestions on how congress can improve threat information sharing and improve healthcare cybersecurity.

At the hearing, Denise Anderson, president of the National Health Information Sharing and Analysis Center (NH-ISAC), explained that failing to take action to combat cybersecurity threats is putting patient safety at risk. In some cases, this could be a life or death matter for affected patients.

Ransomware can prevent patients’ health records from being accessed by healthcare providers; however, Anderson explained that data manipulation could be an even bigger problem. If cybercriminals were to change medical records, they could then demand a ransom from the healthcare provider to divulge which records had been changed. Data manipulation could result in patients being incorrectly diagnosed or provided with the wrong medications. That could have fatal consequences.

The healthcare industry has many small to medium-sized healthcare organizations that lack the capital and resources to deal with cybersecurity issues. They cannot keep up with the practices that are required to keep patients’ data secured. Many are faced with a choice – purchase essential medical equipment or a new cybersecurity tool. There is little incentive to choose the latter.

Cybersecurity Incidents Often Go Unreported

The number of cybersecurity threats has increased significantly in recent years, as has the number of reported healthcare data breaches, yet those reported breaches are just a fraction of the security incidents that are now plaguing the healthcare industry. Many cybersecurity threats and security incidents go unreported.

Evidence gathered from normal security monitoring suggests there are far more breaches occurring than current data breach reports suggest. Terry Rice, vice president of IT risk management and chief information security officer at Merc, suggested that while laws are in place that require healthcare organizations to report security incidents, current disclosure laws have limited requirements for reporting incidents and many organizations are not submitting or delaying incident reports.

Threat Information Sharing is Critical

While it is important for further efforts to be made to educate the healthcare industry on the importance of sharing threat information, education alone is unlikely to solve the problem. Sharing threat information carries a cost that many small healthcare providers simply cannot afford.

Anderson suggests that while there are clear benefits to participating in information sharing efforts, threat intelligence sharing should not be mandatory. Healthcare organizations should be given a choice. However, healthcare organizations can be encouraged to share information if they are offered financial incentives for doing so.

She also suggested ISACs should be offered tax breaks, that information shared through ISACs should be protected, and that organizations that share threat intelligence should be provided with better legal protections.

Congress was also advised to create permanent cybersecurity liaisons and leaders. Those individuals should be experienced cybersecurity professionals that are aware of the threats, vulnerabilities and cybersecurity issues faced by the healthcare industry.

Michael McNeil, global product security and services officer for Royal Phillips pointed out that cyberattacks on medical devices pose a serious threat to patients and potentially place patients’ lives at risk.

He suggested medical device manufacturers should be included in conversations about cybersecurity and should ensure security is considered at every stage of the manufacturing process. Device manufacturers must also address cybersecurity issues at every stage of the product lifecycle, not just until their devices come to market.

Device manufacturers also need to collaborate and agree to a set of standards that can be adopted to improve cybersecurity. There should be regulatory requirements covering cybersecurity for device manufacturers.

The post Congress Advised to Offer Incentives to Improve Healthcare Threat Intelligence Sharing appeared first on HIPAA Journal.

Large Hospitals and Teaching-Focused Hospitals Face Greater Risk of Data Breaches

Posted by HIPAA Journal

A study recently published in JAMA Internal Medicine examined recent healthcare data breach trends to determine which types of hospitals are the most susceptible to data breaches.

The researchers analyzed breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights between October 21, 2009 and December 31, 2016. During that time, 216 hospitals reported 257 breaches of more than 500 patient records.

33 hospitals experienced more than one data breach during that time frame. Four hospitals – Brigham and Women’s Hospital, Cook County Health & Hospitals System, Mount Sinai Medical Center and St. Vincent Hospital and Healthcare Inc – experienced three data breaches. Two hospitals – Montefiore Medical Center and University of Rochester Medical Center & Affiliates – experienced four data breaches.

The researchers determined the size of the acute care hospitals by linking the facilities to their Medicare cost reports submitted to the Centers for Medicare and Medicaid Services in the 2014 fiscal year. 141 acute care hospitals were linked to CMS cost reports. Unlinked hospitals included those run by the Department of Veteran Affairs and military hospitals and long term care hospitals.

The study revealed that larger hospitals were statistically more likely to experience a data breach. More than one third of hospitals (37%) that had experienced a data breach are classed as major teaching hospitals.

Linked hospitals had a median of 262 beds, while an analysis of 2852 acute care hospitals that had not reported a data breach had a median of 134 beds. 265 (9%) of those unbreached hospitals were major teaching hospitals.

The researchers found that both the size of hospitals and their teaching status were positively associated with the risk of experiencing data breaches.

The researchers used multivariable and regression analyses to compare the 141 linked acute care hospitals with other hospitals to determine why they faced a higher risk of experiencing data breaches.

The researchers suggest the reason why larger hospitals and teaching hospitals experience more data breaches is due to having broader access to sensitive patient data. The more individuals who require access to data, the greater the risk of data breaches occurring. The report suggests “There is a fundamental trade-off between data security and data access.” When data are made available to a greater number of individuals for research and education purposes it makes “zero breach” an extremely challenging objective.

While investment in information technology such as EHRs has certainly made hospitals more efficient and has improved the provision of care to patients, it has also made security and privacy breaches more likely.

While many hospitals have invested heavily in cybersecurity defenses to reduce the risk of data breaches, the breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights clearly show that healthcare data breaches are increasing in frequency.

The fast-evolving threat landscape requires hospitals to invest in cybersecurity defenses to mitigate data breach risk and hospitals must continuously evaluate data security risks and apply best data security practices to prevent breaches from occurring; however, it is difficult for hospitals to determine which technologies and best practices are the most effective at preventing data breaches.

Lead author of the study, Ge Bai, an assistant professor at John Hopkins Business School said, “More research is needed to identify effective and evidence-based data security practices to guide hospitals’ risk management efforts.”

The post Large Hospitals and Teaching-Focused Hospitals Face Greater Risk of Data Breaches appeared first on HIPAA Journal.

More than 55,000 Patients Impacted by ABCD Pediatrics Ransomware Attack

Posted by HIPAA Journal

San Antonio, TX-based ABCD Pediatrics has discovered cybercriminals gained access to its servers and encrypted data with ransomware, including the protected health information of its patients. The individuals behind the attack may also have gained access to data stored on the healthcare provider’s servers prior to ransomware being deployed. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 55,447 patients have been impacted.

The attack involved a variant of CrySiS ransomware called Dharma, which started encrypting data on February 6, 2017. Dharma ransomware is not known to exfiltrate data; however, an analysis of the attack revealed a number of suspicious user accounts on the servers, suggesting access had been gained prior to the ransomware being installed. User logs were also discovered that indicated programs or users may have been on the servers for a limited period of time prior to the ransomware being installed.

Fortunately, the encryption process was hampered by the anti-virus solution used by ABCD Pediatrics. ABCD Pediatrics, via its IT company, was able to isolate the affected servers and take them offline limiting the effectiveness of the attack. ABCD was not able to determine with a high degree of certainty that data were not viewed or stolen, although no evidence was uncovered to suggest data were accessed or exfiltrated.

The types of information potentially compromised included patients’ names, addresses, telephone numbers, demographic information, dates of birth, Social Security numbers, insurance billing information, medical records, procedural codes and lab test results. To protect patients from identity theft and fraud, ABCD Pediatrics has offered 12 months of credit monitoring and identity theft protection services to affected individuals via Equifax Personal Solutions.

Fortunately, ABCD Pediatrics was able to restore all encrypted and corrupted data from a backup that was securely stored on a different system. No data were lost as a result of the attack and no ransom was paid. ABCD Pediatrics reports that no ransom demand was actually received from the attackers.

The ransomware attack occurred in spite of a host of security defenses that had been deployed. Those defenses included “network filtering and security monitoring, intrusion detection systems, firewalls, antivirus software, and password protection.”

The forensic investigation identified the source of the attack and additional security solutions have now been deployed to prevent future attacks, including state-of-the-art network cyber monitoring.

The incident shows that even with advanced cybersecurity solutions in place, ransomware attacks remain a threat. While it may not be possible to prevent all ransomware attacks, risk can be reduced to an acceptable level with cybersecurity solutions and securely stored backups of data will ensure ransom demands will not have to be paid.

A good backup policy to adopt is the 3-2-1 approach. There should be three copies of data, two should be stored locally on two different mediums and one should be stored off site. The local media should be disconnected after a backup has been performed.

The post More than 55,000 Patients Impacted by ABCD Pediatrics Ransomware Attack appeared first on HIPAA Journal.

FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks

Posted by HIPAA Journal

The Federal Bureau of Investigation has issued a warning to healthcare organizations using File Transfer Protocol (FTP) servers. Medical and dental organizations have been advised to ensure FTP servers are configured to require users to be properly authenticated before access to stored data can be gained.

Many FTP servers are configured to allow anonymous access using a common username such as ‘FTP’ or ‘anonymous’. In some cases, a generic password is required, although security researchers have discovered that in many cases, FTP servers can be accessed without a password.

The FBI warning cites research conducted by the University of Michigan in 2015 that revealed more than 1 million FTP servers allowed anonymous access to stored data

The FBI warns that hackers are targeting these anonymous FTP servers to gain access to the protected health information of patients. PHI carries a high value on the black market as it can be used for identity theft and fraud.

Healthcare organizations could also be blackmailed if PHI is stolen. Last year, the hacker operating under the name TheDarkOverlord conducted a number of attacks on healthcare organizations. The protected health information of patients was stolen and organizations were threatened with the publication of data if a sizable ransom payment was not made. In some cases, patient data were published online when payment was not received.

There are reasons why IT departments require FTP servers to accept anonymous requests; however, if that is the case, those servers should not be used to store any protected health information of patients. If PHI must be stored on the servers, they cannot be configured to run in anonymous mode.

In anonymous mode, any information stored on the server can potentially be accessed by the public. Hacking skills would not be required. Default usernames are freely available on the Internet.

Even if PHI is not stored on the servers, healthcare organizations may still be at risk. Any sensitive data could be accessed and used against the organization, ransomware could be installed or the servers could be used by hackers and other cybercriminals to store illegal content or malicious tools.

In the alert, the FBI said “In general, any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft or financial fraud.”

Large healthcare organizations may already have ensured their servers are not configured to allow anonymous access or that all sensitive information has been removed from those servers; however, that may not be the case for smaller healthcare organizations. Smaller medical and dental organizations are more likely to be placing patient data and other sensitive information at risk.

The FBI suggests all healthcare organizations should instruct their IT departments to check the configuration of their FTP servers to ensure they are not running in anonymous mode and to take immediate action to secure those servers and reduce risk if they are.

The post FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks appeared first on HIPAA Journal.

SAFER Guides Updated by ONC: Ransomware Prevention and Mitigations Now Included

Posted by HIPAA Journal

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has updated its SAFER Guides to include information to help healthcare providers protect against ransomware attacks and mitigate attacks should they occur.

The Safety Assurance Factors for Electronic Health Record Resilience (SAFER) Guides were first released in January 2014 to help healthcare providers improve the usability of their EHRs and address the risks that EHR technology can introduce. The SAFER Guides can also be used to reduce the potential for patients to suffer EHR-related harm.

The SAFER Guides cover a range of key focus areas and include evidence-based best practices that can be adopted by healthcare providers to improve the usability and safety of their EHRs. Over the past three years, technology has changed as have the threats faced by the healthcare industry.

The guides were therefore due an update to keep them useful and relevant. Prior to issuing the updated guides, ONC sought feedback from healthcare providers and developers of EHRs. The comments and recommendations received from the National Academy of Medicine, the National Quality Forum, the American Medical Informatics Association, the Electronic Health Record Association and other organizations have been used to develop new best practices that healthcare providers should adopt.

The SAFER Guides include checklists and recommendations for healthcare organizations along with note templates that can be used to improve the safety and usability of EHRs. ONC says the guides have been developed to help reduce data-related burdens.

The guides now cover ransomware prevention strategies and mitigations to reduce the impact of ransomware attacks, including how to manage downtime following ransomware attacks and how to respond when EHR systems are slow or inaccessible.

The updated SAFER Guides can help organizations with EHR contingency planning to ensure compliance with that aspect of the HIPAA Security Rule. The SAFER guides now include an EHR contingency planning self-assessment to help in this regard.

The guides also include a new recommendation to the Test Results and Follow-Up Reporting Guide to help healthcare organizations communicate abnormal results to patients. The update incudes advice ONC received from the National Academy of Medicine.

To date, more than 52,000 users have downloaded the SAFER Guides and many EHR developers are now using the guides to help their customers set up their EHR systems and improve both safety and usability.

ONC says the SAFER Guides are particularly useful for technical assistance providers to help smaller healthcare organizations improve care quality and participate in the Medicare Quality Payment Program.

The post SAFER Guides Updated by ONC: Ransomware Prevention and Mitigations Now Included appeared first on HIPAA Journal.