Latest HIPAA News

Roger Severino Named New Director of HHS’ Office for Civil Rights

The Department of Health and Human Services’ Office for Civil Rights has a new leader. The Trump Administration has chosen former civil rights trial attorney Roger Severino to lead the HIPAA enforcement efforts of the Office for Civil Rights.

Severino joins OCR from the Heritage Foundation’s DeVos Center for Religion and Civil Society, Institute for Family, Community, and Opportunity, where he served as Director since May 2015.

A formal announcement about the appointment of the new OCR Director has yet to be issued; however, the Heritage Foundation has confirmed that Severino is no longer on the staff and his name has been added to the HHS website. A spokesperson for OCR has also confirmed that Severino will be the new director and Severino’s LinkedIn profile has also been updated to include his new position as OCR chief.

Severino has a background in civil rights litigation, having worked as a trial attorney for the Department of Justice for seven years in the Housing and Civil Enforcement division. During his time at the DOJ, Severino enforced the Fair Housing Act, Title II and Title VI of the Civil Rights Act of 1964 and the Religious Land Use and Institutionalized Persons Act. Severino has also worked as Legal Counsel for the Becket Fund for Religious Liberty between July 2003 and May 2008.

While Severino has civil rights experience and has spent time working in the section of the DOJ that enforces criminal HIPAA statutes, he does not appear to have much experience with privacy and security issues.

LGBT Groups Express Concern About New OCR Appointment

Many human rights organizations have expressed concern over the appointment of Severino as head of OCR due to the views he has previously expressed about transgender people and same-sex marriages. Severino has authored a number of reports in which he has spoken out in opposition of LGBT rights and pro-LGBT legislation. Severino has also spoken out against Planned Parenthood.

JoDee Winterhof, senior vice president of policy and political affairs at the Human Rights Campaign, went as far as saying, “There isn’t a more dangerous person to lead HHSGov’s Office for Civil Rights than LGBTQ opponent Roger Severino.”

Wade Henderson, president and CEO of The Leadership Conference on Civil and Human Rights, said “The Office for Civil Rights at HHS is essential to ensuring that all people can lead healthy lives, free of discriminatory barriers. Section 1557 of the Affordable Care Act, which bans discrimination based on race, sex, disability and age in health programs and activities, is key to achieving this goal.” Henderson went on to say, “Strong and experienced leadership at OCR committed to fully enforcing Section 1557 is therefore critical. Mr. Severino is not that leader.”

OCR is likely to be taken in a different direction under Severino’s leadership than it was under the directorship of Jocelyn Samuels. What impact Severino will have on OCR’s HIPAA enforcement activity and HIPAA guidance remains to be seen.

The post Roger Severino Named New Director of HHS’ Office for Civil Rights appeared first on HIPAA Journal.

What Can Small Healthcare Providers Do To Prevent Ransomware Attacks?

Ransomware attacks on healthcare providers are occurring with alarming frequency. Figures from the FBI suggest as many as 4,000 ransomware attacks are occurring every day.

Healthcare organizations are targeted because they hold large volumes of data and access to those data is required to provide medical services to patients. Without access to patients’ health information, healthcare services can be severely disrupted. Such reliance on data makes healthcare providers attractive targets as they are more likely than other companies to give in to ransom demands to obtain keys to unlock their data.

All businesses, and healthcare organizations especially, should implement a number of defenses to prevent ransomware attacks. Policies and procedures should also be developed to ensure that in the event of an attack, business operations are not severely disrupted and data can be recovered quickly.

There is no one technology solution that can be deployed to prevent ransomware attacks from occurring, although there are a number of actions that can be taken to improve resilience against ransomware attacks and ensure a fast recovery can be made at minimal cost.

How to Prevent Ransomware Attacks

Listed below are some of the steps that healthcare providers should take to improve their defenses against ransomware:

  • Deploy and configure an anti-spam solution – Consider all of the email attachments that are likely to be required by employees and block all others, especially JavaScript (JS) and Visual Basic (VBS) files, executables (.exe), screensaver files (SCR)
  • Configure computers to display file extensions. Double extensions – Invoice.xlsx.scr, for example – are often used to trick end users into believing files are harmless. Displaying file extensions will help users to identify malicious files
  • Ensure Office installations are configured to block macros, or at least ensure macros must be run manually. Make sure all employees are warned of the dangers of enabling and running macros
  • Ransomware infections often occur via Windows PowerShell. Unless PowerShell is essential, consider disabling it
  • Ensure all software is kept up to date and patches are applied promptly
  • Segment your network – An attack on one device should not allow all of the company’s data to be encrypted
  • Provide training to all employees on security best practices and instruct them never to open email attachments – or visit links – contained in emails from unknown senders
  • Consider an Internet filtering solution that can be used to block end users from visiting malicious websites
  • Ensure anti-virus software is installed and virus definitions are set to update automatically. Consider installing a popup blocker in web browsers
  • Block all unused ports on computers
  • Train all staff members on basic cybersecurity and best practices
  • Conduct dummy phishing email tests to ensure training has been effective
  • Ensure all employees are trained on the correct response to a potential attack. Ensure staff members are made aware of the importance of reporting any suspicious emails and how to respond if they believe they may have inadvertently installed ransomware
  • Ensure that policies and procedures are developed that can be instantly implemented in the event of an attack. Fast reaction can limit the harm caused and will ensure the fastest possible recovery from an attack
  • Consider encrypting data. While this will not prevent a ransomware attack, if an attack does occur and the ransomware encrypts data that were already encrypted, patient notifications will not need to be issued and a breach report will not need to be submitted to the Office for Civil Rights
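The first two items in the list above (filter attachments by type, and show extensions so that double-extension lures such as Invoice.xlsx.scr are visible) can be expressed as a single policy check at the mail gateway. The following is an added example written for this article, not code from HIPAA Journal or from any anti-spam product; the allow-list, the block-list and the sample filenames are constructed, and the check goes slightly beyond the list by also catching the whitespace-padded extension trick.

```python
"""Attachment-policy check illustrating the anti-spam and 'display file
extensions' items above. Example written for this article, not a HIPAA
Journal or vendor product; the allow/block lists and sample filenames are
constructed."""
from typing import Dict, List, Tuple

# Constructed block-list: the types the list above names (JS, VBS, EXE, SCR)
# plus a few other script/installer types abused in the same way.
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "jse", "vbs", "vbe", "bat", "cmd", "ps1", "hta", "msi"}
# Constructed allow-list: types the organisation has decided staff need.
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "pptx", "csv", "txt", "png", "jpg"}

def extensions_of(filename: str) -> List[str]:
    """All dot-separated suffixes, lower-cased, with surrounding whitespace
    removed from each part. Padding the real extension with spaces
    ('report.pdf        .exe') is a common way to push it out of view."""
    parts = [p.strip() for p in filename.strip().lower().split(".")]
    return [p for p in parts[1:] if p]

def classify_attachment(filename: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'.
    The *last* extension decides how Windows will open the file, so it is
    checked first; a document type followed by anything else is treated as a
    double-extension lure even when the final type is itself allowed."""
    exts = extensions_of(filename)
    if not exts:
        return "quarantine", "no extension, type cannot be determined"
    final = exts[-1]
    if final in BLOCKED_EXTENSIONS:
        return "block", f"executable or script type .{final}"
    if len(exts) >= 2 and exts[-2] in ALLOWED_EXTENSIONS:
        return "quarantine", f"double extension .{exts[-2]}.{final}"
    if final in ALLOWED_EXTENSIONS:
        return "allow", f"permitted type .{final}"
    return "quarantine", f"type .{final} is not on the allow-list"

def triage(filenames: List[str]) -> Dict[str, List[str]]:
    """Group a batch of attachment names by verdict."""
    groups: Dict[str, List[str]] = {"block": [], "quarantine": [], "allow": []}
    for name in filenames:
        verdict, _ = classify_attachment(name)
        groups[verdict].append(name)
    return groups

if __name__ == "__main__":
    # Constructed sample of attachment names as they might arrive in one day
    sample = ["Invoice.xlsx.scr", "Q1 report.PDF", "notes.docx.pdf",
              "setup.exe", "README", "lab results.csv", "scan.pdf        .exe"]
    for name in sample:
        print(f"{name!r:32} -> {classify_attachment(name)}")
```

Quarantine rather than outright block is used for the ambiguous cases (no extension, unknown type, document-then-document) so that a human can release a legitimate file, while anything whose final extension is a script or executable type is dropped regardless of what precedes it.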

Most important of all is to ensure data are backed up daily. Backups should be stored securely in the cloud. Local backups should be stored on air-gapped devices. Backup drives should not be left connected after backups have been performed. Backup drives can also be encrypted by ransomware.

Reporting Ransomware Attacks and Notifying Patients

HIPAA Rules require ransomware attacks to be reported if the protected health information of patients has been accessed or encrypted, unless the covered entity can demonstrate there was a low probability that patient data were compromised in an attack.

While some healthcare organizations have disclosed ransomware attacks, many are not reporting the incidents. The failure to report a ransomware attack and notify patients that their ePHI has been compromised can potentially result in financial penalties for noncompliance with HIPAA Rules.

To avoid a HIPAA penalty, a covered entity must be able to demonstrate there was a low probability of patient data being accessed or copied during an attack. The Department of Health and Human Services’ Office for Civil Rights released guidance for covered entities on ransomware infections last year. In the guidance, covered entities are advised of the steps that should be taken following a ransomware attack and the criteria for determining whether patient notifications must be issued. The guidance can be downloaded/viewed on this link.


WEDI Offers Healthcare Cybersecurity Tips to Improve Resilience Against Cyberattacks

WEDI, the Workgroup for Electronic Data Interchange, has issued a new white paper exploring some of the common cybersecurity vulnerabilities that are exploited by threat adversaries to gain access to healthcare networks and patient and health plan members’ protected health information.

The white paper – The Rampant Growth of Cybercrime in Healthcare – is a follow up to a primer released in 2015 that explored the anatomy of a cyberattack.

WEDI points out the seriousness of the threat faced by the healthcare industry. Cyberattacks are costing the healthcare industry around $6.2 billion each year, with the average cost of a healthcare data breach around $2.2 million.

Cyberattacks and other security incidents have risen sharply in recent years. More records are now being exposed than at any other time in history and the number of healthcare data incidents being reported reached record levels last year.

The Department of Health and Human Services’ Office for Civil Rights received 315 reports of major healthcare data breaches last year and recent research by Fortinet showed that in the final quarter of 2016, the U.S. healthcare industry was being attacked more than 700,000 times per minute.

The healthcare industry is in a unique position. Healthcare organizations hold data that is more valuable to cybercriminals than that held by other industries. Healthcare organizations also typically have much larger attack surfaces to defend and more attack vectors to block.

WEDI points out that “attack surfaces have multiplied as organizations cobbled together a health information technology (health IT) infrastructure comprised of new components, legacy hardware and antiquated software from multiple vendors.”

Yet while healthcare IT systems require increased investment, many healthcare organizations are relying on basic security tools to defend their networks and keep data secure. Those tools focus on “antivirus, malware and firewall vulnerabilities, but lack a deeper set of prevention, encryption, detection, authentication and protection strategies.”

In the report, WEDI explores the most common types of threat adversaries, their characteristics and the level of threat that each poses. The report also details the types of vulnerabilities and attacks that most commonly occur, including zero-day vulnerabilities in software, phishing, spear phishing and whaling attacks, and malicious software such as viruses, worms, malware and ransomware.

WEDI sought advice from industry stakeholders in roundtable discussions between November 2015 and April 2016 and identified best practices that can be adopted by healthcare organizations to mitigate risk and keep networks and data secure.

WEDI suggests a cultural change is required and healthcare cybersecurity must have a higher profile. That process should start by raising awareness and educating stakeholders of the unique threats faced by the healthcare industry and the cost of cyberattacks and other data breaches.

Cybersecurity must become a C-suite matter, not an area dealt with by IT departments. Strategies must be effectively planned and sufficient resources devoted to protecting networks from attack. WEDI suggests healthcare organizations should also adopt cybersecurity frameworks to improve resilience against cyberattacks and apply the lessons learned from other industries.


Snapshot of Healthcare Data Breaches in February 2017

The Protenus Breach Barometer healthcare data breach report for February includes some good news. Healthcare data breaches have not risen month on month, with both January and February seeing 31 data breaches reported.

The report offers some further good news. Healthcare hacking incidents fell in February, accounting for just 12% of the total number of breaches reported during the month. There was also a major fall in the number of healthcare records exposed or stolen. In January, 388,207 healthcare records were reported as being exposed or stolen. In February, the number fell to 206,151 – a 47% drop in exposed and stolen records. However, February was far from a good month for the healthcare industry.

IT security professionals have long been concerned about the threat from within, and last month clearly showed those fears are grounded in reality. February saw a major increase in the number of incidents caused by insiders. Insider breaches in February accounted for 58% of the total number of incidents reported for which the cause was known; double the number reported the previous month.

Insider wrong-doing was behind eight of the 18 incidents caused by insiders and nine were the result of errors by employees. One of the incidents could not be classified due to a lack of information about the exact nature of the breach.

Preventing insider breaches can be a major challenge for healthcare organizations, as can detecting breaches when they occur. Small to mid-sized organizations often do not have the resources to allow them to continuously monitor for the inappropriate accessing of healthcare records by employees. However, if continuous monitoring is not possible, covered entities must ensure that regular audits of access logs take place. Fast detection of improper access can greatly reduce the harm that those incidents cause. Regular reviews of access logs will also reduce the risk of an OCR HIPAA fine or settlement.

HIPAA requires covered entities to maintain access logs and regularly check for inappropriate ePHI access, although the frequency of those checks and audits is left to the discretion of the covered entity. The frequency of audits should be dictated by the results of an organization’s risk analysis.

Last month showed that while some healthcare organizations are complying with 45 CFR § 164.308(a)(5)(ii)(C) – log-in monitoring – and 45 CFR § 164.312(b) – Audit controls – and are keeping logs, they are failing on Section 45 CFR § 164.308(a)(1)(ii)(D) by not regularly conducting information system activity reviews.

One incident reported in February involved an employee improperly accessing ePHI for more than five years (2,103 days) before the improper access was detected. HIPAA Rules may not stipulate how frequently access logs should be checked, but it would be difficult to argue that a check every five years constituted ‘regular’.
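The information system activity review that 45 CFR § 164.308(a)(1)(ii)(D) requires can be a short, scheduled job rather than a continuous monitoring product. The following is an added example written for this article, not a HIPAA Journal or EHR-vendor tool: it reads ePHI access-log lines, flags accesses with no documented care relationship or made outside the user's shift, and reports how many days each flagged event sat unreviewed. The log format, the care-team table, the shift table and every log line are constructed.

```python
"""Periodic information-system activity review run over ePHI access-log
lines, illustrating the 45 CFR 164.308(a)(1)(ii)(D) point above. Example
written for this article, not a HIPAA Journal or EHR-vendor tool; the log
format, the care-team table, the shift table and every log entry are
constructed."""
import csv
from collections import Counter
from datetime import date, datetime
from io import StringIO
from typing import Dict, List, Set

# Constructed audit log: one line per ePHI access.
SAMPLE_LOG = """\
timestamp,user,patient,action
2012-01-09T10:15:00,rn_garcia,P1001,view
2012-01-09T10:20:00,rn_garcia,P1002,view
2012-01-09T23:40:00,clerk_smith,P2001,view
2012-01-10T09:05:00,clerk_smith,P2001,view
2012-01-11T14:30:00,dr_lee,P1001,update
2012-01-11T14:31:00,clerk_smith,P1001,view
2012-01-11T14:32:00,clerk_smith,P1003,view
"""

# Constructed care-team table: patients each user has a treatment or billing
# relationship with during the review period (drawn from scheduling/billing).
CARE_TEAM: Dict[str, Set[str]] = {
    "rn_garcia": {"P1001", "P1002", "P1003"},
    "dr_lee": {"P1001"},
    "clerk_smith": {"P2001"},
}

# Constructed shift windows (hours of the day, 24h clock) per user.
SHIFT_HOURS: Dict[str, range] = {
    "rn_garcia": range(7, 19),
    "dr_lee": range(7, 19),
    "clerk_smith": range(8, 17),
}

def parse_log(text: str) -> List[dict]:
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows

def review_access_log(text: str, review_date_iso: str) -> List[dict]:
    """One finding per access with no documented care relationship or made
    outside the user's shift. days_undetected shows how long the event sat
    in the log before a review looked at it, the metric behind the
    2,103-day case described above."""
    review_date = date.fromisoformat(review_date_iso)
    findings = []
    for row in parse_log(text):
        reasons = []
        if row["patient"] not in CARE_TEAM.get(row["user"], set()):
            reasons.append("no documented care relationship")
        if row["timestamp"].hour not in SHIFT_HOURS.get(row["user"], range(24)):
            reasons.append("outside scheduled shift")
        if reasons:
            findings.append({
                "user": row["user"],
                "patient": row["patient"],
                "when": row["timestamp"].isoformat(),
                "reasons": reasons,
                "days_undetected": (review_date - row["timestamp"].date()).days,
            })
    return findings

def findings_by_user(findings: List[dict]) -> Dict[str, int]:
    """Count findings per user so that a pattern (one clerk, many patients)
    stands out from a one-off error."""
    return dict(Counter(f["user"] for f in findings))

if __name__ == "__main__":
    results = review_access_log(SAMPLE_LOG, "2012-02-01")
    for finding in results:
        print(finding)
    print(findings_by_user(results))
```

Running the review monthly keeps days_undetected in the tens rather than the thousands; the care-team lookup is the part that needs real data from scheduling or billing, because an access log alone cannot say whether a view was appropriate.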

That was not the only long delay in detecting a breach. A second incident was also reported in February that took more than five years to detect (1,952 days). In that case the incident involved a system glitch that left ePHI exposed.

Overall, the breaches and security incidents reported in February took far longer to identify than those reported in January. It took an average of 478 days from the date the incident occurred to the date OCR was notified of the breach; that said, the average time was increased considerably by the two 5-year+ delays in detection. In January, the average time from the initial event to reporting was 174 days.

Breaches of electronic protected health information made up the bulk of incidents, although a third of incidents involved paper records, highlighting the importance of implementing physical controls to keep physical PHI secured.

While California usually tops the list for the number of incidents reported each month, this month Texas earned the title of the worst hit state with 4 reported breaches. California, Arizona, and New York shared second place with three incidents apiece.

Healthcare providers were the worst affected in February, accounting for 77% of the month’s incidents. Health plans reported 13% of breaches and business associates and vendors accounted for 3%. The remaining 3% were reported by other organizations.


NY State HIE Improves Care Quality and Operational Efficiency of Emergency Departments

A recent study of the Health Information Exchange adopted in New York State has shown the value of investing in an HIE and the positive impact it has on patient outcomes and operational efficiency.

Following considerable investment in the New York State HIE, patient stays have been reduced, the likelihood of readmission has fallen, as have the number of physicians needed to examine patients in emergency departments. The study has shown that quality of care has been improved along with operational efficiency, resulting in considerable cost savings and improved patient outcomes.

The study examined almost 86,000 emergency department encounters over a period of 19 months between July 1, 2012 and January 31, 2014 at four emergency departments linked to the HealthLinkNY Health Information Exchange.

During that time, there were 46,270 patient visits which were attended by 326 physicians. Emergency departments were selected for the study as they are high pressure environments where physicians are required to treat patients with a wide range of medical conditions and must gather information on patients as quickly as possible.

Dr. Demirezen, Assistant Professor of Operations and Supply Chain Management at SUNY Binghamton’s School of Management, was a co-author of the study. He explained one of the key benefits of the HIE was the amount of physicians’ time that was saved, “If the attending physician has a question, the answer might already exist in the patient’s medical record. Looking up the record in the HIE saves a lot of time.”

The study focussed on three areas to measure efficiency and healthcare delivery quality:

  • Length of stay
  • Readmission risk
  • Number of doctors seen by each patient

The study showed that following the adoption of the HIE there was a 7.04% decline in length of stays, a 4.5% reduction in the likelihood of readmission within 30 days, and a 12% drop in consultations by multiple physicians.

The average length of stay fell from 22 hours and 23 minutes to 20 hours and 48 minutes. The fall was explained by the reduction in the need for duplicate tests to be performed and the HIE allowing physicians to access information that can help them identify underlying causes and complications that could be contributing to patients’ condition.

Readmission rates were studied over a period of 60 days following discharge. The study looked at readmission to other healthcare facilities in the state, not just the emergency department where the patient was treated.

Physicians who encounter patients with medical conditions outside their area of expertise usually call on a specialist to evaluate the patient. However, access to the HIE allows physicians to check recent encounters with other physicians and specialists, reducing the need to call on specialists for second opinions in an emergency department setting.

It can take time for physicians to get used to using the HIE, but over time efficiency improves and they get better outcomes with experience. Dr. Demirezen said, “The conclusion we drew is that providers should actively promote and support clinician use of the HIE and invest time and effort into training them on its use.”

Christina Galanis, President and CEO of HealthlinkNY, explained the significance of the results of the ground-breaking study and the benefits of implementing an HIE, “Now providers have the evidence they need to make HIE use a priority for their organizations. The study proves that New York State’s visionary investment in HIEs is really paying off.”


Almost 18,000 Metropolitan Urology Patients Impacted by Ransomware Attack

Wauwatosa, WI-based Metropolitan Urology Group has recently discovered that a ransomware attack that affected two computer servers potentially resulted in the attackers gaining access to the protected health information of 17,634 patients.

The ransomware attack occurred on November 28, 2016, although it was initially unclear whether access to patients’ PHI had been gained by the attackers.

Metropolitan Urology Group contracted an international information technology company to perform a thorough analysis of the affected servers and its systems to determine the nature and extent of the attack.

On January 10, 2017, Metropolitan Urology Group was informed that patient data may have been accessed as a result of the infection. The firm was able to successfully remove the ransomware infection and restore the medical group’s systems.

Current patients are unaffected by the security breach. The data stored on the servers related to patients who had received medical services at the medical group’s facilities between 2003 and 2010.

The types of data that were potentially accessed include patients’ full names, procedural codes, dates of service, patient control numbers, patient account numbers and provider identification numbers. Only five of the 17,634 patients had their Social Security number stored on the servers.

When ransomware was detected, the servers were promptly isolated and external access was blocked. The medical group said it has now implemented ‘the best firewall and secure email system’, its information technology vendor – Digicorp – and its employees have all undergone further training on information security and a risk analysis is being performed to identify any further vulnerabilities in its IT systems to prevent future attacks. If any vulnerabilities are detected, rapid action will be taken to mitigate risk. Policies and procedures will also be updated to reflect technological changes that have been implemented in response to the attack.

All patients impacted by the incident have now been notified of the potential privacy breach by mail and have been offered 12 months of credit monitoring services without charge as a precaution against fraud and identity theft.


68% of Healthcare Organizations Have Compromised Email Accounts

Evolve IP has published the results of a new study that has revealed the extent to which healthcare email credentials are being compromised and sold on the dark web.

Email credentials are highly valuable to cybercriminals. A compromised email account can be plundered to obtain highly sensitive data and an email account can be used to gain access to healthcare networks.

63% of data breaches in the United States occur as a result of compromised email credentials and healthcare email credentials are being sold freely on the dark web.

Evolve used its Dark Web ID analysis technology for the study and reviewed 1,000 HIPAA covered entities and business associates. Evolve discovered 68% of those organizations had employees with visibly compromised email accounts. 76% of those compromised accounts included actionable password information and that information was freely available on the dark web.

Depending on the industry segment, between 55.6% and 80.4% of organizations had compromised email accounts. Medical billing and collections organizations fared the best, with 55.6% of organizations having at least one compromised account, while regional healthcare plans were the worst affected, with 80.4% of organizations having compromised email accounts.

Evolve points out that in many cases the passwords associated with the email accounts were outdated, but explained that even outdated passwords are valuable to hackers.

Passwords are often recycled, so an old password could allow a hacker to gain access to other online accounts. Evolve also says “hackers can create a user profile and determine a person’s new password fairly accurately by using simple guessing or sophisticated automated algorithms.” Even when passwords are hashed, hackers can crack the hash, conduct brute force attacks and use lookup, reverse lookup, and rainbow tables to guess the passwords.
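The defensive counterpart of the two points above (an old password is reused elsewhere or lightly varied into the "new" one, and an unsalted hash can be looked up) is to screen every proposed password at change time and to store it with a salted, iterated hash. The following is an added example written for this article, not Evolve IP's Dark Web ID or any other product; the breach corpus, the minimum-length value and the user's password history are constructed. Note that it compares only hashes of a password's normalized variants, so no previous password has to be kept in clear.

```python
"""Screening a proposed password against a breach corpus and against the
user's own previous passwords, the defensive counterpart of the recycling
and guessing points above. Example written for this article, not Evolve IP's
Dark Web ID or any other product; the breach corpus, the minimum length and
the user history are constructed."""
import hashlib
import hmac
import os
import re
from typing import Iterable, List, Set

MIN_LENGTH = 10  # constructed policy value

def sha1_hex(text: str) -> str:
    """Unsalted SHA-1 is used only for *lookup* against a breach corpus (the
    form in which such feeds publish hashes); it is never used for storage."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a feed of hashes seen in past breaches.
BREACHED_SHA1: Set[str] = {sha1_hex(p) for p in ("Summer2016!", "Welcome1", "Password123")}

_TRAILING = re.compile(r"[\d!@#$%^&*]+$")

def variants(password: str) -> Set[str]:
    """The first forms a guesser derives from a known password: case-folded,
    trailing digits/punctuation removed, common digit-for-letter swaps undone.
    Hashing these lets reuse be detected without keeping old passwords in clear."""
    lower = password.lower()
    unleet = lower.translate(str.maketrans("0143$@", "oiaesa"))
    forms = {password, lower, _TRAILING.sub("", password), _TRAILING.sub("", lower),
             unleet, _TRAILING.sub("", unleet)}
    return {v for v in forms if v}

def fingerprints(password: str) -> Set[str]:
    """Hashes of a password's variants, kept in the user's history at change time."""
    return {sha1_hex(v) for v in variants(password)}

def screen_password(candidate: str, previous_fingerprints: Iterable[str]) -> List[str]:
    """Return the reasons a candidate is unacceptable; an empty list means accept."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if sha1_hex(candidate) in BREACHED_SHA1:
        reasons.append("appears in breach corpus")
    if fingerprints(candidate) & set(previous_fingerprints):
        reasons.append("reuses or trivially varies a previous password")
    return reasons

def store_password(candidate: str, iterations: int = 200_000) -> dict:
    """Salted, iterated PBKDF2-HMAC-SHA256 record for storage. Unlike the
    unsalted lookup hash above, a per-user salt defeats lookup and rainbow
    tables and the iteration count slows brute force."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": iterations}

def verify_password(candidate: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

if __name__ == "__main__":
    history = fingerprints("Summer2016!")  # constructed: the user's old password
    for candidate in ("Summer2017!", "Password123", "correct-horse-battery-staple"):
        print(candidate, "->", screen_password(candidate, history) or "accepted")
```

The split between the two hash functions is the point: a plain SHA-1 is the right key for looking a value up in a published breach corpus, and exactly the wrong thing to keep in the credential store, which is why storage goes through a salted, slow key-derivation function instead.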

In the majority of cases, email accounts were compromised as a result of a data breach (55% of compromised accounts). While just 6% of compromised accounts were the result of a phishing attack, Evolve points out that equated to 450 separate email accounts that were compromised as a direct result of phishing attacks.

Preventing email compromise incidents is an essential part of any cybersecurity strategy. Evolve suggests three main methods that all healthcare organizations should embrace to reduce risk: Proactive threat intelligence, continuous security management, and rapid incident response and recovery.

By obtaining up to date threat intelligence, healthcare organizations can discover the latest vulnerabilities and threats before they are exploited by criminals. Continuous security management should involve real-time security analyses and infrastructure management, which will help healthcare organizations stay one step ahead of hackers.

Even if security best practices are adopted and the latest cybersecurity technologies are implemented, it will not be possible to prevent all security breaches. Organizations must therefore have the policies and procedures in place to ensure a quick recovery. Fast action following a security breach will limit the harm caused.

The EvolveIP Report can be found on this link.


Updated HIPAA Compliance Audit Toolkit Issued by AHIMA

Phase 2 of the Department of Health and Human Services’ Office for Civil Rights HIPAA compliance audits is now well underway. Late last year, covered entities were selected for desk audits and the first round of audits has now been completed. Now OCR has moved on to auditing business associates of covered entities.

At HIMSS17, OCR’s Deven McGraw explained that the full compliance audits, which were initially penciled in for Q1, 2017, are to be delayed. This gives covered entities more time to prepare.

The phase 2 HIPAA compliance desk audits were more detailed than the first phase of audits conducted in 2011/2012. The desk audits covered a broad range of requirements of the HIPAA Privacy, Security, and Breach Notification Rules, although they only consisted of a documentation check to demonstrate compliance.

The onsite audits will be much more thorough and will look much deeper into organizations’ compliance programs. Not only will covered entities be required to show auditors documentation demonstrating compliance with HIPAA Rules, OCR will be looking for evidence of HIPAA in action.

To help with the audit preparation process, the American Health Information Management Association (AHIMA) has updated its HIPAA audit readiness toolkit. The toolkit can be used by covered entities to assess their compliance efforts and determine whether they have all the necessary documentation, policies, and procedures in place to meet all Health Insurance Portability and Accountability Act requirements.

The new toolkit details the legal process of the HIPAA compliance audit program, OCR processes, and now incorporates the updated HIPAA audit protocol used by OCR in the second phase of the compliance audits.

The new toolkit contains HIPAA compliance checklists covering policies, procedures, and documentation that is likely to be requested by Office for Civil Rights auditors, together with a master policy template for the privacy and security rule compliance program.

AHIMA has also included tips and best practices that can be adopted by HIPAA-covered entities and their business associates to help them meet all of their responsibilities, along with a HIPAA audit preparation guide.

AHIMA members can access the HIPAA audit readiness toolkit free of charge in the HIM Body of Knowledge section of the AHIMA website or through its web store.

The onsite audits may have been delayed, but covered entities should ensure they are ready for an audit. Even if the audits slip into 2018 as hinted by McGraw, OCR still investigates all breaches of more than 500 records. In the event of a data breach, OCR will require evidence of compliance with HIPAA Rules and heavy fines await organizations found not to have complied with the HIPAA Privacy, Security and Breach Notification Rules.


87% of Healthcare Organizations will Adopt Internet of Things Technology by 2019

The healthcare industry is embracing Internet of Things technology. 60% of healthcare organizations have already introduced IoT into their infrastructure – the third highest adoption rate of any industry. According to a recent study by Hewlett Packard subsidiary Aruba, in just two years, 87% of healthcare organizations will have adopted Internet of Things technology.

The study revealed that the most common area where IoT is being utilized is for patient monitoring and maintenance. 73% of surveyed healthcare executives said they used IoT in this area, while 42% said this was the main use for IoT. The healthcare industry leads the way in this area with the highest adoption rate of any industry sector. 64% of respondents said they use IoT for patient monitors, 56% use IoT for energy meters, and 33% use IoT for imaging devices.

Remote operation and control was the second most common use of IoT, used by 50% of providers, while the third most common use is for location-based services, with adoption at 47%.

The benefits of IoT are clear. 80% of healthcare executives said IoT has improved innovation, 76% said visibility across their organization has improved, while 73% said they have enjoyed cost savings following the introduction of IoT.

57% of respondents believe workflow productivity will improve as a result of the adoption of IoT, resulting in considerable cost savings. 36% believe IoT will create new business models, while 27% said the use of IoT technology would improve collaboration with colleagues and patients.

However, there are disadvantages to introducing IoT. Adoption of IoT brings additional security risks, with healthcare organizations finding security a major headache. 89% of healthcare organizations that have adopted IoT said they have suffered a security breach as a result, while 49% said malware was an issue.

Even with the potential risks, healthcare organizations believe the benefits of Internet of Things technology outweigh the disadvantages.

While the benefits are considerable, any healthcare organization that has adopted IoT must implement appropriate safeguards to keep networks secure and prevent the devices from being used for malicious activities.

Chris Kozup, vice president of marketing at Aruba, said “If businesses do not take immediate steps to gain visibility and profile the IoT activities within their offices, they run the risk of exposure to potentially malicious activities.”
