Second Unencrypted Laptop Stolen from Rocky Mountain Health Care Services

Rocky Mountain Health Care Services of Colorado Springs has discovered an unencrypted laptop has been stolen from one of its employees. This is the second such incident to be discovered in the space of three months.

The latest incident was discovered on September 28. The laptop computer was discovered to contain the protected health information of a limited number of patients. The types of information stored on the device included first and last names, addresses, dates of birth, health insurance information, Medicare numbers, and limited treatment information.

The incident has been reported to law enforcement and patients impacted by the incident have been notified by mail.

Rocky Mountain Health Care Services, which also operates as Rocky Mountain PACE, BrainCare, HealthRide, and Rocky Mountain Options for Long Term Care, also discovered on June 18, 2017 that a mobile phone and laptop computer were stolen from a former employee. The devices contained names, dates of birth, addresses, limited treatment information, and health insurance details.

To date, only one of those incidents has appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal. That incident, reported on November 16, indicates 909 patients were impacted. It is unclear whether this is the first or second laptop theft.

In response to the breaches, Rocky Mountain Health Care Services has been reviewing its policies and procedures with respect to the security of patient information and portable electronic devices, and is considering incorporating mobile device management technologies and data encryption for its portable electronic devices.

As the Office for Civil Rights breach portal shows, the loss and theft of unencrypted portable electronic devices is still a major cause of healthcare data breaches, and one that the use of data encryption technologies can easily prevent. So far in 2017, there have been 31 breaches reported by covered entities and business associates that have involved the loss or theft of unencrypted laptop computers and other portable electronic devices.

The post Second Unencrypted Laptop Stolen from Rocky Mountain Health Care Services appeared first on HIPAA Journal.

9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack

A Medical College of Wisconsin phishing attack has resulted in the exposure of approximately 9,500 patients’ protected health information. The attackers managed to gain access to several employees’ email accounts, which contained a range of sensitive information of patients and some faculty staff.

The types of information in the compromised email accounts included names, addresses, medical record numbers, dates of birth, health insurance details, medical diagnoses, treatment information, surgical information, and dates of service. A very limited number of individuals also had their Social Security numbers and bank account information exposed.

The incident occurred over the space of a week in the summer between July 21 and July 28 when spear phishing emails were sent to specific individuals at the Medical College of Wisconsin. Responding to those emails resulted in the attackers gaining access to email login credentials.

Medical College of Wisconsin brought in a computer forensics firm to conduct an investigation into the phishing attack, and while that investigation established that access to the email accounts was gained by unauthorized individuals, it was not possible to determine whether emails containing protected health information had been accessed or viewed, or if any sensitive information was stolen. Since the attack occurred, no reports of misuse of patient information have been received.

To protect individuals against identity theft and fraud, credit monitoring and identity theft restoration services have been offered to breach victims free of charge, but only to those individuals whose Social Security numbers were compromised.

Medical College of Wisconsin reports that in addition to some faculty staff and Medical College of Wisconsin patients, some individuals who received treatment at Children’s Hospital of Wisconsin and Froedtert Health have also been impacted by the breach.

The latest Medical College of Wisconsin phishing attack comes just 10 months after a similar incident resulted in the exposure of 3,200 patients’ protected health information.


November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches

Protenus has released its November 2017 Healthcare Breach Barometer Report. After a particularly bad September, healthcare data breach incidents fell to more typical levels, with 37 breaches tracked in October.

The monthly summary of healthcare data breaches includes incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), and incidents announced via the media and tracked by

Those incidents include several breaches that have yet to be reported to OCR, including a major breach that has impacted at least 150,000 individuals; the actual number of individuals impacted will not be known until the investigation has been completed. The numbers of individuals impacted by 8 breaches have not yet been disclosed.

Including the 150,000 individuals impacted by the largest breach of the month, there were 246,246 victims of healthcare data breaches in October 2017 – the lowest monthly total since May 2017.

The healthcare industry has historically recorded a higher than average number of data breaches due to insiders, although over the past few months hacking has been the leading cause of breaches. That trend continued in October. Hacking was behind 35.1% of all incidents, insider incidents accounted for 29.7% of the total, and the loss and theft of devices was behind 16.2% of incidents. The causes of the remaining 18.9% of breaches are not yet known.

While hacking incidents usually result in more records being exposed or stolen, in October insider errors exposed more healthcare data. 65% of all breached records involved insider errors.

157,737 individuals had their PHI exposed due to insider errors and insider wrongdoing, while hacks resulted in the theft of 56,837 individuals’ PHI. Protenus notes that three incidents were due to the hacking group TheDarkOverlord.

In total, there were 11 breaches that were the result of insiders – five due to errors and six due to insider wrongdoing. The biggest breach involving insider error was the failure to secure an AWS S3 bucket, resulting in the exposure of 316,363 PDF reports containing the PHI of at least 150,000 individuals. It was one of two such incidents reported in October that involved unsecured AWS S3 buckets.

Another insider incident involved the mailing of flyers to individuals where PHI was visible through the envelope – a major incident that potentially caused considerable harm, as the information viewable related to patients’ HIV status.

The average time taken from breach to discovery was 448 days in October. The median time was 304 days, showing healthcare organizations are still struggling to detect data breaches rapidly.

Two HIPAA-covered entities reported breaches to OCR well outside the 60-day deadline stipulated in the HIPAA Breach Notification Rule. One of those incidents was reported three years after the breach was detected. In that case, the breach involved a nurse who was stealing patient records and using the information to file false tax returns. The median time from discovery to reporting was 59 days.

Healthcare providers reported 29 incidents, health plans reported 7 incidents, and one breach was reported by a school. Four incidents were known to involve a business associate.

California and Florida were the worst hit states in October with four incidents apiece, followed by Texas and New York.


PCI and HIPAA Compliance Comparison

For organizations in healthcare-related industries that both have access to PHI and accept credit card payments, a PCI and HIPAA compliance comparison can help find overlaps and similarities in their compliance obligations. These overlaps and similarities can assist organizations with their risk assessments, helping them avoid duplication of effort and better mitigate the risk of a data breach.

In this comparison between PCI compliance and HIPAA compliance, we have used the PCI Data Security Standard v3.2 as our reference. Readers are advised to review the PCI Security Standards website periodically for updates to the Data Security Standard that may affect the accuracy of this PCI and HIPAA compliance comparison.

PCI and HIPAA Compliance Comparison – Introduction

The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that accepts credit card payments, or that stores, processes or transmits cardholder data and/or sensitive authentication data. Similarly, the Health Insurance Portability and Accountability Act (HIPAA) applies to any organization that creates, stores, processes or transmits Protected Health Information.

As will be demonstrated in our PCI and HIPAA compliance comparison, there are many similarities between the PCI DSS and the physical, technical and administrative safeguards of the HIPAA Security Rule. In fact, by complying with some of the PCI compliance requirements (e.g. the encryption of data), organizations will automatically be complying with the encryption requirements within HIPAA.

PCI DSS Compliance Requirements

The current version of the PCI Data Security Standard (v3.2) contains twelve compliance requirements. These mirror security best practices that should be present in any organization managing sensitive data, and that should minimize the likelihood of a data breach through a combination of security mechanisms and security policies. The twelve requirements (with HIPAA compliance comparisons) are:

Install and maintain a firewall configuration to protect cardholder data.

Although the HIPAA Security Rule is “technology neutral”, a suitable firewall or UTM appliance should be the first line of defense against hackers and malicious software attempting to obtain Protected Health Information (PHI). In May 2013, Idaho State University was fined $400,000 for network security inadequacies that included the disconnection of a firewall protecting the ePHI of 17,500 patients.

Do not use vendor-supplied defaults for system passwords and other security parameters.

In HIPAA, passwords are covered within §164.308 of the Security Rule’s administrative safeguards. Individually identifiable passwords are not only required for monitoring access to ePHI, but training should be given to network users about creating complex passwords (to mitigate the risk of brute force attacks) and changing them as often as found necessary by the organization’s risk assessment.

Protect stored cardholder data.

Most organizations subject to HIPAA regulations will be aware they have an obligation to protect stored patient data, not only against unauthorized disclosure, but also against unauthorized amendment and deletion. Organizations should implement whatever security mechanisms are necessary to protect ePHI – whether it is stored on servers, mobile devices or in the cloud.

Encrypt transmission of cardholder data across open, public networks.

Although the HIPAA encryption requirements are an “addressable” safeguard of the Security Rule, there are very few justifiable circumstances in which data encryption is not required. Should an organization fail to encrypt ePHI at rest and in transit, it has to record the reasons why in its risk assessments or obtain permission from individuals to store and communicate their PHI without it being encrypted.

Protect all systems against malware and regularly update antivirus software and programs.

A malware infection is regarded as a security incident under §164.304 of the HIPAA Security Rule and, once the infection is detected, organizations must initiate a security incident and response procedure. If there is the likelihood ePHI has been compromised, the incident must be reported to HHS OCR. Ideally, all systems should be protected against malware with the most suitable mechanisms to mitigate risk.

Develop and maintain secure systems and applications.

In a healthcare environment, this relates not only to electronically stored ePHI, but also to physical PHI maintained in paper format or on other media. The PCI requirement to develop and maintain secure systems and applications is an accurate description of all the requirements in the Security Rule’s technical, physical and administrative safeguards.

Restrict access to cardholder data by business need to know.

This PCI requirement is strikingly similar to the HIPAA Privacy Rule’s “minimum necessary” rule, which stipulates organizations must make reasonable efforts to limit the disclosure of PHI to the minimum amount necessary in order to accomplish the intended purpose of the use, disclosure or request. This is particularly appropriate when Covered Entities are sharing PHI with Business Associates.

Identify and authenticate access to system components.

This wide-ranging requirement of PCI – when put into the context of a PCI and HIPAA compliance comparison – can mean everything from implementing secure messaging on mobile devices to implementing access controls to cloud-based data storage facilities. A comprehensive risk assessment will identify which system components require access and authentication controls.

Restrict physical access to cardholder data.

This standard could be interpreted as restricting physical access to ePHI as required by the HIPAA Security Rule §164.310. However, it could also be interpreted as preventing unauthorized personnel from viewing ePHI displayed on a computer monitor or EHR. Organizations should interpret this requirement with relevance to their own specific circumstances and record their conclusions in a risk assessment.

Track and monitor all access to network resources and cardholder data.

With regard to electronically stored ePHI, this has a close similarity with the “addressable” validation procedures of the HIPAA Security Rule and the password management requirement. Password management and monitoring tools are available to assist compliance with this requirement; and, unless the tools are storing ePHI, no Business Associate Agreement needs to be in place to use them.

Regularly test security systems and processes.

Although the HIPAA Security Rule does not stipulate how frequently risk assessments should be conducted, the Office of the National Coordinator recommends security systems and processes should be tested at least once a year, and whenever new technology is implemented or work practices change. If an organization is applying for Meaningful Use incentive payments, an annual test is required anyway.

Maintain a policy that addresses information security for all personnel.

As the HIPAA Security Rule stipulates that policies must be created to demonstrate how organizations comply with each of the technical, physical and administrative safeguards, it is highly likely that HIPAA Covered Entities have already created a policy to address information security. It is also important that a sanctions policy is implemented in order to advise users of the penalties for non-compliance.

PCI and HIPAA Compliance – Conclusion

Although there are many similarities between PCI and HIPAA compliance, an organization that complies with one set of regulations does not necessarily comply with the other. For example, a HIPAA-compliant organization may have a justifiable and documented reason to avoid data encryption. The lack of encrypted data would make the organization non-compliant with PCI.

Furthermore, in the same way as different states have different laws that can influence how some HIPAA requirements are implemented, each payment card brand (Visa, Mastercard, American Express, etc.) also has its own program for compliance, validation and enforcement. Organizations are advised to research each brand’s requirements to complement their PCI compliance, and review our “HIPAA Compliance Guide” for further information on the HIPAA-related points listed above.


Suspected Phishing Attack on UPMC Susquehanna Exposes 1,200 Patients’ PHI

UPMC Susquehanna, a network of hospitals and medical centers in Williamsport, Wellsboro, and Muncy in Pennsylvania, has announced that the protected health information of 1,200 patients has potentially been accessed by unauthorized individuals. Access to patient information is believed to have been gained after an employee responded to a phishing email.

While details of the breach date have not been released, UPMC Susquehanna says it discovered the breach on September 21, when an employee reported suspicious activity on their computer. An investigation was launched, which revealed unauthorized individuals had gained access to that individual’s device.

It is not known whether the attacker viewed, stole, or misused any patient information, but the possibility of data access and misuse could not be ruled out. The information potentially accessed includes names, contact information, dates of birth, and Social Security numbers.

The individuals potentially impacted by the incident had previously received treatment at various UPMC Susquehanna hospitals including Muncy Valley Hospital, UPMC Susquehanna Lock Haven, Sunbury Community Hospital, Soldiers and Sailors Memorial Hospital in Wellsboro, Williamsport Regional Medical Center and Divine Providence Hospital in Williamsport.

UPMC Susquehanna responded quickly to the breach, terminating unauthorized access. Staff have also been provided with “intensive retraining” on hospital policies and appropriate federal and state laws to prevent any recurrence. UPMC Susquehanna stated this training was in addition to the annual training sessions already provided to all staff members on the privacy and confidentiality of patient health information. UPMC Susquehanna has also conducted a complete review of its policies and procedures for keeping patient information secure.

All patients impacted by the incident have been offered complimentary identity theft protection services and have now received notifications in the mail. Patients have also received instructions on the steps they can take to protect their accounts and credit in case their information is misused.


Is Slack HIPAA Compliant?

Slack is a powerful communication tool for improving collaboration, but is Slack HIPAA compliant? Can Slack be used by healthcare organizations for sharing protected health information without risking a HIPAA violation?

Is Slack HIPAA Compliant?

There has been considerable confusion about the use of Slack in healthcare and whether Slack is HIPAA compliant.

Since its launch, Slack has not been HIPAA compliant, although steps have been taken to develop a version of the platform that can be used by healthcare organizations. That version is called Slack Enterprise Grid.

Earlier this year, Geoff Belknap, Chief Security Officer at Slack, said “our team has spent over a year investing our time and effort into meeting the rigorous security needs of our customers who work in highly regulated industries.”

Slack Enterprise Grid was announced at the start of 2017. Slack Enterprise Grid is not the same as Slack. It has been built on different code, and has been developed specifically for use by companies with more than 500 employees.

Slack Enterprise Grid incorporates several security features that support HIPAA compliance. Those features include data encryption at rest and in transit, customer message retention to create an audit trail, and support for data loss prevention to ensure that audit trail is maintained.

Slack Enterprise Grid creates detailed access logs, and administrators can remotely terminate connections and sign users out from all connected devices. Team owners can delete all customer data within 24 hours – useful for when users leave the company. Slack also includes team-wide two-factor authentication, creates offsite backups, and is compliant with NIST standards, as well as SOC2 and SOC3.

As Slack explains on its website, “Slack Enterprise Grid customers in regulated industries can benefit from our DLP and eDiscovery support to become HIPAA and FINRA compliant.”

So is Slack HIPAA compliant? No. Is Slack Enterprise Grid HIPAA compliant? It can be.

However, before Slack Enterprise Grid can be used by healthcare organizations for any activities involving PHI, there is the matter of the HIPAA business associate agreement (BAA).

Will Slack Sign a Business Associate Agreement?

A business associate agreement must be signed with a company prior to its platform being used to send or receive protected health information (PHI). As Slack points out on its website, “Customer must not use, disclose, transmit or otherwise process any ‘Protected Health Information’ as defined in HIPAA.”

Slack also states that, “Unless Customer has entered into a written agreement with Slack to the contrary, Customer acknowledges that Slack is not a ‘Business Associate’,” suggesting Slack is prepared to sign a BAA for Slack Enterprise Grid.

However, the BAA is not universally offered and is not available on the Slack website. Healthcare organizations considering using Slack Enterprise Grid must contact Slack and request a copy, and scrutinize the BAA – if one is offered.

With a signed BAA, healthcare organizations must then carefully configure the platform. An audit trail must be maintained, user logins carefully set up, policies and procedures developed covering the use of the platform, and staff must be trained. The eDiscovery function must also be activated.

Even with a BAA in place, it will still be possible for Slack Enterprise Grid to be used in a manner that is not HIPAA compliant.
