Social Engineering Campaign Targets Hospital IT Helpdesks
Warnings have been issued by the American Hospital Association (AHA) and the Health Sector Cybersecurity Coordination Center (HC3) about a social engineering campaign that targets IT helpdesks at U.S. hospitals. According to the AHA, the campaign uses the stolen identities of revenue cycle employees or employees in other sensitive financial roles. The threat actor contacts the IT helpdesk and uses stolen personally identifiable information to answer security questions posed by IT helpdesk staff. Once the threat actor has navigated the questions, they request a password reset and ask to enroll a new device, often with a local area code, to receive multi-factor authentication (MFA) codes.
Once the new device has been enrolled, the threat actor logs into the user’s account and passes the MFA check, because the MFA code is now sent to the newly registered device. The AHA warns that these attacks can also bypass phishing-resistant MFA. The main purpose of the campaign appears to be to divert legitimate payments. Once access has been gained to an employee’s email account, payment instructions are changed with payment processors, resulting in fraudulent payments to U.S. bank accounts. Access may also be used to install malware on the network.
HC3 is aware of this social engineering campaign and said IT helpdesks are told that the user has broken their phone so they cannot receive any MFA codes. The helpdesk is provided with the last four digits of the target employee’s social security number (SSN), corporate ID number, and demographic details to pass security checks. HC3 suggests the information is likely to have been obtained from publicly available sources such as professional networking sites and/or past data breaches. The tactics in the campaign mirror those used by a threat group known as Scattered Spider (UNC3944). Scattered Spider claimed responsibility for a similar campaign targeting the hospitality and entertainment industry, which led to BlackCat ransomware being used to encrypt files on the network. Ransomware is not believed to have been used in the campaign targeting the healthcare sector and it is unclear which threat group is behind the campaign.
The AHA was first made aware of the campaign in January 2024 and issued a warning to hospitals. The warning has now been reissued due to an uptick in incidents. “The risk posed by this innovative and sophisticated scheme can be mitigated by ensuring strict IT help desk security protocols, which at a minimum require a call back to the number on record for the employee requesting password resets and enrollment of new devices,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “Organizations may also want to contact the supervisor on record of the employee making such a request. In addition, a video call with the requesting employee might be initiated and a screenshot of the employee presenting a valid government-issued ID be captured and preserved.” One large health system has changed its policies and procedures following a successful attack and now requires employees to visit the IT helpdesk in person in order to change their password or register a new device.
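An added example (not code from the AHA, HC3 or HIPAA Journal) of how a helpdesk ticketing system could encode the verification steps described above: any password reset or new-device enrollment is held until a callback to the number on record has been completed, and requests that match the campaign's pattern (a financial role, a reset plus a new MFA device in one call, a claim that the current phone is unusable, a new number that differs from the record) additionally need supervisor or video-ID confirmation. The employee directory, role list and ticket contents are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample directory (hypothetical employees): what the helpdesk has on record.
DIRECTORY = {
    "E1001": {"role": "revenue cycle", "phone_on_record": "+1-555-0100", "supervisor": "E2001"},
    "E1002": {"role": "nursing", "phone_on_record": "+1-555-0101", "supervisor": "E2002"},
}
SENSITIVE_ROLES = {"revenue cycle", "accounts payable", "payroll", "finance"}
CREDENTIAL_ACTIONS = {"password_reset", "enroll_mfa_device"}
# Phrases matching the pretext HC3 describes: the caller says the MFA device cannot be used.
DEVICE_LOSS_PHRASES = ("broke", "broken", "lost", "new phone", "can't receive", "cannot receive")


@dataclass
class HelpdeskRequest:
    employee_id: str
    actions: set                        # e.g. {"password_reset", "enroll_mfa_device"}
    stated_reason: str
    new_device_number: Optional[str] = None
    # Out-of-band checks the agent has actually completed: "callback", "supervisor", "video_id".
    # Knowledge-based answers (SSN-4, employee ID, demographics) are deliberately not in this
    # set: the campaign answers those questions with stolen PII.
    verified_by: set = field(default_factory=set)


def assess_request(req: HelpdeskRequest, directory=DIRECTORY):
    """Return ("proceed" | "hold", flags). Flags prefixed "missing:" name the
    verification step still required before the agent may act."""
    rec = directory.get(req.employee_id)
    if rec is None:
        return "hold", ["unknown_employee"]
    flags = []
    credential_change = bool(req.actions & CREDENTIAL_ACTIONS)
    if rec["role"].lower() in SENSITIVE_ROLES:
        flags.append("sensitive_financial_role")
    if CREDENTIAL_ACTIONS <= req.actions:
        flags.append("reset_plus_new_device_in_one_request")
    reason = req.stated_reason.lower()
    if "enroll_mfa_device" in req.actions and any(p in reason for p in DEVICE_LOSS_PHRASES):
        flags.append("claims_mfa_device_unavailable")
    if req.new_device_number and req.new_device_number != rec["phone_on_record"]:
        flags.append("new_number_differs_from_record")

    missing = []
    # AHA minimum: a callback to the number on record, never to a number the caller supplies.
    if credential_change and "callback" not in req.verified_by:
        missing.append("callback_to_number_on_record")
    # Any campaign indicator on a credential change also needs a second, independent check.
    if credential_change and flags and not (req.verified_by & {"supervisor", "video_id"}):
        missing.append("supervisor_or_video_id")
    decision = "hold" if missing else "proceed"
    return decision, flags + ["missing:" + m for m in missing]


if __name__ == "__main__":
    ticket = HelpdeskRequest("E1001", {"password_reset", "enroll_mfa_device"},
                             "I broke my phone so I cannot receive the MFA codes", "+1-555-0199")
    print(assess_request(ticket))
```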
You can view the HC3 alert and recommended mitigations here.
The post Social Engineering Campaign Targets Hospital IT Helpdesks appeared first on HIPAA Journal.
HIPAA Compliance for Email
Standards relevant to HIPAA compliance for email appear throughout the HIPAA Administrative Simplification Regulations – from the applicability and preemption standards of Part 160 (the General Requirements) to the privacy, security, and breach notification standards of Part 164. Due to the potential complexities of HIPAA email compliance, this article discusses:
- Who do the HIPAA email rules apply to?
- Preemptions and exclusions to HIPAA email compliance
- HIPAA email policies and the Privacy Rule
- Security standards for HIPAA compliant email
- What are the HIPAA email encryption requirements?
- HIPAA compliance for email breach notifications
Who do the HIPAA Email Rules Apply to?
The HIPAA email rules apply to individuals and organizations that qualify as HIPAA covered entities or business associates. Most – but not all – health plans, health care clearinghouses, and healthcare providers qualify as HIPAA covered entities, while third party service providers to covered entities qualify as business associates when the service provided for or on behalf of a covered entity involves uses or disclosures of Protected Health Information (PHI).
However, the HIPAA email rules only apply to HIPAA covered entities and business associates when PHI is created, received, stored, or transmitted by email. If – for example – a covered entity sends an email that does not include PHI, the standards relevant to HIPAA compliance for email do not apply. Similarly, if a prospective patient submits a contact form by email that does not include PHI, the HIPAA email rules do not apply to the contact form or the email.
Preemptions and Exclusions to HIPAA Email Compliance
In all applications of HIPAA, the HIPAA Rules apply unless a provision of state law has more stringent requirements or provides more individual rights than the equivalent HIPAA standard. This is relevant to HIPAA email compliance because, in 2008, the Department of Health and Human Services (HHS) issued guidance stating:
“Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume […] that e-mail communications are acceptable to the individual.”
However, several subsequently passed state laws have adopted “affirmative opt-in” requirements. These requirements mean a covered entity or business associate must obtain an individual’s clear consent before communicating with them by email. States in which these requirements preempt HIPAA include Connecticut, Colorado, Texas, Tennessee, Virginia, Utah, Montana, Iowa (from January 2025), and Indiana (from January 2026).
In addition, under §164.522(b) of the Privacy Rule individuals have the right to request confidential communications by alternative means. If the requests are reasonable, covered entities are required to comply with them – even if this means covered entities cannot comply with the HIPAA email compliance requirements. In such circumstances, covered entities should warn individuals of the risks, request written consent, and document both the warning and the consent.
HIPAA Email Policies and the Privacy Rule
Many sources of information discussing HIPAA compliance for email tend to focus on the requirements of the Security Rule. However, it is important not to overlook Privacy Rule compliance requirements. The Privacy Rule is relevant because it defines what is considered PHI under HIPAA and lists the permissible uses and disclosures of PHI – important standards when developing HIPAA email policies for members of the workforce.
HIPAA email policies should be covered in general HIPAA training rather than in security awareness training because of the frequency with which members of the workforce may email patients, each other, or members of other covered entities’ workforces. The provision of training on HIPAA email policies will benefit general HIPAA compliance as members of the workforce will be more conscious of requirements such as the minimum necessary standard.
Other areas of the Privacy Rule which may influence HIPAA compliance for email include the requirements for Business Associate Agreements. The Privacy Rule requirements (in §164.502 and §164.504) stipulate what must be included in a Business Associate Agreement for the Agreement to be in compliance with HIPAA, whereas the standards relating to Business Associate Agreements in the Security Rule just require that an Agreement is in effect.
Security Standards for HIPAA Compliant Email
The security standards for HIPAA compliant email require covered entities and business associates to implement access controls, audit controls, integrity controls, ID authentication, and transmission security mechanisms. This is in order to restrict access to PHI, monitor how PHI is communicated via email, ensure the integrity of PHI at rest, ensure 100% message accountability, and protect PHI from unauthorized access during transit.
In addition, if PHI is stored in emails, covered entities and business associates should adopt an email archiving and retention system that ensures they are able to respond to individuals’ access requests and Accounting of Disclosure requests within the timeframe specified under the Privacy Rule (currently 30 days). This may require the adoption of an external HIPAA compliant archiving and retention service in addition to a HIPAA compliant email provider.
As well as the implementation specifications mentioned above, some requirements – such as maintaining an audit trail and preventing the improper modification of PHI – can be complex to resolve. So, although email systems can be compliant at a point in time, ongoing compliance may require significant IT resources and a continuing monitoring process to ensure authorized users are communicating PHI in adherence with HIPAA email policies.
What are the HIPAA Email Encryption Requirements?
The HIPAA email encryption requirements are that a mechanism must be implemented to encrypt and decrypt electronic PHI at rest, and technical security measures must be implemented to guard against unauthorized access to electronic PHI transmitted over a communications network. Although these are “addressable” implementation specifications, they must be implemented unless equally effective measures are implemented in their place.
Due to technological advances, the encryption mechanisms and security measures that existed when the Security Rule was first published are long out of date (for example, the DES algorithm). Covered entities and business associates are advised to follow the latest guidelines on electronic mail security published by the National Institute of Standards and Technology (NIST) which, in the context of HIPAA compliance for email, can be found in SP 800-45 Version 2.
While the NIST guidelines clarify the HIPAA email encryption requirements, they can raise challenges about which type(s) of encryption to adopt. For example, TLS encrypts the communication channel while emails are in transit between servers, but not the content of the email itself, which remains readable on every server it passes through; S/MIME encrypts the content of the email end to end, which also makes any malware inside the message invisible to email filters. In many cases, it may be necessary to adopt more than one type of encryption mechanism or security measure.
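An added example (not from the article, NIST or HHS) of how the two layers of protection discussed above can be audited on a received message: each Received header is checked for a TLS-protected hop (ESMTPS and related protocol names, or a version=TLS clause), and the Content-Type is checked for S/MIME enveloped data, which is what protects the content itself. Both sample messages, their hostnames and the S/MIME body are constructed; the base64 body is a placeholder, not a real CMS structure.

```python
import email
import re

# Constructed sample (not a real capture). The older hop (listed second) reached the
# clinic's MX without TLS; the newer hop to the health plan used TLS 1.3.
PLAIN_SAMPLE = b"""Received: from mx.example-clinic.test (mx.example-clinic.test [192.0.2.10])
\tby inbound.example-plan.test with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 1 Apr 2024 10:00:00 +0000
Received: from workstation.example-clinic.test ([198.51.100.7])
\tby mx.example-clinic.test with ESMTP id def456;
\tMon, 1 Apr 2024 09:59:58 +0000
From: billing@example-clinic.test
To: claims@example-plan.test
Subject: Statement
Content-Type: text/plain

Patient statement attached.
"""

# Constructed S/MIME sample: one TLS hop, and the content itself is CMS enveloped data.
SMIME_SAMPLE = b"""Received: from mx.example-clinic.test by inbound.example-plan.test with ESMTPS id xyz789;
\tMon, 1 Apr 2024 10:05:00 +0000
From: billing@example-clinic.test
To: claims@example-plan.test
Subject: Statement
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
"""

# "from <host> ... by <host> ... with <protocol>" as MTAs write it (RFC 5321 trace fields).
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)
# Protocol names that imply STARTTLS/TLS: ESMTPS, ESMTPSA, SMTPS, UTF8SMTPS, UTF8SMTPSA.
TLS_PROTO_RE = re.compile(r"^(E|UTF8)?SMTPSA?$", re.I)
ENVELOPED_TYPES = ("application/pkcs7-mime", "application/x-pkcs7-mime")


def audit_message(raw: bytes) -> dict:
    """Report per-hop transport protection and whether the content is S/MIME-encrypted."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue                       # unparseable trace field: leave it out of the report
        sender, receiver, proto = m.groups()
        tls = bool(TLS_PROTO_RE.match(proto)) or "version=TLS" in value
        hops.append({"from": sender, "by": receiver, "with": proto, "tls": tls})
    content_encrypted = (msg.get_content_type() in ENVELOPED_TYPES
                         and msg.get_param("smime-type") == "enveloped-data")
    return {"hops": hops,
            "all_hops_tls": bool(hops) and all(h["tls"] for h in hops),
            "content_encrypted": content_encrypted}


def plaintext_hops(raw: bytes) -> list:
    """Hops on which the message crossed the network without channel encryption."""
    return [h["from"] + " -> " + h["by"] for h in audit_message(raw)["hops"] if not h["tls"]]


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("smime", SMIME_SAMPLE)):
        print(name, audit_message(sample), plaintext_hops(sample))
```

Note that a message can pass the TLS check on every hop and still fail the content check: that is the gap the article's TLS-versus-S/MIME comparison describes.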
HIPAA Compliance for Email Breach Notifications
Even when a covered entity or business associate has implemented all the required safeguards to support HIPAA compliance for email, it is still necessary to be aware of the breach notification requirements. §164.404(d) of the HIPAA Breach Notification Rule requires notifications to be sent to individuals by first class mail. It is only possible to notify individuals by email if they previously consented to receive “electronic notifications”.
The wording of the standard implies that, if an individual has affirmatively opted in to receive emails or requested communications by email, the document(s) used to obtain consent should note that the consent includes electronic notifications. If the consent document does not include the electronic notification requirement – or a notification email is sent to individuals who have not previously consented – this may be considered a HIPAA violation.
HIPAA compliance for email breach notifications is just one example of how covered entities and business associates can fall foul of the HIPAA email rules due to the potential complexities of HIPAA email compliance. If your organization is unsure of its HIPAA compliance for email, or requires assistance in adopting the necessary measures to comply with HIPAA, it is recommended you seek advice from a compliance professional.
HIPAA Compliance for Email FAQs
Why is it important to encrypt emails?
It is important to encrypt emails because unencrypted emails are sent from sender to recipient in plain text. During the communication process, they “rest” on various servers and could be read by any man-in-the-middle technology in the same way as email filters read emails to look for spam. Encrypting emails so they are unreadable by unauthorized persons is the best way to maintain the confidentiality of PHI.
Do I need to sign a BAA with my email service provider?
You do need to sign a BAA with your email service provider because email service providers have “persistent access” to ePHI, even when an email is encrypted. Please note that not all email services are willing to sign a BAA. For example, most free services will require you to subscribe to a business email service before entering into a BAA.
Is consent necessary to send PHI by email?
In most states, consent is not necessary to send PHI by email to patients, but it is recommended. HHS’ guidance states that if an individual provides a health care provider with an email address or initiates a communication by email, consent is implied. However, individuals should be warned of the risks of communicating PHI by email and the warning should be documented. In all other cases, consent should be sought before communicating PHI by email to patients.
What are the risks of communicating PHI by email?
There are several risks of communicating PHI by email other than the risks of unencrypted emails being intercepted. For example, emails sent to a patient may be viewed by family members if a patient leaves their mobile phone unattended, or by work colleagues if the email is sent to a work email address. Depending on the content of the email, this could be interpreted as a breach of individuals’ rights if consent has not been previously obtained.
What training do employees require regarding HIPAA compliance for email?
As well as email basics – such as checking that the email address is correct before clicking the send button – employees should be reminded that, even when emails are encrypted, the content of the email has to comply with the Privacy Rule standards relating to permissible uses and disclosures and the Minimum Necessary Rule.
What are the HIPAA email rules for access and message accountability?
The HIPAA email rules for access and message accountability appear throughout the Administrative and Technical Safeguards of the Security Rule. These include (but are not limited to) unique user identifiers, login monitoring, access reports, automatic log-off, encryption, email backup/archiving, and the termination of credentials when a member of the workforce leaves.
Is email HIPAA compliant?
Email is HIPAA compliant provided all the necessary safeguards are in place to ensure the confidentiality, integrity, and availability of PHI, a Business Associate Agreement is signed with the email service provider, and members of the workforce are trained on email best practices to mitigate the risk of an email being misdirected. If communicating with a patient or plan member via email, it is also a best practice to obtain the recipient’s written consent before sending PHI by email.
What are the HIPAA email requirements?
The HIPAA email requirements (according to HHS guidance) are to apply reasonable safeguards when emailing PHI, comply with the minimum necessary standard, and ensure the transmission of electronic PHI is in compliance with the Security Rule. The guidance does not mention entering into a Business Associate Agreement with an email service provider, but this is one of the most important HIPAA email requirements whenever emails containing PHI are sent to any recipient.
What is HIPAA email compliance?
HIPAA email compliance means complying with the applicable standards of the HIPAA Administrative Simplification Regulations developed to protect the privacy of individually identifiable health information communicated in an email and to ensure the confidentiality, integrity, and availability of the email. Compliance with these standards does not guarantee the content of an email will remain secure, but it will mitigate the risk of impermissible disclosures and breaches of unsecured PHI.
Is it a HIPAA violation to email PHI?
It can be a HIPAA violation to email PHI if the necessary and appropriate safeguards have not been put in place to protect the privacy of PHI and comply with the Security Rule. Even if these safeguards are in place, HIPAA violations can still occur if an email contains more than the minimum necessary PHI to achieve the purpose of the email or if account credentials are misused to transmit PHI for an impermissible purpose.
Should all emails include a HIPAA compliance email disclaimer?
Emails can include a HIPAA compliance email disclaimer, but it won’t absolve the sender of a HIPAA violation if an email containing PHI is sent to the wrong recipient. Consequently, although a HIPAA email disclaimer may help reassure genuine recipients that an organization complies with the Privacy and Security Rules, it serves no other worthwhile purpose.
One Third of Healthcare Websites Still Use Meta Pixel Tracking Code
A recent analysis of healthcare websites by Lokker found widespread use of Meta Pixel tracking code. 33% of the analyzed healthcare websites still use Meta pixel tracking code, despite the risk of lawsuits, data breaches, and fines for non-compliance with the HIPAA Rules.
Website Tracking Technologies in Healthcare
A study conducted in 2021 that looked at the websites of 3,747 U.S. hospitals found 98.6% of the hospitals used at least one type of tracking code on their websites that transferred data to third parties, and an analysis in 2022 of the websites of the top 100 hospitals in the United States by The Markup/STAT revealed one-third of those hospitals used tracking technologies on their websites that transferred visitor data, including protected health information (PHI), to third parties.
In December 2022, the HHS’ Office for Civil Rights issued guidance to HIPAA-regulated entities on the use of website tracking technologies. The guidance made it clear that these technologies violate HIPAA unless there is a business associate agreement (BAA) in place with the provider of the code or authorizations are obtained from patients. OCR and the Federal Trade Commission wrote to almost 130 healthcare organizations in July 2023 warning them about the compliance risks of using tracking technologies, after these tools were discovered on their websites. In March 2024, OCR updated its guidance – believed to be in response to a legal challenge by the American Hospital Association – however, OCR’s view that a BAA or authorizations are required has not changed.
Several hospitals and health systems have reported the use of these tracking technologies to OCR as data breaches, and many lawsuits have been filed against hospitals over the use of these tools, some of which have resulted in large settlements. For example, Novant Health agreed to pay $6.6 million to settle a lawsuit filed by patients who had their PHI transferred to third parties due to the use of these tracking tools. The FTC is also actively enforcing the FTC Act with respect to trackers, with BetterHelp having to pay $7.8 million to consumers as refunds for disclosing sensitive health data without consent. States have also taken action over the use of Meta pixel and other website trackers, with New York Presbyterian Hospital settling a Pixel-related HIPAA violation case with the New York Attorney General for $300,000.
Lokker’s 2024 Study of Website Tracking Technologies
Lokker, a provider of online data privacy and compliance solutions, conducted a study of 3,419 websites across four industries (healthcare, technology, financial services, and retail), that explored three critical areas of risk.
- Unauthorized consumer data collection through third-party trackers, tags, and pixels.
- How privacy tools are often failing to meet the requirements of emerging laws.
- The escalating complexities of protecting consumers’ data privacy.
The study looked at the threat of data brokers sharing consumer data with foreign adversaries. Across all industries, 12% of websites had the TikTok pixel, including 4% of healthcare companies. While the privacy risks associated with this pixel are lower than other tracking technologies, the information collected by TikTok pixel may be transferred to China. 2% of websites, including 0.55% of healthcare websites, were found to use pixels and other web trackers that originated in China, Russia, or Iran. Data transfers to foreign nations are a major concern for the U.S. government. In February this year, President Biden signed an Executive Order to prevent the sharing of Americans’ data with foreign countries.
Alarmingly, given the considerable media coverage, HIPAA guidance, regulatory fines, and lawsuits associated with website tracking technologies, 33% of healthcare organizations were still using Meta pixel on their websites. Lokker found an average of 16 trackers and a maximum of 93 trackers on healthcare websites. The most common trackers used by healthcare organizations were from Google (googletagmanager.com, doubleclick.net, google-analytics.com, google.com, googleapis.com, youtube.com), Meta (facebook.com, facebook.net), ICDN (icdn.com), and Microsoft (linkedin.com). There appears to be confusion about obtaining consent from website visitors about the collection of their data through tracking technologies such as pixels and cookies. According to OCR guidance, the use of a banner on a website advising visitors about the use of tracking technologies does not constitute a valid HIPAA authorization. These consent banners were identified on the websites of 59% of healthcare organizations.
These consent banners often do not function as intended, as 98.5% of websites load cookies on page load, with Lokker reporting that, on average, 33 cookies are loaded before consent banners appear, and these banners often misclassify or overlook cookies and trackers. Lokker also found that technologies such as browser fingerprinting are often excluded from consent tools, and the rapidly evolving web means tracker changes may go unnoticed by consent tools, resulting in users unwittingly consenting to undesired data collection.
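An added example (not Lokker's tooling or code from the article) of a first pass at the kind of audit described above: it parses a page's HTML, lists every third-party host loaded by script, image and iframe tags or referenced from inline scripts, maps those hosts to the tracker vendors named in Lokker's findings, and extracts any Meta Pixel ID initialised by an fbq('init', …) call. The sample page, its hostnames and the pixel ID are constructed; the pixel loader snippet is abbreviated.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Vendor map built from the tracker domains named in Lokker's findings; extend it for your own audit.
TRACKER_VENDORS = {
    "Google": ("googletagmanager.com", "doubleclick.net", "google-analytics.com",
               "google.com", "googleapis.com", "youtube.com"),
    "Meta": ("facebook.com", "facebook.net"),
    "ICDN": ("icdn.com",),
    "Microsoft": ("linkedin.com",),
}
URL_RE = re.compile(r"https?://[^\s'\"()<>]+")                 # URLs embedded in inline scripts
FBQ_INIT_RE = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")

# Constructed sample page (hypothetical hospital site) carrying a Google tag, an abbreviated
# Meta Pixel loader with its <noscript> fallback image, and an unrelated third-party CDN.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
!function(f,b,e,v,n,t,s){t=b.createElement(e);t.async=!0;t.src=v;s=b.getElementsByTagName(e)[0];
s.parentNode.insertBefore(t,s)}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '123456789012345'); fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=123456789012345&amp;ev=PageView&amp;noscript=1"/></noscript>
<script src="https://cdn.example-cdn.test/ui.min.js"></script>
</head><body>Find a doctor</body></html>"""


class _ResourceCollector(HTMLParser):
    """Collects external script/img/iframe sources and the bodies of inline <script> tags."""
    def __init__(self):
        super().__init__()
        self.urls, self.inline_scripts, self._in_inline_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.urls.append(a["src"])
        if tag == "script":
            self._in_inline_script = not a.get("src")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline_scripts.append(data)


def _vendor_for(host):
    for vendor, domains in TRACKER_VENDORS.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return vendor
    return None


def scan_page(html, first_party_host):
    """Return third-party hosts, those mapped to known tracker vendors, and Meta Pixel IDs."""
    p = _ResourceCollector()
    p.feed(html)
    findings = {"third_party_hosts": set(), "trackers": {}, "meta_pixel_ids": set()}
    urls = list(p.urls)
    for body in p.inline_scripts:
        urls.extend(URL_RE.findall(body))          # e.g. the fbevents.js loader URL
        findings["meta_pixel_ids"].update(FBQ_INIT_RE.findall(body))
    for url in urls:
        host = urlparse(url, scheme="https").hostname
        if not host or host == first_party_host or host.endswith("." + first_party_host):
            continue                               # relative or first-party resource
        findings["third_party_hosts"].add(host)
        vendor = _vendor_for(host)
        if vendor:
            findings["trackers"].setdefault(vendor, set()).add(host)
    return findings
```

Running it against a live site requires fetching the page first (and, for trackers injected by other scripts at runtime, a browser-driven crawl), so treat the static result as a lower bound.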
In addition to compliance risks related to HIPAA, there is also a risk of Video Privacy Protection Act (VPPA) violations. 3% of healthcare companies had Meta pixel or other social media trackers on pages containing video players, putting them at risk of VPPA lawsuits. In 2023, more than 80 lawsuits were filed alleging VPPA violations due to Meta pixel being used to gather and disseminate video viewing data from websites without user consent, some of which have led to multi-million-dollar settlements.
“LOKKER’s research sheds light on critical issues that businesses often underestimate. Unauthorized data collection through third-party trackers and related technologies is far more pervasive than most people realize. We all build websites with third-party tools, and they use other third-party tools, and so on. Many of these are essential and necessary. However, this web of interconnected technologies produces dozens to hundreds of URLs collecting data on a single webpage and is the engine that powers the data broker market,” said Ian Cohen, founder and CEO of LOKKER. “Moreover, data collection on websites and ad tech happens in real time; existing privacy tools are not real-time, and therefore not getting the job done. As a result, we’re seeing a dramatic increase in privacy violations, lawsuits, and fines.” The findings are published in Lokker’s Online Data Privacy Report March 2024.