HIPAA Compliance for Medical Practices
59.3K views | +3 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

5 keys to managing a data breach

5 keys to managing a data breach | HIPAA Compliance for Medical Practices | Scoop.it

Unfortunately, data breaches have become an extremely common occurrence. Not all of them have the high-profile of a Target, Ashley Madison, Home Depot or Anthem breach, but the damage to a company and its reputation is very real.


While companies can purchase cyber insurance to help manage the risks associated with a breach, there are also steps a business can take to maximize the relationship with their breach team and minimize the fallout following the cyber event.


Here are five factors to consider when it comes to managing a company’s cyber attack or data breach.


 1. Assess the risk

So how does a company prepare for such an eventuality and what steps should be taken after a breach occurs?


“Start with what you will face if a breach occurs,” advises Anthony Roman, president of Roman & Associates, a global investigation, risk management and computer security consultation firm. “Corporations of all sizes that hold any information that can be deemed private or personal are going to face a number of very serious hurtles in a breach that will encourage them to have a breach plan.”


Roman says this includes class action suits for the “undue release or allowing the release of personal and private information. The average class action suit is settling for $2.9 to $3 million.” He estimates the legal costs to defend a company in a class action suit will range anywhere from several hundred thousand dollars to well over one million.


“You may face government sanctions for local, state, federal or legal violations, some of which are criminal in nature and some which are civil in nature,” he explains. Criminal violations can pierce the corporate veil and involve specific individuals within the corporation.


There could also be regulatory sanctions if the company violated any Federal Communications Commission (FCC) regulations or any other regulatory agency’s regulations regarding cyber security. “That should be a wonderful motivator for anyone to have a robust and compliant breach program,” he adds.


Roman recommends that companies work with their brokers to craft coverage that will reduce their risk, review the policy exclusions, and ensure that they are insured to cover the types of information that will be affected and the resulting exposures from a breach.


2. Avoid these mistakes

The saying goes, “Fail to plan and plan to fail,” and nowhere is that more true than with cyberattacks and breaches. “Not having a well thought out and documented roadmap for the ‘what, when, where, who and how’ of responding to a suspected data breach is a recipe for disaster,” says Paul Nikhinson, Esq., privacy breach response services manager for Beazley.


Related: Many businesses unprepared for cyber attacks

“Most post-incident mistakes could be avoided or mitigated by implementing appropriate pre-incident prevention and response plans,” adds Kevin Kalinich at Aon. He says that some of the major mistakes companies make include:


  • Internal company denial regarding the potential magnitude of the incident. Appropriate resources and attention must be allocated immediately to determine the magnitude of the incident. The financial impact of cyber incidents is not always directly correlated with the size of the incident, but the financial statement impact is often correlated to the effectiveness of the response.
  • Automatically characterizing an “incident” (no immediate legal liability connotations) as a “breach” (immediate legal liability connotations under various laws, regulations and insurance policies).
  • Passing the buck rather than developing a comprehensive coordinated response.
  • Defensive reaction to regulators rather than an open and frank dialogue.
  • Failure to timely notify any and all potentially applicable insurance carriers.


Overreacting or underreacting to the event can also be a problem says Nikhinson. “Where there’s smoke, there’s fire; however, not every bit of smoke necessarily means a five-alarm fire. Going too quickly to the media and clients without an adequate command of the facts often causes far more harm than good.”


He also says that a company can’t just put its “head in the sand and hope for the best. This isn’t just an ‘IT’ problem. It’s something that could result in catastrophic financial and reputational damage to the company.”


Other problems include not having a plan at all, not following the established plan, not engaging a breach coach or team, and having poor communication between breach team members.


3. Working effectively with your breach team

After a company experiences a breach is not the time to be pulling together a team to address the problem. Assuming that a company already has a highly qualified team in place involving legal, IT, security, human resources, risk management and public relations professionals, experts recommend notifying legal counsel as soon as a cyber incident is discovered. “Counsel should handle retaining outside experts to maintain privilege, which puts the company in the best defensible position possible,” counsels Bob Parisi, Marsh’s cyber product leader

.

Kalinich concurs. “Legal counsel should be involved as soon as a cyber incident is identified for a variety of risk mitigation, contractual liability, privacy liability, legal compliance and financial statement impact reduction reasons. Thereafter, depending upon the nature of the incident, the chief information security officer (CISO), IT security, privacy officer and management responsible for cyber incident response should be simultaneously notified. Outside parties such as customers, partners, vendors, suppliers, etc. need not be notified until the entity understands what happened (subject to notification laws, of course).”


Roman recommends activating the company’s internal breach team as soon as a breach is revealed since most breaches occur way before they are discovered. “As you’re noticing it happened, it probably occurred earlier and they are sucking you dry of confidential information, client information, individuals’ personal information, corporate secrets and information that may be sensitive from a public relations perspective.”


There should also be a designated team leader and decision-maker says Roman, “Someone who can take all of the advice and says this is what we will do and has the authority to do it.” He also recommends that executives resist the urge to micromanage the problem. “They should assess the decisions made by the professionals and act accordingly.”


Communication between team members is critical to successfully managing the breach. “Do your best to break down internal information silos,” recommends Beazley’s Nikhinson. “Does legal know what IT/IS is investigating and how it is being documented? Does IS know that risk purchased a cyber-insurance policy and that it has certain reporting requirements? At what point do you bring in corporate communications? Coordination between all of the internal stakeholders is essential, and having someone akin to a project manager to facilitate that coordination can make all the difference in the world.”


4. Experience matters

Insurance brokers, legal counsel, public relations professionals and other vendors on the breach team should have extensive experience in cyber attacks and breaches. An experienced insurance broker can help a client find a cyber policy that best matches their needs and risks says Parisi. “The broker should have assisted the client in fully understanding coverage as well as the value-added services that are part of today’s cyber coverage. By doing that the client will be able to fully utilize the benefits of the coverage when a breach or event happens.”


Clients should report a breach to their broker or agent as soon as it occurs. According to Aon’s Kalinich, an experienced cyber broker will be able to:


  • Identify the applicable insurance policies.
  • Provide the insured with the required insurance notice requirements.
  • Detail any specific insurance policy requirements (i.e., third-party forensic experts must be selected from the insurance company panel in order to be covered by the insurance policy).
  • Arrange a call between insurance broker legal cyber incident claims specialist and the insured.
  • Determine whether, and in what manner, notice is required to insurers.
  • Describe past cyber incident best practices that reduce the total cost of risk.
  • Maintain consistent and timely communications between the insured and the insurers.


5. Practice makes perfect

Roman recommends that companies hold periodic breach rehearsals, which can be conducted by a firm outside of the business. “Surprise your team. Tell them this is a drill and there is a breach,” he advises. This gives executives an opportunity to see how quickly the breach team can be pulled together and how they will react to a real breach. It also gives them an opportunity to role play some of the critical elements of the plan.


Brokers can assist their clients by ensuring they have the right coverage for their business exposures as well as “a proactive relationship with their carrier’s breach response team so their first meeting doesn’t occur in the middle of a firefight,” adds Nikhinson.

Waiting until after a cyber breach occurs is too late to begin managing its effects, and can have dire consequences to a company’s reputation and its bottom line. Being proactive will help mitigate some of the damage and give the company a roadmap for successfully managing the breach.

more...
No comment yet.
Scoop.it!

Hospital to pay $218,400 for HIPAA violations

Hospital to pay $218,400 for HIPAA violations | HIPAA Compliance for Medical Practices | Scoop.it

St. Elizabeth's Medical Center must pay $218,400 for HIPAA violations through an agreement with the Department of Health and Human Services' Office for Civil Rights.


In 2012, the OCR received a complaint alleging that the Brighton, Massachusetts-based health center did not analyze the risks of an Internet-based document sharing app, which stored protected health information for almost 500 individuals, according to anannouncement from OCR.


During its investigation, OCR found that the health center "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome." In addition, St. Elizabeth's in 2014 submitted notification to OCR that a laptop and USB drive had been breached, putting unsecured protected health information for 595 consumers at risk.

OCR also is requiring that St. Elizabeth's adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.


"Organizations must pay particular attention to HIPAA's requirements when using Internet-based document sharing applications," OCR Director Jocelyn Samuels said in an announcement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


A recent report from application security vendor Veracode found that the healthcare industry fares poorly compared to other industries in reducing application security risk.


Healthcare also is near the bottom of the pack when it comes to addressing remediation, with only 43 percent of known vulnerabilities being remediated.


While Phase II of the federal HIPAA audit program remains "under development,"Samuels reiterated in March that OCR is "committed to implementing a robust audit program," FierceHealthIT previously reported.

more...
No comment yet.
Scoop.it!

Hospital Slammed With $218,000 HIPAA Fine

Hospital Slammed With $218,000 HIPAA Fine | HIPAA Compliance for Medical Practices | Scoop.it

Federal regulators have slapped a Boston area hospital with a $218,000 HIPAA penalty after an investigation following two security incidents. One involved staff members using an Internet site to share documents containing patient data without first assessing risks. The other involved the theft of a worker's personally owned unencrypted laptop and storage device.


The Department of Health and Human Services' Office for Civil Rights says it has entered a resolution agreement with St. Elizabeth's Medical Center that also includes a "robust" corrective action plan to correct deficiencies in the hospital's HIPAA compliance program.

The Brighton, Mass.-based medical center is part of Steward Health Care System.


Privacy and security experts say the OCR settlement offers a number of valuable lessons, including the importance of the workforce knowing how to report security issues internally, as well as the need to have strong policies and procedures for safeguarding PHI in the cloud.

Complaint Filed

On Nov. 16, 2012, OCR received a complaint alleging noncompliance with the HIPAA by medical center workforce members. "Specifically, the complaint alleged that workforce members used an Internet-based document sharing application to store documents containing electronic protected health information of at least 498 individuals without having analyzed the risks associated with such a practice," the OCR statement says.


OCR's subsequent investigation determined that the medical center "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome."


"Organizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications," says Jocelyn Samuels, OCR director in the statement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."


Separately, on Aug. 25, 2014, St. Elizabeth's Medical Center submitted notification to OCR regarding a breach involving unencrypted ePHI stored on a former hospital workforce member's personal laptop and USB flash drive, affecting 595 individuals. The OCR "wall of shame" website of health data breaches impacting 500 or more individuals says the incident involved a theft.

Corrective Action Plan

In addition to the financial penalty - which OCR says takes into consideration the circumstances of the complaint and breach, the size of the entity, and the type of PHI disclosed - the agreement includes a corrective action plan "to cure gaps in the organization's HIPAA compliance program raised by both the complaint and the breach."

The plan calls for the medical center to:


  • Conduct a "self-assessment" of workforce members' familiarity and compliance with the hospital's policies and procedures that address issues including transmission and storage of ePHI;
  • Review and revise policies and procedures related to ePHI; and
  • Revise workforce training related to HIPAA and protection of PHI.


Lessons Learned

Other healthcare organizations and their business associates need to heed some lessons from OCR's latest HIPAA enforcement action, two compliance experts say.


Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes: "The settlement indicates that OCR first learned of alleged noncompliance through complaints by the covered entity's workforce members. Entities should consider whether their employees know how to report HIPAA issues internally to the privacy and security officers and ensure that any concerns are adequately addressed. Otherwise, the employees' next stop may be complaining to the government."

The settlement also highlights the importance of having a cloud computing strategy, Greene points out. That strategy, he says, should include "policies, training and potential technical safeguards to keep PHI off of unauthorized online file-sharing services."


The enforcement action spotlights the continuing challenge of preventing unencrypted PHI from ending up on personal devices, where it may become the subject of a breach, he notes.


The case also sheds light on how OCR evaluates compliance issues, he says. "The settlement highlights that OCR will look at multiple HIPAA incidents together, as it is not clear that OCR would have entered into a settlement agreement if there had only been the incident involving online file sharing software, but took action after an unrelated second incident involving PHI ending up on personal devices."


Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says the settlement "serves as an important reminder that a covered entity or a business associate must make sure that the organization's risk assessment takes into account any relationship where PHI has been disclosed to a contractor or vendor so as to ensure that appropriate safeguards to protect the data are in place."


The alleged violations involving the document sharing vendor, he says, "involve failure to have a BA agreement in place prior to disclosing PHI to the vendor, as well as failing to have appropriate security management processes in place to evaluate when a BA agreement is needed when bringing on a new contractor that will handle PHI."

St. Elizabeth's Medical Center did not immediately respond to an Information Security Media Group request for comment.

Previous Settlements

The settlement with the Boston-area medical center is the second HIPAA resolution agreement signed by OCR so far this year. In April, the agency OK'd an agreement with Cornell Prescription Pharmacyfor an incident related to unsecure disposal of paper records containing PHI. In that agreement, Cornell was fined $125,000 and also adopted a corrective action plan to correct deficiencies in its HIPAA compliance program.


The settlement with St. Elizabeth is OCR's 25th HIPAA enforcement action involving a financial penalty and/or resolution agreement that OCR has taken since 2008.


But privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights, says OCR isn't doing enough to crack down on organizations involved in HIPAA privacy breaches.


"Assessing penalties that low - St. Elizabeth will pay $218,400 - guarantees that virtually no organizations will fix their destructive practices," she says. "Industry views low fines as simply a cost of doing business. They'll take their chances and see if they're caught."

The largest HIPAA financial penalty to date issued by OCR was a $4.8 million settlement with New York-Presbyterian Hospital and Columbia University for incidents tied to the same 2010 breach that affected about 6,800 patients. The incidents involved unsecured patient data on a network.

more...
No comment yet.
Scoop.it!

Smaller companies seek cybersecurity

Smaller companies seek cybersecurity | HIPAA Compliance for Medical Practices | Scoop.it

When it comes to hacker attacks and data breaches, small businesses are targets, too.


In fact, the origin of the infamous Target breach of 2013, which compromised information on 40 million customer credit cards, has been traced to the hacking of the computer system of a refrigeration company in the Pittsburgh area doing work for the Minneapolis-based retailer.


One or more of Fazio Mechanical Services’ employees had access to Target’s data network for electronic billing, contract submissions and project management, and one of its employees apparently opened a malware-laced email from an outside hacker, according to published reports.



How ownerscan keep dataout of harm’s way
  1. Keep paper files, flash drives and CDs with sensitive data on them under lock and key. Shred such paper documents before recycling.
  2. Require employees to have a unique user name and a strong password that is changed several times a year. Also, encrypt data.
  3. Use antivirus and anti-spyware software, and don’t open email attachments or other downloads unless they are from trusted sources.
  4. Install updates to security, Web browser, operating system and antivirus software as soon as they become available. These contain the "patches" that address security vulnerabilities.
  5. Enable your operating system’s firewall. Take special precautions when allowing remote access.
  6. If you have a Wi-Fi network, make sure it is encrypted, hidden from the public, and that users need a password to get in.
  7. Make sure third parties that have access to your data have proper data protection practices.
  8. Talk to your insurance broker about cybersecurity insurance.

 


Cybersecurity consultant Karl Kispert used the experience of Fazio as a cautionary tale Wednesday in speaking to a gathering of about 70 information technology professionals and small-business owners at William Paterson University in Wayne. The event, a cybersecurity conference presented by the New Jersey Small Business Development Center, emphasized the risks and the potential for financial liabilities at smaller companies, which experts said are real and growing, and business owners need to be prepared.


"If I’m a hacker, the weakest link is a vendor with few, if any, controls around their IT environment," Kispert said. "Small to midsized companies are as at risk as any of the companies you read about in the newspaper."


But when hacking incidents and data breaches occur at small companies, they rarely become known to the public, Kispert said Thursday. Thomas Ryan, enterprise security expert at Hewlett Packard, said that, on average, it takes 240 days to discover that you’ve been breached.


"It’s not will you get breached, it’s when," said Roseland lawyer Karen Painter Randall, a partner at Connell Foley LLP. "No one is immune."

The art of hacking, pioneered by clever young tricksters who got their kicks vandalizing websites, has evolved into a global underworld of thieves, spies and saboteurs, sometimes state-sponsored, who embrace the Internet as their playing field of choice. Stolen personal information is sold to identity thieves and other criminals on shady websites.


In January, President Obama called for new laws requiring companies to disclose when they’ve been hacked, and several cybersecurity-related bills are now pending.


Obama’s statement followed a breach at Home Depot involving 56 million customer credit cards as well as an incident at Staples that exposed information on more than 1 million payment cards.


Fortune 500 companies are likely to have cybersecurity insurance to offset the cost of responding to data breaches — which typically involve notifying victims and providing them with credit monitoring for a year. Target said earlier this year that its 2013 data breach would cost an estimated $252 million and the company expected insurance to cover only $90 million.


But smaller companies by and large are not insured, and general liability insurance does not include coverage for cyberattacks.

"Cyber insurance is becoming one of those essential products," said North Brunswick business consultant Carol Gabel, chief executive officer of Seven Pearls LLC, a risk management specialist and one of the conference organizers. As demand increases, "it will become more affordable and more available," she said.


The cyber insurance market has existed since the late 1990s, and the amount of coverage being sold is small compared to coverage for more traditional risks.


Cyber insurance, however, is one of the fastest-growing sectors in the insurance market, according to Marsh’s U.S. Insurance Market Report 2015. Factors considered in pricing policies include the size of the company, the number of customers, its presence on the Web, and the type of data collected and stored.


Policies might include coverage for liability for exposing confidential information and for paying the bill to notify customers of a breach and providing them with credit-monitoring services.


Costs from business interruption, especially from disruption of service attacks by hackers, are another risk that can be covered.


From Jan. 1 through June 23, 380 breaches were reported by companies and other organizations in the United States. More than 117 million records were exposed, according to the Identity Theft Resource Center’s website, which gleans information from law enforcement and media sources.


The resource center said a breach occurs when an individual’s name along with his or her Social Security number, driver’s license number, medical record, or a financial record like a credit- or debit-card number, are put at risk.


The breaches included 10 companies either based in New Jersey or with a major presence in the state, including TD Bank, Toys "R" Us and Chubb & Son.


A Toys "R’’ Us representative said Friday in an email that the breach involved an attempt in late January to gain unauthorized access to the accounts of "a small percentage’’ of its Rewards "R" Us members who had requested password changes.


In only one of the New Jersey breaches, which occurred at Jersey City Medical Center, was the number of exposed records reported — 1,447.


In February, health insurance giant Anthem announced a data breach caused by a hacking attack from outside that company that compromised as many as 80 million records. The exposed information includes names, Social Security numbers and dates of birth.

"In the past, in the health care industry, it’s been mishaps — somebody loses a laptop or maybe a disgruntled employee steals some data," said Jeanmarie Tenuto, chief executive officer of Healthcare Technical Solutions in Newark. "Now, it’s attacks from the outside."


Earlier this year, reports emerged that an employee with a company working for a private physicians group that provided emergency services at The Valley Hospital in Ridgewood, Englewood Hospital and Medical Center, and Holy Name Medical Center in Teaneck stole names, Social Security numbers and birth dates of patients.


The average loss for a breach of 1,000 records would be between $52,000 and $87,000, according to Mount Laurel-based Verizon Enterprise Solutions’ latest report on data breaches worldwide.

Verizon’s Data Breach Investigations Report said there were 2,122 confirmed data breaches last year around the world. The report estimates the global financial loss from 700 million compromised records at $400 million.


Public entities and the information and financial services industries were the top victims, and a large majority of the attacks were from external sources.


RAM scraping is a kind of malware that grabs payment-card information before it is encrypted. It is reportedly the device used in the Target breach.


"RAM scraping has grown in a big way," the report said. "This type of malware was present in some of the most high-profile retail breaches."

"Malware is getting more sophisticated," and "phishing remains a serious threat," said Bhavesh Chauhan, regional security engineering manager at Verizon Enterprise Solutions.

more...
No comment yet.
Scoop.it!

Four Things MSPs Should Know About HIPAA Compliance and the Cloud

Four Things MSPs Should Know About HIPAA Compliance and the Cloud | HIPAA Compliance for Medical Practices | Scoop.it

While managed service providers (MSPs) are certainly well-versed in the areas of cloud-based file sharing and data storage, it pays to be just as familiar with some of the areas of interest of your clients. As MSPs see more healthcare companies migrating their services to the cloud – whether due to a relaxation of restrictions or a decision to evolve – the need for familiarity in this potentially lucrative market is as important as ever.


When the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, data security and privacy on the internet were not exactly the big concerns of the day. Then again, the MSP business model we know and love today didn’t even exist.


Fast forward about 20 years – and through a couple of generations of computing platforms – and HIPAA compliance has become a hot topic as health care organizations, at long last, begin to crawl out from under mountains of paper and into the digital world.


The 2013 HIPAA Omnibus Rule is the modification to HIPAA that defines the rules governing data security for “covered entities” (healthcare providers, mostly) and their “business associates,” i.e. you, their MSP.


As the rule states, “These modifications [to the original HIPAA law] make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.” Here are the four most important things you need to know to comply with HIPAA regulations:


1. Business Associate Agreements


Law now requires that when you’re doing business with a “covered entity” (CE), you must execute agreements – called Business Associate Agreements (BAAs) – that define the permitted uses and disclosures of “protected health information” (PHI) by the business associate. Don’t start doing business with a healthcare client or other “covered entity” without a Business Associate Agreement in place. The same goes for subcontractors. You’ll want to make sure that anybody touching PHI is covered in the BAA.


2. Providing cloud storage makes you liable for HIPAA privacy


According to the HIPAA Omnibus rule, anything you store in the cloud – even on behalf of a client – that contains protected health information must be compliant with HIPAA privacy protections.  This applies whether you ever view that data or not. If you retain, maintain, or transmit protected health information for a client, then you are bound by their business associate agreement.


3. Less access = lower liability risk


According to an FAQ published by the Center for Democracy and Technology, if you don’t have the capability to access your client’s data and adhere to HHS (Department of Health and Human Services) standards with respect to encryption, you should have little liability risk as a business associate. The FAQ also states that, “if the covered entity controls the decryption keys and the CSP has no ability to access the plain text of the data, it would not be reasonable to expect the CSP to comply with the provisions... that require a BA to ‘make available’ PHI for certain purposes.”


4. Breach thresholds have been lowered


Prior to the enactment of the Omnibus rule, a security breach only had to be reported to the HHS if it posed “significant risk of reputational, financial or other harm” to individuals. Now, all breaches of unsecured PHI – information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons – must be reported. However, if the BAA established between you and your healthcare client includes a multi-factor risk assessment that determines low probability of data compromise, the breach may not need to be reported. It’s probably worthwhile to check out your your legal obligations for notification.

more...
No comment yet.
Scoop.it!

10 ways to prevent a data breach and protect your small business

10 ways to prevent a data breach and protect your small business | HIPAA Compliance for Medical Practices | Scoop.it

Today, virtually all businesses collect personal information about customers, employees and others. This information is valuable to hackers – evidenced by the increasing frequency and severity of data breaches across the globe.

Big businesses are not the only ones who are vulnerable. Small and medium-sized businesses with fewer data security resources are often targets for cybercriminals. In fact, research we’ve conducted with the Ponemon Institute shows that more than half have experienced a data breach and nearly three out of four report they can’t restore all their data.


The good news is that businesses can take steps to protect themselves from destructive cyber intrusions. To preempt hacking activity, you must think like a hacker. Here are a few tips to get you started.

1. Think beyond passwords. Never reuse them and don’t trust any website to store them securely. To increase the level of security, set up a two-factor authentication for all your online business accounts. This authentication relies on something only you should know (your password) and authenticates something only you should have (typically your phone) to verify your identity.

2. Stop transmission of data that is not encrypted. Mandate encryption of all data. This includes data at “rest” and “in motion.” Consider encrypting email within your company if personal information is transmitted. Avoid using WiFi networks, as they may permit interception of data.

3. Outsource payment processing. Avoid handling credit card data on your own. Reputable vendors, whether it’s for point-of-sale or web payments, have dedicated security staff that can protect data better than you can.

4. Separate social media activity from financial activity. Use a dedicated device for online banking and other financial activities, and a different device for email and social media. Otherwise, just visiting one infected social site could compromise your banking machine and sensitive business accounts.

5. “Clean house” and update procedures. Evaluate your assets and valuable data to identify where your organization is most at risk. It’s important to reduce the volume of information you keep on hand (only keep what you need!) and properly destroy all paper documents, CDs/DVDs and disks before disposal. Consider assessing your business’s email infrastructure, browser vulnerability, and ID system. Do not use Social Insurance Numbers as employee ID numbers or client account numbers. You should also question the security posture of your business lines, vendors, suppliers or partners.

6. Secure your browser. Watering holes – malicious code installed on trusted websites – are a common method of attack against businesses. How do you know which websites to trust? Focus on keeping up-to-date with the latest version of your browser. Then, test your browser’s configuration for weakness.

7. Secure your computers and operating system. Implement password protection and “time out” functions (requires re-login after period of inactivity) for all business computers. Require strong passwords that must be changed on a regular basis. Also be sure to update all operating systems, which have major security improvements baked in. It’s far easier to break into older operating systems like Windows XP or OS X 10.6.

8. Secure your internet router. Make sure someone can’t intercept all the data sent through it. Consider configuring your wireless network so the Service Set Identifier (SSID) – the name the wireless network broadcasts to identify itself – is hidden.

9. Safeguard and back up your data. Lock physical records containing private information in a secure location and create backups. These should be encrypted and off-site in case there’s a fire or burglary.

10. Educate and train employees. Establish a written policy about data security, and communicate it to all employees. Educate them about what types of information are sensitive or confidential and what their responsibilities are to protect that data. In addition, restrict employee usage of computers for only business purposes. Do not permit use of file sharing peer-to-peer websites or software applications and block access to inappropriate websites.

It’s important to remember that no business is “too small” for a hacker–all businesses are vulnerable. The sooner you can get ahead of potential hacking activity, using the above steps, the sooner you’ll be prepared to thwart, mitigate and manage a data breach.

more...
No comment yet.
Scoop.it!

Lessons from the Sony Hack: The Importance of a Data Breach Response Plan

Lessons from the Sony Hack: The Importance of a Data Breach Response Plan | HIPAA Compliance for Medical Practices | Scoop.it

In a decision emphasizing the need for employers to focus on data security, on June 15, 2015, the U.S. District Court for the Central District of California refused to dismiss a lawsuit filed by nine former employees of Sony Pictures Entertainment who allege the company’s negligence caused a massive data breach. 


In November 2014, Sony was the victim of a cyber-attack, which has widely been reported as perpetrated by North Korean hackers in relation for “The Interview,” a Sony comedy parodying Kim Jong Un. According to the complaint in this case, the hackers stole nearly 100 terabytes of data, including sensitive personal information, such as financial, medical, and other personally identifiable information (“PII”), of at least 15,000 current and former Sony employees.  The hackers then posted this information on the internet and used it to threaten individual victims and their families.  The nine named plaintiffs purchased identity protection services and insurance, as well as took other measures, to protect their compromised PII.

The plaintiffs filed a class action lawsuit alleging Sony failed to implement and maintain adequate security measures to protect its employees’ PII, and then improperly waited at least three weeks to notify plaintiffs that their PII had been compromised.  The plaintiffs asserted claims of negligence, breach of implied contract, and statutory violations of California, Virginia, and Colorado law.

Sony moved to dismiss the complaint.  First, Sony argued that plaintiffs lacked standing because they had not alleged a current injury or a threatened injury that is currently impending.  The court disagreed, concluding that the allegations of increased risk of future identity theft sufficiently established certainly impending injury.

Sony then challenged the viability of each claim.  While the court dismissed certain of the claims, the court allowed the plaintiffs to proceed with their claims of negligence and violations of California’s Confidentiality of Medical Information Act and Unfair Competition Law.  Key to the court’s decision on the negligence claim were its findings that (a) the costs plaintiffs incurred related to credit monitoring, identity theft protection, and penalties resulting from frozen credit constituted a cognizable injury, and (b) an exception to the economic loss doctrine applied because the parties had a “special relationship” whereby plaintiffs had to provide their PII to Sony in order to get paid and receive benefits.

Regarding the Confidentiality of Medical Information Act claim, the court found sufficient the allegations that Sony failed to maintain the confidentiality of the plaintiff’s medical information, which Sony has admitted included HIPAA-protected health information, and failed to institute reasonable safeguards to protect that information from unauthorized use.

While it remains to be seen whether the plaintiffs will prevail on any of their theories of recovery against Sony, this matter should be a lesson to companies that have not implemented appropriate data security measures more than just the loss of proprietary information. 

Employers have a duty to protect the personal sensitive information that they obtain from their employees, and the failure to take preventative measures may result in legal claims, reduction in employee morale, and loss of reputation.

Employers should begin by auditing their information technology infrastructure and network for security vulnerabilities.  Any such audit should be done under the supervision of counsel to maintain the privilege and confidentiality of the audit.  Based on that audit, employers should take steps to mitigate the vulnerabilities found to a reasonable and appropriate level given the threats to the organization.

 The Sony breach, like nearly all recent breaches, had an element of social engineering. To protect against these types of attacks employers should also train their workforces on information security best practices.  Finally, employers should be prepared to respond to breaches when they occur.  Employers should formulate and implement a breach response plan to minimize the time from the discovery of the compromise to the reporting of the incident to affected persons.

If a data breach does occur, the company should immediately execute the data breach response plan and quickly investigate the nature and scope of the data breach.  A forensic review should be conducted using an IT specialist that can trace the origins of the breach.  Employees and anyone affected should be notified so that they may take appropriate steps to prevent or limit identity theft and other damages.  Employers also should consider proactively notifying the police to work with the local cyber-crimes unit, as well as filing a civil suit against the perpetrator(s) to obtain injunctive relief and reduce further damage.  Appropriate legal counsel can assist in pursuing these options.

more...
No comment yet.
Scoop.it!

Your Cyber-Risk Policy: What it Covers and What it Doesn't

Your Cyber-Risk Policy: What it Covers and What it Doesn't | HIPAA Compliance for Medical Practices | Scoop.it

In healthcare, we deal with highly sensitive and very private electronic information, so of course our ears perk up every time we see headlines about the latest cyber threat or breach. The natural question is whether this could happen to us. This is constructive if it leads to cyber risk-prevention. But all too often, folks are responding with, "it could not happen to me," or "my insurance policy covers this so I'm prepared." These folks are ignoring the growing cyber threat around all of us. They are whistling past the "cyber" graveyard.

We live in a digital age where almost everything is accessible — even more now with the evolution of EHRs — so we have to run our businesses as though we are all at risk. To be prepared, we must first understand the common sources of cyber risk. Second, we must understand the basics of cyber insurance policies we may or may not have in place.


There are several ways breaches at small healthcare organizations may occur:


1. Disgruntled employees are one of the leading reasons for cyber attacks. They know your systems — likely better than you do — so keep a close watch on them and what type of data they have access to. Really pay close attention to new staff and those that may be on their way out. Also make sure they know they are monitored.

2. Cyber criminals are looking for remote Internet access services with weak passwords. Require and enforce more complex passwords and require employees to change their passwords regularly.


A smart form of cyber protection is a cyber-risk insurance policy. These provide bundled services designed to help you quickly respond to a data breach. However, there are many cyber insurance product options to consider. These range from standalone policies with high limits and comprehensive services to policy add-on coverages typically offering less coverage.


Rather than stumbling through a maze of complicated cyber-related insurance rhetoric, do yourself a favor and review your options with an experienced broker:


• Carefully scrutinize "free" cyber coverage or riders added onto your base coverage. While not totally worthless, the majority come nowhere near covering the exposure of a potential cyber breach (which explains why they are typically thrown in at no additional cost). In reviewing your insurance coverages with your broker, it's easy to brush by this one and mentally check off the fact that you have cyber coverage. Drill into the details of what's covered, as outlined below.

• Find out how much you are covered for and what out-of-pocket expenses you could expect. A data breach at a small physician practice could run into the hundreds of thousands of dollars or even higher. This type of uncovered damage could put a small practice out of business. Some expenses physicians can expect to incur when a breach occurs include legal fees, IT forensic costs, notification costs, credit monitoring costs, and public relations and advertising expenses to reclaim patient goodwill as well as making the public aware of the steps taken to address the breach.


Cyber risk is not just a technology issue. It affects all elements of the healthcare business and needs to be well-planned and mitigated through ongoing education and risk-management programs.

more...
No comment yet.
Scoop.it!

Data breaches cost an average of US$3.8M: Study

Data breaches cost an average of US$3.8M: Study | HIPAA Compliance for Medical Practices | Scoop.it

The cost of data breaches is rising for companies around the world as sophisticated thieves target valuable financial and medical records, according to a study released on Wednesday.


The total average cost of a data breach is now US$3.8 million, up from $3.5 million a year ago, according to a study by data security research organization Ponemon Institute, paid for by International Business Machines Corp.


The direct costs include hiring experts to fix the breach, investigating the cause, setting up hotlines for customers and offering credit monitoring for victims. Business lost because customers are wary after a breach can be even greater, the study said.


Data breaches are becoming more common and significant, with high-profile attacks on Sony Corp, JPMorgan Chase and retailers Target Corp and Home Depot Inc in the past year and a half.


"Most of what's occurring is through organized crime," said Caleb Barlow, vice president of IBM Security. "These are well-funded groups. They work Monday to Friday. They are probably better funded and better staffed than a lot people who are trying to defend against them."

IBM, which sells cybersecurity services to companies, has a vested interest in highlighting the costs of data breaches.


The cost of a data breach is now $154 per record lost or stolen, up from $145 last year, according to the study, based on interviews with 350 companies from 11 major countries that had suffered a data breach.


The study's authors said average costs did not apply to mega-breaches affecting millions of customers, such as those suffered by JPMorgan Chase, Target and Home Depot, which cost the companies far greater sums. Target alone said last year its breach cost $148 million.


The study found that the health care was most at risk for costly breaches, with an average cost per record lost or stolen as high as $363, more than twice the average for all sectors of $154.


That reflects the relatively high value of a person's medical records on the underground market, said IBM, as Social Security information is much more useful for identity theft than simple names, addresses or credit card numbers.

more...
No comment yet.
Scoop.it!

Nearly 1,000 patients' data at risk after breach at MetroHealth Hospital

Nearly 1,000 patients' data at risk after breach at MetroHealth Hospital | HIPAA Compliance for Medical Practices | Scoop.it

Data on nearly 1,000 patients that was stored on a computer was attacked by malware at MetroHealth Hospital, the hospital reported on Monday.


A spokesperson said the breach appears to have been an attempt to get patients' banking information, but said no such data was stored on the machine.


Health information from 981 patients who underwent cardiac catheterizations was on the computer.


"While unlikely, it is possible that this unauthorized access could lead to a compromise of some patient information. MetroHealth has no indications that the information has been accessed or used by any unauthorized individual. The circumstances surrounding the event and typical uses made of this malware indicate that the computers were hacked in an effort to obtain banking information and credentials used to log into financial accounts. No such information is stored on these computers."


The hospital reported that the breach happened after an employee turned off malware protection to update the computer in July 2014.


more...
Yasmina Lee C's curator insight, June 9, 2015 8:56 AM

Importante tener base de respaldo de datos de pacientes para no perder toda la informacion en casos como este, todos estamos expuestos a los hackers.....

Scoop.it!

4 Ways That HIPAA Encourages the Disclosure of Health Information - HITECH Answers

4 Ways That HIPAA Encourages the Disclosure of Health Information - HITECH Answers | HIPAA Compliance for Medical Practices | Scoop.it

What’s the first word that comes to mind when you see the term “HIPAA”? For many individuals in the healthcare market, the word is “NO.” “Just say no” is a common answer for covered entities and business associates when they are faced with a decision about whether to disclose health information.


But what if I told you that HIPAA actually permits (and even requires) you to say “yes” to many disclosures of health information?

One of the most overlooked aspects of HIPAA is that there are sections that encourage the free-flow of information. Examples include: (1) disclosures for treatment purposes, (2) disclosures for patient access, (3) disclosures to minimize an imminent danger, and (4) disclosures that are required by state laws.


Disclosures for Treatment Purposes


Let’s get one thing clear: HIPAA allows the disclosure of health information for treatment purposes.


A common misconception among providers is that HIPAA prevents or limits health care providers from sharing health information between each other to provide care for a patient.


This is not true.


I also commonly hear the idea that HIPAA requires a Business Associate Agreement in order for a provider to share health information for the purpose of treating a patient.


This is not true.


In fact, the HIPAA treatment disclosure exception is so broad that it applies to disclosures between health care providers AND the “coordination or management of health care” by a provider and a third party.


The third party does not even have to be a health care provider!

For example, an eye doctor can disclose health information to a contact lens distributor in order to confirm a prescription. The distributor is not a health care provider, but the disclosure is for the purpose of treatment of the patient.


Patient Access


One common idea is that patients do not have an unfettered right to access their entire medical record.


Many providers feel that they, not the patient, have ownership of the patient’s health information and have no obligation to give the patient unrestricted access.


This opinion has lead to more than one Office of Civil Rights investigation.


In reality, HIPAA gives patients broad rights to access their health information and health care providers are required to honor patient requests. Patients are also not required to fill out an Authorization for Release of Records when requesting their own health care information.

With that said, there are some important exceptions to the patient’s access rights under HIPAA, including the limitation on accessing psychotherapy notes, information compiled in anticipation of a lawsuit, or if the access is prohibited under some other law.


But in general, patients have the right to access all of their health information that a provider uses to make treatment decisions about a patient. This includes any health information that a provider received from other providers.


Denial of such access could constitute a HIPAA violation.


Disclosures to minimize an imminent danger or assist law enforcement
Another way that HIPAA encourages the disclosure of health information is seen in the allowable disclosure to minimize an imminent threat to health or safety of an individual or of the public.


HIPAA permits covered entities to disclose health information to persons reasonably able to prevent or lessen the threat.

In addition, HIPAA permits covered entities to disclose health information to law enforcement authorities to identify or apprehend an individual in the following circumstances:

  • An individual makes a statement admitting participation in a violent crime that the covered entity reasonably believes may have resulted in serious physical harm to the victim.
  • Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.


There are some key exceptions to this permissive disclosure for mental health counselors. State laws may further restrict the extent of the disclosure exceptions.


However, these are important exceptions that can prevent danger to members of the community.


Disclosures Required By Law State


Another permissive type of disclosure under HIPAA is any disclosure required by state law. A few common disclosure obligations under state law are:

  • Reporting cases of child abuse
  • Reporting cases of vulnerable adult abuse
  • Reporting to law enforcement if an individual has certain types of wounds (e.g. bullet wound).


The HIPAA “required by law” disclosure exception makes it essential for covered entities and business associates to review their state mandatory reporting laws.


Focusing only on the federal HIPAA regulations to inform your disclosure obligations is a mistake.


Conclusion


HIPAA does not always mean “no.”

Of course, it is easy for healthcare market participants to believe this stereotype. The horror stories of large fines levied on covered entities and business associates who improperly disclose health information are so common.


However, there are many permissive (and some required) disclosures under HIPAA that covered entities and business associates must understand and implement in their business operations.

Learning the types of health information disclosures that HIPAA prohibits and encourages will facilitate the proper flow of information, improve patient experience, and help avoid costly government investigations and fines.

more...
No comment yet.
Scoop.it!

Don’t Forget the Paper: Records and Policies

Don’t Forget the Paper: Records and Policies | HIPAA Compliance for Medical Practices | Scoop.it

Another HIPAA breach settlement announcement and another lesson from the Department of Health and Human Services Office for Civil Rights (“OCR”). Cornell Prescription Pharmacy (“Cornell”) is a single location pharmacy located in Colorado that will pay OCR $125,000 to resolve allegations of a variety of HIPAA violations. When the facts of the circumstances are described, it will likely raise questions as to why the settlement was so low.


The issues at Cornell were revealed to OCR by a local new station. The news station found paper-based protected health information disposed of in unsecure dumpster generally accessible to the public. After receiving the report, OCR investigated Cornell. OCR’s investigation revealed that Cornell had no written policies in place to implement the HIPAA Privacy Rule, no training regarding Privacy Rule requirements was conducted, and protected health information was not reasonably safeguarded.


Despite all of these findings, as indicated above, Cornell only faces a $125,000 settlement amount in addition to the usual requirement to enter into a corrective action plan. It is interesting to note that on April 27, 2015 when the settlement was announced, the first Resolution Agreement posted showed a resolution payment of $767,520. No information has been provided to explain the reduction. One possible answer is that Cornell is a very small entity and may not have been able to afford the higher resolution amount. It would be beneficial to monitor for more information on this account.


As set forth in the settlement announcement, OCR wants every entity to know that it may be subject to HIPAA enforcement, including fines and penalties. A quote from OCR Director Jocelyn Samuels says it all: “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other container that are accessible by . . .unauthorized persons.” It is incumbent upon all organizations to implement appropriate policies and procedures to satisfy HIPAA requirements.


One of the more stunning aspects of the Cornell settlement was the revelation that Cornell had no written policies or procedures to comply with the Privacy Rule. This is slightly different from other settlements where OCR found inadequate or non-existent security policies. Arguably, privacy policies are easier to implement because the Privacy Rule provides a pretty comprehensive and clearcut guide with regard to what policies and procedures need to be put into place. Additionally, there is not a need to do an equivalent of a risk analysis to determine what security policies to put into place.


While the statement about no policies being in place should be shocking, multiple surveys recently have found that a lack of knowledge about HIPAA is still fairly widespread. HIPAA in its original form has been around for almost 20 years at this point. Why is it that organizations still do not know what they need to do to comply? Is it unintentional lack of awareness or something more deliberate? No matter the reason, the government is clearly monitoring and looking for organizations that are not in compliance. The resolution amounts remain wildly unpredictable, but many statements have suggested that recent fines will pale in comparison to fines that will be levied in the future. It is better for organizations to get their houses in order at this point rather than having an audit uncover deficiencies. It will be a safe bet that any problems found in an audit will result in higher fines being assessed.


more...
No comment yet.
Scoop.it!

Unencrypted Devices Still a Breach Headache

Unencrypted Devices Still a Breach Headache | HIPAA Compliance for Medical Practices | Scoop.it

While hacker attacks are grabbing most of the health data breach headlines so far in 2015, a far more ordinary culprit - the loss or theft of unencrypted computing devices - is still putting patient data at risk.

Incidents involving unencrypted laptops, storage media and other computing devices are still popping up on the Department of Health and Human Services' "wall of shame," which lists health data breaches affecting 500 or more individuals. Among the largest of the most recent incidents is a breach at the Indiana State Medical Association.


That breach involved the theft of a laptop computer and two hard drives from a car parked for 2-1/2 hours in an Indianapolis lot, according to local news website, The Star Press. Information on more than 38,000 individuals, including ISMA employees, as well as physicians, their families and staff, was contained in the ISMA group health and life insurance databases on those devices.


The incident occurred on Feb. 3 while ISMA's IT administrator was transporting the hard drives to an offsite storage location as part of ISMA's disaster recovery plan, according to The Star Press. An ISMA spokeswoman declined Information Security Media Group's request to comment on the breach, citing that there are "ongoing civil and criminal investigations under way."


A breach notification letter sent by ISMA indicates that compromised data included name, address, date of birth, health plan number, and in some cases, Social Security number, medical information and email address. ISMA is offering those affected one year's worth of free credit monitoring.

Common Culprit

As of Feb. 27, 51 percent of major health data breaches occurring since 2009 involved a theft while 9 percent involved a loss, according to data presented by an Office for Civil Rights official during a session at the recent HIMSS 2015 Conference in Chicago. Of all major breaches, laptop devices were involved in 21 percent of the incidents, portable electronic devices in 11 percent and desktop computers in 12 percent, according to the OCR data.


Two of the five largest breaches to date on the Wall of Shame involved stolen unencrypted computing devices:


  • A 2011 breach involving the theft of unencrypted backup computer tapes containing information on about 4.9 million individuals from the car of a Science Applications International Corp. employee who was transporting them between federal facilities on behalf of military health program TRICARE.
  • The 2013 theft of four unencrypted desktop computers from an office of Advocate Health and Hospital Corp. in Chicago, which exposed information on about 4 million patients.


Many smaller breaches affecting less than 500 individuals also involve unencrypted computing devices, according to OCR.

Safe Harbor

The thefts and losses of encrypted computing devices are not reportable breaches under HIPAA. That's why security experts express frustration that the loss and theft of unencypted devices remains a common breach cause.


"It is unfortunate that [encryption] is considered an 'addressable' requirement under HIPAA, as many people don't realize that this does not mean optional," says Dan Berger, CEO of security risk assessment firm Redspin, which was recently acquired by Auxilio Inc.


Under HIPAA, after a risk assessment, if an entity has determined that encryption is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI, it must implement the technology. However, if the entity decides that encryption is not reasonable and appropriate, the organization must document that determination and implement an equivalent alternative measure, according to HHS.


Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says he's expecting to see soon an OCR resolution agreement with a healthcare provider that suffered several breach incidents caused by their failure to manage the mobile devices used by their employees on which electronic protected health information was stored or accessed.


"Install encryption on laptops that handle PHI," he advises. "Don't store patient information on a smartphone or other mobile device."

Concerns about the cost and complexity of encryption are unfounded, Berger contends, because encryption has become more affordable and the process has been made easier.


"There have been arguments that encrypting backup media sent offsite is technically problematic," says privacy and security expert Kate Borten, founder of the consultancy The Marblehead Group. "While it's true that encryption can add overhead, this has become a weaker argument in recent years."


But Borten acknowledges that organizations must look beyond encryption when safeguarding patient information. "Encryption is not a silver bullet," she notes. "For example, if a user leaves a laptop open, the otherwise-encrypted hard drive is accessible. But for portable devices and non-paper media, there is no equivalent security measure."


Borten notes that the most common reason cited for a lack of device encryption is a lack of adequate support and resources for overall security initiatives. "While all an organization's laptops might be encrypted - the easy part - there are mobile devices running on multiple platforms and personally owned devices and media that are harder to control," she notes. "It takes management commitment as well as human and technical resources to identify all those devices and bring them under the control of IT."

Room for Improvement

The 2015 Healthcare Information Security Today survey of security and privacy leaders at 200 healthcare entities found that encryption is being applied by only 56 percent of organizations for mobile devices. The survey, conducted by Information Security Media Group in December 2014 and January 2015, found that when it comes to BYOD, about half of organizations require encryption of personally owned devices; nearly half prohibit the storage of PHI on these devices. Only 17 percent of organizations say they don't allow BYOD.


Complete results of the survey will be available soon, as well as a webinar that analyzes the findings.


"Personally owned devices are definitely the Achilles heel," Berger says. "Healthcare organizations have to address BYOD head-on. It is a complicated and thorny issue, but 'looking the other way' is not an acceptable approach. We recommend clear decisions regarding acceptable use, reflected in policy and backed up by enforcement," he says.


"We have also seen [breaches] happen when an organization makes the decision to encrypt but then has a long roll-out plan and the lost/stolen devices had yet to be encrypted," he adds.

Steps to Take

To help reduce the risk of breaches involving mobile computing devices, Berger says organizations should make sure they have a mobile device use policy that's "clear, comprehensive and well-understood. We suggest calling it out as a separate policy that must be signed by employees. Back up policy with ongoing security awareness training and strong enforcement."


In addition, OCR advises covered entities and business associates to make use of guidance it has released with its sister HHS agency, the Office of the National Coordinator for Health IT. OCR also offers free online training on mobile device security.


more...
No comment yet.
Scoop.it!

Reminders on HIPAA Enforcement: Breaking Down HIPAA Rules

Reminders on HIPAA Enforcement: Breaking Down HIPAA Rules | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA enforcement is an important aspect of The HIPAA Privacy Rule, and also one that no covered entity actually wants to be a part of. However, it is essential that healthcare organizations of all sizes understand the implications of an audit from the Office for Civil Rights (OCR), and how they can best prepare.


This week, HealthITSecurity.com is breaking down the major aspects of OCR HIPAA enforcement, and what healthcare organizations and their business associates need to understand to guarantee that they keep patient data secure. Additionally, we’ll review some recent cases where the OCR fined organizations because of HIPAA violations.


What is the enforcement process?


OCR enforces HIPAA compliance by investigating any filed complaints and will conduct compliance reviews to determine if covered entities are in compliance. Additionally, OCR performs education and outreach to further underline the importance of HIPAA compliance. The Department of Justice (DOJ) also works with OCR in criminal HIPAA violation cases.


“If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the covered entity named in it,”according to HHS’ website. “Then the complainant and the covered entity are asked to present information about the incident or problem described in the complaint. OCR may request specific information from each to get an understanding of the facts. Covered entities are required by law to cooperate with complaint investigations.”


Sometimes OCR determines that HIPAA Privacy or Security requirements were not violated. However, when violations are found, OCR will need to obtain voluntary compliance, corrective action, and/or a resolution agreement with the covered entity:


“If the covered entity does not take action to resolve the matter in a way that is satisfactory, OCR may decide to impose civil money penalties (CMPs) on the covered entity. If CMPs are imposed, the covered entity may request a hearing in which an HHS administrative law judge decides if the penalties are supported by the evidence in the case. Complainants do not receive a portion of CMPs collected from covered entities; the penalties are deposited in the U.S. Treasury.”


During the intake and review process, OCR considers several conditions. For example, the alleged action must have taken place after the dates the Rules took effect. In the case of the Privacy Rule, the alleged incident will need to have taken place after April 14, 2003, whereas compliance with the Security Rule was not required until April 20, 2005.


The complaint must also be filed against a covered entity, and a complaint must allege an activity that, if proven true, would violate the Privacy or Security Rule. Finally, complaints must be filed within 180 days of “when the person submitting the complaint knew or should have known about the alleged violation.”


Recent cases of OCR HIPAA fines


One of the more recent examples of HIPAA enforcement took place in Massachusetts, when the OCR fined St. Elizabeth’s Medical Center (SEMC) $218,400 after potential HIPAA violations stemming from 2012.


The original complaint alleged that SEMC employees had used an internet-based document sharing application to store documents containing ePHI of nearly 500 individuals. OCR claimed that this was done without having analyzed the risks associated with the practice.

“OCR’s investigation determined that SEMC failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome,” OCR explained in its report. “Separately, on August 25, 2014, SEMC submitted notification to HHS OCR regarding a breach of unsecured ePHI stored on a former SEMC workforce member’s personal laptop and USB flash drive, affecting 595 individuals.”


OCR Director Jocelyn Samuels reiterated the importance of all employees ensuring that they maintain HIPAA compliance, regardless of the types of applications they use. Staff at all levels “must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner,” she stated.


In April of 2015, the OCR also agreed to a $125,000 settlement fine with Cornell Prescription Pharmacy (Cornell) after allegations that also took place in 2012. In that case, Cornell was accused of improperly disposing of PHI documents. Papers with information on approximately 1,600 individuals were found in an unlocked, open container on Cornell’s property.


“Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” OCR Director Samuels said in a statement, referring to the fact that Cornell is a small, single-location pharmacy in Colorado. “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”


However, not all OCR HIPAA settlements stay in the thousand dollar range. In 2014, OCR fined New York and Presbyterian Hospital (NYP) and Columbia University (CU) $4.8 million from a joint breach report that was filed in September 2010.


NYP and CU were found to have violated HIPAA by exposing 6,800 patients’ ePHI when an application developer for the organizations tried to deactivate a personally-owned computer server on the network that held NYP patient ePHI. Once the server was deactivated, ePHI became accessible on internet search engines.


“In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections,” OCR explained in its statement. “Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI.”


Regardless of an organization’s size, HIPAA compliance is essential. Regular risk analysis and comprehensive employee training are critical to keeping covered entities up to date and patient data secure. By reviewing federal, state and local laws, healthcare organizations can work on taking the necessary steps to make changes and improve their data security measures.

more...
No comment yet.
Scoop.it!

Bill That Changes HIPAA Passes House

Bill That Changes HIPAA Passes House | HIPAA Compliance for Medical Practices | Scoop.it

The U.S. House of Representatives on July 10 passed a bill aimed at accelerating the advancement of medical innovation that contains a controversial provision calling for significant changes to the HIPAAPrivacy Rule.


The House approved the 21st Century Cures bill by a vote of 344 to 77. Among the 309-page bill's many provisions is a proposal that the Secretary of Health and Human Services "revise or clarify" the HIPAA Privacy Rule's provisions on the use and disclosure of protected health information for research purposes.


Under HIPAA, PHI is allowed to be used or disclosed by a covered entity for healthcare treatment, payment and operations without authorization by the patient. If the proposed legislation is eventually signed into law, patient authorization would not be required for PHI use or disclosure for research purposes if only covered entities or business associates, as defined under HIPAA, are involved in exchanging and using the data.


That provision - as well as many others in the bill - aim to help fuel more speedy research and development of promising medical treatments and devices.


"The act says ... if you're sharing [patient PHI] with a covered entity [or a BA], you don't necessarily need the individual's consent prior to sharing - and that's something our members have been receptive too," notes Leslie Krigstein, interim vice president of public policy at the College of Healthcare Information Management Executives, an organization that represents 1,600 CIOs and CISOs.


"The complexity of consent has been a barrier [to health information sharing] ... and the language [contained in the bill] will hopefully move the conversation forward," she says.


Some privacy advocates, however, have opposed the bill's HIPAA-altering provision.


Allowing the use of PHI by researchers without individuals' consent or knowledge only makes the privacy and security of that data less certain, says Deborah Peel, M.D., founder of Patient Privacy Rights, an advocacy group,.


"Researchers and all those that take our data magnify the risks of data breach, data theft, data sale and harms," she says. "Researchers are simply more weak links in the U.S. healthcare system which already has 100s of millions of weak links."

Changes Ahead?

If the legislation is signed into law in its current form, healthcare entities and business associateswould need to change their policies related to how they handle PHI.


"If the bill is enacted, it will not place additional responsibilities on covered entities and business associates. Rather, it will provide them with greater flexibility to use and disclose protected health information for research," says privacy attorney Adam Greene, partner at law firm Davis Wright Tremaine. "Covered entities and business associates who seek to take advantage of these changes would need to revise their policies and procedures accordingly." For instance, some covered entities also may need to revise their notices of privacy practices if their notices get into great detail on research, Greene notes.

Other Provisions

In addition to the privacy provisions, the bill also calls for penalizing vendors of electronic health records and other health IT systems that fail to meet standards for interoperable and secureinformation exchange.


The bill calls for HHS to develop methods to measure whether EHRs and other health information technology are interoperable, and authorizes HHS to penalize EHR vendors with decertification of their products if their software fails to meet interoperability requirements.


In addition, the bill also contains provisions for "patient empowerment," allowing individuals to have the right to "the entirety" of their health information, including data contained in an EHR, whether structured and unstructured. An example of unstructured data might include physician notes, for instance, although that is not specifically named in the legislation.


"Healthcare providers should not have the ability to deny a patient's request for access to the entirety of such health information," the bill says.


A House source tells Information Security Media Group that the Senate has been working on an "Innovation Agenda" for the past few months calling for policies similar to those contained in the 21st Century Cures bill. House leaders say it's their goal to have a bill sent to the president's desk by the end of the year, the source says.

more...
No comment yet.
Scoop.it!

Board members at healthcare organizations lack understanding of cybersecurity risks

Board members at healthcare organizations lack understanding of cybersecurity risks | HIPAA Compliance for Medical Practices | Scoop.it

Directors on corporate boards in all industries have trouble understanding the risks that cybersecurity presents, but none more so than those in healthcare.


The number of members on a board of directors in any industry who have a "high level" of understanding of the risks is low, at only 11 percent, according to a survey by the National Association of Corporate Directors and reports theWall Street Journal.


In healthcare, the number of board members who say they have "little knowledge" about the risks stands at 30 percent, according to WSJ.

This is a problem in an industry that is far behind others when it comes to protecting its consumers' private information.


Although professionals in healthcare say that cybersecurity has grown as a business priority at their organizations, a large number also admit that their facilities have seen a significant security incidents recently, according to a survey by HIMSS. Sixty-eight percent of the 297 individuals responding to the survey said there had been an attack on their facility recently.


The hacks are creating a need for higher level members at organizations who are equipped to tackle such growing threats, the article adds, which includes boards of directors paying more attention to the hiring of chief security information officers.


CISOs in healthcare have their work cut out for them. Healthcare information is some of the hardest to protect, harder than financial information, Mayo Clinic CISO Jim Nelms previously told the WSJ. He attributes much of the difficulty to the plethora of medical devices being used in hospital and to doctors sharing information.

more...
No comment yet.
Scoop.it!

Website Error Leads to Data Breach

Website Error Leads to Data Breach | HIPAA Compliance for Medical Practices | Scoop.it

An error in a coding upgrade for a Blue Shield of California website resulted in a breach affecting 843 individuals. The incident is a reminder to all organizations about the importance of sound systems development life cycle practices.


In a notification letter being mailed by Blue Shield of California to affected members, the insurer says the breach involved a secure website that group health benefit plan adminstrators and brokers use to manage information about their own plans' members. "As the unintended result of a computer code update Blue Shield made to the website on May 9," the letter states, three users who logged into their own website accounts simultaneously were able to view member information associated with the other users' accounts. The problem was reported to Blue Shield's privacy office on May 18.


Blue Shield of California tells Information Security Media Group that the site affected was the company's Blue Shield Employer Portal. "This issue did not impact Blue Shield's public/member website," the company says. When the issue was discovered, the website was promptly taken offline to identify and fix the problem, according to the insurer.


"The website was returned to service on May 19, 2015," according to the notification letter. The insurer is offering all impacted individuals free credit monitoring and identity theft resolution services for one year.


Exposed information included names, Social Security numbers, Blue Shield identification numbers, dates of birth and home addresses. "None of your financial information was made available as a result of this incident," the notification letter says. "The users who had unauthorized access to PHI as a result of this incident have confirmed that they did not retain copies, they did not use or further disclose your PHI, and that they have deleted, returned to Blue Shield, and/or securely destroyed all records of the PHI they accessed without authorization."


The Blue Shield of California notification letter also notes that the company's investigation revealed that the breach "was the result of human error on the part of Blue Shield staff members, and the matter was not reported to law enforcement authorities for further investigation."

Similar Incidents

The coding error at Blue Shield of California that led to the users being able to view other individuals' information isn't a first in terms of programming mistakes on a healthcare-sector website leading to privacy concerns.


For example, in the early weeks of the launch of HealthCare.gov in the fall of 2013, a software glitch allowed a North Carolina consumer to access personal information of a South Carolina man. The Department of Health and Human Services' Centers for Medicare and Medicaid Services said at the time that the mistake was "immediately" fixed once the problem was reported. Still, the incident raised more concerns about the overall security of the Affordable Care Act health information exchange site.


Software design and coding mistakes that leave PHI viewable on websites led to at least one healthcare entity paying a financial penalty to HHS' Office for Civil Rights.


An OCR investigation of Phoenix Cardiac Surgery P.C., with offices in Phoenix and Prescott, began in February 2009, following a report that the practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.

The investigation determined the practice had implemented few policies and procedures to comply with the HIPAA privacy and security rules and had limited safeguards in place to protect patients' information, according to an HHS statement. The investigation led to the healthcare practice signing an OCR resolution agreement, which included a corrective action plan and a $100,000 financial penalty.


The corrective action plan required the physicians practice, among other measures, to conduct arisk assessment and implement appropriate policies and procedures.

Measures to Take

Security and privacy expert Andrew Hicks, director and healthcare practice lead at the risk management consulting firm Coalfire, says that to avoid website-related mistakes that can lead toprivacy breaches, it's important that entities implement appropriate controls as well as follow the right systems development steps.


"Organizations should have a sound systems development life cycle - SDLC - in place to assess all systems in a production environment, especially those that are externally facing," he says. "Components of a mature SDLC would include code reviews, user acceptance testing, change management, systems analysis, penetration testing, and application validation testing."


Healthcare entities and business associates need to strive for more than just HIPAA compliance to avoid similar mishaps, he notes.

"Organizations that are solely seeking HIPAA compliance - rather than a comprehensive information security program - will never have the assurance that website vulnerabilities have been mitigated through the implementation of appropriate controls," he says. "In other words, HIPAA does not explicitly require penetration testing, secure code reviews, change management, and patch management, to name a few. These concepts are fundamental to IT security, but absent from any OCR regulation, including HIPAA."

Earlier Blue Shield Breach

About a year ago, Blue Shield of California reported a data breach involving several spreadsheet reports that inadvertently contained the Social Security numbers of 18,000 physicians and other healthcare providers.


The spreadsheets submitted by the plan were released 10 times by the state's Department of Managed Health Care. In California, health plans electronically submit monthly to the state agency a roster of all physicians and other medical providers who have contracts with the insurers. Those rosters are supposed to contain the healthcare providers' names, business addresses, business phones, medical groups and practice areas - but not Social Security numbers. DMHC makes those rosters available to the public, upon request.

more...
No comment yet.
Scoop.it!

Data breach costs on the rise, according to annual Ponemon Institute study

Data breach costs on the rise, according to annual Ponemon Institute study | HIPAA Compliance for Medical Practices | Scoop.it

Given the number and severity of publicized data breaches over the past year, it should come as little surprise that the average cost of a data breach is on the rise. According to the “2015 Cost of Data Breach Study: Global Analysis,” which was conducted by the Ponemon Institute and sponsored by IBM, the average cost of a data breach increased from $3.52 million in last year’s study to $3.79 million in this year’s edition.


While the year-over-year jump may seem small, the rise actually represents a 23 percent increase in the total cost of a data breach since 2013. The research, which included responses from personnel at 350 companies spanning 11 different countries, also found that lost business as the result of a data breach potentially has the most severe financial consequences for organizations as these costs increased from an average of $1.33 million last year to $1.57 million in 2015. Lost business costs include; abnormal turnover of customers; increased customer acquisition activities; reputation losses; and diminished goodwill.      


Diana Kelley, executive security advisor for IBM Security, said one thing that really stood out to her was the root causes of data breaches examined in the study, the majority of which (47 percent) were found to be the result of malicious or criminal attacks. The study found that the average cost per record to resolve such an attack is $170, compared to system glitches which cost $142 per record to resolve and human error or negligence that cost $134 per record to correct.  

“That indicates something that we’ve seen in other studies that this is organized criminal activity for data breaches,” she said. “We’re moving past the random, somebody left their laptop in a car, and we’re really looking at very targeted attacks from organized criminals.”

Kevin Beaver, an IT security consultant with Atlanta-based Principle Logic LLC, said that data breaches continue to persist on such a massive scale because many companies mistakenly believe they can just buy a piece of security technology that will take care of all of their problems.


“It doesn't work that way,” he said “Even if you have the very best of security controls you still have to have ongoing oversight and vulnerability testing because things are going to fall through the cracks.”


Another common issue, according to Beaver, is that companies simply place too much trust in employees and vendors.



“It's always best to err on the side of caution and put the proper controls in place so everyone, and especially the business, are setup for success. Another big issue I see is all the organizations, especially in the healthcare industry, that believe their high-level audits and policies are sufficient for minimizing their risks. It's not. Unless and until you test for - and resolve - the growing amount of security vulnerabilities on your network, you're a sitting duck waiting to be made to look bad,” said Beaver. “This is especially true to social engineering (i.e. phishing) testing. It's unbelievable how many people are still gullible and give up their network credentials or other sensitive info without question.”


Although data breaches that involve the theft of credit or debit card numbers seem to carry a greater amount of weight with the media and public in general, Kelley said the data shows that things such as protected health Information (PHI) and other personal data are more coveted by hackers as they have a longer lifespan for resale. Kelley advises companies to identify what their “crown jewels” are from a data perspective and to conduct threat assessments and risk modeling around protecting those assets.


“I think organizations need to look at the big picture. We do see evidence of more sophisticated criminal, organized attacks. On the other hand, we can’t forget all of the good security hygiene and just try and focus on what’s the next big scary attack,” said Kelley. “We have to do a very robust, layered set of security throughout our organization to include security awareness and training and monitoring. You’re looking for anywhere in that stack where there could be an exposure or there could be a vulnerability. Companies need to not just think about the big attack, but really think about a robust security model because that is going to help prevent the smaller attacks, as well as the larger attacks.”


Perhaps one of the study’s silver linings is that the involvement of a company’s board-level managers was found to help reduce costs associated with data breaches by $5.5 per record. Insurance protection was also found to reduce cost by $4.4 per record. Despite the increased awareness and involvement by senior leadership, Kelley said companies cannot completely protect against the threats posed by hackers.


“It’s important to remember that awareness and ability to stop something aren’t necessarily always aligned. If we look in the real world, we’re all very aware and highly concerned about something like cancer, but preventing it is very, very difficult,” said Kelley. “We can have the C-suite be very aware of security, but still some companies are at different levels of maturity. Attackers, they are, again, organized and sophisticated, so the level of prevention and controls you need in place to stop the attacks is very high. The fact that we still have attacks going on doesn’t mean companies aren’t putting security controls into place.”   


However, Beaver adds that while some executives may say and do all of the right things in public when it comes to their data protection efforts, the reality is some of them are just paying lip service to the issue.



“It's all about policies and related security theater to appease those not savvy enough - or politically powerful enough - to look deeper or question things further,” said Beaver.  


Conversely, Beaver said that there are a lot of companies who are taking the right approach to cybersecurity, which involves recognition by senior management of the seriousness of the issue.


“I see many organizations doing security well,” he added. “The key characteristics of well-run security are: executive acknowledgement of the challenges, ongoing financial and political support for IT and security teams, periodic and consistent security testing, and the willingness to make changes where changes need to be made - even if it's not politically favorable.”


Another bright spot in the study was that it found a correlation between organizational preparedness and reduced financial impact of a data breach. Companies that employed some level of business continuity management (BCM) within their organization were able to reduce their costs by an average of $7.1 per compromised record.


“Companies that brought in an incident response team or had an incident response program in place were able to save $12.60 per record,” added Kelley. “The biggest takeaway is to get some kind of plan in place. Have business continuity, have an incident response plan in place and be continually detecting and monitoring activity on the network so that if a breach is occurring, you can either see the very beginning of it or you can see one in process and respond as quickly as possible to reduce the impact to the business.”

more...
No comment yet.
Scoop.it!

Even the Federal Government Can’t Hide: How a High-End Cyberattack Breached One of the Most “Protected” Systems

Even the Federal Government Can’t Hide: How a High-End Cyberattack Breached One of the Most “Protected” Systems | HIPAA Compliance for Medical Practices | Scoop.it

With data breaches being the quickly trending “flavor of the month” criminal activity, it’s no shock that on June 4, 2015 yet another system was hit. This time though, it may be one of the largest cyberattacks in U.S. history—compromising as many as 4 million current and former federal employees’ information. The U.S. Office of Personnel Management (OPM) handles security clearances and background checks and although many would assume that its security is top-notch, the facts on the ground reveal that every place taking in sensitive information—including the government—must update its privacy infrastructure.


In his press statement on Thursday, Rep. Adam Schiff, the ranking member of the House Permanent Select Committee on Intelligence echoed that sentiment and stated that “Americans may expect that federal computer networks are maintained with state of the art defenses [but] it’s clear a substantial improvement in our cyber-databases defenses is perilously overdue. This does not only apply to systems of this magnitude.


Any business that maintains data bases with private information must invest in the proper privacy infrastructure necessary to protect that information. Cyberattacks do not discriminate. From major retailers to well-respected state universities, data breaches run the gamut and from the looks of Thursday’s attack, they are getting more sophisticated. OPM is now working closely with the FBI and the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team to attempt to identify the extent of the harm on federal personnel. But not everyone has the luxury of the entire U.S. government as a “crisis manager” so preventive measures for businesses will make a difference.


At this time, one of the most troubling facts of cyberattacks is that the source is difficult to locate. Sen. Susan Collins, a member of the Senate Intelligence Committee, said the hack was “extremely sophisticated,” and “that points to a nation state” as the responsible party, likely China. No conclusive source has been discovered yet but the lesson here is clear—with private information being involved in almost every aspect of business, measures must be taken to protect it.

more...
No comment yet.
Scoop.it!

Beacon Health Is Latest Hacker Victim

Beacon Health Is Latest Hacker Victim | HIPAA Compliance for Medical Practices | Scoop.it

Yet another large hacker attack has been revealed in the healthcare sector. But unlike three recent cyber-attacks, which targeted health insurers, this latest breach, which affected nearly a quarter-million individuals, involved a healthcare provider organization.


South Bend, Ind.-based Beacon Health System recently began notifying 220,000 patients that their protected health information was exposed as a result of phishing attacks on some employees that started in November 2013, leading to hackers accessing "email boxes" that contained patient data.


The Beacon Health incident is a reminder that healthcare organizations should step up staff training about phishing threats as well as consider adopting multi-factor authentication, shifting to encrypted email and avoiding the use of email to share PHI.

"Email - or at least any confidential email - going outside the organization's local network should be encrypted. And increasingly, healthcare organizations are doing just that," says security and privacy expert Kate Borten.


Unfortunately, in cases where phishing attacks fool employees into giving up their email logon credentials, encryption is moot, she says. "Although encryption is an essential protection when PHI is sent over public networks, and stored somewhere other than within IT control, it is only one of many, many security controls. There's no silver bullet."

At the University of Vermont Medical Center, which has seen an uptick in phishing scams in recent months, the organization has taken a number of steps to bolster security, including implementing two-factor authentication "for anything facing the Web, because that can pretty much render phishing attacks that are designed to steal credentials useless," says CISO Heather Roszkowski.

The Latest Hacker Attack

On March 26, Beacon Health's forensic team discovered the unauthorized access to the employees' email accounts while investigating a cyber-attack. On May 1, the team determined that the affected email accounts contained PHI. The last unauthorized access to any employee email account was on Jan. 26, the health system says.


"While there is no evidence that any sensitive information was actually viewed or removed from the email boxes, Beacon confirmed that patient information was located within certain email boxes," Beacon Health says in a statement posted on its website. "The majority of accessible information related only to patient name, doctor's name, internal patient ID number, and patient status (either active or inactive). The accessible information, which was different for different individuals, included: Social Security number, date of birth, driver's license number, diagnosis, date of service, and treatment and other medical record information."


The provider organization says it has reported the incident to the U.S. Department of Health and Human Services, various state regulators, and the FBI.

Hospital Patients Affected

A Beacon Health spokeswoman tells Information Security Media Group that the majority of those affected by the breach were patients of Memorial Hospital of South Bend or Elkhart General Hospital, which combined have more than 1,000 beds. The two facilities merged in 2012 to form the health system. Individuals who became patients of Beacon Health after Jan. 26 were not affected by the breach, she says.


The breach investigation is being conducted by the organization's own forensics team, the spokeswoman says.

Affected individuals are being offered one year of identity and credit monitoring.


The news about similar hacker attacks earlier this year that targeted health insurers Anthem Inc. and Premera Blue Cross prompted Beacon's forensics investigation team to "closely review" the organization's systems after discovering it was the target of a cyber-attack, the Beacon spokeswoman says.


In the wake of the incident, the organization has been bolstering its security, including making employees better aware of "the sophisticated tactics that are used by attackers," she says. That includes instructing employees to change passwords and warning staff to be careful about the websites and email attachments they click on.

The Phishing Threat

Security experts say other healthcare entities are also vulnerable to phishing.


"The important takeaway is that criminals are using fake email messages - phishing - to trick recipients into clicking links taking them to fake websites where they are prompted to provide their computer account information," says Keith Fricke, principle consultant at consulting firm tw-Security. "Consequently, the fake website captures those credentials for intended unauthorized use. Or they are tricked into opening attachments of these fake emails and the attachment infects their computer with a virus that steals their login credentials."

As for having PHI in email, that's something that, while common, is not recommended, Fricke notes. "Generally speaking, most employees of healthcare organizations do not have PHI in email. In fact, many healthcare organizations do not provide an email account to all of their clinical staff; usually managers and directors of clinical departments have email," he says. "However, for those workers that have a company-issued email account, some may choose to send and receive PHI depending on business process and business need."

Recent Hacker Attacks

As of May 28, the Beacon Health incident was not yet posted on the HHS' Office for Civil Rights'"wall of shame" of health data breaches affecting 500 or more individuals.


OCR did not immediately respond to an ISMG request to comment on the recent string of hacker attacks in the healthcare sector.

Other recent hacker attacks, which targeted health insurers, include:


  • An attack on Anthem Inc. , which affected 78.8 million individuals, and is the largest breach listed on OCR's tally.
  • A cyber-assault on Premera Blue Cross announced on March 17, that resulted in a breach affecting 11 million individuals.
  • An "unauthorized intrusion" on a CareFirst BlueCross BlueShield database disclosed on May 20. The Baltimore-based insurer says the attack dated back to June 2014, but wasn't discovered until April 2015. The incident resulted in a breach affecting 1.1 million individuals.


But the recent attack on Beacon Health is yet another important reminder to healthcare provider organizations that it's not just insurers that are targets. Last year, a hacking assault on healthcare provider Community Health System affected 4.5 million individuals.

Smaller hacker attacks have also been disclosed recently by other healthcare providers, includingPartners HealthCare. And a number of other healthcare organizations in recent months have also reported breaches involving phishing attacks. That includes a breach affecting nearly 760 patients at St. Vincent Medical Group.


"Healthcare provider organizations are also big targets - [they have] more complex environments, and so have more vulnerabilities that the hackers can exploit," says security and privacy expert Rebecca Herold, CEO of The Privacy Professor. "Another contributing factor is insufficient funding for security within most healthcare organizations, resulting in insufficient safeguards for PHI in all locations where it can be stored and accessed."

Delayed Detection

A delay in detecting hacker attacks seems to be a common theme in the healthcare sector. Security experts say several factors contribute to the delayed detection.


"Attacks that compromise an organization's network and systems are harder to detect these days for a few reasons," says Fricke, the consultant. "Criminals wait longer periods of time before taking action once they successfully penetrate an organization's security defenses. In addition, the attack trend is to compromise the accounts of legitimate users rather than gaining unauthorized access to a system via a brute force attack."


When criminals access a system with an authorized account, it's more difficult to detect the intrusion, Fricke notes. "Network security devices and computer systems generate huge volumes of audit log events daily. Proactively searching for indicators of compromise in that volume of log information challenges all organizations today."

As organizations step up their security efforts in the wake of other healthcare breaches, it's likely more incidents will be discovered and revealed, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.


"The challenge that many healthcare entities face is that oftentimes, the better they do at information security, the more likely it is they find potential problems. Implementing new information security tools sometimes can detect problems that may be years old," he says. "But the alternative - keeping your head in the sand - can lead to far worst results for patients and the organization."


However, as more of these delayed-detection incidents are discovered, "regulators and plaintiffs may question why any particular security issue was not identified and corrected earlier," he warns.

Accordingly, organizations should consider if there were reasonable issues that led to any delays in identifying or correcting any security lapses and maintain any related documentation supporting the cause of any delays, he suggests.


"Hindsight is 20-20, and it is always easy for regulators to question why more wasn't done sooner, and it could be challenging for the organization if it is asked to justify why it spent resources on other projects," Greene says.

more...
No comment yet.
Scoop.it!

HIPAA guidance for small to mid-size medical practices

HIPAA guidance for small to mid-size medical practices | HIPAA Compliance for Medical Practices | Scoop.it

For small and mid-size medical practices, HIPAA compliance has long been a small problem. After all, it wasn’t very long ago that all but the largest practices could rest relatively easy, knowing their very smallness made them unappealing targets for regulators looking for bigger fish to fry. As long as they didn’t blatantly, repeatedly or intentionally violate HIPAA’s strictures, they rarely rated government action beyond (at most) a warning letter.


Those days are now over. The federal government is cracking down harder on practices that violate HIPAA privacy and security regulations by scheduling more frequent audits and issuing stiffer fines. And practices are being forced to respond with more rigorous compliance plans.


The same federal stimulus law that offered incentives for practices to purchase electronic health records (EHR) systems also beefed up HIPAA’s privacy and security regulations. If your practice hasn’t reviewed and updated your HIPAA policy recently, then now’s the time.


The good news? Most of the time what catches the attention of the Office for Civil Rights (OCR) in the U.S. Department of Health & Human Services are things that should be common sense. Was the OCR trying to send a message by fining an independent Arizona cardiac practice $100,000 for a HIPAA violation in 2012? You bet. But the practice placed sensitive patient information, including names and medical procedures, on an online scheduling system that was accessible by anyone who was adept at guessing passwords.

It’s been 10 years since the April 14, 2003, compliance date for the HIPAA Privacy Rule, so most, if not all, physician practices should know better than to post protected health information (PHI) in a public forum such as Google Docs or Dropbox.


Here are some other common-sense tips for keeping your practice on the right side of the law:


  • Train your staff. HIPAA requires that you have a training program in place regarding the proper handling of PHI. All staff members must know what they are authorized to view, how to manage computer passwords, what they may and may not say in front of patients, and so on. Providing an annual refresher on this type of training is highly recommended. Make sure everyone, including physicians, receives the training. Document it.
  • Establish written protocols for information access. Staff should have access to the portions of patients’ PHI that are necessary to perform their jobs -- and that’s all. This should be perfectly clear and in writing. And your protocols should include examples of the specific types of information that different staff members are authorized to view, based on job function.
  • Use discretion in the reception area. Don’t use public sign-in sheets. Don’t make any mention of the reason for a patient’s appointment until you’re both out of earshot of the waiting room. Make sure computer screens aren’t visible to non-staff members in any public areas of the office.
  • Plan for breaches. What would happen if there were an accidental breach of patient information? Say, someone mistakenly includes patient information in an email attachment, and the attached document includes patient names and Social Security numbers? Or how would you handle an intentional breach? For example, maybe a staffer has some personal grudge against one of your patients (an ex-boyfriend, perhaps) and posts something embarrassing about the patient on Facebook. You should prepare a specific response for scenarios like these because they do happen.
  • Use computer passwords correctly. If you have any centralized computer terminals that get used by more than one staffer, make sure everyone logs out whenever they’re finished. To be safe, set up those computers so a login is required after brief periods of inactivity, say two or three minutes. Even if you don’t have centralized computer stations (and most small practices don’t), you should require your employees to change their own passwords every few months.
  • Hire a consultant to help you comply with HIPAA’s security provisions, which are far more technical than the Privacy Rule. Alas, mere common sense won’t help you determine whether your computer network is properly encrypted. Get help.


The Privacy Rule notwithstanding, HIPAA continues to be mostly a common-sense law. What’s new is that the government is no longer limiting its enforcement actions to hospitals and the biggest practices. But since most private practices should have been following HIPAA plans for at least 10 years now, it’s likely they’ll need to do little more than review, update, and continue to implement their plan.

more...
No comment yet.
Scoop.it!

Cybersecurity in Healthcare – The Human Factor

Cybersecurity in Healthcare – The Human Factor | HIPAA Compliance for Medical Practices | Scoop.it

Following the Anthem breach, and more recent Premera breach, cybersecurity and protecting patient data is top of mind for every organization in the healthcare industry. Every cybersecurity solution out there will tell you they have the latest and greatest technology for detecting the bad guys and keeping them out. The truth is, you can have the best systems in the world, but how your staff interacts with the technology is just as important. For example, if a phishing email makes its way to a staff person’s inbox, all it takes is one employee to activate a malicious file on their desktop and the bad guys have access to your entire network.


Cyber-criminals are advancing right along with technology, so educating your staff is an absolute priority. However, it can sometimes be a challenge to get everyone on the same page. Here are some tips to ensure organizations are in the best position to protect against today’s evolving threat environment:

  • Bring all departments into the fold – Ensuring security isn’t just the realm of the IT department. All groups, on both the clinical and administration sides, need to have a stake in the protection of patient data. An internal security committee made up of representatives from each department can make sure that all groups, including board members and the C-suite, have buy-in. The group should also conduct formal risk assessments and identify any areas at risk for a data breach, then develop plans to educate and communicate protocols throughout the organization.
  • Spread the word on new procedures – To ensure cybersecurity measures are taken seriously across an organization, the message needs to be delivered from the top and repeated often. Organizations must provide employees with training sessions on a regular basis, frequent reminders to speak up about suspicious emails, prompts to change passwords regularly and encrypt communication with protected health information. This way it’s clear that the matter isn’t taken lightly.
  • Learn from recent cyber-criminal activity – Cyber-threats are a new territory for everyone. Use recent breaches and cyber-criminal activity to educate your staff and provide training. Chances are that when the media is covering a breach, people will be interested in learning how to protect themselves both at home and at work.


Unfortunately these cyber-criminals are advanced in their tactics, and there’s no end-all-be-all solution to guarantee they are kept out of your organization. But there are ways to make it harder for them to get in, and it starts with educating your team on security best practices, as well as how to recognize a potential threat.


more...
No comment yet.
Scoop.it!

Most companies take over six months to detect data breaches

Most companies take over six months to detect data breaches | HIPAA Compliance for Medical Practices | Scoop.it

Financial firms take an average of 98 days to detect a data breach and retailers can take up to 197 days, according to new research.

A new cybersecurity report conducted by the Ponemon Institute on behalf of Arbor Networks suggests it is not only cyberattack events which place sensitive data and corporate networks at risk. Instead, the time it takes for businesses to detect a data breach once it occurs gives threat actors plenty of time to conduct surveillance, steal data and spy upon victim companies -- pushing up the cost of cyberattacks.


According to a survey of 844 IT and IT security practitioners in the financial sector across the US and 14 countries within the EMEA region and 675 IT professionals in the same countries within the retail sector, both industries are struggling to cope with today's threat landscape.

Once a data breach occurs, it takes an average of 98 days for financial services companies to detect intrusion on their networks and 197 days in retail. Despite these long periods of time, known as "dwell" time, 58 percent of those surveyed who work in finance -- and 71 percent of those in retail -- said they are "not optimistic" about their firms' ability to improve these results in the coming year.


The research says that on average, 83 percent of financial companies suffer over 50 attacks per month, as do 44 percent of retail firms. The high rate of attacks is not surprising considering the valuable data stored by these industries -- ranging from trade secrets to sensitive customer data. If accessed, this data can be sold on the black market for high prices.


Among financial services firms, 71 percent of respondents view technology that monitor networks and traffic as the "most promising" method of stopping or minimizing advanced persistent threats (APTs). In total, 45 percent of those surveyed said they have implemented incident response procedures, and 43 percent have begun sharing data on APTs -- a facet often ignored in cybersecurity as companies can be unwilling to admit they have suffered a data breach.


Among retail firms, 64 percent said network-based technology is the best way to cope with APTs, 34 percent have implemented incident response procedures and 17 percent have established threat sharing with other companies or government bodies.


"The big takeaway from our research is that more investment is needed in both security operations staff and in security tools, which can help companies efficiently and accurately detect and respond to security incidents," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.


"The time to detect an advanced threat is far too long; attackers are getting in and staying long enough that the damage caused is often irreparable."


more...
No comment yet.
Scoop.it!

Data Breach Costs to Soar to $2.1 Trillion

Data Breach Costs to Soar to $2.1 Trillion | HIPAA Compliance for Medical Practices | Scoop.it

The rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019.

That’s according to Juniper Research, which found in a recent study that breach costs will increase to almost four times the estimated cost of breaches in 2015. And, the average cost of a data breach will exceed $150 million by 2020, as more business infrastructure gets connected.


The research, entitled ‘The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation’, has found that the majority of these breaches will come from existing IT and network infrastructure. While new threats targeting mobile devices and the Internet of Things (IoT) are being reported at an increasing rate, the number of infected devices is minimal in comparison to more traditional computing devices.

The report also highlights the increasing professionalism of cybercrime, with the emergence of cybercrime products (i.e. sale of malware creation software) over the past year, as well as the decline in casual activist hacks. Hacktivism has become more successful and less prolific—in future, Juniper expects fewer attacks overall, but more successful ones.


“Currently, we aren’t seeing much dangerous mobile or IoT malware because it’s not profitable,” noted report author James Moar. “The kind of threats we will see on these devices will be either ransomware, with consumers’ devices locked down until they pay the hackers to use their devices, or as part of botnets, where processing power is harnessed as part of a more lucrative hack. With the absence of a direct payout from IoT hacks, there is little motive for criminals to develop the required tools.”


In terms of geography, nearly 60% of anticipated data breaches worldwide in 2015 will occur in North America, the firm said, but this proportion will decrease over time as other countries become both richer and more digitized.



more...
No comment yet.
Scoop.it!

Cybercrime price tag to reach $2 trillion

Cybercrime price tag to reach $2 trillion | HIPAA Compliance for Medical Practices | Scoop.it

If you haven't gotten serious about data cyberattacks at your organization, now's the time to do so. Because they're about to hit companies worldwide with a $2.1 trillion price tag.


At least that's according to new research published by Juniper Research, which took a closer look at the costs associated with cybercrime and what they'll end up costing companies on a global scale. And the numbers are staggering.


Going digital will increase the cost of data breaches to almost four times the cost estimated for this year, reaching $2.1 trillion (yes, that's trillion with a "t") in 2019. Breaking that down to the average cost of one of the breaches? Corporations can count on paying more than $150 million per breach by 2020.


The report, which focuses on both corporate and financial threats, underscored that the lion's share of these breaches will not come from targeting mobile devices. Rather, cybercriminals are still going after traditional IT and network infrastructure.


"Currently, we aren't seeing much dangerous mobile or IoT malware because it's not profitable," said James Moar, research analyst at Juniper Research and author of the report, in a press statement. "The kind of threats we will see on these devices will be either ransomware, with consumers' devices locked down until they pay the hackers to use their devices, or as part of botnets, where processing power is harnessed as part of a more lucrative hack. With the absence of a direct payout from IoT hacks, there is little motive for criminals to develop the required tools."


Juniper analysts also say some 60 percent of these global cyberattacks will target North American companies. 


more...
No comment yet.