HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Massive data breach could affect every federal agency

China-based hackers are suspected once again of breaking into U.S. government computer networks, and the entire federal workforce could be at risk this time.

The Department of Homeland Security said in a statement that data from the Office of Personnel Management — the human resources department for the federal government — and the Interior Department had been compromised.

"The FBI is conducting an investigation to identify how and why this occurred," the statement Thursday said.

The hackers were believed to be based in China, said Sen. Susan Collins, a Maine Republican.

Collins, a member of the Senate Intelligence Committee, said the breach was "yet another indication of a foreign power probing successfully and focusing on what appears to be data that would identify people with security clearances."

A spokesman for the Chinese Embassy in Washington called such accusations "not responsible and counterproductive."

"Cyberattacks conducted across countries are hard to track and therefore the source of attacks is difficult to identify," spokesman Zhu Haiquan said Thursday night. He added that hacking can "only be addressed by international cooperation based on mutual trust and mutual respect."

A U.S. official, who declined to be named because he was not authorized to publicly discuss the data breach, said it could potentially affect every federal agency. One key question is whether intelligence agency employee information was stolen. Former government employees are affected as well.

The Office of Personnel Management conducts more than 90 percent of federal background investigations, according to its website.

The agency said it is offering credit monitoring and identity theft insurance for 18 months to individuals potentially affected. The National Treasury Employees Union, which represents workers in 31 federal agencies, said it is encouraging members to sign up for the monitoring as soon as possible.

In November, a former DHS contractor disclosed another cyberbreach that compromised the private files of more than 25,000 DHS workers and thousands of other federal employees.

Cybersecurity experts also noted that the OPM was targeted a year ago in a cyberattack that was suspected of originating in China. In that case, authorities reported no personal information was stolen.

Chinese groups have persistently attacked U.S. agencies and companies, including insurers and health-care providers, said Adam Meyers, vice president for intelligence at Irvine, California-based CrowdStrike, which has studied Chinese hacking groups extensively.

The Chinese groups may be looking for information that can be used to approach or compromise people who could provide useful intelligence, Meyers said. "If they know someone has a large financial debt, or a relative with a health condition, or any other avenues that make them susceptible to monetary targeting or coercion, that information would be useful."

One expert said hackers could use information from government personnel files for financial gain. In a recent case disclosed by the IRS, hackers appear to have obtained tax return information by posing as taxpayers, using personal information gleaned from previous commercial breaches, said Rick Holland, an information security analyst at Forrester Research.

"Given what OPM does around security clearances, and the level of detail they acquire when doing these investigations, both on the subjects of the investigations and their contacts and references, it would be a vast amount of information," Holland added.

DHS said its intrusion detection system, known as EINSTEIN, which screens federal Internet traffic to identify potential cyberthreats, identified the hack of OPM's systems and the Interior Department's data center, which is shared by other federal agencies.

It was unclear why the EINSTEIN system didn't detect the breach until after so many records had been copied and removed.

"DHS is continuing to monitor federal networks for any suspicious activity and is working aggressively with the affected agencies to conduct investigative analysis to assess the extent of this alleged intrusion," the statement said.

Cybersecurity expert Morgan Wright of the Center for Digital Government, an advisory institute, said EINSTEIN "certainly appears to be a failure at this point. The government would be better off outsourcing their security to the private sector where there's at least some accountability."

Senate Intelligence Committee Chairman Richard Burr, R-N.C., said the government must overhaul its cybersecurity defenses. "Our response to these attacks can no longer simply be notifying people after their personal information has been stolen," he said. "We must start to prevent these breaches in the first place."

No Company is Immune to a Data Breach - Fri., Dec. 26, 2014

A company’s response to these attacks is critical. Like any crisis, there’s no one-size-fits-all approach, and companies must rely on experienced, trusted advisers to help them weigh a variety of factors and formulate a tailored communications strategy that’s right for them.

Data breaches can take a multitude of forms. Hacking, malware and physical attacks are still the most common; incidents of cyber theft vary, from hackers stealing customer or employee email addresses and passwords to cybercriminals accessing company financials. Unfortunately, attacks can also originate within an organization, whether intentional or not, as in cases of privilege abuse or the use of unapproved hardware, which is often the result of weak internal policies.

While employing the latest in data security technology remains a cornerstone for mitigating the risks associated with cyber-attacks, companies today must go above and beyond to protect themselves and their customers. Cyber criminals continue to outsmart even the most sophisticated security systems, and companies across all industries must arm themselves with contingency communications plans that can be put into play quickly in the event that a cyber-intruder strikes.

With so many variables to consider, it’s imperative that companies retain a tight circle of trusted, impartial advisers with experience handling the most complex cyber-crime situations. This circle may include data breach attorneys, data security consultants and crisis communications professionals. This team should have a framework in place that will enable an informed working group to move swiftly to assess the situation, contain the breach, limit the damage, and determine the most effective way to communicate with a company’s various stakeholders. 

When responding to a breach, a comprehensive communications strategy is of the utmost importance. If communications are mishandled, those blunders can potentially be even more disastrous than the breach itself, and can have a lasting impact on both the public’s perception and the company’s bottom line.

While timeliness of a response is considered a hallmark of a sound crisis communications strategy, in a data breach situation the magnitude and nature of the cyber-attack may not immediately be evident, and a proper investigation may take some time. Accuracy of the information available and timeliness of the communications response can be an extremely delicate balancing act. 

Upon learning of a breach, companies should immediately alert the appropriate authorities, while simultaneously investigating the breach and commencing the scenario planning process with their circle of advisers. 

Key questions that management should ask at this juncture include: “How many people are potentially impacted?” “What type of information is lost?” “Is there evidence of misuse of information?” “Has the unauthorized access been contained?” “Was the information lost by our company or by a third party?”

As facts are determined, companies and their advisers should begin to prepare for various scenarios following the breach. Anticipating key questions from all constituencies, including the media and general public, investors, regulators, and employees, will help drive the drafting of potential disclosures and communications documents that can later be finalized when the facts come to light. The scenario planning process should be fluid, with the key adviser team ready to move forward with a full communications plan in short order and poised to adjust response materials or strategies as needed. As part of the initial scenario planning process, a leak strategy addressing various scenarios should be prepared immediately, as the media may become aware of a breach and reveal it.

Disclosures and communications materials are dependent on many factors, including the impacted company and parties, the scope of the incident, the information stolen, and the industry climate, among numerous others. Disclosures must be as accurate and specific as possible and legally permissible; subsequent corrections are often interpreted as signs that a company is not effectively managing the situation.

A breach could trigger a public filing requirement and may warrant a press release, depending on the magnitude of the breach and the level of impact. 

A company’s corporate website lets it provide real-time updates to its stakeholders regarding the breach and the investigation without issuing multiple press releases.

A social media strategy regarding the incident should be considered. 

Work closely with law enforcement officials and apprise them of any communication plans; legal disclosure requirements vary by state and an ongoing, active investigation may limit how much the company can share about the nature of the breach. 

A notification letter from the company’s management team can assure stakeholders that the incident is being taken seriously and the upper echelons of the company are directly involved in the management of the breach.

Consider setting up a call center via a third party to handle customer inquiries and ensure that call center staff are trained to manage appropriate responses. 

When financial information or other critical pieces of personal information are involved, companies should consider offering impacted customers credit monitoring services.

In today’s digital world, sophisticated and determined cyber criminals are capable of attacking a wide range of data systems and computer networks, and we must increase vigilance in both our professional and personal lives. Cyber-intrusions may have become commonplace, but it is the management of stakeholder communications in the aftermath of these insidious attacks that will shape a company’s reputation for the long term.

Boston Children's Fined for Breach

The Massachusetts attorney general has fined Boston Children's Hospital $40,000 for a 2012 breach involving a stolen unencrypted laptop. The settlement, which includes a detailed corrective action plan, is the second such breach-related enforcement action against a hospital that Attorney General Martha Coakley has announced within the last month.

This latest settlement stems from a civil lawsuit Coakley filed under the Massachusetts Consumer Protection Act and the federal HIPAA law. Some security experts predict that the attorney general's actions, as well as three HIPAA settlements at the federal level this year, are a preview of ramped up privacy and security enforcement activity to come in 2015.

"The steady stream of 2014 announcements surrounding HIPAA enforcement settlements foreshadows a deluge as the [Department of Health and Human Services] proactive audits and state enforcement programs become fully operational," says Brian Evans, senior management consultant at IBM Security Services. HHS' Office for Civil Rights expects to resume random HIPAA compliance audits in 2014 (see: HIPAA Compliance: What's Next?).

The settlement with Children's is related to a breach that resulted when a hospital-issued unencrypted laptop was stolen from a physician while he was at a May 2012 conference in Buenos Aires. Before the laptop was stolen, the physician received an e-mail from a colleague containing the protected health information of 2,159 patients, including names, dates of birth, diagnoses, procedures, and dates of surgery. More than 1,700 of the patients were younger than 18, according to a statement from the attorney general.

"The physician took steps that he thought were adequate to remove the protected health information from the laptop. However, the information from the e-mail remained on the laptop and despite [the hospital's] written policies, encryption software was not installed prior to the incident," Coakley's statement says.

"Healthcare providers must ensure that the privacy and security of sensitive patient information is protected," the statement notes. The settlement "will put in place and enforce important technological and physical security measures at Boston Children's Hospital to help prevent a breach like this from happening again."

Corrective Actions

Under the terms of a consent judgment, the $40,000 sanction includes a $30,000 civil penalty and a payment of $10,000 to a fund administered by the attorney general's office for education programs concerning the protection of patient information.

In addition to the monetary fine, the settlement with Boston Children's Hospital also requires the medical center to take a number of actions to improve its data security. Those measures, which court documents indicate are already being taken by Children's, include:

  • Conducting a review of compliance with federal and state standards relating to the hospital's handling and disclosure of protected health information by means of portable devices;
  • Implementing a program to encrypt all laptops accessing its network;
  • Reviewing and revising existing policies and procedures relating to portable devices to incorporate recommended improvements;
  • Communicating with its workforce regarding encryption and data protection of portable devices;
  • Revising existing training materials, and creating additional materials, on how to ensure the privacy and security of electronic PHI contained on portable devices.

"Boston Children's Hospital makes it a top priority to protect all patient and staff information with sophisticated security tools," a hospital spokeswoman tells Information Security Media Group. Since the 2012 incident that triggered the state's case against the hospital, Boston Children's has implemented a mandatory encryption policy for every computing device used to access hospital systems, whether the device is personally owned or hospital-issued, the spokeswoman says. "Every device that is issued by Boston Children's is encrypted before it is used, and every employee must attest on an annual basis that his or her personal devices are also encrypted."

Meanwhile, in a statement to ISMG, a Massachusetts attorney general spokeswoman says, "Our office is committed to helping educate physicians, staff, and hospital leadership about their legal obligations to protect [patient] data. As hospitals increase their use of data to improve efficiencies and delivery of care, we must ensure that data always remains secure."

Other Massachusetts Cases

The Massachusetts attorney general's case against Children's followed a similar settlement announced in late November with Beth Israel Deaconess Medical Center in Boston. In that case, Coakley fined Beth Israel Deaconess $100,000 as a result of a 2012 breach also involving a stolen unencrypted laptop. Like the Children's settlement, the agreement with Beth Israel Deaconess also requires the medical center to perform a review and audit of security measures, and take corrective measures recommended in the review.

And back in July, the attorney general announced a $150,000 settlement with Women and Infants Hospital of Rhode Island in a 2012 breach involving lost back-up tapes that affected 14,000 patients.

Ramped Up Scrutiny?

Some privacy and security experts say recent enforcement activities by regulators indicate that healthcare entities and their business associates should prepare for intensified HIPAA scrutiny in the upcoming year.

"I predict that HIPAA enforcement will cause more healthcare organizations to experience investigations and fines [in 2015] than in any previous year," Evans says. "Looking back, 2014 will be known as the year when healthcare organizations took notice and realized the impact of being complacent regarding HIPAA Security compliance because it was a pivotal year for enforcement."

Earlier this month, as part of a HIPAA settlement, OCR slapped a $150,000 sanction on Anchorage Community Mental Health Services for failure to apply software patches. The failure to apply the patches contributed to a 2012 malware-related breach affecting more than 2,700 individuals, says OCR.

In addition to that settlement, OCR announced a record $4.8 million settlement in May with New York-Presbyterian Hospital and Columbia University. That case involved a breach of unsecured patient data on a network, affecting about 6,800 patients.

OCR also reached an $800,000 settlement with Parkview Health System, a not-for-profit organization serving northeast Indiana and northwest Ohio, stemming from an incident in June 2009 involving the dumping of paper medical records of 5,000 to 8,000 patients.

The recent Anchorage resolution agreement "could signal that OCR is regaining its footing after the transition to a new leadership team and will be moving ahead more aggressively to reach settlement agreements in cases where the agency finds serious violations of the privacy and security rules," says David Holtzman, vice president of compliance at the consulting firm CynergisTek.

State Scrutiny

Some observers also predict that other state attorneys general could ramp up their civil suits tied to health data breaches, following Massachusetts' lead.

"In 2009, the HITECH Act provided state attorneys general with authority to bring civil actions under HIPAA, and Massachusetts has now brought five out of the eight attorneys general actions that have followed," says privacy attorney Adam Greene of law firm Davis Wright Tremaine. The other AGs that have brought such state action are in Connecticut, Vermont, and Minnesota.

For 2015, Greene also says he expects to see OCR hit more organizations with penalties as part of HIPAA settlements after breaches. "There have been statements suggesting that OCR has a number of record-setting settlements in its pipeline, but we haven't seen those published yet. OCR likely will continue to resolve the vast majority of investigations through voluntary corrective action and closure, but we may see another five to 10 headline-grabbing settlements, possibly with record amounts."

China suspected in huge data breach : News

China responded Friday to allegations it was involved in a hacking attack on U.S. government computers by saying such claims are unproven and irresponsible, and that it wishes the United States would trust it more.

The administration of President Barack Obama has increasingly pressed China on the issue of cyberhacking, and on Thursday U.S. officials said China-based hackers are suspected of breaking into the computer networks of the U.S. government personnel office and stealing identifying information of at least 4 million federal workers. U.S. Sen. Susan Collins said the attack amounted to a foreign power seeking information on U.S. employees who have security clearances for access to sensitive information.

Beijing generally does not explicitly deny specific hacking accusations, but seeks to dismiss them as unproven and irresponsible, while invariably noting that China is itself the target of hacking attacks and calling for greater international cooperation in combating hacking.

Chinese Foreign Ministry spokesman Hong Lei said at a regular news briefing Friday that Beijing hopes the U.S. would be "less suspicious and stop making any unverified allegations, but show more trust and participate more in cooperation."

"We know that hacker attacks are conducted anonymously, across nations, and that it is hard to track the source," Hong said. "It's irresponsible and unscientific to make conjectural, trumped-up allegations without deep investigation."

Cybersecurity analysts who study hacking attacks believed to originate in China have cited evidence suggesting they are state-sponsored rather than independent actions, including that they seem to be highly organized teams that focus on the same kinds of targets, sometimes for years, and tend to work regular hours excluding weekends.

The Virginia-based cybersecurity organization Mandiant concluded in a report in early 2013 that a massive hacking campaign on U.S. business could be traced to an office building in Shanghai run by the Chinese military.

China's military is believed to have made cyber warfare capabilities a priority more than a decade ago. One of the few public announcements of the capabilities came in a May 25, 2011, news conference by Defense Ministry spokesman Geng Yansheng, in which he spoke of developing China's "online" army.

Old fashioned data breach: Independence Blue Cross paper records tossed in trash

Independence Blue Cross on Friday disclosed a data breach affecting 12,500 of its more than 2.5 million members.

Unlike most high-profile cases of personal data loss, such as the one at Target stores last year affecting 70 million people, the IBC case did not involve computers.

The incident happened in October, when maintenance workers threw out four boxes of member records that were supposed to be moved from one floor to another at IBC's offices, the company said Friday in a legal notice.

The improperly discarded reports contained the names, addresses, member identification numbers, health care plans, and group numbers for members in Southeastern Pennsylvania and in New Jersey, where IBC operates AmeriHealth New Jersey.

IBC, which is based in Center City, said it had received no reports that the information was misused. As a precaution, however, IBC is offering one year of free credit monitoring to 8,800 members whose Social Security numbers were included in the reports, spokeswoman Liz Williams said in a statement. "To reduce the risk of another such incident, we no longer allow our maintenance team to dispose of full boxes in the trash," Williams said.

IBC's data loss followed July's theft of an unencrypted computer containing personal information on 3,780 patients from Temple University Health System during a break-in.

Employee health information compromised in Sony Pictures hack

A recent cyberattack on Sony Pictures has sent not only personal emails and employee salary information out across the Web, but sensitive health information as well.

Documents obtained by the hackers include health information on dozens of employees, their children or spouses, according to a report from Bloomberg.

Some of the information leaked includes a memo with treatment and diagnosis details about an employee's child with special needs, as well as a spreadsheet from a human resources folder containing birth dates, health conditions and medical costs for more than 30 Sony employees, according to the report.

This is just the latest in a string of attacks compromising patients' health information, including a hack that impacted more than 4.5 million patients at Community Health Systems.

The release of this kind of information may be some of the most damaging, Deborah Peel, director of Patient Privacy Rights, tells Bloomberg.

Hackers who go by Guardians of Peace, according to the report, have been releasing documents onto the Internet since late November. Sony's internal probe currently links the attack to hackers known as DarkSeoul.

Security experts predict increased cyberattacks on healthcare organizations in 2015 and foresee phishing and ransomware posing particular challenges, according to John Moore, founder and managing partner at Chilmark Research.

In addition, healthcare information is becoming a vulnerable and attractive target for cybercriminals, according to Experian's 2015 Data Breach Industry Forecast.
