HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Will 2016 be Another Year of Healthcare Breaches?


As I listened to a healthcare data security webinar from a leading security vendor, I had to ask: “Are we now experiencing a ‘New Normal’ of complacency with healthcare breaches?” The speaker’s reply: “The only time we hear from healthcare stakeholders is AFTER they have been compromised.”


This did not surprise me. I have seen this trend across the board throughout the healthcare industry. The growing number of cyberattacks and breaches is further evidence there is a ‘New Normal’ of security acceptance — a culture of ‘it-is-what-it-is.’ After eye-popping headlines reveal household names were compromised, one would think security controls would be at the forefront of every healthcare action list. Why then are we seeing more reports on healthcare breaches, year after year?


The reason is that, given a lack of enforcement, penalties that organizations find acceptable, and a culture of risk mitigation, more breaches are to be expected in the healthcare industry. Until stricter enforcement and penalties are implemented, breaches will continue throughout the industry.


The Office of Civil Rights (OCR), the agency overseeing HIPAA for Health and Human Services, originally scheduled security audits for HIPAA to begin in October 2014. Unfortunately, very few audits have occurred due to the agency being woefully understaffed for their mandate covering the healthcare industry, which accounts for more than 17 percent of the U.S. economy.


Why Sweat a Breach?

Last September, newly appointed OCR deputy director of health information privacy, Deven McGraw, announced the launch of random HIPAA audits. In 2016, it is expected 200 to 300 covered entities will experience a HIPAA audit, with at least 24 on-site audits anticipated. However, this anticipated figure accounts for less than one percent of all covered entities — not much of an incentive for a CIO/CISO to request additional resources dedicated to cybersecurity.


Organizations within the industry are approaching cybersecurity from a cost/benefit perspective, rather than considering how a breach potentially affects individual patients. For payers who have been compromised, where will their larger customers go anyway? Is it really worth a customer’s effort to lift-and-shift 30,000, 60,000 or 100,000 employee health plans to another payer in the state? This issue is similar to the financial services industry’s protocol when an individual’s credit card has been compromised and then replaced, or when individuals want to close down a bank account due to poor service: Does anyone really want to go through the frustration of dealing with an unknown company?


For some of the more well-known breaches, class-action lawsuits can take years to adjudicate. By then, an individual’s protected health information (PHI) and personally identifiable information (PII) has already been shared on the cybercriminal underground market. In the meantime, customers receive their free two years’ worth of personal security monitoring and protection. Problem solved. Right?


The Cost of Doing Business?

When violations occur, the penalties can sting, but they are just considered part of the cost of doing business. In March 2012, Triple-S of Puerto Rico and the U.S. Virgin Islands, an independent licensee of the Blue Cross Blue Shield Association, agreed to a $3.5 million HIPAA settlement with HHS. In 2012, Blue Cross Blue Shield of Tennessee paid a $1.5 million fine, only to have another HIPAA violation in January 2015.

As of December 2015, the total number of data breaches for the year was 690, exposing 120 million records. However, organizations are unlikely to be penalized unless they fail to prove they have steps in place to prevent attacks. If an organization does not have a plan to respond to a lost or stolen laptop, OCR will possibly discover grounds for fines, but this can be a difficult process. Essentially, whether a fine follows a cyberattack or breach depends on the circumstances.


A more recent $750,000 fine with Cancer Care Group was settled in September 2015, but the incident occurred in August 2012 — nearly three years earlier. A 2010 breach reported by New York-Presbyterian Hospital and Columbia University wasn’t settled until 2014, for $4.8 million. Lahey Hospital and Medical Center’s 2011 violation was only settled in November 2015, for $850,000. With settlements taking place several years after an event, settling may appear to be a legitimate risk assessment, further reinforcing the ‘New Normal’ of cybersecurity acceptance.


At one HIMSS conference, the speaker emphasized to a Florida hospital the need to enforce security controls. They replied with, “If we had to put in place the expected security controls, we would be out of business.”


Simply put: The risks of a breach and a related fine do not outweigh the perceived costs of enhancing security controls. For now, cybersecurity professionals may want to keep their cell phones next to the nightstand.

Guillaume Ivaldi's curator insight, April 2, 2016 10:18 AM
Simply amazing: cost of providing a decent security is clearly not aligned with the business outcomes, and therefore it is economically better to endure the fine than being fully compliant to the regulation ...
Elisa's curator insight, April 2, 2016 5:47 PM
Simply amazing: cost of providing a decent security is clearly not aligned with the business outcomes, and therefore it is economically better to endure the fine than being fully compliant to the regulation ...

Did Doctor Violate HIPAA for Political Campaign?


Federal regulators are reportedly investigating whether a physician in Richmond, Va., violated HIPAA privacy regulations by using patient information to help her campaign for the state senate.

The Philadelphia office of the Department of Health and Human Services' Office for Civil Rights is investigating potential HIPAA violations by Siobhan Dunnavant, M.D., a Republican state senate candidate, after a complaint alleged the obstetrician-gynecologist used her patients' protected health information - including names and addresses - to solicit contributions, volunteers and votes, according to an NBC news report.

Conservative blogger Thomas White tells Information Security Media Group that he reported to HHS earlier this year that letters and emails about Dunnavant's candidacy were sent to her patients prior to the June primary race in the state's 12th district, which includes western Hanover County. White says he notified HHS after receiving a copy of a letter from a Dunnavant patient who was annoyed at receiving the campaign-related communications from her doctor.

"I would love for you to be involved," Dunnavant wrote to patients, also reassuring them that their care would not be impacted if she's elected, according to a copy of a campaign letter posted on the NBC website. "You can connect and get information on my website. There you can sign up to get information, a bumper sticker or yard sign and volunteer," the posted letter states. Other campaign-related material included emails sent to patients that were signed by "Friends of Siobhan Dunnavant," NBC reports and White confirmed, citing reports from patients.

The physician is one of three candidates seeking the state senate seat in the Nov. 3 election.

Patient Confidentiality

A spokeswoman for Dunnavant's medical practice declined to confirm to Information Security Media Group whether OCR is investigating Dunnavant for alleged HIPAA privacy violations. However, in a statement, the spokeswoman said, "We are aware of concerns regarding patient communication, and we are reviewing the issue with the highest rigor and diligence. Please be assured we hold confidentiality of patient information of paramount importance, and thank patients for entrusting us with their care."

A spokeswoman in OCR's Washington headquarters also declined to comment on the situation. "As a matter of policy, the Office for Civil Rights does not release information about current or potential investigations, nor can we opine on this case," she says.

White, editor of varight.com, says he first received a copy of one of Dunnavant's campaign letters in May, and that he was the first to report on the issues raised by the letters. He tells ISMG he filed a complaint with the federal government after he confirmed that the use of patient information for campaign purposes was a potential violation of privacy laws.

Nearly four months later, an investigator in OCR's regional office in Philadelphia, which is responsible for Virginia, on Sept. 29 responded to White's complaint, indicating the doctor's actions would be examined. White says he also confirmed again in a call to OCR on Oct. 28 that the case is still under investigation.

"You allege that Dr. Dunnavant impermissibly used the protected health information of her patients. We have carefully reviewed your allegation and are initiating an investigation to determine if there has been a failure to comply with the requirements of the applicable regulation," OCR wrote to White, according to a copy of the OCR letter that appears on White's website.

HIPAA Regulations

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says Dunnavant's alleged use of patient information raises several HIPAA compliance concerns.

"HHS interprets HIPAA to cover demographic information held by a HIPAA-covered healthcare provider if it is in a context that indicates that the individuals are patients of the provider," he notes. "Healthcare providers must be careful when using patient contact information to mail anything to the patient - even if no specific diagnostic or payment information is used. If a patient's address is used to send marketing communications or other communications unrelated to treatment, payment, or healthcare operations without the patient's authorization, then this may be an impermissible use of protected health information under HIPAA."

If patient contact information is shared with someone else, such as a political campaign, that also could be a HIPAA violation, Greene adds. "The same information that can be found in a phone book - to the extent anyone uses phone books - may be restricted in the hands of healthcare providers."

Privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, notes that the HIPAA Privacy Rule has "a blanket prohibition" on a HIPAA covered entity disclosing the protected health information of their patients without first seeking authorization of the individual - except where specifically permitted or required by the rule.

"There is no provision in the privacy rule where a healthcare provider who is a HIPAA covered entity can disclose patient information to a political campaign," he points out.

Because of those restrictions, federal regulators will carefully scrutinize the case, Holtzman predicts. "It is likely that OCR will look closely at the doctor's correspondence for its communication about her candidacy for political office, how to contact the campaign or obtain campaign products as well as the statement that the letter was paid for and authorized by the campaign organization."

An OCR investigation into the alleged violations of the HIPAA Privacy Rule could result in HHS imposing a civil monetary penalty, Holtzman notes. "There are criminal penalties under the HIPAA statute for 'knowingly obtaining or disclosing identifiable health information in violation of the HIPAA statute,'" he adds.

Potential Penalties

Offenses committed with the intent to view, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm are punishable by a fine of up to $250,000 and imprisonment for up to 10 years, Holtzman notes.

"The Department of Justice is responsible for investigating and prosecuting criminal violations of the HIPAA statute," he says. "And changes in the HITECH Act clarified that a covered entity can face both civil penalties for violations of the privacy rule and criminal prosecution for the same incident involving the prohibited disclosure of patient health information."

The U.S. Department of Justice did not respond to ISMG's request for comment on whether it's planning to investigate the Dunnavant case.


Hospital Slammed With $218,000 HIPAA Fine


Federal regulators have slapped a Boston area hospital with a $218,000 HIPAA penalty after an investigation following two security incidents. One involved staff members using an Internet site to share documents containing patient data without first assessing risks. The other involved the theft of a worker's personally owned unencrypted laptop and storage device.

The Department of Health and Human Services' Office for Civil Rights says it has entered a resolution agreement with St. Elizabeth's Medical Center that also includes a "robust" corrective action plan to correct deficiencies in the hospital's HIPAA compliance program.

The Brighton, Mass.-based medical center is part of Steward Health Care System.

Privacy and security experts say the OCR settlement offers a number of valuable lessons, including the importance of the workforce knowing how to report security issues internally, as well as the need to have strong policies and procedures for safeguarding PHI in the cloud.

Complaint Filed

On Nov. 16, 2012, OCR received a complaint alleging noncompliance with HIPAA by medical center workforce members. "Specifically, the complaint alleged that workforce members used an Internet-based document sharing application to store documents containing electronic protected health information of at least 498 individuals without having analyzed the risks associated with such a practice," the OCR statement says.

OCR's subsequent investigation determined that the medical center "failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome."

"Organizations must pay particular attention to HIPAA's requirements when using internet-based document sharing applications," says Jocelyn Samuels, OCR director, in the statement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."

Separately, on Aug. 25, 2014, St. Elizabeth's Medical Center submitted notification to OCR regarding a breach involving unencrypted ePHI stored on a former hospital workforce member's personal laptop and USB flash drive, affecting 595 individuals. The OCR "wall of shame" website of health data breaches impacting 500 or more individuals says the incident involved a theft.

Corrective Action Plan

In addition to the financial penalty - which OCR says takes into consideration the circumstances of the complaint and breach, the size of the entity, and the type of PHI disclosed - the agreement includes a corrective action plan "to cure gaps in the organization's HIPAA compliance program raised by both the complaint and the breach."

The plan calls for the medical center to:

  • Conduct a "self-assessment" of workforce members' familiarity and compliance with the hospital's policies and procedures that address issues including transmission and storage of ePHI;
  • Review and revise policies and procedures related to ePHI; and
  • Revise workforce training related to HIPAA and protection of PHI.

Lessons Learned

Other healthcare organizations and their business associates need to heed some lessons from OCR's latest HIPAA enforcement action, two compliance experts say.

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes: "The settlement indicates that OCR first learned of alleged noncompliance through complaints by the covered entity's workforce members. Entities should consider whether their employees know how to report HIPAA issues internally to the privacy and security officers and ensure that any concerns are adequately addressed. Otherwise, the employees' next stop may be complaining to the government."

The settlement also highlights the importance of having a cloud computing strategy, Greene points out. That strategy, he says, should include "policies, training and potential technical safeguards to keep PHI off of unauthorized online file-sharing services."

The enforcement action spotlights the continuing challenge of preventing unencrypted PHI from ending up on personal devices, where it may become the subject of a breach, he notes.

The case also sheds light on how OCR evaluates compliance issues, he says. "The settlement highlights that OCR will look at multiple HIPAA incidents together, as it is not clear that OCR would have entered into a settlement agreement if there had only been the incident involving online file sharing software, but took action after an unrelated second incident involving PHI ending up on personal devices."

Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says the settlement "serves as an important reminder that a covered entity or a business associate must make sure that the organization's risk assessment takes into account any relationship where PHI has been disclosed to a contractor or vendor so as to ensure that appropriate safeguards to protect the data are in place."

The alleged violations involving the document sharing vendor, he says, "involve failure to have a BA agreement in place prior to disclosing PHI to the vendor, as well as failing to have appropriate security management processes in place to evaluate when a BA agreement is needed when bringing on a new contractor that will handle PHI."

St. Elizabeth's Medical Center did not immediately respond to an Information Security Media Group request for comment.

Previous Settlements

The settlement with the Boston-area medical center is the second HIPAA resolution agreement signed by OCR so far this year. In April, the agency OK'd an agreement with Cornell Prescription Pharmacy for an incident related to unsecure disposal of paper records containing PHI. In that agreement, Cornell was fined $125,000 and also adopted a corrective action plan to correct deficiencies in its HIPAA compliance program.

The settlement with St. Elizabeth is OCR's 25th HIPAA enforcement action involving a financial penalty and/or resolution agreement that OCR has taken since 2008.

But privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights, says OCR isn't doing enough to crack down on organizations involved in HIPAA privacy breaches.

"Assessing penalties that low - St. Elizabeth will pay $218,400 - guarantees that virtually no organizations will fix their destructive practices," she says. "Industry views low fines as simply a cost of doing business. They'll take their chances and see if they're caught."

The largest HIPAA financial penalty to date issued by OCR was a $4.8 million settlement with New York-Presbyterian Hospital and Columbia University for incidents tied to the same 2010 breach that affected about 6,800 patients. The incidents involved unsecured patient data on a network.


Premera Blue Cross Data Breach Results in Several Lawsuits, Class Actions


Premera is the third largest health insurer in Washington State, and was hit with a cyber attack initiated on May 5 of last year. The Premera attack exposed the personal information of as many as 11 million current and former clients of Premera across the US. While Premera noted on January 29 of this year - the day the data breach was discovered - that, according to the best available information, none of the personal data had been used surreptitiously, the fact remains that the data mined by cyber attackers is exactly the kind of information useful for perpetrating identity theft.

To that end, it has been reported that the cyber attackers targeted sensitive personal information such as names, dates of birth, Social Security numbers, mailing addresses, e-mail addresses, phone numbers, member identification numbers, bank account information, and claims and clinical information.

As for why the attack was not discovered for some eight months, Premera has said little. However, the breadth of the attack - affecting some 11 million people - and the delay in discovering the breach (initiated May 5, 2014 and revealed January 29, 2015) will likely provide much fodder for Premera cyber attack lawsuits.

According to the Puget Sound Business Journal, the New York Times had suggested the Premera cyber attack may have been perpetrated by the same China-based hackers who are suspected of breaching the federal Office of Personnel Management (OPM) last month. However, the VP for communications at Premera, Eric Earling, notes there is no certainty the attack originated in China.

“We don’t have definitive evidence on the source of the attack and have not commented on that,” he said. “It continues to be under investigation by the FBI [Federal Bureau of Investigation] and we would leave the speculation to others.”

That said, it has been reported that the US government has traced all of these attacks to China.

Recent data breach attacks, including the Vivacity data breach and Connexion data breach, are reflective of a shift in targets, according to cyber attack experts. The attacks to the data systems of the federal OPM notwithstanding, it seems apparent that hackers are increasingly shifting their targets to health insurers in part due to the breadth of information available from the health records of clients.

The goal of cyber attackers in recent months, according to claims appearing in the New York Times, is to amass a huge trove of data on Americans.

Given such a headline as “Premera Blue Cross Reports Data Breach of 11 Million Accounts,” it appears they have a good start. While it might be a “win” for the hackers involved acquiring such data surreptitiously and illegally, it remains a huge loss in both privacy and peace of mind for millions of Americans who entrust their personal information to insurance providers, who, in turn, require such information in order to provide service. Consumers and clients also have historically assumed that such providers have taken steps to ensure their personal information is secure.

When it isn’t - and it takes eight months for a cyber attack to be identified - consumers have little recourse other than to launch a Premera cyber attack lawsuit in order to achieve compensation for the breach, and as a hedge against the ample frustration down the road were the breach to evolve into full-blown identity theft.

To that end, five class-action data breach lawsuits have been filed in US District Court for the District of Seattle. According to reports, two of the five lawsuits allege that Premera was warned in an April 2014 draft audit by the OPM that its IT systems “were vulnerable to attack because of inadequate severity precautions,” according to the text of the lawsuits.

Tennielle Cossey et al. vs. Premera asserts that the audit in question, “identified… vulnerabilities related to Premera’s failure to implement critical security patches and software updates, and warned that ‘failure to promptly install important updates increases the risk that vulnerabilities will not be.’

“If the [OPM] audit were not enough, the events of 2014 alone should have placed Premera on notice of the need to improve its cyber security systems.”

Moving forward, Premera Blue Cross data breach lawsuits are being consolidated into multidistrict litigation, given the number of Americans affected and their various locations across the country. An initial case management conference has been scheduled for August 7.


Data breach costs on the rise, according to annual Ponemon Institute study


Given the number and severity of publicized data breaches over the past year, it should come as little surprise that the average cost of a data breach is on the rise. According to the “2015 Cost of Data Breach Study: Global Analysis,” which was conducted by the Ponemon Institute and sponsored by IBM, the average cost of a data breach increased from $3.52 million in last year’s study to $3.79 million in this year’s edition.

While the year-over-year jump may seem small, the rise actually represents a 23 percent increase in the total cost of a data breach since 2013. The research, which included responses from personnel at 350 companies spanning 11 different countries, also found that lost business as the result of a data breach potentially has the most severe financial consequences for organizations, as these costs increased from an average of $1.33 million last year to $1.57 million in 2015. Lost business costs include abnormal turnover of customers, increased customer acquisition activities, reputation losses, and diminished goodwill.

Diana Kelley, executive security advisor for IBM Security, said one thing that really stood out to her was the root causes of data breaches examined in the study, the majority of which (47 percent) were found to be the result of malicious or criminal attacks. The study found that the average cost per record to resolve such an attack is $170, compared to system glitches, which cost $142 per record to resolve, and human error or negligence, which cost $134 per record to correct.

“That indicates something that we’ve seen in other studies that this is organized criminal activity for data breaches,” she said. “We’re moving past the random, somebody left their laptop in a car, and we’re really looking at very targeted attacks from organized criminals.”

Kevin Beaver, an IT security consultant with Atlanta-based Principle Logic LLC, said that data breaches continue to persist on such a massive scale because many companies mistakenly believe they can just buy a piece of security technology that will take care of all of their problems.

“It doesn't work that way,” he said. “Even if you have the very best of security controls you still have to have ongoing oversight and vulnerability testing because things are going to fall through the cracks.”

Another common issue, according to Beaver, is that companies simply place too much trust in employees and vendors.

“It's always best to err on the side of caution and put the proper controls in place so everyone, and especially the business, are set up for success. Another big issue I see is all the organizations, especially in the healthcare industry, that believe their high-level audits and policies are sufficient for minimizing their risks. It's not. Unless and until you test for - and resolve - the growing amount of security vulnerabilities on your network, you're a sitting duck waiting to be made to look bad,” said Beaver. “This is especially true of social engineering (i.e. phishing) testing. It's unbelievable how many people are still gullible and give up their network credentials or other sensitive info without question.”

Although data breaches that involve the theft of credit or debit card numbers seem to carry a greater amount of weight with the media and public in general, Kelley said the data shows that things such as protected health information (PHI) and other personal data are more coveted by hackers as they have a longer lifespan for resale. Kelley advises companies to identify what their “crown jewels” are from a data perspective and to conduct threat assessments and risk modeling around protecting those assets.

“I think organizations need to look at the big picture. We do see evidence of more sophisticated criminal, organized attacks. On the other hand, we can’t forget all of the good security hygiene and just try and focus on what’s the next big scary attack,” said Kelley. “We have to do a very robust, layered set of security throughout our organization to include security awareness and training and monitoring. You’re looking for anywhere in that stack where there could be an exposure or there could be a vulnerability. Companies need to not just think about the big attack, but really think about a robust security model because that is going to help prevent the smaller attacks, as well as the larger attacks.”

Perhaps one of the study’s silver linings is that the involvement of a company’s board-level managers was found to help reduce costs associated with data breaches by $5.5 per record. Insurance protection was also found to reduce cost by $4.4 per record. Despite the increased awareness and involvement by senior leadership, Kelley said companies cannot completely protect against the threats posed by hackers.

“It’s important to remember that awareness and ability to stop something aren’t necessarily always aligned. If we look in the real world, we’re all very aware and highly concerned about something like cancer, but preventing it is very, very difficult,” said Kelley. “We can have the C-suite be very aware of security, but still some companies are at different levels of maturity. Attackers, they are, again, organized and sophisticated, so the level of prevention and controls you need in place to stop the attacks is very high. The fact that we still have attacks going on doesn’t mean companies aren’t putting security controls into place.”

However, Beaver adds that while some executives may say and do all of the right things in public when it comes to their data protection efforts, the reality is some of them are just paying lip service to the issue.

“It's all about policies and related security theater to appease those not savvy enough - or politically powerful enough - to look deeper or question things further,” said Beaver.

Conversely, Beaver said that there are a lot of companies who are taking the right approach to cybersecurity, which involves recognition by senior management of the seriousness of the issue.

“I see many organizations doing security well,” he added. “The key characteristics of well-run security are: executive acknowledgement of the challenges, ongoing financial and political support for IT and security teams, periodic and consistent security testing, and the willingness to make changes where changes need to be made - even if it's not politically favorable.”

Another bright spot in the study was that it found a correlation between organizational preparedness and reduced financial impact of a data breach. Companies that employed some level of business continuity management (BCM) within their organization were able to reduce their costs by an average of $7.1 per compromised record.

“Companies that brought in an incident response team or had an incident response program in place were able to save $12.60 per record,” added Kelley. “The biggest takeaway is to get some kind of plan in place. Have business continuity, have an incident response plan in place and be continually detecting and monitoring activity on the network so that if a breach is occurring, you can either see the very beginning of it or you can see one in process and respond as quickly as possible to reduce the impact to the business.”

Massive data breach could affect every federal agency

China-based hackers are suspected once again of breaking into U.S. government computer networks, and the entire federal workforce could be at risk this time.

The Department of Homeland Security said in a statement that data from the Office of Personnel Management — the human resources department for the federal government — and the Interior Department had been compromised.

"The FBI is conducting an investigation to identify how and why this occurred," the statement Thursday said.

The hackers were believed to be based in China, said Sen. Susan Collins, a Maine Republican.

Collins, a member of the Senate Intelligence Committee, said the breach was "yet another indication of a foreign power probing successfully and focusing on what appears to be data that would identify people with security clearances."

A spokesman for the Chinese Embassy in Washington called such accusations "not responsible and counterproductive."

"Cyberattacks conducted across countries are hard to track and therefore the source of attacks is difficult to identify," spokesman Zhu Haiquan said Thursday night. He added that hacking can "only be addressed by international cooperation based on mutual trust and mutual respect."

A U.S. official, who declined to be named because he was not authorized to publicly discuss the data breach, said it could potentially affect every federal agency. One key question is whether intelligence agency employee information was stolen. Former government employees are affected as well.

The Office of Personnel Management conducts more than 90 percent of federal background investigations, according to its website.

The agency said it is offering credit monitoring and identity theft insurance for 18 months to individuals potentially affected. The National Treasury Employees Union, which represents workers in 31 federal agencies, said it is encouraging members to sign up for the monitoring as soon as possible.

In November, a former DHS contractor disclosed another cyberbreach that compromised the private files of more than 25,000 DHS workers and thousands of other federal employees.

Cybersecurity experts also noted that the OPM was targeted a year ago in a cyberattack that was suspected of originating in China. In that case, authorities reported no personal information was stolen.

Chinese groups have persistently attacked U.S. agencies and companies, including insurers and health-care providers, said Adam Meyers, vice president for intelligence at Irvine, California-based CrowdStrike, which has studied Chinese hacking groups extensively.

The Chinese groups may be looking for information that can be used to approach or compromise people who could provide useful intelligence, Meyers said. "If they know someone has a large financial debt, or a relative with a health condition, or any other avenues that make them susceptible to monetary targeting or coercion, that information would be useful."

One expert said hackers could use information from government personnel files for financial gain. In a recent case disclosed by the IRS, hackers appear to have obtained tax return information by posing as taxpayers, using personal information gleaned from previous commercial breaches, said Rick Holland, an information security analyst at Forrester Research.

"Given what OPM does around security clearances, and the level of detail they acquire when doing these investigations, both on the subjects of the investigations and their contacts and references, it would be a vast amount of information," Holland added.

DHS said its intrusion detection system, known as EINSTEIN, which screens federal Internet traffic to identify potential cyberthreats, identified the hack of OPM's systems and the Interior Department's data center, which is shared by other federal agencies.

It was unclear why the EINSTEIN system didn't detect the breach until after so many records had been copied and removed.

"DHS is continuing to monitor federal networks for any suspicious activity and is working aggressively with the affected agencies to conduct investigative analysis to assess the extent of this alleged intrusion," the statement said.

Cybersecurity expert Morgan Wright of the Center for Digital Government, an advisory institute, said EINSTEIN "certainly appears to be a failure at this point. The government would be better off outsourcing their security to the private sector where there's at least some accountability."

Senate Intelligence Committee Chairman Richard Burr, R-N.C., said the government must overhaul its cybersecurity defenses. "Our response to these attacks can no longer simply be notifying people after their personal information has been stolen," he said. "We must start to prevent these breaches in the first place."

Doctors Going the Distance (In Education)

We need more doctors.

Between older care providers retiring, and the general population shift that is the aging of the Baby Boomers, we are running into a massive demographic of more, older patients, living longer and managing more chronic conditions. This puts incredible pressure not just on the remaining doctors and nurses to make up the gap, but strains the capacity of schools to recruit, train, and produce competent medical professionals.

So how can schools do more to reach students and empower them to enter the healthcare field?

The increasing popularity of online programs (particularly at the Masters level, among working professionals looking for a boost to their career advancement) has called forth a litany of studies and commentaries questioning everything from their technology to their academics, compared to traditional, on-campus programs. More productive would be questioning the structure and measuring the outcomes of degree programs in general, rather than judging the value of a new delivery mechanism against an alternative more rooted in tradition than science.

In terms of sheer practicality, though, a distance education—yes, even for doctors and surgeons—makes a certain amount of sense. One of the hottest topics in the medical community right now is Electronic Health Records (EHRs) and the ongoing struggle to fully implement and realize the utility of such technology.

Rolling out in October 2015 is the sidecar to the EHR vehicle: ICD-10, the international medical coding standard that the U.S. has long postponed adopting. While the digital nature of modern records platforms at least makes ICD-10 viable, it still represents a steep learning curve for current care providers.

Then there is the intriguing promise of pharmacogenetics, whereby medication is developed, tested, and prescribed, all on the basis of a patient’s individual genetic profile. Combined with an EHR and a personal genetic profile, a patient could be observed, screened, diagnosed, referred to a pharmacist, and able to order and receive a prescription, all without leaving home. Taking into consideration the growing need for medication therapy management—driven by the Baby Boomers living longer with more conditions under care—the value of such a high-tech system is clear.

This draws on what is perhaps the most lucrative (in terms of health outcomes and large-scale care delivery) set of possibilities enabled by the shift to digital: telemedicine. From consultations to check-ups, telehealth in the digital age no longer necessitates sacrificing face-to-face interaction; streaming video chat means patients and doctors can still look one another in the eye, albeit through the aid of cameras.

Proponents of the technology take it further, declaring that world-class surgeons will no longer be anchored to a single facility: human-guided robotic surgery (telesurgery) will bring expertise to even the most remote locations.

If industry leaders anticipate so much being done remotely, why then are others squeamish about delivering an education online? It would seem that the medical skillset of the future requires greater comfort and competence in dealing with virtual settings, online interaction, and digital record-keeping.

The problem many have is not with online med school in particular so much as online degree programs in general. How can a virtual setting possibly hope to compete with the unique, collaborative, community-oriented environment of the college campus—whatever the area of study?

Forward-thinking professors like Sharon Stoerger at Rutgers have pioneered at least one possible answer to this question. Adopting the online immersive social platform known as Second Life, Stoerger and her like-minded peers have constructed virtual classrooms with accompanying courses, and successfully guided several cohorts (of students as well as instructors) through the experience.

For the aspects of learning that simply require hands-on practice, of course, there are limits to the promise of such virtual environments. Then again, synthetic patient models, known as Human Patient Simulators (HPS), are already proving their merits as an efficient, effective way to let students gain practical experience in a controlled environment. While Ohio University instructors have pioneered the use of HPS in the school’s nursing programs, advancing technology continues to push the functional limits of such systems.

In order to realize the potential of modern delivery of patient care, we first need to realize the potential of modern instructional delivery. The technology is already showing that the real limits of online learning are not practical considerations; they are attitudes and assumptions about what learning ought to look like.

Data breach at White Plains Hospital involving emergency room patients

A security breach has been disclosed at a hospital in Westchester County.

Personal information about hundreds of emergency room patients over a two year period was leaked to someone or some entity that shouldn't have it.

So what if you're one of those patients? And who gave away the information?

White Plains Hospital is the latest target of a data breach.

An employee working for a billing company called Medical Management LLC. allegedly copied personal information including names, dates of birth, and social security numbers then gave it away to a third party.

MML handles the billing and coding for White Plains Hospital's emergency room.

"It should be held securely. Its information you should not give to certain people. I don't like giving my information out at all to anybody," said Jeffry Jones, a former patient.

The employee was fired and other hospitals in the state are affected.

Now patients at White Plains Hospital are waiting to find out if their personal information was compromised.

"We're going to have to catch the company that's doing it. Wipe them out. The hospital is great. They're making them look bad. It's not right for them to mess up our lives," said Diana Bennett, a patient.

The breach was from February 2013 to March 2015.

Now the hospital is offering identity theft protection services for anyone who may have been impacted.

Credit protection expert Adam Levine has this advice for the 1,100 people affected.

"...." Levine said.

Anyone who may have fallen victim will be notified by mail.

Those affected by the breach are also being offered identity theft protection services at no cost.

There was no indication that any medical history or treatment information was disclosed.

Victims are being advised to place a fraud alert or a security freeze on their accounts through a national credit bureau and to review all bills and account statements.

Why Understanding HIPAA Rules Will Help With ONC Certification

Understanding HIPAA rules will have far reaching benefits for covered entities. Not only will they be compliant in terms of keeping patient PHI secure, but it will also ensure that those facilities are able to adhere to other federal certification programs. With the push for nationwide interoperability, it is extremely important that organizations of all sizes understand how they can exchange information in a secure and federally compliant way.

Earlier this year, the Office of the National Coordinator (ONC) released its proposal for the 2015 Health IT Certification Criteria. The ONC said that it will “ensure all health IT presented for certification possess the relevant privacy and security capabilities.” Moreover, certified health IT will be more transparent and reliable through surveillance and disclosure requirements.

ONC Senior Policy Analyst Michael Lipinski spoke with HealthITSecurity.com at HIMSS last week, and broke down why understanding HIPAA rules will help covered entities on their way to compliance and with ONC certification.

The ONC certification program has certain capabilities that it certifies to, Lipinski explained, and the way the ONC set up its approach depends on what a facility is bringing forward to be certified.

“What we’ve always said about our privacy and security criteria is that it helps support compliance, but it doesn’t guarantee compliance with the HIPAA Privacy or Security rules,” Lipinski said. “Or even with meeting your requirements under the EHR incentive program.”

One complaint that the ONC has received in terms of information sharing is that covered entities claim they cannot exchange data because of HIPAA rules. However, that likely stems from a lack of understanding what the HIPAA Privacy and Security Rules actually entail, Lipinski said. If that misunderstanding of what HIPAA compliance actually is exists, it can make it more difficult for healthcare organizations to move forward.

“I think that issue is not so much a certification issue, because it’s about payment, treatment, and operations, and you can exchange for those reasons,” Lipinski said. “I think maybe what they found is that there are those instances where they could do it, and they’re making the misinterpretation that they could have done that for treatment and exchange that information.”

Healthcare facilities are using that as an excuse not to exchange, when under HIPAA they could have done so for payment, treatment or operations options, he added.

“It’s not so much in the wheelhouse of certification, but more like we said in the report that we would work with OCR and make sure there’s appropriate guidance and understanding of the HIPAA Privacy and Security rules so that hopefully that will enable more free flow of the information.”

That sentiment echoes what ONC Chief Privacy Officer Lucia Savage said about interoperability and the future of information sharing for healthcare. In a HIMSS interview Savage explained that HIPAA supports information sharing, but that support depends on the decisions made by healthcare providers.

However, a difficult aspect of creating nationwide interoperability will be in relation to state law and state policies on health IT privacy, Savage said, mainly because states have diverse rules.

“That’s a very long dialogue, and has a very long time frame in where we can accomplish what we want to accomplish,” Savage said. “I think people are concerned about that.”

Doximity launching app for the Apple Watch

Doximity announced today that they are launching an app for the Apple Watch, which hits the shelves later this month.

Many physicians will be familiar with Doximity, now that more than half of us have become registered users. Designed as a social network for physicians, Doximity includes a number of features that physicians will find useful for a lot more than just staying in touch with colleagues. In the recent rush of registrations on Doximity related to their partnership with US News and World Report, we wrote a quick guide to those key features. Included were secure HIPAA-compliant messaging, an e-fax number, and a journal feed.

Doximity’s Apple Watch app will bring some of these key features to your wrist. In particular, you’ll be able to read messages sent to you and dictate messages to others without taking out your phone or pager, jumping on a computer, or spending endless minutes on hold trying to reach a colleague. You can also get notifications when a new fax comes in, and automatically view the fax on your iPhone using the Handoff functionality.

This hits on one of the key functionalities we put on our wish list of apps for the Apple Watch: HIPAA-compliant messaging. There are some limitations worth noting. In particular, Doximity is limited to physicians, so this won’t help with communication among a multi-disciplinary healthcare team, such as in a hospital or clinic. I wouldn’t be able to let a nurse know about a new medication or a social worker about an at-risk patient. Other platforms, like TigerText, will hopefully step in to bring that functionality to wearables like the Apple Watch. That being said, the ability to send messages more easily to colleagues both inside and outside my own institution can be incredibly helpful.

We’re excited to see big players in the digital health space like Doximity embracing the Apple Watch. One natural question that frequently comes up is “what about Android devices?” Well, as Doximity points out, 85% of its mobile traffic comes from iPhones and iPads. It’s well recognized that physicians have largely embraced Apple devices, so medical app developers are going to go there first. So while many solid options have been available for Android, we expect the Apple Watch to be a catalyst in the development of new tools for clinicians.

Doximity’s app is just the start.

Hattiesburg Clinic issues statement regarding HIPAA breach

A viewer reached out to WDAM with concerns of a possible security breach at Hattiesburg Clinic. The clinic responded to WDAM after we inquired about the breach.

The statement is as follows:

"In January 2015, Hattiesburg Clinic became aware of unauthorized access to medical records by an optometry provider who left clinic employment. The investigation revealed that he obtained patient demographic information. It was determined that he used the information to mail letters in order to inform patients of his new employer. All information obtained by the provider has been retrieved and Hattiesburg Clinic has not received any indication that the information accessed was for reasons other than sending the letters. Patients affected by the breach were notified and the matter has been addressed as the law requires. We are not aware of any damages caused.

Hattiesburg Clinic is committed to protecting your personal information and we want to assure you that we have policies in place to protect your privacy."

This incident stems from a letter sent by Scott Paladichuk, OD, to patients. According to the letter, Paladichuk was reaching out to patients to introduce himself as a new doctor in the community.

On March 20, The Hattiesburg Clinic notified its patients that there was unauthorized access to medical records by Paladichuk. 

The Hattiesburg Clinic letter states that it is possible while Paladichuk was copying demographic information for his letter, that he may have also viewed medical information. 

The letter says that the clinic has not received any indication that the information accessed by Paladichuk was used for anything other than sending announcement letters. 

Paladichuk is no longer in possession of any medical information and also no longer works for Hattiesburg Clinic. 

Hattiesburg Clinic issued an apology to patients, and said that all necessary steps were taken to rectify the situation, including formally notifying the U.S. Department of Health and Human Services.

EHR Compliance And HIPAA Compliance: Help Your Healthcare IT Clients Understand The Difference

Your clients likely have concerns around the Health Insurance Portability and Accountability Act (HIPAA) that extend beyond the reach of your influence. Unfortunately, many may be thinking those concerns are being covered by the HIPAA compliant EHR (electronic health records) solutions you offer.

Healthcare IT News explores that topic in an article by SecurityMetrics security analyst Tod Ferran. The piece is written as an advisory to healthcare entities tackling HIPAA compliance and EHR implementations, and is good insight for solutions providers looking to address the deepest needs of their clients.

“Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether they use a vendor to process or store their patient records. If your EHR vendor claims you don’t have to worry about HIPAA compliance, don’t believe them — it’s just not true.”

Advice To Maintain Security

Ferran advises organizations to prioritize security, warning them that the HIPAA Security Rule requires them to implement 75 specific security controls.

He urges them to “assess their security programs as a whole” and make sure that procedures, policies, and security measures are best configured to protect patient information and shield them against potentially costly regulatory penalties. At the same time though, he acknowledges that organizations frequently do not prioritize addressing risks to electronic patient data, and stresses the importance of an approach that goes beyond “simply checking a box.”

Selling The Importance Of Risk Management

Ferran frames approaching risk management in an organization around two timelines, the reality of the present and the optimal future.

“No matter how small or long established, it’s critical for healthcare entities to understand what they are doing to protect patient data, what they are not doing, and what they should be doing in the future.”

He puts the responsibility of understanding the features of their medical devices and IT assets directly on their shoulders — a weight solutions providers could easily help them bear. Some of the areas they will need help with include:

  • intrusion prevention
  • anti-malware
  • identity management
  • integrating data loss prevention tools

Attaining True Compliance

Ferran also includes a basic roadmap for attaining HIPAA compliance, and suggests that organizations implement a regular, weekly routine, starting with as few as 30 minutes each session to meet and discuss priorities. Other specific actions he suggests include:

  • designating a HIPAA compliance officer or team member
  • conducting annual HIPAA security risk analyses
  • checking organizational policies and procedures against HIPAA requirements
  • encrypting patient information using a key accessible only by authorized individuals
  • implementing workstation security

For solutions providers who do communicate regularly with their clients, this would be an article many would likely find useful, and a good way to start a conversation about current and future solutions they’re considering.

Premera data breach affected Oregon's LifeWise members

The cyberattack at Premera Blue Cross in Washington state also affected 60,000 current and former members of LifeWise Health Plan of Oregon.

The two companies are affiliated and share a common IT system for claims, said Eric Earling, vice president of corporate communications at Premera.

The attack began last May and affected data going back to 2002.

"It was a sophisticated cyber attack," Earling said. "They got access, but there's no evidence they removed information from the system."

Altogether, the cyberattack may have exposed medical data and financial information of 11 million customers. It is the largest breach reported to date involving patient medical information, Dave Kennedy, an expert in health care security, told the New York Times.

Medical records can be sold on underground criminal exchanges and can be used to engage in insurance fraud, the Times reported.

It's not the first large breach uncovered this year. On Jan. 29, insurer Anthem disclosed a cyberattack involving records of 79 million customers in Blue Cross Blue Shield plans across the U.S. That attack was unrelated to the one at Premera, Earling said.

He referred Oregon customers to Lifewiseupdate.com for information on the attack and to access two years of free credit monitoring and identity protection services to anyone affected by the incident.

A message on the site reads in part: "Our investigation determined that the attackers may have gained unauthorized access to applicants and members' information, which could include member name, date of birth, address, telephone number, email address, Social Security number, member identification number, bank account information, and claims information, including clinical information.

"Individuals who do business with us and provided us with their email address, personal bank account number or social security number are also affected."

The FBI is investigating the attack.

Make Sure Business Associates Don’t Violate HIPAA

A violation by a practice’s business associate underscores the importance of conducting adequate due diligence, having business associate agreements (BAAs) in place, and verifying that the level of encryption a vendor actually provides is adequate.

The U.S. Federal Trade Commission (FTC) recently announced that a business associate, Henry Schein Practice Solutions, Inc. (“Schein”), a dental practice software company, will pay $250,000 to settle charges that it falsely advertised the level of encryption its products used to protect patient data. While the fine is not large by any means, the implications for medical professionals, business associates, and subcontractors alike are significant.

Under the administrative complaint and the consent agreement, the ramifications for the company are:

• a $250,000 payment;

• a prohibition on “misleading customers about the extent to which its products use industry-standard encryption or how its products are used to ensure regulatory compliance”;

• a prohibition on misrepresenting the extent to which its products protect patient data;

• a requirement that Schein notify all customers who purchased during the period when the material misstatements were made; and

• publication of the consent agreement in the Federal Register.

Of equal or greater significance is the “NOTE” on the FTC’s press release, which states:

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions for twenty years. Each violation of such an order may result in a civil penalty of up to $16,000.

The takeaways for providers and business associates alike are significant. Regulators beyond OCR, the FTC among them, are taking a hard look at material misrepresentations related to HIPAA compliance, and “encryption” that turns out to be something other than an industry-standard algorithm is exactly the kind of claim that draws scrutiny. The potential implications underscore the importance of not cutting corners on risk assessments and compliance, including verifying what a vendor’s encryption claim actually means before relying on it.
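As an added illustration that is not part of the original article and not code from Schein or any other vendor, the following Go program shows what “industry-standard encryption” with a key “accessible only by authorized individuals” (Ferran’s roadmap item above) looks like in practice, and what the Schein case turned on: AES-256-GCM for each patient record, the record identifier bound as associated data, and the key released only through a single authorization check. The key store, the role names, the record format and the sample record are all constructed for the example; a production system would put the key in an HSM or key-management service and log every release.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var errUnauthorized = errors.New("role is not authorized to use the PHI key")

// keyStore is a hypothetical stand-in for an HSM or key-management service:
// it holds one 256-bit data-encryption key for the patient record store and
// releases it only to roles on its authorization list (assumed role names).
type keyStore struct {
	dek        []byte
	authorized map[string]bool
}

func newKeyStore(authorizedRoles ...string) (*keyStore, error) {
	dek := make([]byte, 32) // 32 bytes selects AES-256
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ks := &keyStore{dek: dek, authorized: make(map[string]bool)}
	for _, r := range authorizedRoles {
		ks.authorized[r] = true
	}
	return ks, nil
}

// aeadFor is the single choke point for key release: the access decision
// (and, in a real system, the audit log entry) belongs here, not in callers.
func (ks *keyStore) aeadFor(role string) (cipher.AEAD, error) {
	if !ks.authorized[role] {
		return nil, errUnauthorized
	}
	block, err := aes.NewCipher(ks.dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPHI encrypts one patient record with AES-256-GCM. recordID is bound as
// associated data, so a ciphertext moved onto another patient's row fails
// authentication instead of decrypting silently. Output: nonce || ciphertext || tag.
func sealPHI(ks *keyStore, role, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := ks.aeadFor(role)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openPHI reverses sealPHI; any tampering with the ciphertext, nonce or
// recordID makes gcm.Open return an error rather than garbage plaintext.
func openPHI(ks *keyStore, role, recordID string, sealed []byte) ([]byte, error) {
	gcm, err := ks.aeadFor(role)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	ks, err := newKeyStore("billing-clerk")
	if err != nil {
		panic(err)
	}
	// Constructed sample record; no real patient data.
	record := []byte(`{"name":"Jane Doe","dob":"1961-04-02","ssn":"000-00-0000"}`)
	sealed, err := sealPHI(ks, "billing-clerk", "patient-1001", record)
	if err != nil {
		panic(err)
	}
	if _, err := openPHI(ks, "receptionist", "patient-1001", sealed); err != nil {
		fmt.Println("receptionist denied:", err)
	}
	if _, err := openPHI(ks, "billing-clerk", "patient-2002", sealed); err != nil {
		fmt.Println("ciphertext bound to a different record:", err)
	}
	pt, err := openPHI(ks, "billing-clerk", "patient-1001", sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted by authorized role: %s\n", pt)
}
```

Two failure modes are exercised deliberately: a role outside the authorization list never obtains the key, and a ciphertext copied onto a different record identifier fails authentication instead of decrypting. A product whose “encryption” does not give those properties, or that substitutes a proprietary algorithm for a vetted one, is the kind of claim the FTC order above addresses.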

The Cloud is Good, But Know Where Data Go

A recent settlement announcement from the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) highlights the need to evaluate web-based applications and storage solutions. Web-based or cloud solutions are viable tools for healthcare entities to utilize, but those tools need to be evaluated for compliance with HIPAA security requirements.

Saint Elizabeth’s Medical Center (“SEMC”), located outside Boston, MA, learned this lesson the hard way. On November 16, 2012, certain workforce members at SEMC reported suspected HIPAA non-compliance to OCR. The report focused on the use of an internet-based document sharing and storage application. The specific site is not identified in the OCR Resolution Agreement; a consumer file-sharing account used without a business associate agreement, such as a personal Dropbox account, is an example of storage that does not meet HIPAA security requirements. OCR notified SEMC of the results of its investigation on February 14, 2013. Fast forward a year, and SEMC then reported a breach involving a workforce member’s unsecured laptop and USB storage device. The combination of events led OCR to conclude that SEMC had failed to implement the security measures HIPAA requires and had not timely identified or mitigated the harmful effects of the identified deficiencies.

As a result of the two reported incidents, SEMC is paying $218,400 to OCR in settlement funds. The settlement continues the trend of it being impossible to accurately predict the amount of a fine. As stated in the announcement, OCR “takes into consideration the circumstances of the complaint and breach, the size of the entity, and the type of PHI disclosed.” This gives some insight, and can be read to mean that entities with deeper pockets will be hit with larger fines because they can absorb them.

The other consideration raised by the SEMC settlement is what to do about cloud-based storage and sharing solutions. Should all such tools be blocked from use by healthcare organizations? Not necessarily, because some tools do follow HIPAA security requirements. For example, some cloud storage services were built specifically for healthcare and are accordingly more cognizant of applicable regulatory requirements. More general services, such as Box, have noted HIPAA requirements and claim to meet the required standards. The practical test is whether the vendor will sign a business associate agreement and whether the organization has actually evaluated the service’s controls; under those conditions it is possible for organizations to utilize cloud-based options.

However, it is not necessarily the choices of the organization as a whole that are troublesome. In SEMC’s case, it is not clear whether the workforce members acted under SEMC’s direction or used the cloud sites without SEMC’s direct knowledge. The unsupervised actions of workforce members are what can cause an organization a lot of concern. Organizations need to train and educate workforce members, but cannot always control their actions. Despite the inability to constantly track what a workforce member is doing, certain steps can be taken to reduce the risk. One measure is to block access to websites that could lead to a potential breach or other non-compliance, for instance by denying unsanctioned file-sharing domains at the web proxy or DNS layer, and to alert on upload traffic toward them. Such a measure may not make all workforce members happy, but an organization should assess its risks and take appropriate measures. Additionally, an organization can point workforce members to sanctioned, compliant services so that the blocked path has an approved alternative.
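To make the blocking-and-alerting measure concrete, here is an added Go example, not code from the original post or from any service named in it, that scans a forward-proxy log for uploads to file-sharing services the organization has not sanctioned. The log format, the user names, the sanctioned-services list (Box, assumed here to be covered by a BAA) and the consumer-storage domain list are all assumptions constructed for the example; a real deployment would pull both lists from the organization’s vendor inventory and feed the findings into its SIEM.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed forward-proxy log, one request per line (hypothetical format):
// timestamp user method host path bytes-sent-by-client
const sampleProxyLog = `2015-07-10T09:12:03Z jsmith GET www.dropbox.com /home 512
2015-07-10T09:12:40Z jsmith POST content.dropboxapi.com /2/files/upload 5242880
2015-07-10T09:15:01Z mlee PUT upload.box.com /api/2.0/files/content 3145728
2015-07-10T09:20:17Z jsmith POST mail.example-hospital.org /owa/ 2048
2015-07-10T09:21:00Z bwong PUT drive.google.com /upload/drive/v3/files 1048576`

// Services the organization has vetted and holds a BAA for (assumed list).
var sanctioned = []string{"box.com"}

// Consumer file-sharing services reachable by default (assumed list).
var cloudStorage = []string{"dropbox.com", "dropboxapi.com", "drive.google.com", "onedrive.live.com"}

type finding struct {
	User, Host, Method string
	BytesOut           int
}

// hostIn reports whether host equals, or is a subdomain of, any listed domain.
// Suffix matching on "."+domain stops "box.com.evil.example" from matching box.com.
func hostIn(host string, domains []string) bool {
	host = strings.ToLower(host)
	for _, d := range domains {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// unsanctionedUploads returns requests that push at least minBytes to a
// cloud-storage service with no BAA. Browsing (GET) is left alone; the
// concern is ePHI leaving the network, which means request bodies.
func unsanctionedUploads(proxyLog string, minBytes int) []finding {
	var out []finding
	for _, line := range strings.Split(proxyLog, "\n") {
		f := strings.Fields(line)
		if len(f) != 6 {
			continue // malformed line: skip rather than crash the scan
		}
		user, method, host := f[1], f[2], f[3]
		bytesOut, err := strconv.Atoi(f[5])
		if err != nil {
			continue
		}
		if method != "POST" && method != "PUT" {
			continue
		}
		if hostIn(host, sanctioned) || !hostIn(host, cloudStorage) {
			continue
		}
		if bytesOut >= minBytes {
			out = append(out, finding{User: user, Host: host, Method: method, BytesOut: bytesOut})
		}
	}
	return out
}

func main() {
	// 1 MiB threshold: large enough to ignore form posts, small enough to catch a record export.
	for _, f := range unsanctionedUploads(sampleProxyLog, 1<<20) {
		fmt.Printf("ALERT user=%s %s %s (%d bytes): upload to unsanctioned cloud storage\n",
			f.User, f.Method, f.Host, f.BytesOut)
	}
}
```

Only POST and PUT requests at or above the byte threshold are reported, so ordinary browsing does not generate noise; the same domain match that drives the alert is what a proxy deny rule would use for the block side of the measure.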

Regardless of the approach taken, organizations need to be cognizant of the risks posed by cloud based storage, especially on the individual level. OCR’s settlement with SEMC is only the most recent action to highlight the concern. As has been stated before, once OCR releases a settlement addressing an issue, subsequent organizations with the same issue can expect greater focus on the identified issue and less leniency when it comes to a violation.

Florida Hospital faces two data breach lawsuits


Florida Hospital is facing two possible class action lawsuits regarding two separate data breaches of patient information over the past four years.

The hospital is battling both suits, and has recently submitted motions to toss them both out.

The first data breach, revealed in August 2011, involved Florida Hospital employees Dale Munroe and Katrina Munroe combing through thousands of patient records and selling data to lawyers and chiropractors. Both employees were fired and charged criminally.

The second breach, discovered in May 2014, involved two employees printing portions of medical records for at least 9,000 patients for over two years. Those employees were also fired but not named in the lawsuits. That breach was allegedly discovered by state investigators of a criminal case.

The first lawsuit is handled by Chicago-based law firm Edelson and local attorney Edmund Normand. The named plaintiffs in that case are Richard Faircloth, who was a patient at Florida Hospital's Apopka campus, and Consuelo Armesto, a former patient at Florida Hospital's Altamonte campus. A new hearing is coming up soon regarding Florida Hospital’s motion to dismiss the Faircloth case.

Attorney John Yanchunis of Orlando law firm Morgan & Morgan is handling a case tied to the May 2014 breach. The named plaintiffs in that case are Heather and Sebastian Peralta of Altamonte, and their daughter Janson Peralta.

The Peralta case, filed more recently, cites the previous case as evidence that the hospital has known about data breaches for a while now.

“Hospitals are good about delivering medical services. Other kinds of things, like this, they are not so good at, because it’s not their business,” Yanchunis said. “But that must change now, and there’s a movement now to install systems to better detect access to information.”

Florida Hospital and its attorneys did not immediately respond to phone calls and emails about the lawsuits, which are both pending in Orange County Circuit Court.

But the hospital has argued that the lawsuits are missing an important fact: the plaintiffs haven’t suffered any identity theft, at least not yet.

Both lawsuits rely on allegations that the patients involved had “expected and paid for" data security at the hospital.

But Florida Hospital’s attorneys argue that no Florida court has recognized a fiduciary duty between a hospital and a patient. The hospital also argues that the plaintiffs can’t enforce federal HIPAA law through a private civil action, and that they can’t sue based on an “increased risk of identity theft.”

The hospital also argues that their employees were willfully violating the policies regarding HIPAA compliance and patient data security.

Data stolen from medical records is a common method used by identity thieves, especially for filing fake tax returns seeking bogus tax refunds.

There’s an additional wrinkle in the Peralta case. Yanchunis noted that the Peraltas’ daughter isn’t even eligible for credit protection services yet, but that her data could be used in an identity theft years from now.

According to the court record, the Munroes were paid $10,000 by local chiropractor Sergei Kusyakov to pull out information on victims of motor vehicle accidents – some of whom then received calls from Kusyakov’s office with offers of chiropractic care. The Munroes and Kusyakov all pleaded guilty to the crimes.


Website Error Leads to Data Breach


An error in a coding upgrade for a Blue Shield of California website resulted in a breach affecting 843 individuals. The incident is a reminder to all organizations about the importance of sound systems development life cycle practices.

In a notification letter being mailed by Blue Shield of California to affected members, the insurer says the breach involved a secure website that group health benefit plan administrators and brokers use to manage information about their own plans' members. "As the unintended result of a computer code update Blue Shield made to the website on May 9," the letter states, three users who logged into their own website accounts simultaneously were able to view member information associated with the other users' accounts. The problem was reported to Blue Shield's privacy office on May 18.

Blue Shield of California tells Information Security Media Group that the site affected was the company's Blue Shield Employer Portal. "This issue did not impact Blue Shield's public/member website," the company says. When the issue was discovered, the website was promptly taken offline to identify and fix the problem, according to the insurer.

"The website was returned to service on May 19, 2015," according to the notification letter. The insurer is offering all impacted individuals free credit monitoring and identity theft resolution services for one year.

Exposed information included names, Social Security numbers, Blue Shield identification numbers, dates of birth and home addresses. "None of your financial information was made available as a result of this incident," the notification letter says. "The users who had unauthorized access to PHI as a result of this incident have confirmed that they did not retain copies, they did not use or further disclose your PHI, and that they have deleted, returned to Blue Shield, and/or securely destroyed all records of the PHI they accessed without authorization."

The Blue Shield of California notification letter also notes that the company's investigation revealed that the breach "was the result of human error on the part of Blue Shield staff members, and the matter was not reported to law enforcement authorities for further investigation."

Similar Incidents

The coding error at Blue Shield of California that led to the users being able to view other individuals' information isn't a first in terms of programming mistakes on a healthcare-sector website leading to privacy concerns.

For example, in the early weeks of the launch of HealthCare.gov in the fall of 2013, a software glitch allowed a North Carolina consumer to access personal information of a South Carolina man. The Department of Health and Human Services' Centers for Medicare and Medicaid Services said at the time that the mistake was "immediately" fixed once the problem was reported. Still, the incident raised more concerns about the overall security of the Affordable Care Act health information exchange site.

Software design and coding mistakes that leave PHI viewable on websites led to at least one healthcare entity paying a financial penalty to HHS' Office for Civil Rights.

An OCR investigation of Phoenix Cardiac Surgery P.C., with offices in Phoenix and Prescott, began in February 2009, following a report that the practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.

The investigation determined the practice had implemented few policies and procedures to comply with the HIPAA privacy and security rules and had limited safeguards in place to protect patients' information, according to an HHS statement. The investigation led to the healthcare practice signing an OCR resolution agreement, which included a corrective action plan and a $100,000 financial penalty.

The corrective action plan required the physician practice, among other measures, to conduct a risk assessment and implement appropriate policies and procedures.

Measures to Take

Security and privacy expert Andrew Hicks, director and healthcare practice lead at the risk management consulting firm Coalfire, says that to avoid website-related mistakes that can lead to privacy breaches, it's important that entities implement appropriate controls as well as follow the right systems development steps.

"Organizations should have a sound systems development life cycle - SDLC - in place to assess all systems in a production environment, especially those that are externally facing," he says. "Components of a mature SDLC would include code reviews, user acceptance testing, change management, systems analysis, penetration testing, and application validation testing."

Healthcare entities and business associates need to strive for more than just HIPAA compliance to avoid similar mishaps, he notes.

"Organizations that are solely seeking HIPAA compliance - rather than a comprehensive information security program - will never have the assurance that website vulnerabilities have been mitigated through the implementation of appropriate controls," he says. "In other words, HIPAA does not explicitly require penetration testing, secure code reviews, change management, and patch management, to name a few. These concepts are fundamental to IT security, but absent from any OCR regulation, including HIPAA."
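The Blue Shield incident above (three simultaneously logged-in users shown each other's member data after a code update) and Hicks' point about code reviews and acceptance testing both come down to the same bug class: a web application that keeps the "current user" in state shared by every request instead of resolving it from each request's own session. The following is an added example, not code from Blue Shield or from the article; the portal classes, field names and member records are constructed. It replays a fixed interleaving of three logins so the cross-account leak is reproducible, and wraps the check in a function that a regression test in the release pipeline could call.

```python
"""Added example: cross-user data exposure from request-global state, next to
the per-session fix. Everything here (portal names, users, member records) is
constructed for illustration; it is not Blue Shield's code."""
import secrets
from typing import Dict, List, Optional

# Constructed sample data: each portal user (a plan administrator) may see only
# the members enrolled in their own plan.
MEMBERS_BY_PLAN: Dict[str, List[str]] = {
    "acme-admin": ["Member A1", "Member A2"],
    "globex-admin": ["Member G1"],
    "initech-admin": ["Member I1", "Member I2", "Member I3"],
}


class VulnerablePortal:
    """Stores the logged-in user in one attribute shared by every request.

    When several users log in at about the same time, the last login overwrites
    the attribute before the earlier users' data requests run, so those users
    are served another plan's members.
    """

    def __init__(self) -> None:
        self.current_user: Optional[str] = None  # shared by all requests: the defect

    def login(self, user: str) -> str:
        self.current_user = user
        return "ok"  # no per-user session token is issued

    def view_members(self, _token: str) -> List[str]:
        # Whoever logged in most recently wins, regardless of who is asking.
        assert self.current_user is not None
        return MEMBERS_BY_PLAN[self.current_user]


class FixedPortal:
    """Issues an unguessable session token at login and resolves the user from
    that token on every request, so interleaved requests cannot cross over."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}  # token -> user

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def view_members(self, token: str) -> List[str]:
        user = self.sessions.get(token)
        if user is None:
            raise PermissionError("no valid session")
        return MEMBERS_BY_PLAN[user]


def run_interleaved(portal) -> Dict[str, List[str]]:
    """Replay one fixed interleaving: all three administrators log in, then each
    asks for their members. This stands in for the timing-dependent overlap that
    is hard to reproduce by hand, which is how such bugs slip past manual testing."""
    tokens = {user: portal.login(user) for user in MEMBERS_BY_PLAN}
    return {user: portal.view_members(tokens[user]) for user in MEMBERS_BY_PLAN}


def cross_account_leaks(seen: Dict[str, List[str]]) -> List[str]:
    """Users who were shown a plan other than their own. A regression test in the
    release pipeline would fail whenever this list is non-empty."""
    return [user for user, rows in seen.items() if rows != MEMBERS_BY_PLAN[user]]


if __name__ == "__main__":
    print("vulnerable:", cross_account_leaks(run_interleaved(VulnerablePortal())))
    print("fixed:     ", cross_account_leaks(run_interleaved(FixedPortal())))
```

The deterministic replay is the point: a race that only shows up when logins overlap will rarely fail in single-user acceptance testing, so the check has to encode the overlap explicitly and assert that every user sees exactly their own plan.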

Earlier Blue Shield Breach

About a year ago, Blue Shield of California reported a data breach involving several spreadsheet reports that inadvertently contained the Social Security numbers of 18,000 physicians and other healthcare providers.

The spreadsheets submitted by the plan were released 10 times by the state's Department of Managed Health Care. In California, health plans electronically submit monthly to the state agency a roster of all physicians and other medical providers who have contracts with the insurers. Those rosters are supposed to contain the healthcare providers' names, business addresses, business phones, medical groups and practice areas - but not Social Security numbers. DMHC makes those rosters available to the public, upon request.


Even the Federal Government Can’t Hide: How a High-End Cyberattack Breached One of the Most “Protected” Systems


With data breaches being the quickly trending “flavor of the month” criminal activity, it’s no shock that on June 4, 2015 yet another system was hit. This time though, it may be one of the largest cyberattacks in U.S. history—compromising as many as 4 million current and former federal employees’ information. The U.S. Office of Personnel Management (OPM) handles security clearances and background checks and although many would assume that its security is top-notch, the facts on the ground reveal that every place taking in sensitive information—including the government—must update its privacy infrastructure.

In his press statement on Thursday, Rep. Adam Schiff, the ranking member of the House Permanent Select Committee on Intelligence, echoed that sentiment and stated that “Americans may expect that federal computer networks are maintained with state of the art defenses [but] it’s clear a substantial improvement in our cyber-databases defenses is perilously overdue.” This does not only apply to systems of this magnitude.

Any business that maintains databases with private information must invest in the proper privacy infrastructure necessary to protect that information. Cyberattacks do not discriminate. From major retailers to well-respected state universities, data breaches run the gamut and, from the looks of Thursday’s attack, they are getting more sophisticated. OPM is now working closely with the FBI and the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team to attempt to identify the extent of the harm to federal personnel. But not everyone has the luxury of the entire U.S. government as a “crisis manager,” so preventive measures for businesses will make a difference.

At this time, one of the most troubling facts of cyberattacks is that the source is difficult to locate. Sen. Susan Collins, a member of the Senate Intelligence Committee, said the hack was “extremely sophisticated,” and “that points to a nation state” as the responsible party, likely China. No conclusive source has been discovered yet but the lesson here is clear—with private information being involved in almost every aspect of business, measures must be taken to protect it.


China suspected in huge data breach : News


China responded Friday to allegations it was involved in a hacking attack on U.S. government computers by saying such claims are unproven and irresponsible, and that it wishes the United States would trust it more.

The administration of President Barack Obama has increasingly pressed China on the issue of cyberhacking, and on Thursday U.S. officials said China-based hackers are suspected of breaking into the computer networks of the U.S. government personnel office and stealing identifying information of at least 4 million federal workers. U.S. Sen. Susan Collins said the attack amounted to a foreign power seeking information on U.S. employees who have security clearances for access to sensitive information.

Beijing generally does not explicitly deny specific hacking accusations, but seeks to dismiss them as unproven and irresponsible, while invariably noting that China is itself the target of hacking attacks and calling for greater international cooperation in combating hacking.

Chinese Foreign Ministry spokesman Hong Lei said at a regular news briefing Friday that Beijing hopes the U.S. would be "less suspicious and stop making any unverified allegations, but show more trust and participate more in cooperation."

"We know that hacker attacks are conducted anonymously, across nations, and that it is hard to track the source," Hong said. "It's irresponsible and unscientific to make conjectural, trumped-up allegations without deep investigation."

Cybersecurity analysts who study hacking attacks believed to originate in China have cited evidence suggesting they are state-sponsored rather than independent actions, including that they seem to be highly organized teams that focus on the same kinds of targets, sometimes for years, and tend to work regular hours excluding weekends.

The Virginia-based cybersecurity organization Mandiant concluded in a report in early 2013 that a massive hacking campaign on U.S. business could be traced to an office building in Shanghai run by the Chinese military.

China's military is believed to have made cyber warfare capabilities a priority more than a decade ago. One of the few public announcements of the capabilities came in a May 25, 2011, news conference by Defense Ministry spokesman Geng Yansheng, in which he spoke of developing China's "online" army.


Coast Guard called to task for insufficient health data privacy


The U.S. Coast Guard has made progress in developing a culture of privacy, but still faces challenges because it lacks a strong organizational approach to resolving health privacy issues, according to a report from the Department of Homeland Security's Office of Inspector General (OIG).

The report is based on an audit to determine whether the Coast Guard complies with privacy regulations, including the Health Insurance Portability and Accountability Act.

The report cites five areas of concern:

  1. Coast Guard privacy and HIPAA officials do not formally communicate to improve privacy oversight and incident reporting, which limits USCG's ability to assess and mitigate the risks of future privacy or HIPAA breaches. The OIG urges a formal mechanism be set up to ensure that communication takes place.
  2. USCG does not have consistent instructions for managing and securing health records. The report calls for consistent instructions for managing health record retention and disposal.
  3. The Coast Guard's clinics have not completed contingency planning to safeguard privacy data from loss in case of disaster. The report shows photos of rooms full of paper records in tubs and others of water damage to a ceiling. OIG says the Coast Guard should make a plan of action and milestones to ensure it is safeguarding privacy data in the event of emergency or disaster.
  4. Clinics lack processes to periodically review physical security, placing privacy data at unnecessary risk. The OIG calls for an action plan and periodic review of physical safeguards to mitigate risks to protected health information at clinics.
  5. USCG has not assessed the merchant mariner credentialing program and processes to identify and reduce risk to merchant mariners' privacy data managed throughout its geographically dispersed program operations. The report says there needs to be a plan to improve controls to better protect this data.

The Coast Guard agreed with all recommendations made by the OIG. It is the only branch of the Department of Homeland Security that has an EHR system for its work force, FierceEMR previously reported. It adopted an Epic system in 2012. 

DHS has a system for immigrant detainees, but not its own employees. The system fully implemented earlier this year at U.S. Immigration and Customs Enforcement is considered one of the largest and "most robust" EHR systems in the federal government, according to an ICE announcement. It's sure to be eclipsed in size, though, by the $11 billion contract to be let later this year to modernize the Department of Defense system.


Illinois joins other states that are not waiting for federal data breach legislation


Illinois is joining several other states in passing legislation that would dramatically increase the potential liability for marketers in the event of a data breach. The Illinois Senate voted 35-13 to approve a bill (SB1833) drafted by the Illinois Attorney General that would add "consumer marketing information" to the definition of personal information under the state's data breach law. It would require notification if there is a breach of "information related to a consumer's online browsing history, online search history, or purchasing history." Illinois Bill SB1833 now moves to the Illinois House of Representatives, where it will likely have substantial support.

At first blush this certainly sounds appealing considering all the data breaches that have occurred in recent times; however, for those that market products on the internet, the inconsistent laws across the country are truly a field of potential liability landmines.

Several industry groups, including the ANA (Association of National Advertisers), are working together to lobby for federal data breach legislation that would pre-empt the patchwork of 47 inconsistent state data breach laws that currently exist. Only Alabama, New Mexico, and South Dakota currently do not have security breach laws on the books. The ANA calls the Illinois bill the "poster child" example of why federal legislation is necessary, as state legislatures rush to curb media-infused consumer fears over data breaches, which the ANA argues results in unreasonable laws with the potential for significant liability to companies.

Everyone certainly agrees that consumers should be notified if there is a breach of personal information that creates a risk of identity theft or some other financial harm to consumers. However, the state laws typically contain no clear specific trigger for breach notification. The vast preponderance of consumer marketing information does not present a risk of identity theft or financial harm to consumers.

This unprecedented expansion of the scope of the current data breach law could cost Illinois companies millions of dollars each year to protect non-sensitive information that poses no material risk of identity theft or financial harm to residents. In addition, consumers could eventually succumb to "notice fatigue" if they receive notices about breaches that involve no serious risk of harm to them.


Why We Should Kill the Social Security Number


While tax season is still producing eye twitches around the nation, it’s time to face the music about tax-related identity theft. Experts project the 2014 tax year will be a bad one. The Anthem breach alone exposed 80 million Social Security numbers, and then was quickly followed by the Premera breach that exposed yet another 11 million Americans’ SSNs. The question now: Why are we still using Social Security numbers to identify taxpayers?

From April 2011 through the fourth quarter of 2014, the IRS stopped 19 million suspicious tax returns and protected more than $63 billion in fraudulent refunds. Still, $5.8 billion in tax refunds were paid out to fraudsters. That is the equivalent of Chad’s national GDP, and it’s expected to get worse. How much worse? In 2012, the Treasury Inspector General for Tax Administration projected that fraudsters would net $26 billion into 2017.

While e-filing and a lackluster IRS fraud screening process are the openings that thieves exploited, and continue to exploit, the IRS has improved its thief-nabbing game. It now catches a lot more fraud before the fact. This is so much the case that many fraudsters migrated to state taxes this most recent filing season because they stood a better chance of slipping fraudulent returns through undetected. Intuit even had to temporarily shut down e-filing in several states earlier this year for this reason. While the above issues are both real and really difficult to solve, the IRS would have fewer tax fraud problems if it kicked its addiction to Social Security numbers and found a new way for taxpayers to identify themselves.

Naysayers will point to the need for better data practices. Tax-related fraud wouldn’t be a problem either if our data were more secure. Certainly this is true. But given the non-stop parade of mega-breaches, it also seems reasonable to say that ship has sailed. No one’s data is safe.

Identity thieves are so successful when it comes to stealing tax refunds (and all stripes of unclaimed cash and credit) because stolen Social Security numbers are so plentiful. Whether they are purchased on the dark web, where the quarry of many a data breach is sold to all comers, or they are phished by clever email scams doesn’t really matter.

In a widely publicized 2009 study, researchers from Carnegie Mellon had an astonishingly high success rate in figuring out the first five digits for Social Security numbers, especially ones assigned after 1988, when they applied an algorithm to names from the Death Master File. (The Social Security Administration changed the way they assigned SSNs in 2011.) In smaller states where patterns were easier to discern the success rate was astonishing -- 90 percent in Vermont. Why? Because SSNs were not designed to be secure identifiers.


Data Breaches Are Serious Exposures for Fitness Businesses


Technology is a huge advantage for the fitness industry today, but it has also brought serious exposures with it. A data breach can destroy a fitness business by damaging its reputation and its relationship with its members, clients and employees. Small and mid-sized business owners need to be aware that they are just as vulnerable to data breaches and hacking as large businesses. The personal information of members, clients and employees can be lost, stolen or destroyed by computer hackers, thieves and even dishonest employees. Sensitive data can also be improperly exposed through accidental or inadvertent release.

With recent publicity about large data breaches at prominent organizations, concerns about cyber liability have grown to the point where most state legislatures have passed laws requiring business owners to notify affected persons. In most states, a business must be able to notify all parties whose personal information may have been released or exposed, communicate the scope of the potential data breach to them, and provide them access to credit monitoring assistance and identity restoration. In addition, business owners may face legal defense and settlement costs if claims are brought against them because of the breach.

The first step to addressing the exposure is to understand what a data breach is. To do so, it is necessary to define the "personal information" whose exposure would constitute a data breach. Personal information that can uniquely identify an individual is called Personal Identifying Information (PII) and includes an individual's first name or first initial and last name, in combination with any one of the following data elements:

  • Social Security number;
  • driver's license number;
  • bank account number;
  • credit or debit card number with personal identification number such as an access code, security codes or password that would permit access to an individual's account;
  • home address or email address; and
  • medical or health information.

A data breach makes PII available to unauthorized individuals inside or outside of the organization.
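The definition above is precise enough to encode, and doing so is useful when scoping a breach: given the records on a lost laptop or in a mishandled file, which ones actually meet the name-plus-element test, and which elements were exposed? The following is an added example, not code from the article; the field names and sample records are constructed. It applies the rule as stated, including the two details that are easy to get wrong: a bare first initial counts as a name, and a card number only counts when it is accompanied by a PIN, security code or password.

```python
"""Added example: classify records against the PII definition given above
(first name or first initial plus last name, combined with at least one listed
data element). Field names and sample records are constructed assumptions."""
from typing import Dict, List

# The listed data elements, keyed by the (assumed) field name that holds them.
PII_ELEMENT_FIELDS: Dict[str, str] = {
    "ssn": "Social Security number",
    "drivers_license": "driver's license number",
    "bank_account": "bank account number",
    "card_number": "credit or debit card number",  # only with a PIN/code/password
    "home_address": "home address",
    "email": "email address",
    "medical_info": "medical or health information",
}

# Any of these alongside a card number makes the card number a listed element.
CARD_ACCESS_FIELDS = ("card_pin", "card_security_code", "card_password")


def has_identifying_name(record: Dict[str, str]) -> bool:
    """Last name plus a first name or first initial; a lone initial qualifies."""
    first = (record.get("first_name") or "").strip()
    last = (record.get("last_name") or "").strip()
    return bool(first) and bool(last)


def pii_elements(record: Dict[str, str]) -> List[str]:
    """The listed data elements present in the record, by label."""
    found: List[str] = []
    for field, label in PII_ELEMENT_FIELDS.items():
        if not record.get(field):
            continue
        if field == "card_number" and not any(record.get(f) for f in CARD_ACCESS_FIELDS):
            continue  # card number without an access code is not a listed element
        found.append(label)
    return found


def is_pii(record: Dict[str, str]) -> bool:
    """True when the record meets the name-plus-element definition."""
    return has_identifying_name(record) and bool(pii_elements(record))


def breach_scope(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Count affected individuals and list which element types were exposed,
    which is what a notification letter has to state."""
    affected = [r for r in records if is_pii(r)]
    exposed = sorted({label for r in affected for label in pii_elements(r)})
    return {"affected_count": len(affected), "exposed_elements": exposed}


# Constructed sample records from a hypothetical membership export.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"first_name": "Jane", "last_name": "Doe", "ssn": "000-00-0000"},          # PII
    {"first_name": "J.", "last_name": "Roe", "email": "j.roe@example.com"},    # PII (initial)
    {"first_name": "Sam", "last_name": "Poe", "card_number": "4111111111111111"},  # no PIN: not PII
    {"first_name": "", "last_name": "Smith", "ssn": "000-00-0001"},            # no first name: not PII
    {"first_name": "Pat", "last_name": "Lee", "card_number": "4111111111111112",
     "card_security_code": "123"},                                             # PII
]

if __name__ == "__main__":
    print(breach_scope(SAMPLE_RECORDS))
```

Note that the check is only as good as the field mapping: free-text fields such as notes or scanned documents can carry medical information or addresses that a column-based rule like this will not see, so it complements, rather than replaces, a manual review of the exposed data.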

All fitness businesses collect PII on members and employees, as well as on many prospects and guests. Please note that Health Insurance Portability and Accountability Act (HIPAA) compliance relates to an organization's need to comply with the privacy rules set out by that act. This is not usually triggered unless a business receives direct insurance reimbursement for services. All fitness facilities have liability for a data breach, but only those receiving insurance reimbursement will also have the requirement to meet HIPAA guidelines for privacy.

The data breaches making media headlines right now are systems-related and have to do with computer hackers gaining unauthorized access to PII data electronically. It is important to remember that physical data breaches still occur as well and include misplaced backup files, paper files being lost or misplaced or a stolen laptop. Both types of data breach can result in an expensive variety of damages for a fitness business including:

  • interruption of ongoing operations;
  • destruction of hardware and software;
  • release of sensitive business information; or 
  • the exposure of the PII of members, clients, employees, vendors or partners.

Beyond the legal requirements imposed by state laws and the costs associated with meeting them, how a business owner responds to a data breach can mean the difference between preserving members versus losing them. When confronted with a data breach, many business owners make short-sighted or panicked mistakes that can significantly increase their cost of responding and put their reputation at risk as well. It is imperative to develop a data breach action plan before an incident occurs, so that it can guide the business through the situation one step at a time if a breach does occur. Unfortunately, in our present technology-driven environment, it is not a matter of "if" a data breach will occur but "when" for many fitness businesses.

A thorough data breach action plan should start with preventive measures including training staff to properly handle PII data and maintaining appropriate protection software on all systems that store the data. Methods of containment to limit the scope of the data breach should be outlined in the data breach action plan. It will then address effective means of response, including immediate communication to those individuals affected and provide appropriate solutions for them, as well as restoring the safety of the systems going forward. The goal of the plan is to not only restore the systems so that data is once again safe, but to restore the reputation of the business by effectively addressing the well-being of the individuals affected. A well-communicated, timely and compassionate response will go a long way toward retaining the membership's confidence.

11 Paths's curator insight, April 8, 2015 4:31 AM

another great story


We Still Have No Idea How to Make Companies Take Data Breaches Seriously


If we can learn anything from the $10 million settlement Target reached last month to resolve the class-action suit brought against it by customers who were victims of the retailer’s 2013 data breach, it’s that we still haven’t learned anything about how to improve security from breach after breach after breach. Even worse, we’re not really trying—we’re too busy attempting to calculate and shift around the costs and arguing about whether they’re too low.

Those costs matter, but the numbers in the settlement are pretty meaningless when it comes to understanding the losses incurred by the Target breach. Given the scale of the attack—roughly 40 million payment card numbers were stolen—and the media attention it received, it’s not hard to understand why some reacted to the settlement sum as a “shockingly” small amount. But Target incurred a total of $252 million in expenses related to the breach, according to its latest SEC filing. The bulk of losses associated with payment card breaches are not necessarily borne by the people whose credit cards are compromised—the ones who stand to benefit from this settlement. Often those costs land on the banks and credit card companies that have to cover the losses and replace the stolen cards. Those parties are not included in last month’s settlement, but a group of them was permitted to move forward with a suit against Target late last year.

Even the SEC filings offer an incomplete picture of the costs of data breaches. In an analysis of the Target, Sony, and Home Depot breaches published in March, Benjamin Dean at the Columbia School of International and Public Affairs found that after tax deductions and insurance reimbursement, the cost of the breach was $105 million, equivalent to roughly 0.1 percent of Target’s 2014 sales. The costs were even lower for Home Depot ($28 million, or 0.01 percent of 2014 sales) and Sony (between $15 million and $35 million, or 0.9 to 2 percent of Sony’s projected 2014 sales and revenue), according to Dean’s calculations.

“This indicates that the financial incentives for companies to invest in greater information security are low and suggests that government intervention might be needed,” Dean writes. Of course, it’s also possible to interpret these numbers (if you choose to take them at face value) as telling a more cheerful story, in which large-scale data breaches are not actually catastrophic, and the theft of 40 million credit card numbers does not automatically translate into mountains of costly fraudulent activity. (After all, the theft of credit card numbers by itself is not harmful unless they can be used to steal money, and Target says the breach has been linked to “low levels of fraud.”)

But arguments about whether we overreact or underreact to data breaches and overspend or underspend on information security miss the larger point: that we still don’t know how to defend against these incidents. We’re so busy worrying over who pays how much to whom for these breaches that we fail to actually dig into why the breaches happen and what measures might have prevented them.

Instead we fixate on these very malleable cost numbers because we worry that they’re indicative of how little we—and in turn the companies that store our data—care about computer security. But improving data security isn’t just a matter of caring (or spending) more. We also need to know what defenses work. Sure, it would be great to see companies investing more in security—but only if the things they invest in actually work. Spending more money does not automatically equate to stronger security. So for all the attention it’s garnered, the $10 million figure is far less interesting and important than the section of the Target settlement that deals with specific new lines of defense for the retailer.

Under the “non-monetary relief” section of the settlement, Target agrees to implement four new security measures and maintain them for at least five years. These include appointing a chief information security officer, maintaining a written information security program, maintaining a process to monitor for information security events and to respond to such events determined to present a threat, and providing security training to Target employees.

The individual items on the list are hardly groundbreaking—and of course, activities like hiring a CISO or writing a security program or instituting a training curriculum can fall anywhere on the spectrum from hugely effective to utterly worthless, depending on implementation. But the articulation of such a list in a data breach settlement is notable all the same. It’s a step, albeit a small one, toward trying to make some concrete judgments about what constitutes due diligence when it comes to information security. We need to be able to distinguish between the negligent, who never bothered to secure their data, and the unlucky, who took security seriously but were targeted by talented and dedicated adversaries.

The risk with any such list is that other companies will take it as license to implement those measures and nothing more. For the most part, though, the security practices Target has agreed to are sufficiently open-ended to allow for considerable ambiguity around what it would mean to do the bare minimum and still meet them. That ambiguity may make it harder for companies to hide behind that list should they do a lousy job implementing the practices. But it will also make it harder for the companies to figure out how to implement them well. It’s also unclear where this list comes from or whether it’s supported by any evidence. Do companies with CISOs and written plans have better security? Does employee training have any impact?

Dean suggests that governments intervene to change the incentives companies face, but first they might want to help answer those and other questions about the effectiveness of different security controls, using both their own internal records of security incidents and their ability to encourage (or compel) data sharing from private entities. Helping defenders figure out what to spend their money on is just as important as encouraging them to spend more money. But this means changing the way we think about fixing data breaches, and not relying on court cases and settlement fees to straighten them out. We’re so focused on data-breach economics and cost calculations that we hardly think about the deeper security issues underlying the design and impact of defensive technologies. After all, it’s difficult to incentivize good security when we don’t even know what that looks like.


Security Audit of Premera Found Issues


About a month before hackers apparently launched a cyber-attack on Premera Blue Cross, a federal watchdog agency gave the health insurer 10 recommendations for how it should address various security weaknesses discovered during a systems audit.

Among the weaknesses found by the Office of Personnel Management's Office of Inspector General's audit were issues related to patch management, insecure server configurations and weaknesses related to password history configuration settings.

An OPM OIG spokeswoman tells Information Security Media Group: "We do not know how the [Premera] breach occurred, so we cannot comment on whether the weaknesses we found in our audit contributed."

The onsite portion of the audit was conducted during January and February of 2014, with additional offsite audit work performed by OIG before and after the on-site visit. The draft report that OIG issued to Premera on April 18, 2014, was based on Premera's security controls as of March 2014, according to a final version of the report that OIG issued publicly in November 2014.

In a statement earlier this week, Premera, based in Mountlake Terrace, Wash., said that on Jan. 29, it discovered that cyber-attackers had gained unauthorized access to its systems, exposing information on 11 million individuals. An investigation by forensic experts hired by Premera shows that the initial attack occurred on May 5, 2014, the insurer says. That's less than a month after OIG issued its draft audit report.

OIG Findings

Among OIG's recommendations in its draft audit report was that "Premera implement procedures and controls to ensure that production servers are updated with appropriate patches, service packs, and hotfixes on a timely basis."

The health plan responded June 30, 2014: "Premera agrees to implement procedures and controls for appropriate deployment of service packs and hotfixes by Dec. 31, 2014. However, Premera respectfully disagrees with the section of the recommendation related to patches as it believes deployment of critical security patches is in compliance with the documented patch management policy provided to the OPM audit staff."

In its reply to Premera's comments, OIG wrote, "The results of the vulnerability scans performed during the fieldwork phase of this audit indicated that Premera was not in compliance with its policy for deploying patches within a specific timeframe based on criticality. As part of the audit resolution process, we recommend that Premera provide OPM with evidence that it has adequately implemented this recommendation."
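The check OIG describes, comparing scan results against a policy that sets patch deadlines by criticality, is easy to automate. The Python below is an added example, not Premera's or OPM's tooling; the SLA thresholds are hypothetical and the finding records are constructed with placeholder identifiers.

```python
from datetime import date

# Hypothetical policy: maximum days between vendor patch release and
# deployment, keyed by finding criticality (not Premera's actual policy).
PATCH_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

# Constructed sample scan findings; VULN-* ids are placeholders, not real CVEs.
SAMPLE_AS_OF = date(2014, 2, 28)  # date the scan evidence was evaluated
SAMPLE_FINDINGS = [
    {"host": "web-01", "id": "VULN-0001", "criticality": "critical",
     "patch_released": date(2014, 1, 5), "patch_deployed": date(2014, 1, 15)},
    {"host": "web-02", "id": "VULN-0002", "criticality": "critical",
     "patch_released": date(2014, 1, 5), "patch_deployed": date(2014, 2, 10)},
    {"host": "db-01", "id": "VULN-0003", "criticality": "high",
     "patch_released": date(2013, 11, 1), "patch_deployed": None},
    {"host": "app-01", "id": "VULN-0004", "criticality": "medium",
     "patch_released": date(2014, 1, 20), "patch_deployed": None},
]


def patch_violations(findings, as_of):
    """Return findings deployed late, or still unpatched past their SLA.

    An undeployed patch is measured against `as_of`, so a host that is
    still within its window is not flagged yet.
    """
    violations = []
    for f in findings:
        limit = PATCH_SLA_DAYS[f["criticality"]]
        deployed = f["patch_deployed"]
        end = deployed if deployed is not None else as_of
        days_overdue = (end - f["patch_released"]).days - limit
        if days_overdue > 0:
            violations.append({
                "host": f["host"], "id": f["id"],
                "criticality": f["criticality"],
                "days_overdue": days_overdue,
                "still_unpatched": deployed is None,
            })
    return violations


def compliance_summary(findings, as_of):
    """Summarise whether the scanned estate meets the patch policy."""
    violations = patch_violations(findings, as_of)
    return {"total": len(findings), "violations": len(violations),
            "compliant": not violations}


if __name__ == "__main__":
    for v in patch_violations(SAMPLE_FINDINGS, SAMPLE_AS_OF):
        print(v)
    print(compliance_summary(SAMPLE_FINDINGS, SAMPLE_AS_OF))
```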

It's difficult to determine whether the recommendations OIG made to Premera, if immediately implemented, would have made a difference in thwarting the cyberattack, some security experts say. In any case, "failure to patch and unsecure configurations are vulnerabilities we've known about for decades," says privacy and security expert Kate Borten, founder of consulting firm The Marblehead Group.

"Regardless of whether they contributed to this latest attack, every organization - large and small - should pay attention to such common issues," she says. "Make it a priority to keep up with patches. Run vulnerability scans and respond to them by correcting security problems. Make sure your tech and infosec staff understand these security risks, and train them if not."

Routine Audit

Eric Earling, a Premera spokesman, tells Information Security Media Group that the review by OPM OIG was a "routine audit" that was conducted because the health insurer offers health plans for federal employees. Regarding the various OIG recommendations, he says, "Premera implemented the steps it said it would take."

The audit's findings about Premera's security, and the cyber-attack on the company, are unrelated, "separate" issues, Earling contends, adding that the report also noted that OIG had not found any HIPAA security compliance issues.

In its final Nov. 28, 2014, audit report, OIG wrote, "Premera has implemented a series of IT security policies and procedures to adequately address the requirements of the HIPAA Security Rule. Nothing came to our attention to indicate that Premera is not in compliance with the various requirements of HIPAA regulations."

Some security experts say the attack on Premera may have begun months earlier than May 2014, as the insurer reports. For instance, ThreatConnect, a threat intelligence product and services vendor, says it has found evidence that an attack on the health insurer's infrastructure may have started as early as December 2013, or at least a month before OPM OIG began its onsite audit.

In response to those assertions, the OPM OIG spokeswoman says: "We would not have detected the breach if it had started while we were on site. Our audit objective is to evaluate an organization's IT security controls and processes, not to monitor network activity at the time of the audit."

Healthcare Vulnerabilities

As to how hackers were able to access Premera's systems, "it's hard to know," says Robert Hansen, vice president of WhiteHat Labs, part of security testing firm WhiteHat Security. "It's not even clear to me that it was a Web-based vulnerability. It could have, for example, been malware sent via an email or drive-by download, but statistically speaking it was probably SQL Injection or Command Injection if it involved customer records."

The Healthcare Information Trust Alliance, an information sharing organization, says it had published for its members multiple reports about suspicious activity related to Premera about a month before the company announced the breach.

In addition, HITRUST, in conjunction with ThreatStream, a provider of threat intelligence technology, "continues to work with intelligence sources related to the suspicious domain 'prennera.com,' which is linked to Deep Panda's phishing attack method also leveraged in the recent Anthem breach," HITRUST says. "Early speculation is this [Premera] breach is also tied to threat actor Deep Panda, and the initial incident may date back as far as May 2014."

Deep Panda is the code name assigned by adversary-tracking firm CrowdStrike to a group of hackers - operating from China - which it refers to as "one of the most advanced Chinese nation-state cyber intrusion groups." The group is also known as KungFu Kittens, SportsFans, PinkPanther and "Shell_Crew," according to information security firm RSA.

Precautions Taken

Earling tells ISMG that the hackers did not exfiltrate the data that was exposed. And while the data was encrypted, "the way the data was accessed rendered the encryption moot," he adds, declining to elaborate.

Commenting on whether the Premera attack could be related to the hack against health insurer Anthem Inc., which resulted in a breach impacting 78.8 million individuals, Earling says the two incidents are "two different cyber-attacks, two different issues." He declined to comment on speculation by some security experts that China is involved in either attack.

Earling also wouldn't comment on the possible motives for hackers to access Premera's systems but not exfiltrate data. "It's impossible to say why we were targeted."

Premera waited about six weeks to announce the breach after discovering the attack based on the advice of law enforcement officials involved in the investigation, including the FBI, he says. That's because the insurer first took steps to "cleanse and secure its IT system" before revealing it was aware of the intrusion. "If the breach is announced before that, cyber-attackers [if still in the systems] get more malicious, putting more data at risk," he says of the advice the investigators gave Premera.

The 11 million individuals affected by the breach "across the country" are being notified now, he says.
