HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA and Ransomware: What You Need to Know


When it comes to HIPAA and ransomware, there are some key responsibilities that health care professionals have when handling an incident. Following the regulation is essential to keeping your behavioral health practice out of the headlines and mitigating the risk to patients’ sensitive health data.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has yet to release new regulation specifically in regards to HIPAA and ransomware. However, in 2016 after a string of ransomware attacks impacted hospitals and health services across North America, guidance was released about how to handle a ransomware incident should one impact your practice.

What is Ransomware?

Ransomware is a type of malware that infects your computer or network. The malicious software automatically encrypts your data, and then the hackers responsible demand a ransom in exchange for access.

Sometimes, the ransomware will even give health care providers a countdown: pay the ransom within the time allotted, or face permanently losing access to this electronic protected health information (ePHI). ePHI is any health care data that can be used to identify a patient that is stored in electronic format, such as electronic health records systems (EHRs).

How to Handle HIPAA and Ransomware

In the event of a ransomware incident, the first thing you should do is report the incident to local law enforcement. HHS guidance on the matter even goes so far as to include contacting the FBI, though this is only fully necessary for larger organizations such as hospital systems.

If you have reason to believe that ePHI has been accessed by the hackers, then you must also report the breach to OCR. If your organization already has an effective HIPAA compliance solution in place, then you should have full documentation in place that can prove to OCR investigators that you’ve done everything possible to prevent breaches.

Having a HIPAA compliance program in place can’t prevent a ransomware attack from occurring, but it’s your best defense against heavy federal fines in the event that a breach does occur. HIPAA fines have already reached $17.1 million in 2017 alone, which is set to outpace 2016’s record breaking $23.5 million.

Technical Dr. Inc.'s insight:
Contact Details:

inquiry@technicaldr.com or 877-910-0004


Healthcare Hacker Attacks: The Impact


The recent string of major hacker attacks in the healthcare sector, including the cyber-attack on UCLA Health, calls attention to the urgent need for organizations to step up their security programs.

Security experts say healthcare organizations need to carefully reassess their risks and then take appropriate security measures, which, in many cases, will include implementing multifactor authentication; improving breach monitoring and detection; and ramping up staff security education, among other steps.

The sophistication of cyber-attackers is making defending against threats in the healthcare sector more challenging, says John Halamka, M.D., CIO of Beth Israel Deaconess Medical Center in Boston.

"Five years ago, external attacks on healthcare were most often from single actors or curious students. Today they are from organized crime, state-sponsored cyberterrorism and hacktivism," he says.

Healthcare is becoming a bigger target for hackers and other cybercriminals for three main reasons, Halamka contends. "One, healthcare has traditionally under-invested in IT compared to other industries, leaving it more vulnerable. Two, healthcare tends to aggregate a large amount of personally identified information in one place, making it easy to breach a large number of records in a single attack. Three, medical identity theft - fraudulently receiving healthcare services - can be more profitable than financial identity theft."

Insufficient Efforts

Even some well-meaning healthcare organizations are also realizing that the diligent efforts they've been putting into information security aren't enough, notes privacy and security attorney Kirk Nahra, a partner at the law firm Wiley Rein.

"Many healthcare industry organizations thought they had pretty good information security. But these attacks have been eye-opening to many companies, that 'we really need to beef up' in terms of protection against these external risks," he says.

Christopher Paidhrin, who recently became information security manager for the city of Portland, Ore., after 15 years as an information security leader at West Coast healthcare provider PeaceHealth, offers a similar assessment. "If CISOs are not now assessing their cybersecurity posture - and exposure - they soon will," he says.

"The scope of vulnerabilities is increasing, and the 'defensive' security program model is failing to meet the challenge of the threats," he says. "Surveys over the past few years indicate that more than 90 percent of organizations sampled have already been hacked. That is a startling number that requires a national emergency-level response."

The attacks on the healthcare sector will only worsen, Paidhrin predicts. "Cybercriminals are motivated by money, easy money. Healthcare offers one of the greatest return on investment efforts with the lowest level of detection and risk. Medical information is data rich, and durable. Credit card data lasts for a month or two, before a bank disables an account. Health information is much more durable, with much of it unchangeable for the life of the affected individual."

UCLA Health Breach

In the latest headline-grabbing hack attack in the healthcare sector, UCLA Health estimates that data on as many as 4.5 million individuals potentially may have been impacted by a cyber-attack that is thought to have begun last September and is "believed to be the work of criminal hackers." UCLA Health says it is working with FBI investigators and has also hired private computer forensic experts to further secure information on network servers.

"In today's information security environment, large, high-profile organizations such as UCLA Health are under near-constant attack," the organization said. "UCLA Health identifies and blocks millions of known hacker attempts each year."

As for who was responsible for the UCLA Health breach, and how the hackers gained access to the systems, "the cyber-attack on UCLA Health is still under investigation, we are unable to discuss particulars or provide further information regarding the attack," a spokesman for UCLA Health tells Information Security Media Group.

With the exception of UCLA Health, most of the largest hacker attacks so far this year targeted insurers, including Anthem Inc., which was hit by a breach affecting nearly 80 million individuals; Premera Blue Cross; and CareFirst Blue Cross Blue Shield.

Will Spending More Help?

Some observers say all the recent headlines about hacker attacks could make it easier for CISOs and CIOs to win support from senior leaders for funding to ramp up information security efforts. But will increased spending make a difference?

"The argument for funding will be easier, because the frequency and size of healthcare sector attacks provide CISOs with mounting evidence to justify increased funding, but it will not guarantee action," Paidhrin says. "Funding generally occurs when the 'what, specifically, can be done?' question can be answered with a price tag less than the perceived cost of assuming the risk. ...Healthcare is struggling, as are all other sectors, to find affordable and effective technologies, skilled cybersecurity personnel and process maturity."

But technology investments won't necessarily stop hackers who rely on social engineering to scam users into providing their network credentials through phishing attacks. "Although spending increases on healthcare IT and cybersecurity will help, the most effective risk mitigator is education," Halamka says. "We are as vulnerable as our most gullible authorized user."

Paidhrin sees a "disturbing trend" toward advanced persistent threats and social engineering, which both largely bypass network perimeter defenses. "APTs are stealthy, very effective at exploiting under-the-radar vulnerabilities that do not trigger the alert thresholds of many security systems," he notes. "Social engineering, basically tricking an authorized user to assist an attacker into an action that exploits a vulnerability, is much simpler than a frontal assault on a network. Why break a lock when you can ask for the keys, and get them?"

Wake-Up Call

The most significant impact the recent hacker attacks will have on the healthcare sector is "information security will need to be considered as an integral part of the security and operations processes of healthcare organizations," says Mitch Parker, CISO of Temple University Health System. "They will need to become more proactive and consider risk as equally as utility."

The hacker attacks should serve as a wake-up call for some organizations that have skimped on their information security risk management practices. "Organizations are supposed to re-assess their information security programs, processes, and technologies on a regular basis to continually improve," Parker says. "That is the purpose of risk management. Incidents such as these should be used to evaluate your organization's current practices and make changes or improvements beneficial to your organization."

Paidhrin says many organizations need to take four "not-so-easy steps" to bolster their security. Those include:

  • Two-factor authentication. "Weak passwords, seldom if ever changed, are the bane of information security. Requiring a token, something other than a username and password - both things you know - is the cheapest big step up the security ladder," he says.
  • Data segmentation. "Valuable, sensitive information needs to be segmented from general user access, not all accessible from one network or one level of user account."
  • Proactive monitoring for unauthorized use. "When 90 percent or more of organizations are potentially compromised, real-time detection of threat actors is essential."
  • Rapid response. "The meme of today is 'It's not if, but when we will be breached.' If an organization cannot respond to an attack and penetration, with effective countermeasures, all of the other information security measures, funding, planning and effort will be undone."

Organizations in all sectors, not just healthcare, need to up their game, says Nahra, the attorney. "It's a real challenge. The healthcare sector isn't alone in terms of facing weaknesses and threats."


The Cloud is Good, But Know Where Data Go


A recent settlement announcement from the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) highlights the need to evaluate web-based applications and storage solutions. Web-based or cloud solutions are viable options and tools for healthcare entities to utilize, but those tools need to be evaluated for compliance with HIPAA security requirements.

Saint Elizabeth’s Medical Center (“SEMC”), located outside of Boston, MA, learned this lesson the hard way. On November 16, 2012, certain workforce members at SEMC reported suspected non-compliance with HIPAA to OCR. The report focused upon use of an internet-based document sharing and storage application. The specific site is not identified in the OCR Resolution Agreement, but Dropbox is an example of an online storage site that does not meet HIPAA security requirements. OCR notified SEMC of the results of its investigation on February 14, 2013. Fast forward a year and SEMC then reported a breach regarding a workforce member’s unsecured laptop and USB storage device. The combination of events led OCR to conclude that SEMC failed to implement sufficient security measures required by HIPAA and SEMC did not timely identify or mitigate harmful effects from identified deficiencies.

As a result of the two reported incidents, SEMC is now paying $218,400 to OCR in settlement funds. The settlement continues the trend of not being able to accurately guess the amount of a fine that will be levied. As stated in the announcement, OCR “takes into consideration the circumstances of the complaint and breach, the size of the entity, and the type of PHI disclosed.” This statement potentially gives some insight, which can be interpreted to mean that entities with bigger pockets will be hit with larger fines because such entities can absorb larger fines.

The other consideration raised by the SEMC settlement is what to do about cloud-based storage and sharing solutions. Should all such tools be locked away from use by healthcare organizations? This is not necessarily the answer, because some tools do follow HIPAA security requirements. For example, some cloud storage services were built specifically for healthcare, and as such are more cognizant of applicable regulatory requirements. More general sites, such as Box, have noted HIPAA requirements and claim to meet the required standards. As such, it is possible for organizations to utilize cloud-based options.

However, it is not necessarily the choices of an organization as a whole that are troublesome. In SEMC’s case, it is not clear whether the workforce members acted under SEMC’s direction or utilized the cloud sites without SEMC’s direct knowledge. The unsupervised actions of workforce members are what can cause an organization a lot of concern. Organizations need to train and educate workforce members, but cannot always control their actions. Despite the inability to constantly track what a workforce member is doing, certain steps can be taken to alleviate concerns. One measure would be to block access to websites that could lead to a potential breach or other non-compliance. Such a measure may not make all workforce members happy, but an organization should assess its risks and take appropriate measures. Additionally, an organization can recommend compliant sites for workforce members to use.

Regardless of the approach taken, organizations need to be cognizant of the risks posed by cloud-based storage, especially at the individual level. OCR’s settlement with SEMC is only the most recent action to highlight the concern. As has been stated before, once OCR releases a settlement addressing an issue, subsequent organizations with the same issue can expect greater focus on the identified issue and less leniency when it comes to a violation.

Before a Medical Data Breach, Begin Your Response Plan


In the last 18 months, there have been three massive data breaches involving the healthcare industry, scores of smaller breaches, and a growing trend of insider threats posed by employees who have sold protected health information (PHI) for their own personal gain. Unlike stolen credit card numbers that can be deactivated, the personal identifying information needed to commit identity-theft type crimes, such as name, address, Social Security number, and date of birth, cannot be changed easily, if at all. Because of the permanent nature of the information that they contain, health records are approximately 10 times more valuable than stolen credit card numbers on Internet black markets where they can be bought and sold in bulk.

Now more than ever, because of new threats posed by such cybercriminals, any organization that collects, uses, discloses, or stores PHI is a potential breach victim. Covered Entities and their Business Associates subject to HIPAA who suffer a data breach must act quickly and correctly in assessing the situation. They must thoroughly investigate and mitigate risks caused by the breach, attempt recovery of the lost information, and provide required notifications to affected individuals and others. Throughout this process, organizations experiencing a breach should strive to demonstrate publicly that the data loss is being handled responsibly and appropriately.

Defining a "Breach"

HIPAA defines a breach as the acquisition, access, use, or disclosure of PHI in a manner inconsistent with the Privacy Rule that compromises its security or privacy. In most cases, a breach is presumed to have occurred unless it can be demonstrated that there is a "low probability" that the PHI has been compromised. When performing this initial inquiry, an organization must consider:

1. The nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification;

2. The unauthorized person who used the PHI or to whom the disclosure was made;

3. Whether the PHI was actually acquired or viewed; and

4. The extent to which the risk to the PHI has been mitigated.

Plan Ahead for Breach Notification

Leonardo M. Tamburello
Every Covered Entity and Business Associate that handles PHI should develop its own unique breach response plan, built upon its most recent Security Risk Assessment (SRA), itself a fundamental step in the development of a comprehensive HIPAA security program. This security program should include a complete inventory of all devices containing sensitive data and policies and procedures requiring the immediate reporting of any lost, stolen, or compromised devices or media.

Using the most critical vulnerabilities identified in the SRA as a blueprint, the "worst case" scenario should be used to develop a detailed response plan. This discussion and handling of the "crisis" in a benign environment should be memorialized and refined into a formal breach response plan that identifies clear lines of communication and responsibility, including what gets done, who does it, and when they are supposed to do it.

Merely having a breach response plan on paper is not enough. Individuals who are expected to implement the plan must understand and be equipped to execute their responsibilities.

Whether through a medical practice's in-house counsel or an outside law firm, there are important reasons to integrate counsel into a breach response plan. Privacy counsel with breach response experience can bring valuable insight and steadying presence to an unfamiliar and sometimes chaotic situation. In the event of a follow-up investigation by HHS' Office for Civil Rights (OCR) (which is mandated in breaches affecting 500 or more individuals) or civil litigation, an organization's deliberative processes and internal communications and/or actions involving their counsel regarding breach response may be kept confidential through these doctrines. Without the involvement of counsel, the entirety of an organization's actions and communications would be potentially discoverable in the now familiar class-action lawsuits that inevitably follow data breaches.

Activating the Breach Response Plan

If it is determined that a breach has occurred, an organization should immediately take all possible steps to minimize or limit the impact of the breach while documenting its efforts to do so. Mitigation often occurs in parallel with an investigation, and its own document trail, into the cause of the breach. In some cases, such as when a device is physically lost or stolen, mitigation may be impossible unless there is a way to remotely wipe the data contained on it. If the breach involves media or paper that can be tracked or retrieved, every effort should be made to recover it. Law enforcement should be contacted if criminal activity such as theft or intrusion is suspected.

Like other aspects of breach response, a medical practice's internal investigation into a breach should be thoroughly documented. The Privacy Officer, in consultation with privacy counsel for the organization, should collect and preserve evidence in accordance with established policies and procedures. This information may include interviews, e-mails, chat logs, voicemails, cellular calling records, computer logs, and any other information regarding the data loss.

If the breach involves cyber intrusion, the Privacy Officer will likely require the assistance of IT vendors or others such as specially trained law enforcement divisions. Expert forensic assistance from these individuals can be invaluable when investigating a possible breach or determining the scope of a known breach.

Formal Notification to Individuals, HHS, and Others

Once a breach has been internally confirmed, HIPAA requires official notification to all affected individuals and the OCR. If the breach involves 500 or more individuals, media organizations in the area where the affected individuals live must also be notified. Most times, these notifications must occur within 60 days of when the breach actually was, or should have been, discovered.

This does not necessarily mean that the breach will remain private until further disclosure. In many instances, breaches become public knowledge long before formal notification is made. To prevent such situations from spiraling out of control, it is imperative that an organization's breach response team be prepared to make public limited information in which there is a high degree of confidence, while stressing that the investigation is ongoing and this information may evolve. Scrambling to figure out a breach response strategy while trying to investigate and mitigate the possible harm can easily lead to inaccurate and/or harmful information being disseminated. Responding with silence will only intensify the scrutiny in such situations. A breach response plan will help a practice follow a "script" through an otherwise unfamiliar and potentially high-stakes crisis.

Poor breach notifications can take many shapes. Some fail to acknowledge the seriousness of the situation. Others provide incomplete or incorrect information. Another poor "response strategy" is complete silence or other tone-deaf actions which demonstrate organizational discord or a misunderstanding of the severity of the situation. Any of these missteps can be severely damaging, not only from a reputational point of view, but also during later phases if there is a formal investigation by OCR.

After the required notifications have been made, the organization should update its current risk management plan to reflect lessons learned and vulnerabilities addressed as a result of the breach.

Most cyber intrusions are not brutish acts of virtual "smash and grab" thuggery, but well-planned and strategic, with the hallmarks of stealth and patience. As data collection and information sharing among healthcare providers and their affiliates grows in the future, the threats to the security and integrity of this information will continue to increase.

Failing to prepare for a breach is the same as preparing to fail at responding to one. As electronic health information continues to multiply along with data sharing among multiple providers and affiliates, preparing for this threat must become an organizational priority for everyone.


Hospital with repeat security failures hit with $218K HIPAA fine


Does your hospital permit employees to use a file-sharing app to store patients' protected health information? Better think again. A Massachusetts hospital is paying up and reevaluating its privacy and security policies after a file-sharing complaint and a subsequent HIPAA breach.

St. Elizabeth's Medical Center in Brighton, Mass. – a member hospital of Steward Health Care system – will pay $218,400 to the Office for Civil Rights for alleged HIPAA violations. The settlement resulted from a 2012 complaint filed by hospital employees, stating that the medical center was using a Web-based document-sharing application to store data containing protected health information. Without adequately analyzing the security risks of this application, it put the PHI of nearly 500 patients at risk.

"Organizations must pay particular attention to HIPAA's requirements when using Internet-based document sharing applications," said Jocelyn Samuels, OCR director, in a July 10 statement announcing the settlement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."

It wasn't just the complaint that got St. Elizabeth's in hot water, however. A HIPAA breach reported by the medical center in 2014 also called attention to the lack of adequate security policies. The hospital notified OCR in August of last year of a breach involving unsecured PHI stored on the personal laptop and USB drive of a former hospital employee. The breach ultimately impacted 595 patients, according to a July 10 OCR bulletin.

As part of the settlement, St. Elizabeth's will also be required to "cure the gaps in the organization's HIPAA compliance program," OCR officials wrote in the bulletin. More specifically, this includes conducting a self-assessment of its employees' awareness and compliance with hospital privacy and security policies. Part of this assessment will involve "unannounced visits" to various hospital departments to assess policy implementations. Officials will also interview a total of 15 "randomly selected" employees with access to PHI. Additionally, at least three portable devices across each department with access to PHI will be inspected.

Then there's the policies and training part of the settlement. Based on the assessment, St. Elizabeth's will submit revised policies and training to HHS for approval.

In addition to the filed complaint and the 2014 breach, the medical center also reported an earlier HIPAA breach in 2012, when paper records containing billing data, credit card numbers and security codes of nearly 7,000 patients were not properly shredded by the hospital. Some of the files containing the data were reportedly found blowing in a nearby field.

To date, OCR has levied nearly $26.4 million from covered entities and business associates found to have violated HIPAA privacy, security and breach notification rules.

The largest settlement to date was the whopping $4.8 million fine paid by New York Presbyterian Hospital and Columbia University Medical Center after a single physician accidentally deactivated an entire computer server, resulting in ePHI being posted on Internet search engines.

Gerard Dab's curator insight, July 16, 2015 8:05 PM

Security! Security! Security!

#medicoolhc #medicoollifeprotector
Florida Hospital faces two data breach lawsuits


Florida Hospital is facing two possible class action lawsuits regarding two separate data breaches of patient information over the past four years.

The hospital is battling both suits, and has recently submitted motions to toss them both out.

The first data breach, revealed in August 2011, involved Florida Hospital employees Dale Munroe and Katrina Munroe combing through thousands of patient records and selling data to lawyers and chiropractors. Both employees were fired and charged criminally.

The second breach, discovered in May 2014, involved two employees printing portions of medical records for at least 9,000 patients for over two years. Those employees were also fired but not named in the lawsuits. That breach was allegedly discovered by state investigators of a criminal case.

The first lawsuit is handled by a Chicago-based law firm Edelson, and local attorney Edmund Normand. The named plaintiffs in that case are Richard Faircloth, who was a patient at Florida Hospital's Apopka campus, and Consuelo Armesto, a former patient at Florida Hospital's Altamonte Campus. A new hearing is coming up soon regarding Florida Hospital’s motion to dismiss the Faircloth case.

Attorney John Yanchunis of Orlando law firm Morgan & Morgan is handling a case tied to the May 2014 breach. The named plaintiffs in that case are Heather and Sebastian Peralta of Altamonte, and their daughter Janson Peralta.

The Peralta case, filed more recently, cites the previous case as evidence that the hospital has known about data breaches for a while now.

“Hospitals are good about delivering medical services. Other kinds of things, like this, they are not so good at, because it’s not their business,” Yanchunis said. “But that must change now, and there’s a movement now to install systems to better detect access to information.”

Florida Hospital and its attorneys did not immediately respond to phone calls and emails about the lawsuits, which are both pending in Orange County Circuit Court.

But the hospital has argued that the lawsuits are missing an important fact: the plaintiffs haven’t suffered any identity theft, at least not yet.

Both lawsuits rely on allegations that the patients involved had “expected and paid for" data security at the hospital.

But Florida Hospital’s attorneys argue that no Florida court has recognized a fiduciary duty between a hospital and a patient. The hospital also argues that the plaintiffs can’t enforce federal HIPAA laws through private civil action, and that they can’t sue based on “increased risk of identity theft.”

The hospital also argues that their employees were willfully violating the policies regarding HIPAA compliance and patient data security.

Data stolen from medical records is a common method used by identity thieves, especially for filing fake tax returns seeking bogus tax refunds.

There’s an additional wrinkle in the Peralta case. Yanchunis noted that the Peraltas’ daughter isn’t even eligible for credit protection services yet, but that her data could be used in an identity theft years from now.

According to the court record, the Munroes were paid $10,000 by local chiropractor Sergei Kusyakov to pull out information on victims of motor vehicle accidents – some of whom then received calls from Kusyakov’s office with offers of chiropractic care. The Munroes and Kusyakov all pleaded guilty to the crimes.


Orlando Health reports data breach for 3,200 patients


Orlando Health said Thursday about 3,200 patients’ records were accessed illegally by one of its employees, who was fired during an investigation.

The hospital system said it discovered the data breach on May 27. A news release on Thursday, July 2, said it began notifying patients “today”, which would be more than 30 days after the breach.

According to the release, there was no evidence that the data was copied or used illegally, but Orlando Health reported the incident in accordance with its data breach policies.

Under Florida law, notice to victims of a data breach is required within 30 days, unless the custodian of records has determined that nobody suffered identity theft or any other financial harm.

The records included certain patients at Winnie Palmer Hospital for Women & Babies, Dr. P. Phillips Hospital and a limited number of patients treated at Orlando Regional Medical Center from January 2014 to May 2015.

Theft of patient information at health-related companies is one of the primary ways that tax refund fraud has been occurring in Florida, according to federal authorities. Thieves can use the information to submit a fake tax return in your name, claiming refunds that could prevent or delay a legitimate refund.

In the Orlando Health incident, stolen data may have included names, dates of birth, addresses, medications, medical tests and results, the last four digits of social security numbers, and other clinical information. The former employee may have also accessed insurance information in approximately 100 of those patient records.

Steve Stallard, corporate director for compliance and information security said in a statement that Orlando Health “deeply regrets any concern or inconvenience this may cause our patients or their family members.”

The organization is providing affected patients with call center and other support, the news release said.

Orlando Health has reported other data breaches, such as a March 2014 incident where over 500 child patient records were misplaced.

HIPAA Criminal Violations on the Rise

Stories appear almost every day about medical records being improperly accessed, hacked or otherwise stolen. The number of stories about such thefts is almost matched by the number of stories about the high value placed upon medical records by identity thieves and others. This confluence of events highlights the pressure being faced by the healthcare industry to protect the privacy and security of medical records in all forms.

While stories about hacking and other outside attacks garner the most attention, the biggest threat to a healthcare organization’s records is most likely an insider. The threat from an insider can take the form of snooping (accessing and viewing records out of curiosity) to more criminal motives such as wanting to sell medical information. Examples of criminally motivated insiders, unfortunately, are increasing.

One recent example occurred at Montefiore Medical Center in New York where an assistant clerk allegedly stole patient names, Social Security numbers, and birth dates from thousands of patients. The hospital employee then sold the information for as little as $3 per record. The individuals who acquired the information used it to allegedly go on a shopping spree across New York for over $50,000.

Another recent example comes out of Providence Alaska Medical Center in Anchorage, AK. In Anchorage, a financial worker at a hospital provided information about a patient to a friend. Unfortunately, that friend had injured the patient and was under criminal investigation for it. The friend wanted to know if either of the patients had reported him to the police. Clearly, the access by the financial worker was improper.

While it could previously be said that instances of criminal convictions or indictments were rare, the examples do appear to be coming with increasing frequency. What should organizations do? Is this conduct actually preventable? As is true with HIPAA compliance generally, the key is to educate and train members of an organization’s workforce. If someone is unaware of HIPAA requirements, it is hard to comply.

However, it can also be extremely difficult to prevent criminal conduct altogether. If an individual has an improper motive, that individual will likely find a way to do what they want to do. From this perspective, organizations cannot prevent the conduct, but should consider what measures can be taken to mitigate the impact of improper access or taking of information. It would be a good idea to monitor and audit access to and use of information in order to catch when information could be going out or is otherwise being accessed when not appropriate. Overall, the issue becomes one of how well an organization monitors its systems and takes action when a suspected issue presents itself.

The most dangerous data breach ever known

From time to time I have the depressing task to write about yet another data loss event that caused the personal details of millions of people to fall into the hands of criminals. Usually this is credit card data, along with names and email addresses. Sometimes physical addresses are included, and occasionally even more sensitive data like Social Security numbers goes along for the ride. Usually this data was collected by a large retailer that had no qualms about storing the sensitive information, but clearly neglected to properly secure it.

Stolen data is primarily used for credit card fraud, though if there's enough information available, identity theft is a definite possibility. Millions of affected people have been forced to get new credit cards, check their statements for fraudulent charges, and rework any automated payment arrangements and whatnot. It's a big pain in the ass, and frankly, it has happened far too often, especially when once should be considered more than enough.

Heartland, Target, TJX, Anthem ... we've seen some massive data breaches over the years. But none can hold a candle to the breach the U.S. government announced last week. Not even close. On a scale of one to 10, with one being the loss of credit card numbers and names, this data loss event would conservatively be a 15.

Most people aren't aware of exactly what type of information the federal government collects on its employees, especially those with security clearances. We all have some idea that government employees have relatively strict reporting requirements for financial information, and we know that federal workers with higher clearances undergo thorough background checks and must submit to interviews of both themselves and their family and friends. This is done to flag potential problems and to prevent outside agents from having undue influence over people who may have access to sensitive information and materials.

Put simply, if you have a security clearance, the government would like to know if you have a drug problem or if you are in serious debt, because a foreign interest may try to use that situation as leverage to coerce you into revealing sensitive information. In the interest of national security, these safeguards make sense.

But the true nature and scope of the information required by the government and subsequently collected by the government on an employee is massive. Take a look at Standard Form 86. This is a 127-page form that usually takes a week or more to complete and requires the entry of the applicant's Social Security number on each page. The data included on this form is not just enough for identity theft, but enough to allow a person to literally become another person. Each Standard Form 86 fully documents the life of the subject. The only thing missing is the name of your first crush, though that might be in there somewhere too.

Some 18 million people had this level of personal data -- and more, including data collected by observers -- lost to foreign agents last week. If the government collected this data to know if an employee was vulnerable to undue outside influence, then it just succeeded in closing that loop itself, having now released it into the wild. All of those vulnerabilities are now known and available for exploit to whomever stole the data, or to whomever they wish to sell that data. This is very, very bad.

I should also mention that many of those whose personal information was swept up in this data loss event were never even government employees in the first place. They may have filled out the forms and submitted applications, but they were never hired or they declined the job. This includes prospective TSA agents right on up through CIA employees -- the higher the position, the higher the clearance, the more sensitive the data that was collected and lost. Information on these people's infidelities, sexual fetishes, mental illnesses, criminal activities, debts, and other highly personal information is now in the hands of cyber-attackers. This is damage that cannot be undone or mitigated. We can change credit card numbers and refund fraudulent charges, but we can't change any of the personal data and intimate details of these people's lives. That's a permanent loss.

One could argue that however disastrous this data loss event is, the government had a requirement to store this data. It needed to collect and maintain this data, even if it failed to secure it. That said, this is the same government that is collecting a massive amount of data on all of us, whether we're prospective federal employees or not, via Internet and phone surveillance. If the federal government is lax enough to lose immeasurably sensitive information on its employees, how secure is the data that it has decided it needs to collect on everyone in the world?

Many people believe that the U.S. government shouldn't be collecting and storing this data in the first place, and that there's no need to maintain that data collection. This event underscores the fact that maintaining this data is not just privacy invasion on a massive scale, but it's actually dangerous. What happens when the next data loss event contains highly sensitive data on hundreds of millions of people? We can't put that cat back in the box no matter how we might try. You might think that the best way to guard against that possibility is to stop collecting that data in the first place.

Four Things MSPs Should Know About HIPAA Compliance and the Cloud

While managed service providers (MSPs) are certainly well-versed in the areas of cloud-based file sharing and data storage, it pays to be just as familiar with some of the areas of interest of your clients. As MSPs see more healthcare companies migrating their services to the cloud – whether due to a relaxation of restrictions or a decision to evolve – the need for familiarity in this potentially lucrative market is as important as ever.

When the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, data security and privacy on the internet were not exactly the big concerns of the day. Then again, the MSP business model we know and love today didn’t even exist.

Fast forward about 20 years – and through a couple of generations of computing platforms – and HIPAA compliance has become a hot topic as health care organizations, at long last, begin to crawl out from under mountains of paper and into the digital world.

The 2013 HIPAA Omnibus Rule is the modification to HIPAA that defines the rules governing data security for “covered entities” (healthcare providers, mostly) and their “business associates,” i.e. you, their MSP.

As the rule states, “These modifications [to the original HIPAA law] make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.” Here are the four most important things you need to know to comply with HIPAA regulations:

1. Business Associate Agreements

Law now requires that when you’re doing business with a “covered entity” (CE), you must execute agreements – called Business Associate Agreements (BAAs) – that define the permitted uses and disclosures of “protected health information” (PHI) by the business associate. Don’t start doing business with a healthcare client or other “covered entity” without a Business Associate Agreement in place. The same goes for subcontractors. You’ll want to make sure that anybody touching PHI is covered in the BAA.

2. Providing cloud storage makes you liable for HIPAA privacy

According to the HIPAA Omnibus rule, anything you store in the cloud – even on behalf of a client – that contains protected health information must be compliant with HIPAA privacy protections. This applies whether you ever view that data or not. If you retain, maintain, or transmit protected health information for a client, then you are bound by their business associate agreement.

3. Less access = lower liability risk

According to an FAQ published by the Center for Democracy and Technology, if you don’t have the capability to access your client’s data and adhere to HHS (Department of Health and Human Services) standards with respect to encryption, you should have little liability risk as a business associate. The FAQ also states that, “if the covered entity controls the decryption keys and the CSP has no ability to access the plain text of the data, it would not be reasonable to expect the CSP to comply with the provisions... that require a BA to ‘make available’ PHI for certain purposes.”

4. Breach thresholds have been lowered

Prior to the enactment of the Omnibus rule, a security breach only had to be reported to the HHS if it posed “significant risk of reputational, financial or other harm” to individuals. Now, all breaches of unsecured PHI – information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons – must be reported. However, if the BAA established between you and your healthcare client includes a multi-factor risk assessment that determines low probability of data compromise, the breach may not need to be reported. It’s probably worthwhile to check out your legal obligations for notification.

10 ways to prevent a data breach and protect your small business

Today, virtually all businesses collect personal information about customers, employees and others. This information is valuable to hackers – evidenced by the increasing frequency and severity of data breaches across the globe.

Big businesses are not the only ones who are vulnerable. Small and medium-sized businesses with fewer data security resources are often targets for cybercriminals. In fact, research we’ve conducted with the Ponemon Institute shows that more than half have experienced a data breach and nearly three out of four report they can’t restore all their data.

The good news is that businesses can take steps to protect themselves from destructive cyber intrusions. To preempt hacking activity, you must think like a hacker. Here are a few tips to get you started.

1. Think beyond passwords. Never reuse them and don’t trust any website to store them securely. To increase the level of security, set up a two-factor authentication for all your online business accounts. This authentication relies on something only you should know (your password) and authenticates something only you should have (typically your phone) to verify your identity.

2. Stop transmission of data that is not encrypted. Mandate encryption of all data. This includes data at “rest” and “in motion.” Consider encrypting email within your company if personal information is transmitted. Avoid using WiFi networks, as they may permit interception of data.

3. Outsource payment processing. Avoid handling credit card data on your own. Reputable vendors, whether it’s for point-of-sale or web payments, have dedicated security staff that can protect data better than you can.

4. Separate social media activity from financial activity. Use a dedicated device for online banking and other financial activities, and a different device for email and social media. Otherwise, just visiting one infected social site could compromise your banking machine and sensitive business accounts.

5. “Clean house” and update procedures. Evaluate your assets and valuable data to identify where your organization is most at risk. It’s important to reduce the volume of information you keep on hand (only keep what you need!) and properly destroy all paper documents, CDs/DVDs and disks before disposal. Consider assessing your business’s email infrastructure, browser vulnerability, and ID system. Do not use Social Insurance Numbers as employee ID numbers or client account numbers. You should also question the security posture of your business lines, vendors, suppliers or partners.

6. Secure your browser. Watering holes – malicious code installed on trusted websites – are a common method of attack against businesses. How do you know which websites to trust? Focus on keeping up-to-date with the latest version of your browser. Then, test your browser’s configuration for weakness.

7. Secure your computers and operating system. Implement password protection and “time out” functions (requires re-login after period of inactivity) for all business computers. Require strong passwords that must be changed on a regular basis. Also be sure to update all operating systems, which have major security improvements baked in. It’s far easier to break into older operating systems like Windows XP or OS X 10.6.

8. Secure your internet router. Make sure someone can’t intercept all the data sent through it. Consider configuring your wireless network so the Service Set Identifier (SSID) – the name the wireless network broadcasts to identify itself – is hidden.

9. Safeguard and back up your data. Lock physical records containing private information in a secure location and create backups. These should be encrypted and off-site in case there’s a fire or burglary.

10. Educate and train employees. Establish a written policy about data security, and communicate it to all employees. Educate them about what types of information are sensitive or confidential and what their responsibilities are to protect that data. In addition, restrict employee usage of computers for only business purposes. Do not permit use of file sharing peer-to-peer websites or software applications and block access to inappropriate websites.

It’s important to remember that no business is “too small” for a hacker – all businesses are vulnerable. The sooner you can get ahead of potential hacking activity, using the above steps, the sooner you’ll be prepared to thwart, mitigate and manage a data breach.

How can hospitals protect their medical equipment from malware?

The challenges in protecting hospitals from cyber attacks are very similar to those faced in ICS and SCADA environments; the equipment used in hospitals is not user-serviceable and therefore often running out-of-date software or firmware. This creates a dangerous situation where:

  • The devices have known vulnerabilities that can be easily exploited by bad actors
  • Administrators are not likely to notice malware running on the device as long as nominal operation is maintained

The end goal of bad actors infecting a medical device is to use it as an entry and pivot point in the network. Valuable patient records are not likely to be present on the medical devices, but those devices often have some level of network connection to the systems that do contain patient records.

What exactly is a bad actor likely to do after getting a foot-hold on the network? Move laterally to find patient records that can be used for:

  • Identity theft
  • Blackmail
  • Steal research data for financial gain
  • Deploy ransomware like Cryptolocker, effectively crippling the facility unless a bribe is paid
  • Trigger widespread system malfunctions as an act of terrorism
  • Carry out a 'hit' on a specific patient

The first three items are strictly motivated by financial gain, and this has been the extent of observed attacks to date. The fourth item seems possible but unlikely, either due to morals or the relatively higher value of attacking other targets like power plants or defense facilities. The fifth item hasn't been detected yet, but that doesn't exclude the possibility that it has happened. Carrying out a silent assassination with malware would be very hard to trace back to the attacker, and could even be sold as a service (similar to DDoS as a service).

The scenario for number 5 sounds like something out of a Tom Clancy novel, but it is completely plausible. The attacker (or entity paying for the attack) would only need to know the target, have knowledge of an upcoming procedure, and know where the procedure was to take place. One caveat is that identifying which device(s) would be used with that patient, and when, could be difficult but not impossible to know.

Real-world vulnerability examples
Billy Rios, a security researcher, recently went public with a vulnerability that affects drug pumps and could potentially be exploited to administer a fatal dose of medication to a patient. Rios notified the DHS and FDA up to 400 days ago about the vulnerability and saw no response, so he went public to put pressure on the manufacturer to fix the issue. Faced with the reality that some medical equipment manufacturers do not invest in securing their devices from exploitation, the onus of security therefore falls on the users of such equipment.

This discovery shows a real-world example of how a cyber attack could affect a medical device and potentially endanger lives. There is no question that this type of threat needs to be taken seriously. The real question is, how can hospitals effectively protect devices such as these?

It's clear that installing antivirus software on medical equipment is impractical and basically impossible. Furthermore, healthcare IT staff are relatively helpless to patch the software and firmware running on these devices. So considering those vulnerabilities, and the difficulty in remotely scanning these devices, the best solution is simply to prevent malware from ever getting to these devices. Thankfully this challenge has already been solved in ICS and SCADA environments.

In a recently profiled attack on hospitals, one of the infection vectors was thought to be a technician visiting a compromised website on a PC with direct access to a picture archive and communication (PACS) system. The report details that the malware was detected but not before infecting the PACS system. Due to the nature of the system it could not be scanned for malware, let alone cleaned. It was then used as a pivot point to find a system with medical records that could be exfiltrated back to the attacker.

Medical facilities share vulnerabilities with SCADA and ICS, so why shouldn't they also share protection mechanisms? Critical infrastructure providers, especially power plants, often make use of air-gapped networks as a very effective defense mechanism. Taking the above story as an example, the PC with a web browser and internet access should not have also had access to PACS. This simple step would have stopped the infection from doing any damage at all. If, for example, the technician needed to download something from the internet and transfer it to PACS then it would have to be transferred onto the air-gapped network.

How sanitization of the operating room compares to preventing cyber infections
Hospitals and their staff are very accustomed to preventing the spread of biological infections and they must now apply similar levels of prevention to preventing the spread of cyber infections. Defending against cyber infections, by comparison, is much easier. The medical industry isn't alone in fighting this threat – they don't have to invent new techniques for preventing infection, they simply need to adapt the proven strategies employed by other industries.

Simply employing an air gap doesn't guarantee security. The point of the air gap is to create a point through which data movement is carefully controlled. Additional measures must be employed to ensure that pathogens are not allowed access. In medicine these measures consist of removing foreign material with soap and water, and disinfecting with various antimicrobial agents. It's not practical to scan doctors and nurses for bacteria, so every surface is assumed to be contaminated until sufficiently cleaned and disinfected. The control point in a data flow is comparatively easier to maintain, as there are techniques for quickly finding infections on media moving through the air gap. For extra protection, any files deemed 'clean' can still be disinfected to completely eradicate the possibility of a threat going undetected.
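
The control point described above can be made concrete with a small vetting step that every file must pass before it is carried onto the isolated network. The following is an added example, not code from the article or from any vendor: it assumes a constructed allowlist of file types, checks that a file's leading bytes match its declared type (so a renamed executable is refused), rejects anything whose hash is on a denylist, and, for Office documents, removes the VBA macro container (`vbaProject.bin`) rather than trusting a "clean" verdict. The sample files are built in memory for the demonstration.

```python
import hashlib
import io
import zipfile

# Constructed policy for the transfer control point (assumption, not a standard).
ALLOWED_EXT = {"pdf", "png", "txt", "docx", "xlsx"}
# Leading bytes each declared type must carry; docx/xlsx are zip containers.
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "docx": b"PK\x03\x04",
    "xlsx": b"PK\x03\x04",
}
MACRO_PARTS = ("vbaProject.bin",)  # OOXML part that carries VBA macros


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def has_macros(zip_bytes):
    """True if the OOXML container carries a VBA macro part."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return any(n.endswith(MACRO_PARTS) for n in zf.namelist())


def strip_macros(zip_bytes):
    """Rebuild the container without macro parts (content disarm step)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename.endswith(MACRO_PARTS):
                continue
            dst.writestr(info.filename, src.read(info.filename))
    return out.getvalue()


def vet_file(name, data, denylist=frozenset()):
    """Return (verdict, reason, bytes_to_admit); verdict is accept/sanitized/reject."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if sha256(data) in denylist:
        return ("reject", "hash is on the denylist", data)
    if ext not in ALLOWED_EXT:
        return ("reject", f"type .{ext} is not allowed across the gap", data)
    magic = MAGIC.get(ext)
    if magic and not data.startswith(magic):
        return ("reject", "content does not match declared type", data)
    if ext == "txt":
        if b"\x00" in data:
            return ("reject", "text file contains NUL bytes", data)
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return ("reject", "text file is not valid UTF-8", data)
    if ext in ("docx", "xlsx"):
        try:
            if has_macros(data):
                return ("sanitized", "macro parts removed", strip_macros(data))
        except zipfile.BadZipFile:
            return ("reject", "corrupt OOXML container", data)
    return ("accept", "passed all checks", data)


def build_docx(with_macro):
    """Constructed minimal OOXML-like container for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00\x01stub")
    return buf.getvalue()


# Constructed sample files (not real documents).
SAMPLES = {
    "summary.pdf": b"%PDF-1.4\n% constructed sample\n%%EOF\n",
    "update.pdf": b"MZ\x90\x00" + b"\x00" * 16,  # executable header renamed as .pdf
    "notes.txt": "plain clinical note".encode("utf-8"),
    "clean.docx": build_docx(with_macro=False),
    "macro.docx": build_docx(with_macro=True),
    "tool.exe": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        verdict, reason, _ = vet_file(fname, blob)
        print(f"{fname:14s} {verdict:10s} {reason}")
```

The point of returning the (possibly rewritten) bytes is that only the output of `vet_file`, never the original media, is what gets copied onto the protected segment; the SHA-256 of each admitted file can be logged at the same time to give the audit trail the article's hygiene analogy calls for.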

4 HIPAA compliance areas your BAs must check

It finally looks like the feds are starting up the next phase of HIPAA audits — but there’s still time to ensure your business associates (BAs) are staying compliant. 

In preparation for the next round of audits, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has begun sending out pre-audit surveys to randomly selected providers, according to healthcare attorneys from the law firm McDermott Will & Emery.

Originally, the surveys were meant to go out during the summer of 2014, but technical improvements and leadership transitions put the audits on hold until now.

Moving toward Phase 2

The OCR has sent surveys asking for organization and contact information from a pool of 550 to 800 covered entities. Based on the answers it receives, the agency will pick 350 for further auditing, including 250 healthcare providers.

The Phase 2 audits will primarily focus on covered entities’ and their BAs’ compliance with HIPAA Privacy, Security and Breach Notification standards regarding patients’ protected health information (PHI).

Since most of the audits will be conducted electronically, hospital leaders will have to ensure all submitted documents accurately reflect their compliance program since they’ll have minimal contact with the auditors.

4 vendor pitfalls

It’s not clear yet to what extent the OCR will evaluate BAs in the coming audits due to the prolonged delay. However, there are plenty of other good reasons hospital leaders need to pay attention to their vendors’ and partners’ approaches to HIPAA compliance and security.

Mainly because a lot of BAs aren’t 100% sure what HIPAA compliance entails, and often jeopardize patients’ PHI, according to Chris Bowen, founder and chief privacy and security officer at a cloud storage firm, in a recent HealthcareITNews article.

A large number of data breaches begin with a third party, so it’s important hospital leaders keep their BAs accountable by ensuring they regularly address these four areas:

  • Risk Assessments. As the article notes, research has shown about a third of IT vendors have failed to conduct regular risk analysis on their physical, administrative and technical safeguards. Ask your vendors to prove they have a risk analysis policy in place, and are routinely conducting these kinds of evaluations.
  • System activity monitoring. Many breaches go unnoticed for months, which is why it’s crucial your BAs have continuous logging, keep those logs protected and regularly monitor systems for strange activity.
  • Managing software patches. Even the feds can struggle with this one, as seen in a recent HHS audit on the branches within the department. Keeping up with security software patches as soon as they’re released is an important part of provider and BA security. Decisions about patching security should also be documented.
  • Staff training. Bowen recommends vendors include training for secure development practices and software development lifecycles, in addition to the typical General Security Awareness training that HIPAA requires.
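
The system activity monitoring item above, and the earlier article's advice to "monitor and audit access or use of information" so that insider snooping is caught, both come down to reviewing the EHR access log with a few role-based rules. The following is an added example, not code from either article or from any EHR vendor: it runs over a constructed audit log and flags users whose access pattern matches the insider cases the page describes (far more charts opened than the role's baseline, charts with no documented treatment or payment relationship to the user, after-hours activity from a business-hours role, and any export). The per-role limits, the assignment table and the business-hours window are assumptions; a real deployment would derive them from scheduling data and historical volume.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not from any real EHR).
# Columns: ISO timestamp, user id, role, patient id, action
SAMPLE_LOG = """\
2015-05-20T09:12:01 nurse01 nurse P1001 view
2015-05-20T09:15:44 nurse01 nurse P1002 view
2015-05-20T10:03:10 clerk07 clerk P1003 view
2015-05-20T10:04:02 clerk07 clerk P1004 view
2015-05-20T10:04:40 clerk07 clerk P1005 view
2015-05-20T10:05:11 clerk07 clerk P1006 view
2015-05-20T10:05:50 clerk07 clerk P1007 view
2015-05-20T23:41:09 billing02 billing P1008 view
2015-05-20T23:42:30 billing02 billing P1008 export
"""

# Constructed: patients each user has a legitimate relationship with
# (in practice derived from scheduled encounters or assigned work queues).
ASSIGNMENTS = {
    "nurse01": {"P1001", "P1002"},
    "clerk07": {"P1003"},
    "billing02": {"P1008"},
}

# Constructed ceiling on distinct charts opened per day, per role; a real
# baseline would come from each role's historical access volume.
ROLE_DAILY_LIMIT = {"clerk": 4, "nurse": 25, "physician": 40, "billing": 10}

# Roles expected to work business hours only (constructed policy).
BUSINESS_HOURS_ROLES = {"clerk", "billing"}
BUSINESS_START, BUSINESS_END = 7, 19  # 07:00 to 19:00


def parse_log(text):
    """Parse the whitespace-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def analyze(log_text, assignments=ASSIGNMENTS, limits=ROLE_DAILY_LIMIT):
    """Return {user: [(rule, detail), ...]} for users whose access needs review."""
    by_user = defaultdict(list)
    for event in parse_log(log_text):
        by_user[event["user"]].append(event)

    findings = defaultdict(list)
    for user, events in by_user.items():
        role = events[0]["role"]
        charts = {e["patient"] for e in events}

        # Rule 1: volume well above the role's daily baseline
        limit = limits.get(role, 10)
        if len(charts) > limit:
            findings[user].append(
                ("volume", f"{len(charts)} distinct charts > limit {limit} for role {role}"))

        # Rule 2: charts with no documented relationship to the user (snooping pattern)
        unrelated = sorted(charts - assignments.get(user, set()))
        if unrelated:
            findings[user].append(("no_relationship", ", ".join(unrelated)))

        # Rule 3: after-hours activity from a business-hours role
        if role in BUSINESS_HOURS_ROLES:
            off_hours = [e for e in events
                         if not BUSINESS_START <= e["ts"].hour < BUSINESS_END]
            if off_hours:
                findings[user].append(
                    ("after_hours", f"{len(off_hours)} events outside business hours"))

        # Rule 4: any bulk export is worth a human look
        exports = [e for e in events if e["action"] == "export"]
        if exports:
            findings[user].append(("export", f"{len(exports)} export action(s)"))

    return dict(findings)


if __name__ == "__main__":
    for user, items in analyze(SAMPLE_LOG).items():
        for rule, detail in items:
            print(f"{user}: {rule}: {detail}")
```

On the constructed log, `clerk07` is flagged for both volume and for four charts outside any assignment (the Orlando Health and Montefiore pattern of an employee browsing records they have no business reason to open), and `billing02` for after-hours activity plus an export; `nurse01` is not flagged. The rules are deliberately simple so that each finding carries a reason an auditor can act on, which is the documentation OCR investigators expect to see.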

4 things to know before next data breach

Data breaches are all over the news right now. Here's what you want to know.

Businesses of all kinds have been struck ranging from CVS and Costco — which last week had to take down site features amid investigations into whether consumer data was taken — to local entities like OhioHealth, which this week announced information on some patients was on a flash drive that went missing.

No one is above risk, cyber security professionals say, but what can be done to keep you out of hot water? I asked Dayton-area experts for their advice.

1. Make sure employees have rules

Employees need to know not to open suspicious e-mails and fall for scams via telephone, said Jon Gauder, president of Volo Technologies. Security policies in place often help keep employees from letting information fall into the wrong hands.

Lindsay Johnson, an attorney with Freund, Freeze & Arnold specializing in cyber security, said as employees use personal devices for more work purposes, they open up the company to risk. But it's easy to avoid.

"If you let employees have emails on their iPads and laptops, someone can get a hold of that and extrapolate data," Johnson said. "That data has to be encrypted and that can be done with minimal effort."

2. Keep your tech up to date

To protect internal assets, you want to have routers and firewalls put in place and configured to prevent intrusion attacks, Gauder said.

“Sometimes it’s a matter of having the right equipment in place, antivirus and updated security patches,” Gauder said. “There’s no 100 percent foolproof way, but sometimes it’s more responsive than preventative, but your programs have to be up to date.”

Network security audits help companies test security measures. For a Web site: if you don’t need to have data on the website, don’t store payment information on the site, Gauder said. You want to make sure you host the website with a trusted host that is respected and have a good security policy in place.

A lot of people use open source software to develop Web sites. That code is available to hackers but also means a patch to prevent piracy is going to come quicker.

"Open source software often have quick patches because more companies work off of them," Gauder said. "But people who have access to source code can still find things. Response time can be faster than proprietary software. Make sure software is up to date."

Because of that, he recommended monthly or quarterly updates to software.

3. Know who you need to tell

Reporting requirements can vary by industry. In a regulated industry like banking and finance, reporting requirements are handled by federal law, Johnson said. For general businesses with no reporting requirements, the first thing is to make sure you know the extent of the breach and what was accessed.

Businesses are hesitant to report to legal authorities, but “it gives you credibility that you reported something to authorities right away, and they can take the efforts they need.”

Experts in law enforcement encourage businesses to report details, but businesses can be hesitant to do so. But if the safeguards are in place, you can save face to clients by having them know you reported the details right away.

Companies have had mixed reactions to breaches. Retailers like P.F. Chang's and Michael's gave the public specifics about potential data breaches, while others did not.

Johnson said it's ultimately a PR decision whether or not to make a breach public. But not doing so can risk your reputation. You should report to your clients right away and let them know the details.

"The more detail you give illustrates you are organized," Johnson said. "You’re able to identify quickly what happened, who was affected, how entry was achieved etc. If you don’t have a plan in place it will take you three times as long"

4. The law will want to know how you responded

If a lawsuit happens, it's going to scrutinize what you knew about the breach and how you sought to prevent it.

The most high profile breaches, including Home Depot, have led to costly lawsuits, Johnson said. What makes a data breach potentially harmful is whether you tried to stop it.

"In the event there was a breach, and a lawsuit, what we have seen is the courts are saying ‘you did not act commercially reasonable. You did not consider the information you let employees have on these devices,’" Johnson said. "You have to assume a data breach will happen. How they use emails, how they send data over email, is it encrypted."

If the courts become involved, the big question will be what you knew and when, and whether you acted reasonably.

When companies get sued, litigators make the case that they knew a data breach was a possibility and ignored it, and didn’t have policies and procedures to minimize attacks.

Cyber security insurance is becoming an industry standard. Companies are writing cyber security policies, Johnson said, adding it could soon be considered a standard of care.

Three Steps to Preventing Data Breaches in Your Practice

Every few weeks, there’s a headline about a healthcare organization that’s been victimized by a hacker or a disgruntled employee. What is your practice doing to protect its data against theft? It can be a balancing act for physician practices that want to provide access to patient information in the EHR and elsewhere, while preventing data breaches. Here are a few steps that can help practices avoid those unfortunate headlines:

Know where your data is

First, you have to know where your data is, said Jim Kelton, managing principal at Costa Mesa, Calif.-based Altius Information Technologies. If you don’t know where your data is transmitted or where it’s stored, you can’t provide the layers of protection that are needed.

"You have to know where [your data is] transmitted and where it’s stored," he said. Part of this exercise includes determining the practice’s EHR and other clinical information systems—and whether that software is hosted on the cloud. It can also be as mundane as making sure that printed e-mails from patients aren’t sitting around the office.

"There are 18 forms of protected health information, even an e-mail address can identify someone and needs to be protected,” he said.

Know what assets provide access to your data

Once this is done, you need to determine the assets that provide access to the practice’s data. This could be in the doctor’s office, within computer systems, on a server, or in the EHR and other clinical applications themselves. There are often multiple threats to consider, said Kelton. For example, the threat with a laptop is it’s portable and it’s vulnerable because it contains protected patient information.

Having a BYODT – or Bring Your Own Device and Technology – policy is very important, he said. This requires surveying your staff and doing an inventory of the types of technology you’re using to run the practice. It’s during this step that you should determine whether your employees are using smart phones and tablets, cloud storage, flash drives, or external hard drives. It’s also important to keep in mind any data sharing with external contractors doing software development for the practice. "For smaller practices that outsource a lot of services, they need to make sure their business agreements [with vendors and consultants] are solid,” said Kelton.

Identify threats to those assets and build in controls

Those threats could be physical, such as someone entering the practice and stealing a laptop. They could also mean your practice is the intended victim of hackers or viruses, which can infiltrate the EHR and other clinical systems. Some practices even need to be prepared for the actions of a disgruntled employee who sends your client list to their future employer, an action that puts your practice at risk, Kelton said.

Password protection for laptops is a pretty simple solution that works. Also to consider is encrypting the laptop’s hard drive. This means that a thief won’t be able to access protected patient data in the EHR or other information about your practice, Kelton said.

HIPAA requires that each practice identify a security official to develop and implement security policies, implement procedures, and oversee and protect protected health information. According to Kelton, putting together a plan in advance is the most cost-effective way to ensure that data breaches don’t occur.

UCLA Health Cyber-Attack Affects Millions

The FBI is investigating the latest in a string of major cyber-attacks in the healthcare sector. UCLA Health confirms that information on 4.5 million individuals may have been exposed when hackers breached its network in an attack that appears to have begun last September.

UCLA Health says in a July 17 statement that it appears that "criminal hackers" accessed parts of the organization's computer network that contain personal and medical information. "UCLA Health has no evidence at this time that the cyber-attacker actually accessed or acquired any individual's personal or medical information," the statement notes.

UCLA Health includes four hospitals on two campuses - Ronald Reagan UCLA Medical Center; UCLA Medical Center, Santa Monica; Mattel Children's Hospital UCLA; and Resnick Neuropsychiatric Hospital at UCLA - and more than 150 primary and specialty offices throughout Southern California.

Other Cyber-Attacks

The attack on UCLA Health is the latest of several massive hacker assaults on healthcare sector organizations in recent months. Most of the largest attacks so far this year have been on health insurers. Those include attacks against: Anthem Inc., which resulted in a breach impacting more than 79 million individuals; Premera Blue Cross, which affected about 11 million; and CareFirst Blue Cross Blue Shield, which impacted 1.1 million.

The largest recent hacker attack against a provider organization was last August, when Community Health Systems reported a breach affecting 4.5 million individuals. "Forensic investigators have said that an advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the company's systems," according to Community Health System's 8-K filing to the U.S. Securities and Exchange Commission last year.

FBI Investigating

UCLA Health is working with investigators from the FBI, and has hired private computer forensic experts to further secure information on network servers, its statement says.

"We take this attack on our systems extremely seriously," says James Atkinson, the interim associate vice chancellor and president of the UCLA Hospital System. "We have taken significant steps to further protect data and strengthen our network against another cyber-attack."

UCLA Health says it detected suspicious activity in its network in October 2014, and began an investigation with assistance from the FBI. At that time, it did not appear that the attackers had gained access to the parts of the network that contain personal and medical information. "As part of that ongoing investigation, on May 5, 2015, UCLA Health determined that the attackers had accessed parts of the network that contain personal information such as names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers and some medical information.

Based on the continuing investigation, it appears that the attackers may have had access to these parts of the network as early as September 2014. We continue to investigate this matter."

The organization says there is no evidence yet that the hackers actually accessed or acquired individuals' personal or medical information. But because the organization cannot conclusively rule out the possibility that the attackers may have accessed the information, UCLA Health is offering all potentially affected individuals 12 months of free identity theft recovery and restoration services as well as additional healthcare identity protection tools.

In addition, individuals whose Social Security number or Medicare identification number was stored on the affected parts of the network will receive 12 months of free credit monitoring.

Healthcare as a Target

Privacy and security attorney Kirk Nahra of the law firm Wiley Rein says this latest breach affecting UCLA Health is just another sign "that clearly, the healthcare sector is under cyber-attack."

"People can no longer say, 'this won't happen to me.' It will happen to you," he says. Organizations not only need to beef up their security controls, but they also need to be on the lookout for fraud that involves stolen IDs, he says. "If UCLA Health's patients' records are stolen, then other healthcare providers down the street should be watching out" for fraudsters using the compromised data to obtain medical services or to commit other fraud, he warns.

Privacy and security attorney Ron Raether of the law firm Faruki Ireland & Cox P.L.L. says healthcare organizations are following financial institutions, data aggregators and retailers in becoming prime targets for hackers in search of valuable data that can be used to commit fraud.

"Hackers look for the most data for the least effort. Hospitals have a lot of information both current and historical without any real limits," he says. "The character of the data is of high value - not just treatment and the usual identifiers but also payment information and family history and other data which could be used in security questions."

Hospitals need to learn from lessons of other business sectors and invest in sound data governance practices, he adds.

Potential HIPAA Violations Found in LA County DPH Audit

An IT security audit at the L.A. County Department of Health (DPH) revealed potential HIPAA violations, and that there are several areas of improvement for DPH.

There need to be better system access controls, IT equipment control, and computer encryption, according to a report by the County of Los Angeles Department of Auditor-Controller. The review included testing system access to five systems DPH identified as mission critical, including systems containing sensitive health information. Physical security over IT equipment was also reviewed, along with computer encryption, antivirus software, equipment disposition, and IT security awareness training.

“DPH needs to restrict unneeded access to sensitive/confidential information in their systems, and determine whether unneeded access resulted in a HIPAA/HITECH violation,” the report stated.

In terms of inappropriate systems access, the Auditor-Controller explained that DPH did not remove systems access for 13 users after they were terminated from DPH employment. One of those employee accounts was used for three years after they were terminated to view PHI and to order laboratory tests for approximately 100 DPH clients, according to the report.

DPH’s attached response indicated they determined that a current employee used the terminated employee’s account in performing her job duties. The current employee failed to obtain her own system account, which violated County policy. However, she was authorized to view PHI and no reportable HIPAA/HITECH violation occurred. DPH indicates it has reminded IT managers to promptly remove terminated employee access. DPH is also developing a procedure to notify managers of personnel changes so they can immediately update systems access.

Device encryption is another area that needs improvement, according to the audit report. DPH needs to ensure that portable computers are encrypted because it is a Board Policy requirement. However, DPH did not have encryption documentation for 18 percent of its 1,773 portable computers. DPH also did not have enough detailed documentation, the report found, as the remaining items’ tag or serial numbers could not be matched to any of the computers in inventory.

“DPH’s response indicates they will recall all portable computers to validate and document that each device is encrypted,” the audit stated. “DPH also worked with the Chief Information Office to acquire software that will allow them to monitor the encryption status of all portable and desktop computers.”

One aspect of the audit that was especially disturbing is that DPH reportedly is lacking in its computer incident response. Specifically, the report stated that DPH managers/staff failed to report 131 missing or stolen IT equipment items to the Department’s Information Security Office (DISO) between 2011 and 2013.

Not only is this another Board Policy requirement, the oversight did not allow DISO to assess the impact of any of the data or software loss. Furthermore, DISO could not make required notifications to the Chief Information Office, the Auditor-Controller HIPAA Privacy Officer or the Auditor-Controller Office of County Investigations.

DPH’s response indicates they have reminded all employees to immediately report missing or stolen IT resources to their supervisor. DPH management also told us that subsequent to our review, they investigated and accounted for 100 (76%) of the 131 missing IT equipment items. Of the 31 that remain unaccounted for, DPH indicated that three could have contained PHI, but DPH indicated they believe the risk of a breach is low.
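The access-control finding above (accounts left enabled after termination, one of them used for years) is the kind of thing a periodic reconciliation of the HR roster against system accounts and access logs would have caught. The following is an added example, not part of the article or the audit report, with all rosters, accounts and log events constructed for illustration:

```python
"""Reconcile an HR roster against system accounts and access logs.

Added example (not from the article or the DPH audit). Flags two things the
audit described: accounts still enabled after the employee's termination
date, and system activity on an account after that date. All data here is
constructed; a real run would read HR exports and audit logs instead.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Employee:
    user_id: str
    terminated_on: Optional[date]  # None means still employed


@dataclass
class Account:
    user_id: str
    enabled: bool


@dataclass
class AccessEvent:
    user_id: str
    when: date
    action: str  # e.g. "view_phi", "order_lab_test"


def _termination_dates(employees: List[Employee]) -> Dict[str, date]:
    """Map user_id -> termination date for terminated employees only."""
    return {e.user_id: e.terminated_on for e in employees if e.terminated_on}


def find_stale_accounts(employees: List[Employee], accounts: List[Account]) -> List[str]:
    """Accounts that are still enabled although HR says the user was terminated."""
    terminated = _termination_dates(employees)
    return sorted(a.user_id for a in accounts if a.enabled and a.user_id in terminated)


def find_post_termination_activity(
    employees: List[Employee], events: List[AccessEvent]
) -> List[Tuple[str, str, str]]:
    """(user_id, ISO date, action) for every event dated after the user's termination."""
    terminated = _termination_dates(employees)
    hits = []
    for ev in events:
        end = terminated.get(ev.user_id)
        if end is not None and ev.when > end:
            hits.append((ev.user_id, ev.when.isoformat(), ev.action))
    return hits


def audit(employees: List[Employee], accounts: List[Account], events: List[AccessEvent]) -> dict:
    """Combine both checks and compute how long each stale account kept being used."""
    terminated = _termination_dates(employees)
    hits = find_post_termination_activity(employees, events)
    days_after: Dict[str, int] = {}
    for uid, when, _ in hits:
        # latest observed use, measured in days past the termination date
        gap = (date.fromisoformat(when) - terminated[uid]).days
        days_after[uid] = max(days_after.get(uid, 0), gap)
    return {
        "stale_accounts": find_stale_accounts(employees, accounts),
        "post_termination_events": hits,
        "days_used_after_termination": days_after,
    }


# Constructed sample data: one terminated user whose account was never
# disabled and kept being used, one terminated user handled correctly.
SAMPLE_EMPLOYEES = [
    Employee("asmith", None),
    Employee("jdoe", date(2011, 3, 15)),
    Employee("mlee", date(2012, 8, 1)),
]
SAMPLE_ACCOUNTS = [
    Account("asmith", True),
    Account("jdoe", True),   # should have been disabled in March 2011
    Account("mlee", False),  # disabled on termination
]
SAMPLE_EVENTS = [
    AccessEvent("asmith", date(2013, 5, 2), "view_phi"),
    AccessEvent("jdoe", date(2011, 3, 10), "view_phi"),        # before termination
    AccessEvent("jdoe", date(2012, 1, 20), "order_lab_test"),  # after termination
    AccessEvent("jdoe", date(2014, 3, 1), "view_phi"),         # almost three years later
    AccessEvent("mlee", date(2012, 7, 30), "view_phi"),
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_EMPLOYEES, SAMPLE_ACCOUNTS, SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```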

Following this audit, and a less than ideal audit at the L.A. County Probation Department, Supervisor Mark Ridley-Thomas requested that county staff report back on how feasible it would be to conduct annual IT and security review audits on all county departments. The Board of Supervisors unanimously approved the request, according to The Los Angeles Daily News.

“We want to foster accountability and transparency in the county, that’s the move we’re making,” Ridley-Thomas told the news source. “Our security, quality, safeguards and monitoring efforts need to keep up. We need to improve what we’re doing ... We need to step up our game.”

State AGs clash with Congress over data breach laws

Attorneys general from all 47 states with data breach notification laws are urging Congress not to preempt local rules with a federal standard.

“Any additional protections afforded consumers by a federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft,” they wrote in a letter sent to congressional leaders on Tuesday.

Lawmakers have been weighing a number of measures that would create nationwide guidelines for notifying customers in the wake of a hack that exposes sensitive information. Industry groups have argued that complying with the patchwork set of rules in each state is burdensome and costly.

The rapidly rising number of breaches at retailers, banks and government agencies has only raised pressure on Congress to pass legislation.

While the concept of a federal standard has bipartisan appeal, the two parties have split over whether to totally preempt state laws.

Democrats fear a nationwide rubric that preempts state law could weaken standards in states that have moved aggressively on data breach laws. Republicans fear that an overly strict federal standard could empower overzealous government regulators.

Lawmakers also disagree on what type of breaches should trigger a notification.

The differing views have spawned a cavalcade of bills on Capitol Hill, many of which would preempt state laws.

“Given the almost constant stream of data security breaches, state attorneys general must be able to continue our robust enforcement of data breach laws,” said Virginia Attorney General William Sorrell, who oversees a law that requires companies to notify officials within 14 days of discovering a breach, in a statement. “A federal law is desirable, but only if it maintains the strong consumer protection provisions in place in many states.”

Many state attorneys general, including Sorrell, favor a Senate data breach offering from Sen. Patrick Leahy (D-Vt.) and co-sponsored by five other Democrats.

Notably the bill does not preempt state laws that are stricter than the standard delineated in Leahy’s bill.

It also provides a broad definition of what type of information would constitute a notification-worthy breach. It includes photos and videos in addition to more traditional sensitive data such as Social Security numbers or financial account information.

But most important for states is retaining their ability to set their own standards.

“States should also be assured continued flexibility to adapt their state laws to respond to changes in technology and data collection,” the letter said. “As we have seen over the past decade, states are better equipped to quickly adjust to the challenges presented by a data-driven economy.”

Data Breaches on Record Pace for 2015

Data breaches in 2015 are on pace to break records both in the number of breaches and records exposed, the San Diego-based Identity Theft Resource Center said.

In 2014, the number of U.S. data breaches tracked by ITRC hit a record high of 783, with 85,611,528 confirmed records exposed.

So far this year, as of June 30, the number of breaches captured on the ITRC report totaled 400 data incidents, one more than on June 30, 2014. Additionally, 117,576,693 records had been confirmed to be at risk.

That is significant given the finding of the IBM Cost of Data Breach Study conducted by Ponemon Institute, which reported that the cost incurred for each lost or stolen record containing sensitive information averaged $154.

ITRC reported a significant jump of about 85% in the number of breaches in the banking sector over the same period last year. The biggest credit union breach so far this year took place at the $308 million Winston-Salem, N.C.-based Piedmont Advantage Credit Union, which notified its entire 46,000 membership in early March that one of its laptops containing personal information, including Social Security numbers, was missing.

Affected institutions are encouraged to participate in public comment on the assessment tool.

Year-to-date, the five industry sectors broken down by ITRC based on the percentage of breaches were business with 40.3%, medical/healthcare at 34.8%, banking/credit/financial representing 10%, educational with 7.8% and government/military reporting 7.3%.

Based on the number of confirmed records, the medical/healthcare sector reported 100,926,229 records breached, government/military reported 15,391,057, educational had 724,318, banking/credit/financial reported 408,377 and business had 126,712.

The ITRC 2015 Breach Report was compiled using data breaches confirmed by various media sources and/or notification lists from state governmental agencies.

Some breaches were not included in the report because they do not yet have reported statistics or remain unconfirmed, the firm said.

Neighbor Law: Getting Around HIPAA | Crozet Gazette

Nurses and medical administrators are not equipped to make legal decisions, nor would they want to, but they’re put in awkward positions by a federal law known as “HIPAA.” And who is shut out? Family, friends, neighbors and, by the way, reporters.

The ugly acronym stands for Health Information Portability and Accountability Act. In theory it confines an individual’s identifiable health information to health care providers. (To better effect, the law also makes it possible for an employee to transfer health insurance to a new job.)

The Act covers all types of health care agencies, from the ambulance to the pharmacy, from the hospital to the agency-employed nurse’s aide at home. It also allows information to be shared for research, for law enforcement functions, and other necessary exceptions. Hospitals may release information to the public when, in the hospital’s judgment, that would protect public health. Otherwise, the release of personally identifiable medical information by any of these “covered entities” could result in fines, and in extreme and rare instances, involving fraud and criminal intent, jail time. HIPAA is 563 pages long, filled with exceptions and nuances that aren’t well understood; thus, medical employees generally perceive that the prudent reaction is to say nothing, even when disclosure would be permitted or would be the compassionate thing to do.

When anyone inquires about the patient by name, HIPAA allows the health care facility to confirm (but not reveal) the name of a patient, which ward the patient is on, and the patient’s status or generalized condition (“fair”, “good”, etc.) so long as specific medical information is not revealed. The facility may do this if the patient has been given the chance to object first. When there is an emergency—or the patient is otherwise unable to give consent—the health care facility can release the information if the patient has named individuals or if the facility’s staff believes disclosure is in the individual’s best interest. This makes it very difficult, sometimes distressingly difficult, for family members (or reporters) to find injured people and know what happened.

And furthermore, the two Charlottesville hospitals have chosen to release less than what HIPAA allows. U.Va. and Martha Jefferson release only the patient’s condition if you have the patient’s name. A Martha Jefferson spokesperson says their concern is for the patient’s privacy, but in fact, it is legitimate to ask whether “privacy” is all that is at stake.

Some injuries concern the whole community. When a firefighter goes to the emergency room with smoke inhalation, it is a matter of public concern on many different levels, most important to his/her colleagues, witnesses, neighbors, friends, and reporters. Injury to a public servant, especially a first responder, should not be treated as a secret. Everyone cares.

Some injuries concern family who are far from the patient. If Grandma calls the hospital from New Zealand to find out what happened to her firefighter grandson who is in intensive care, U.Va. and Martha Jefferson will tell her only his generalized condition category, nothing else. Neither of our local hospitals will tell her that Grandson is in intensive care. Grandma has to fly here, be named on a list, or get her information from Mom, assuming she can get in touch. The hospitals will say, “Oh, she’ll learn soon enough,” eventually, sometime after a few hours of agonized waiting.

If Grandson is one of hundreds injured in a flood, the HIPAA rules say that information can be released without getting the individual’s consent in order for family members to find each other. However, according to a 2007 Troutman Sanders analysis done for Virginia Hospital and Healthcare Association, “The good news is that, during an emergency or disaster, there are numerous regular exceptions to HIPAA that will permit hospitals to share protected heath information with other providers, public health authorities and certain other designated parties. The bad news is that, even during a disaster, the majority of HIPAA requirements will remain in effect so hospitals must plan as if they will be responsible for fulfilling all HIPAA obligations even in the midst of a disaster.”

There are other ways around this. You, as patient, can be sure that your doctor has a list of people to whom your medical information may be released. More often now, HIPAA consent forms include a request for that information.

Disclosure of personal medical information is permitted to anyone involved with the patient’s health care, and this creates a list of possible sources outside “covered entities.” If Mom comes to the hospital with Grandson, she’s probably not going to have trouble getting information, nor is she restrained by HIPAA. Or, if a non-medical stranger brings an injured person to the emergency room, that Good Samaritan is not restrained by HIPAA. And in a similar way, when the firefighter goes to the hospital, the chief or a fellow firefighter may talk to a reporter because the fire department (and the police department) are not restrained by HIPAA. This assumes the fire chief can get the information from the hospital.

So while there are legitimate ways to get information, medical staff is confused by ambiguity and exceptions. Instead of erecting stone walls (and stony faces), application of HIPAA rules should be done with common sense plus compassion added in for the patient, family and friends. It is nearly impossible for medical staff to understand the advice from hospital lawyers and so they make the default, safe choice: say nothing.

4 in 10 Midsize Businesses Have Experienced A Data Breach

Most midsize business leaders view a data breach among their top risks and a majority consider IT security ‘very important’ when selecting a supplier, according to The Hartford’s survey of midsize business owners and C-level executives. They have good reason to be concerned: 43 percent had experienced a data breach in the prior three years, and 13 percent have had a supplier’s data breach impact their business information.

The Hartford survey found most midsize business leaders (82 percent) consider a data breach at least a minor risk to their business. Nearly one-third (32 percent) view it as a major risk.

“All types of businesses have networks and networks can be vulnerable to a breach,” said Joe Coray, vice president of The Hartford’s Technology & Life Science Practice. “As we have seen in recent years, a breach involving a supplier or vendor can impact a business as much as a breach of its own IT systems. Whether businesses are hosting their data internally or entrusting it to external business partners, it is important that they validate how their information is being secured.”

Recognizing the data risks involving suppliers, more than half of the midsize business leaders (53 percent) surveyed consider IT security and data protection practices very important when selecting a supplier. By comparison, 36 percent consider a supplier’s contingency planning and 28 percent view a supplier’s location relative to their business as very important.

Website Error Leads to Data Breach

An error in a coding upgrade for a Blue Shield of California website resulted in a breach affecting 843 individuals. The incident is a reminder to all organizations about the importance of sound systems development life cycle practices.

In a notification letter being mailed by Blue Shield of California to affected members, the insurer says the breach involved a secure website that group health benefit plan administrators and brokers use to manage information about their own plans' members. "As the unintended result of a computer code update Blue Shield made to the website on May 9," the letter states, three users who logged into their own website accounts simultaneously were able to view member information associated with the other users' accounts. The problem was reported to Blue Shield's privacy office on May 18.

Blue Shield of California tells Information Security Media Group that the site affected was the company's Blue Shield Employer Portal. "This issue did not impact Blue Shield's public/member website," the company says. When the issue was discovered, the website was promptly taken offline to identify and fix the problem, according to the insurer.

"The website was returned to service on May 19, 2015," according to the notification letter. The insurer is offering all impacted individuals free credit monitoring and identity theft resolution services for one year.

Exposed information included names, Social Security numbers, Blue Shield identification numbers, dates of birth and home addresses. "None of your financial information was made available as a result of this incident," the notification letter says. "The users who had unauthorized access to PHI as a result of this incident have confirmed that they did not retain copies, they did not use or further disclose your PHI, and that they have deleted, returned to Blue Shield, and/or securely destroyed all records of the PHI they accessed without authorization."

The Blue Shield of California notification letter also notes that the company's investigation revealed that the breach "was the result of human error on the part of Blue Shield staff members, and the matter was not reported to law enforcement authorities for further investigation."

Similar Incidents

The coding error at Blue Shield of California that led to the users being able to view other individuals' information isn't a first in terms of programming mistakes on a healthcare-sector website leading to privacy concerns.

For example, in the early weeks of the launch of HealthCare.gov in the fall of 2013, a software glitch allowed a North Carolina consumer to access personal information of a South Carolina man. The Department of Health and Human Services' Centers for Medicare and Medicaid Services said at the time that the mistake was "immediately" fixed once the problem was reported. Still, the incident raised more concerns about the overall security of the Affordable Care Act health information exchange site.

Software design and coding mistakes that leave PHI viewable on websites led to at least one healthcare entity paying a financial penalty to HHS' Office for Civil Rights.

An OCR investigation of Phoenix Cardiac Surgery P.C., with offices in Phoenix and Prescott, began in February 2009, following a report that the practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.

The investigation determined the practice had implemented few policies and procedures to comply with the HIPAA privacy and security rules and had limited safeguards in place to protect patients' information, according to an HHS statement. The investigation led to the healthcare practice signing an OCR resolution agreement, which included a corrective action plan and a $100,000 financial penalty.

The corrective action plan required the physician practice, among other measures, to conduct a risk assessment and implement appropriate policies and procedures.

Measures to Take

Security and privacy expert Andrew Hicks, director and healthcare practice lead at the risk management consulting firm Coalfire, says that to avoid website-related mistakes that can lead to privacy breaches, it's important that entities implement appropriate controls as well as follow the right systems development steps.

"Organizations should have a sound systems development life cycle - SDLC - in place to assess all systems in a production environment, especially those that are externally facing," he says. "Components of a mature SDLC would include code reviews, user acceptance testing, change management, systems analysis, penetration testing, and application validation testing."

Healthcare entities and business associates need to strive for more than just HIPAA compliance to avoid similar mishaps, he notes.

"Organizations that are solely seeking HIPAA compliance - rather than a comprehensive information security program - will never have the assurance that website vulnerabilities have been mitigated through the implementation of appropriate controls," he says. "In other words, HIPAA does not explicitly require penetration testing, secure code reviews, change management, and patch management, to name a few. These concepts are fundamental to IT security, but absent from any OCR regulation, including HIPAA."

Earlier Blue Shield Breach

About a year ago, Blue Shield of California reported a data breach involving several spreadsheet reports that inadvertently contained the Social Security numbers of 18,000 physicians and other healthcare providers.

The spreadsheets submitted by the plan were released 10 times by the state's Department of Managed Health Care. In California, health plans electronically submit monthly to the state agency a roster of all physicians and other medical providers who have contracts with the insurers. Those rosters are supposed to contain the healthcare providers' names, business addresses, business phones, medical groups and practice areas - but not Social Security numbers. DMHC makes those rosters available to the public, upon request.

Data breach costs on the rise, according to annual Ponemon Institute study

Given the number and severity of publicized data breaches over the past year, it should come as little surprise that the average cost of a data breach is on the rise. According to the “2015 Cost of Data Breach Study: Global Analysis,” which was conducted by the Ponemon Institute and sponsored by IBM, the average cost of a data breach increased from $3.52 million in last year’s study to $3.79 million in this year’s edition.

While the year-over-year jump may seem small, the rise actually represents a 23 percent increase in the total cost of a data breach since 2013. The research, which included responses from personnel at 350 companies spanning 11 different countries, also found that lost business as the result of a data breach potentially has the most severe financial consequences for organizations, as these costs increased from an average of $1.33 million last year to $1.57 million in 2015. Lost business costs include abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill.

Diana Kelley, executive security advisor for IBM Security, said one thing that really stood out to her was the root causes of data breaches examined in the study, the largest share of which (47 percent) were found to be the result of malicious or criminal attacks. The study found that the average cost per record to resolve such an attack is $170, compared to system glitches, which cost $142 per record to resolve, and human error or negligence, which cost $134 per record to correct.

“That indicates something that we’ve seen in other studies that this is organized criminal activity for data breaches,” she said. “We’re moving past the random, somebody left their laptop in a car, and we’re really looking at very targeted attacks from organized criminals.”

Kevin Beaver, an IT security consultant with Atlanta-based Principle Logic LLC, said that data breaches continue to persist on such a massive scale because many companies mistakenly believe they can just buy a piece of security technology that will take care of all of their problems.

“It doesn't work that way,” he said. “Even if you have the very best of security controls you still have to have ongoing oversight and vulnerability testing because things are going to fall through the cracks.”

Another common issue, according to Beaver, is that companies simply place too much trust in employees and vendors.

“It's always best to err on the side of caution and put the proper controls in place so everyone, and especially the business, are set up for success. Another big issue I see is all the organizations, especially in the healthcare industry, that believe their high-level audits and policies are sufficient for minimizing their risks. They're not. Unless and until you test for - and resolve - the growing amount of security vulnerabilities on your network, you're a sitting duck waiting to be made to look bad,” said Beaver. “This is especially true of social engineering (i.e., phishing) testing. It's unbelievable how many people are still gullible and give up their network credentials or other sensitive info without question.”

Although data breaches that involve the theft of credit or debit card numbers seem to carry a greater amount of weight with the media and the public in general, Kelley said the data shows that things such as protected health information (PHI) and other personal data are more coveted by hackers because they have a longer lifespan for resale. Kelley advises companies to identify what their “crown jewels” are from a data perspective and to conduct threat assessments and risk modeling around protecting those assets.

“I think organizations need to look at the big picture. We do see evidence of more sophisticated criminal, organized attacks. On the other hand, we can’t forget all of the good security hygiene and just try and focus on what’s the next big scary attack,” said Kelley. “We have to do a very robust, layered set of security throughout our organization to include security awareness and training and monitoring. You’re looking for anywhere in that stack where there could be an exposure or there could be a vulnerability. Companies need to not just think about the big attack, but really think about a robust security model because that is going to help prevent the smaller attacks, as well as the larger attacks.”

Perhaps one of the study’s silver linings is that the involvement of a company’s board-level managers was found to help reduce costs associated with data breaches by $5.5 per record. Insurance protection was also found to reduce cost by $4.4 per record. Despite the increased awareness and involvement by senior leadership, Kelley said companies cannot completely protect against the threats posed by hackers.

“It’s important to remember that awareness and ability to stop something aren’t necessarily always aligned. If we look in the real world, we’re all very aware and highly concerned about something like cancer, but preventing it is very, very difficult,” said Kelley. “We can have the C-suite be very aware of security, but still some companies are at different levels of maturity. Attackers, they are, again, organized and sophisticated, so the level of prevention and controls you need in place to stop the attacks is very high. The fact that we still have attacks going on doesn’t mean companies aren’t putting security controls into place.”   

However, Beaver adds that while some executives may say and do all of the right things in public when it comes to their data protection efforts, the reality is some of them are just paying lip service to the issue.

“It's all about policies and related security theater to appease those not savvy enough - or politically powerful enough - to look deeper or question things further,” said Beaver.  

Conversely, Beaver said that there are a lot of companies who are taking the right approach to cybersecurity, which involves recognition by senior management of the seriousness of the issue.

“I see many organizations doing security well,” he added. “The key characteristics of well-run security are: executive acknowledgement of the challenges, ongoing financial and political support for IT and security teams, periodic and consistent security testing, and the willingness to make changes where changes need to be made - even if it's not politically favorable.”

Another bright spot in the study was that it found a correlation between organizational preparedness and reduced financial impact of a data breach. Companies that employed some level of business continuity management (BCM) within their organization were able to reduce their costs by an average of $7.1 per compromised record.

“Companies that brought in an incident response team or had an incident response program in place were able to save $12.60 per record,” added Kelley. “The biggest takeaway is to get some kind of plan in place. Have business continuity, have an incident response plan in place and be continually detecting and monitoring activity on the network so that if a breach is occurring, you can either see the very beginning of it or you can see one in process and respond as quickly as possible to reduce the impact to the business.”

Even the Federal Government Can’t Hide: How a High-End Cyberattack Breached One of the Most “Protected” Systems

With data breaches being the quickly trending “flavor of the month” criminal activity, it’s no shock that on June 4, 2015 yet another system was hit. This time though, it may be one of the largest cyberattacks in U.S. history—compromising as many as 4 million current and former federal employees’ information. The U.S. Office of Personnel Management (OPM) handles security clearances and background checks and although many would assume that its security is top-notch, the facts on the ground reveal that every place taking in sensitive information—including the government—must update its privacy infrastructure.

In his press statement on Thursday, Rep. Adam Schiff, the ranking member of the House Permanent Select Committee on Intelligence, echoed that sentiment and stated that “Americans may expect that federal computer networks are maintained with state of the art defenses [but] it’s clear a substantial improvement in our cyber-databases defenses is perilously overdue.” This does not only apply to systems of this magnitude.

Any business that maintains databases with private information must invest in the proper privacy infrastructure necessary to protect that information. Cyberattacks do not discriminate. From major retailers to well-respected state universities, data breaches run the gamut, and from the looks of Thursday’s attack, they are getting more sophisticated. OPM is now working closely with the FBI and the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team to attempt to identify the extent of the harm to federal personnel. But not everyone has the luxury of the entire U.S. government as a “crisis manager,” so preventive measures for businesses will make a difference.

At this time, one of the most troubling facts of cyberattacks is that the source is difficult to locate. Sen. Susan Collins, a member of the Senate Intelligence Committee, said the hack was “extremely sophisticated,” and “that points to a nation state” as the responsible party, likely China. No conclusive source has been discovered yet but the lesson here is clear—with private information being involved in almost every aspect of business, measures must be taken to protect it.

Patients Demand the Best Care … for Their Data

Whether it’s a senior’s first fitting for a hearing aid, or a baby boomer in for a collagen injection, both are closely scrutinizing new patient forms handed to them by the office clerk.  With 100 million medical records breached and stolen to date, patients have every reason to be reluctant when they’re asked to fill out forms that require their social security number, driver’s license, insurance card and date of birth — all the ingredients for identity fraud.  Patients are so squeamish about disclosing their personal information, even Medicare has plans to remove social security numbers on patients’ benefits cards.

Now patients have as much concern about protecting their medical records as they do about receiving quality care, and they’re getting savvy about data protection.  They have every right to be assured by their physician that his practice is as concerned about their privacy as he is about their health.

But despite ongoing reports of HIPAA violations and continuous breaking news about the latest widespread patient data breach, medical practices continue to treat ePHI security as a lesser priority. And they neglect to train front office staff, so the patient who now asks a receptionist where the practice stores her records either gets a quizzical look, is told the records are protected in an EHR with no explanation of how, or is told they are filed in a bank box in “the back room” with no explanation of why.

In some cases, the practice may hide the fact that office staff is throwing old paper records in a dumpster. Surprisingly this happens over and over.  Or, on the dark side, the receptionist accesses the EHR, steals patients’ social security numbers and other personal information and texts them to her criminal boyfriend for medical identity theft.

Another cybercrime threatening medical practices comes from hackers who attack a server through malware and encrypt all the medical files.  They hold the records hostage and ask for ransoms.  Medical records can vanish and the inability to access critical information about a patient’s medical condition could end up being life threatening.

Physicians should not only encrypt all mobile devices, servers and desktops, regularly review system activity, back up their servers and have a disaster recovery plan in place; they should also share their security practices and policies with the patient who asks how the office is protecting her records.

Otherwise, the disgruntled patient whose question about security is dismissed won’t only complain to her friends over coffee, she’ll spread the word on Facebook.  Next time a friend on Facebook asks for a referral the patient tells her not to go to her doctor — not because he’s an incompetent surgeon but because he doesn’t know the answer when she asks specifically if the receptionist has unlimited access to her records.

And word gets out through social media that the practice is ‘behind the times.’ The doctor earns a reputation for not taking the patient’s question seriously, and for not putting the proper measures in place to secure the patient’s data. This is the cockroach running through the restaurant that ends up on Yelp.

It’s time to pull back the curtain and tell patients how you’re protecting their valuable data.  Hand them a HIPAA security fact sheet with key measures you’ve put in place to gain their confidence.  For example, our practice:

  • Performs annual risk assessments, with additional security implemented, including encryption and physical security of systems that contain patient information
  • Shows patients that the organization has policies and procedures in place
  • Trains employees on how to watch for breach risks
  • Gives employees limited access to medical records
  • Backs up systems daily
  • Reviews system activity regularly

Practices that communicate to patients how they are protecting their information, whether it’s provided by the front office staff, stated in a fact sheet or displayed on their websites, not only instill confidence and maintain their reputations, they actually differentiate themselves in the marketplace and attract new patients away from competitors.
