Breaking Compliance News Blog

Anthem Makes HIPAA History

Posted by Margaret Scavotto, JD, CHC on 10/16/18 3:43 PM

In early 2015, Anthem announced the largest healthcare cyber-attack America has seen. Hackers accessed records of 79 million people. Affected patients brought class action lawsuits against Anthem. In 2017, the lawsuits settled for $115 million.

Yesterday, the OCR announced it has settled the underlying HIPAA violations of this data breach for a whopping $16 million. This settlement far exceeds the next-highest HIPAA settlement we have seen ($5.5 million), and brings 2018's average HIPAA settlement amount up to $4,978,000.

The OCR reported that hackers were able to infiltrate Anthem's system after at least one employee clicked on a spear phishing email. The OCR also found that Anthem: "failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014."

What you can do

Your HIPAA security strategy needs to address the HIPAA Security Rules. If you haven't already done so, conduct a HIPAA security risk analysis (or update yours, if it's time). Review HIPAA Security administrative, technical and security safeguards to make sure you have implemented measures to mitigate risks that could subject your organization to an attack.

And, don't forget to train your staff. The OCR noted that the Anthem breach started when potentially a single employee clicked on a spear phishing email.  You could have the most sophisticated HIPAA security defense available - but if employees can't recognize suspicious emails, you are still vulnerable to cyber-attacks.

New Call-to-action

 

Read More

Topics: security, data breach, HIPAA

The Threat of Nation-State Sponsored Cyber Attacks

Posted by Scott Gima on 7/31/18 7:13 AM

 

The public continues to be bombarded by the media coverage and debate of President Trump’s support or non-support of the U.S. intelligence agencies’ position on Russia. What has taken a backseat is the substance and urgency of a possible cyber-attack. The purpose of this blog is to discuss the threats and its relevance to covered entities and business associates.

On Friday, July 13, 2018, Dan Coats, the director of National Intelligence spoke at the Hudson Institute and discussed the current national security threats against the US. He equated the current risk of a cyber-attack to terrorist attack threats prior to September 11, 2001. The following are a few quotes from his speech:

     In 2001, our vulnerability was heightened…At the time, intelligence and law enforcement communities               were identifying alarming activities that suggested that an attack was potentially coming to the United                 States. It was in the months prior to September 2001 when, according to then CIA Director George Tenet,         the system was blinking red. And here we are nearly two decades later, and I'm here to say the warning             lights are blinking red again. Today, the digital infrastructure that serves this country is literally under attack.

     Every day, foreign actors — the worst offenders being Russia, China, Iran and North Korea — are                     penetrating our digital infrastructure and conducting a range of cyber intrusions and attacks against targets       in the United States. The targets range from U.S. businesses to the federal government (including our               military), to state and local governments, to academic and financial institutions and elements of our critical         infrastructure — just to name a few.

     All of these disparate efforts share a common purpose: to exploit America's openness in order to undermine       our long-term competitive advantage.

Threat to Healthcare Providers?

Mr. Coats never mentions healthcare providers. So does this mean there is nothing to worry about? Probably not.

Back in January, the Washington Post reported about NotPetya, a 2017 a Russia-sponsored cyber-attack against Ukraine, designed to disrupt their financial system. The ransomware wiped computer data from banks, energy firms, and senior government officials. While 50% of affected computer systems were located in the Ukraine, the attack spread across the globe and affected systems in Denmark, India and the United States. Half of the victims were unintended targets of the attack.

If government-sponsored cyber-attacks are imminent, the NotPetya attack reminds us that another attack can easily result in collateral damage against unintended victims. Healthcare providers could easily become collateral damage, especially those who have not adequately prepared for a ransomware attack. In the healthcare context, that collateral damage can include costly HIPAA Breaches, and, more alarmingly, patient harm due to lack of utilities and electronic medical records.

Mr. Coats’ “red-flag” warning makes clear that cyber-security measures must be in place. The OCR recommends the following preventative security measures as part of HIPAA compliance:

  • Complete a security management process, which includes a risk analysis and implementing security measures to mitigate or remediate those identified risks
  • Implementing policies and procedures to guard against and detect malicious software
  • User training so staff can assist in detecting and report attacks
  • Implementing access controls to limit access to ePHI to only persons or software programs requiring access.

 

HIPAA on a budget:  Get HIPAA compliant with MPA's  HIPAA Tool Kit

Read More

Topics: data breach, HIPAA, security

Is your EHR ready for ransomware?

Posted by Scott Gima on 2/28/18 7:02 AM

In January 2018, EHR vendor Allscripts was a target of a ransomware attack that took down several of its applications, including its EHR and patient management/scheduling systems. FierceHealthcare reported the following notice from Allscripts: “While we cannot guarantee that the hosted Professional suite and hosted Allscripts PM service will be fully restored to all clients on Monday, Jan. 22, we do currently expect to return meaningful service to the majority of clients over the next 12-24 hours."

For example, a medical group was unable to use Allscripts’ e-prescribing system after the ransomware attack. Others could not access their EHR.

The use of cloud-based applications has increased providers’ reliance on EHR vendor security measures. A detailed contract that states standards for EHR data protection is a start. But it only provides the ability to seek legal and financial remedies if the EHR vendor fails to meet its contractual obligations. It does nothing to guarantee uninterrupted access to your data.

A copy of your EHR data that is saved to an on-site computer is the only way to ensure access. A mirror backup provides an exact copy of the data. The technology allows updates to the mirror backup every 15 minutes. When selecting an EHR vendor, the availability of a mirror backup must be a key selection criteria. A local copy of the EHR application is also needed. Without it, the data is useless.

Read More

Topics: records, data breach, HIPAA

What’s In Your Envelope? HIPAA Wants to Know.

Posted by Margaret Scavotto, JD, CHC on 10/25/17 7:05 AM

This summer, Aetna made headlines when it used a contractor to send a mailing to 12,000 members. The mailing involved letters sent in windowed envelopes typical of mass business mailings. For some patients, the following language, revealing the members’ HIV status, was visible through the envelope window: “The purpose of this letter is to advise you of the options…Aetna health plan when filling prescriptions for HIV Medic…members can use a retail pharmacy or a mail order pharma….”

This breach of sensitive patient information had health care providers scratching their heads: We didn’t think about this as a risk. How can we possibly anticipate every possible HIPAA breach?

Four months later, we see another HIPAA gaffe involving – yes – a mass mailing. This time, the breach involved a not-for-profit community health plan that provides care and coverage to Medicaid patients with chronic health conditions – like HIV.

The health plan mailed flyers to HIV patients, promoting an HIV research project. The mailroom was careful to assemble the mailing so that no PHI was visible through the envelope window. But, the language “Your HIV detecta” could potentially be seen through the paper envelope.

What’s a provider to do?

Providers are already scrambling to keep up with skyrocketing cyber threats to their ePHI. These two envelope breaches are reminders that HIPAA risks are everywhere, and a HIPAA Privacy Officer’s job never ends. How do we prevent breaches that seem so hard to anticipate?

  • Remember that paper still counts. Yes, healthcare is the #1 target of cyber-attacks. But paper breaches are still very common, and need our attention, too.
  • Use your security risk analysis. Make an ePHI inventory.Then, expand it to include paper and verbal PHI. Include all ways PHI is stored, used, disclosed, and accessed. This should cast a wide net, and capture paper mailings.
  • Use a team approach. When it comes to identifying risks in a diverse and evolving field, more heads are better than one. Talk to your Compliance Committee regularly about HIPAA. Constantly ask people what they are working on, so you can identify HIPAA risks where others may have overlooked them.
  • Keep an eye on your neighbors. These two envelope examples are a cautionary tale for other providers. Watch the headlines and OCR settlements and guidance. Find out how other providers experienced breaches, and do everything you can to prevent them in your own organization.

New Call-to-action

Read More

Topics: HIPAA, data breach

    Privacy Policy           Terms of Use