The U.S. Department of Health and Human Services (“HHS”) recently released a publication entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” which sets forth a “common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes” to improve cybersecurity in the health care and public health sector. This publication was developed by a task group consisting of more than 150 health care and cybersecurity experts from the public and private sectors and focuses upon the “five most prevalent cybersecurity threats and the ten cybersecurity practices to significantly move the needle for a broad range of organizations” in the health care industry.

The five cybersecurity threats addressed in the publication are: (i) e-mail phishing attacks; (ii) ransomware attacks; (iii) loss or theft of equipment or data; (iv) insider, accidental or intentional data loss; and (v) attacks against connected medical devices that may affect patient safety.

The publication recognizes that cybersecurity recommendations will largely depend upon an organization’s size. Therefore, the publication is broken up into two separate technical volumes that are intended for IT and IT security professionals: (i) Technical Volume 1, which discusses ten cybersecurity practices for small health care organizations and (ii) Technical Volume 2, which discusses ten cybersecurity practices for medium-sized and large health care organizations. Specifically, the ten cybersecurity practices described in the Technical Volumes are as follows:

After eleven years of litigation, including two decisions by the Connecticut Supreme Court, Byrne v. Avery Center for Obstetrics and Gynecology, P.C. has finally reached a verdict. Last month, the jury awarded the plaintiff $853,000 in damages in connection with her physician practice’s 2005 release of medical records in response to a non-HIPAA-compliant subpoena. The subpoena was issued in connection with a paternity suit brought by the plaintiff’s former boyfriend, a man with whom the plaintiff had specifically asked her physician practice not to share her medical information.

Without speculating too much about its judicial progeny, Byrne nevertheless highlights several areas of HIPAA compliance that should be areas of heightened review for physicians and medical providers now. Please click here for a detailed analysis of this verdict and its implications for providers.

On December 12, 2018, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) released a Request for Information (“RFI”) “to assist OCR in identifying provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) privacy and security regulations that may impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities (including hospitals, physicians, and other providers, payors, and insurers), without meaningfully contributing to the protection of the privacy or security of individuals’ protected health information.” Through this RFI, OCR seeks public comment regarding whether and how the HIPAA Privacy and Security Rules could be revised to promote value-based care and care coordination without jeopardizing individuals’ rights to privacy. OCR will accept comments through February 12, 2019.

Specifically, OCR has requested comments regarding the following four topics:

The Upper San Juan Health Service District d/b/a Pagosa Springs Medical Center (“PSMC”), a critical access hospital in Colorado, has agreed to a $111,400 settlement with the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) to resolve a complaint alleging that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar because PSMC failed to deactivate the former employee’s username and password following termination of employment. OCR investigated the complaint and discovered that PSMC impermissibly disclosed the protected health information (“PHI”) of 557 patients to the former employee. Moreover, OCR determined that PSMC did not have a Business Associate agreement in place with the vendor of the web-based scheduling calendar.

The Resolution Agreement also includes a two-year Corrective Action Plan. Under the Corrective Action Plan, PSMC must: (i) revise its policies and procedures relating to Business Associates and uses and disclosures of PHI; (ii) submit proposed training materials on the revised policies and procedures for OCR’s review and train workforce members in accordance with the approved training materials; (iii) develop a current Risk Analysis and submit such analysis to OCR for review; and (iv) upon OCR’s approval of the Risk Analysis, provide OCR with a risk management plan that addresses and mitigates the security risks and vulnerabilities identified in the Risk Analysis and documentation that the risk management plan is being implemented.

The Resolution Agreement and Corrective Action Plan are available here.

Our take:

HIPAA requires covered entities and business associates to terminate a workforce member’s access to all systems and databases containing PHI upon the date the workforce member’s employment, or other arrangement with the entity, ends. The PSMC settlement serves as a reminder that the electronic health record is not the only database for which access must be terminated. HIPAA entities should develop a checklist that identifies all systems and databases containing PHI to ensure all access to PHI is terminated upon a workforce member’s separation from the entity.
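The checklist recommended above only works if it is reconciled against every system on it, including vendor-hosted ones such as the scheduling calendar in the PSMC matter. The following script is an added example, not code from the post or from OCR; it assumes a hand-maintained inventory of PHI-bearing systems and per-system account snapshots (here constructed sample data rather than real admin-API output) and reports, for a separated worker, where access is still active, where a login occurred after the separation date, and which inventoried systems returned no account for that person and therefore still need manual confirmation.

```python
"""Offboarding access reconciliation against a PHI system inventory.

Added example (not from the post). Assumptions: PHI_SYSTEMS is the entity's
inventory of every system that holds PHI, and SNAPSHOT is what each system's
administrator export or API reported about accounts. Both are constructed here.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    system: str
    identifier: str          # username or e-mail as that system knows it
    active: bool
    last_login: Optional[date]


@dataclass
class Worker:
    name: str
    identifiers: set[str]    # every login name / e-mail the person used anywhere
    separated_on: date


# Constructed inventory. The vendor-hosted calendar is listed on purpose: a
# system missing from this list is never checked, which is the PSMC failure.
PHI_SYSTEMS = ["ehr", "vpn", "email", "scheduling-calendar (vendor)", "backup-portal"]

# Constructed account snapshot for one hypothetical worker, "jdoe".
SNAPSHOT = [
    Account("ehr", "jdoe", False, date(2018, 3, 2)),
    Account("vpn", "jdoe", False, date(2018, 3, 1)),
    Account("email", "jdoe@example-clinic.test", False, date(2018, 3, 2)),
    # Vendor system uses a different identifier and was never deprovisioned.
    Account("scheduling-calendar (vendor)", "john.doe", True, date(2018, 5, 14)),
]


def reconcile(worker: Worker, snapshot: list[Account], systems: list[str]) -> dict:
    """Return findings for one separated worker across the PHI inventory."""
    ids = {i.lower() for i in worker.identifiers}
    findings = {"still_active": [], "login_after_separation": [], "unverified": []}
    seen: set[str] = set()
    for acct in snapshot:
        if acct.identifier.lower() not in ids:
            continue
        seen.add(acct.system)
        if acct.active:
            findings["still_active"].append(acct.system)
        if acct.last_login and acct.last_login > worker.separated_on:
            findings["login_after_separation"].append(acct.system)
    # Inventoried systems with no matching account: either the person never had
    # one or the identifier mapping is incomplete. Either way, confirm manually.
    findings["unverified"] = [s for s in systems if s not in seen]
    return findings


def is_clean(findings: dict) -> bool:
    """True only when every inventoried system was checked and access is gone."""
    return not any(findings.values())


if __name__ == "__main__":
    jdoe = Worker("J. Doe", {"jdoe", "jdoe@example-clinic.test", "john.doe"},
                  date(2018, 3, 2))
    result = reconcile(jdoe, SNAPSHOT, PHI_SYSTEMS)
    for category, systems in result.items():
        print(f"{category}: {systems}")
    print("clean" if is_clean(result) else "action required")
```

Treat the "unverified" bucket as seriously as the "still active" one: an offboarding that reports nothing for a vendor system has not proven anything about that system.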

A few months ago we posted an update on the California Consumer Privacy Act, a mini-GDPR that contains serious privacy ramifications for the U.S. privacy landscape. Likely in response to the upcoming 2020 go-live for the California law, various groups have noticed an uptick in lobbying directed at the passage of a federal privacy law that would pre-empt the California law and help harmonize the various state laws. Pushing to the front of that effort is a new draft federal privacy law proposed by Intel.

The Intel law looks to be written specifically to pre-empt the California law, as it contains language that would pre-empt any state law with civil provisions designed to reduce privacy risk through the regulation of personal data. This pre-emption contains limited exceptions for state data-breach, contract, consumer protection, and various other laws, but it would drive a hole through California’s law. Furthermore, Intel’s proposed law could pre-empt various specific laws, such as the Illinois biometric data protection law, and because it does not include any notice provision, it would rely on state breach-notification statutes to surface violations in the first place.

Beyond frustrating state attempts at personal information regulation, the law creates penalty caps that result in disproportionate punishments for smaller and mid-size security incidents and allow larger incidents, typical of a larger company, to operate on an eat-the-fine basis. For example, the Equifax breach from earlier this year affected 143 million Americans. If regulators chose to bring an action, the maximum penalties for the action could be up to $16,500 per violation, which works out to a maximum penalty of 2.3 trillion dollars. The penalty cap, however, was set at 1 billion dollars, meaning the largest data breaches will face the lowest penalty per impacted individual.

Our take

This proposed national privacy law would primarily serve the interests of the largest players in the tech and data industry, while providing harsher relative penalties to smaller and mid-size players. This law or something similar is likely to see serious political debate in the next few years as lobbying efforts intensify. Expect the heat to turn up as we near January 1, 2020.

On November 2, 2018, the Office of the NJ Attorney General and the NJ Division of Consumer Affairs (collectively, the “State”) announced a $200,000 settlement with the now-dissolved ATA Consulting, LLC, which did business as Best Medical Transcription, (“Best Medical”), and its owner, Tushar Mathur. The settlement resolves allegations involving Best Medical’s role in a 2016 breach that affected more than 1,650 patients of Virtua Medical Group (“VMG”), a network of medical and surgical practices in southern New Jersey. Notably, in addition to civil penalties and reimbursement of attorneys’ fees and investigative costs, the settlement permanently bars Mathur from managing or owning a business in New Jersey.

VMG had contracted with Best Medical for the provision of transcription services. Specifically, three VMG practices submitted dictations of doctors’ letters, medical notes, and other reports to Best Medical through a telephone recording service. Best Medical would then upload the recorded sound files to a password-protected File Transfer Protocol (“FTP”) site and Best Medical’s subcontractor transcribed the dictations into text documents, which were subsequently posted on the FTP site.

In January 2016, it was discovered that the FTP site was inadvertently misconfigured by Mathur during a software update, which changed the security restrictions such that the FTP site was accessible over the internet without the need for any authentication. The files had been indexed by Google, which meant that an individual conducting a Google search using search terms that happened to be included in the dictations could have obtained search results with links to access and download the exposed files. VMG learned of the incident when it received a phone call from a patient indicating that her daughter had found portions of her medical records through a Google web search. VMG had not received notice of the breach from Best Medical.
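The Best Medical exposure is a configuration-drift failure: a software update rewrote the server's settings and the hardened values silently fell back to defaults. The check below is an added example, not code from the post or from the parties involved; it assumes a vsftpd-style key=value configuration file (vsftpd's real option names and the defaults documented in vsftpd.conf(5) are used; confirm them against the installed version) and shows a post-update audit that flags any ePHI-relevant setting whose effective value, whether explicitly set or inherited from a default, no longer matches the required baseline. The two configuration texts are constructed to mirror the before and after of such an update.

```python
"""Post-update configuration drift audit for an FTP site holding ePHI.

Added example (not from the post). Assumes a vsftpd-style config; the option
names are vsftpd's own, the defaults are those documented in vsftpd.conf(5)
(verify for your version), and the two config texts below are constructed.
"""

# Baseline every ePHI-bearing FTP site must meet, with the value that closes the exposure.
REQUIRED = {
    "anonymous_enable": "NO",         # no access without credentials
    "anon_upload_enable": "NO",
    "ssl_enable": "YES",              # credentials and files not sent in clear text
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
}

# What vsftpd uses when a key is absent from the file (per its manual page).
# A missing key is the dangerous case: an update that drops a line re-enables
# whatever the default is, and anonymous_enable defaults to YES.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
}

# Constructed: hardened file as deployed before the update.
CONFIG_BEFORE = """
listen=YES
local_enable=YES
write_enable=YES
anonymous_enable=NO
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

# Constructed: file as rewritten by the update, hardened lines gone.
CONFIG_AFTER = """
# generated by installer
listen=YES
local_enable=YES
write_enable=YES
"""


def parse_config(text: str) -> dict[str, str]:
    """Parse key=value lines; '#' starts a comment, values are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().upper()
    return settings


def effective(settings: dict[str, str], key: str) -> tuple[str, str]:
    """Return (value, source) where source is 'set' or 'default'."""
    if key in settings:
        return settings[key], "set"
    return DEFAULTS[key], "default"


def audit(text: str) -> list[dict]:
    """List every required setting whose effective value misses the baseline."""
    settings = parse_config(text)
    findings = []
    for key, want in REQUIRED.items():
        got, source = effective(settings, key)
        if got != want:
            findings.append({"key": key, "observed": got, "source": source, "required": want})
    return findings


def drift(before: str, after: str) -> list[str]:
    """Keys in the baseline whose effective value changed across the update."""
    b, a = parse_config(before), parse_config(after)
    return [k for k in REQUIRED if effective(b, k)[0] != effective(a, k)[0]]


if __name__ == "__main__":
    print("before update:", audit(CONFIG_BEFORE) or "baseline met")
    print("after update:", audit(CONFIG_AFTER))
    print("drifted keys:", drift(CONFIG_BEFORE, CONFIG_AFTER))
```

Run this as a post-change control after every update to an internet-facing file server; a non-empty result from `audit` is the signal that should have reached the vendor long before a patient's family found the files through a search engine.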

Last week, four different settlement agreements were announced with four different Massachusetts hospitals to settle claims that they had violated HIPAA and state consumer protection and data security laws, by either not obtaining proper patient authorizations before allowing a television documentary to be filmed in the hospital or failing to investigate reports of inappropriate access to medical records by employees. Three hospitals entered settlement agreements and agreed to corrective action plans with the Department of Health and Human Services Office for Civil Rights (“OCR”), while the fourth hospital and an associated medical group entered into a settlement agreement with the Massachusetts Attorney General. OCR initiated its review of the three hospitals it settled with after reading news stories about the hospitals allowing a TV documentary to film inside those hospitals. In one instance, the news story OCR cited as launching its investigation was actually posted on one of the hospital’s websites by the hospital itself. OCR’s investigation revealed that while the hospitals had taken some precautions by, for example, conducting a HIPAA training with the filming crew, the hospitals nevertheless failed to obtain proper authorizations from patients. Collectively, the three hospitals settled with OCR for $999,000.

The settlement with the Massachusetts AG stemmed from two employees of the hospital and medical group inappropriately accessing information on more than 15,000 Massachusetts residents while employed with the settling organizations, ultimately opening cell phone and credit card accounts with the information they improperly obtained. Although the AG alleges that the hospital and medical group were informed of these employees’ misconduct by an inside informant, its complaint further alleged that the hospital and group failed to properly investigate those complaints, verify that its information was safeguarded, or discipline the employees in question. The providers did eventually perform a sufficient investigation, but not until after a deceased patient’s widow complained that her husband’s information had been fraudulently used. The AG’s office alleged violations of the Massachusetts Consumer Protection Act, Data Security Law, and HIPAA in its complaint filed simultaneously with the consent decree, which included a payment of $230,000.

Our take

Despite what any of us might be feeling or inclined to think to the contrary, HIPAA enforcement is alive and well, both at the federal and state levels. Although there is some indication that OCR has been selective in its enforcement, and is focusing on pursuing large dollar value settlements, the Massachusetts AG settlement demonstrates that state attorneys general can and do enforce HIPAA violations of all sizes, either standing alone or as part of an enforcement action under a state data privacy or data breach law, the latter of which all 50 states now have. These settlements also show, on the one hand, that regulators will bring enforcement actions and levy fines even in the absence of a patient complaint or when a provider believes it is doing everything right, and, on the other, that regulated entities need to take reports of unauthorized access or use of PHI seriously, including investigating and reprimanding the employees involved, subject to whistleblower protections.

Just last month, the National Institute of Standards and Technology (“NIST”), in concert with the National Cybersecurity Center of Excellence (“NCCoE”), jointly published a behemoth guide to securing Electronic Health Records (“EHR”) on mobile devices.

The guide is a reaction to the growing number of issues with EHR in the mobile application context, as healthcare organizations often have poor EHR integration with their mobile apps. Mobile devices have so many obvious benefits, from patient communication to care coordination, that organizations are going with the “implement first, secure later” approach, creating major headaches down the road when the inevitable security incident occurs. In their guide, NIST and NCCoE provide a full analysis of provider-side access risks where the provider adds patient information into an EHR system through a mobile device and that same EHR data is accessed elsewhere by another provider via a separate mobile device.

The guide provides a roadmap for healthcare organizations that:

  • maps security characteristics to standards and best practices from NIST and other standards organizations, and to the HIPAA Security Rule
  • provides a detailed architecture and capabilities that address security controls
  • facilitates ease of use through automated configuration of security controls
  • addresses the need for different types of implementation, whether in-house or outsourced
  • provides a how-to for implementers and security engineers seeking to re-create or reference the design in whole or in part

We recommend reviewing the guide during the planning phase of any EHR-related mobile application implementation. For a quick overview of the guide, see the one page fact sheet here.

Our take

The guide provides a timely and valuable starting point for CIOs and Privacy Officers that are considering a mobile app implementation. At a high level, §8’s Risk Questionnaire (page 216) provides a great resource for those organizations looking to understand the types of questions they need to ask when selecting a cloud-based EHR vendor. The tables that follow these questionnaires will help an engaged leader to understand the universe and severity of the risks that come with the move to mobile.

As the lazy days of summer wind down, slowly at first and then all at once, now is a good time for a reminder that your own employees returning to work at full steam may pose the biggest threat to your cybersecurity. According to the U.S. Department of Health and Human Services Office for Civil Rights, July was the worst month this year for healthcare data breaches. So far in 2018, more individual records have been exposed than for all of 2017, including 1.4 million individual records exposed in the biggest breach from July, which was attributed to a phishing attack. These statistics back up a Verizon report on PHI data breaches that came out earlier this year and found that 58% of PHI data breaches involved insiders, and that healthcare is the only industry in which internal actors pose the biggest threat to organizations.

But that doesn’t mean healthcare alone is vulnerable to insider threats, as a Department of Justice criminal complaint filed in June and released earlier this month demonstrates. That complaint alleges that an $81 million bank heist suffered by a Bangladesh bank was carried out by North Korean cybercriminals and started with the criminals sending spearphishing emails to targeted individuals. In those emails, a purported job applicant would ask for a personal interview and attach a .zip file that the applicant claimed was a resume. When opened, the .zip file automatically downloaded malware to the recipient’s computer, which ultimately made its way to the bank’s IT system. This allegedly allowed the hackers to impersonate bank employees, access the SWIFT network, and transfer funds from the bank’s account to an account in the Philippines. Additional malware was used to cover their tracks.

Our take

While certain manipulation of a network as seen in the Bangladesh bank heist may take some skill and expertise, phishing and its targeted variant, spearphishing, are straightforward exploitations of human error. They demonstrate that allocating budget to pay for cybersecurity technology may not be enough, and that resources also need to be spent on employee training and culture shifting. Certainly, layered technology solutions that address different weak points, including two-factor authentication, are important and helpful, but organizations need to take a wider view of cybersecurity and risk reduction to both account for, and attempt to correct, human error.

In its August Cyber Security Newsletter, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued “Considerations for Securing Electronic Media and Devices.” In this guidance document, OCR reminds HIPAA covered entities and business associates that they are required, under the HIPAA Security Rule, to implement policies and procedures that: (1) limit physical access to the organization’s electronic information systems and the facilities in which they are housed and (2) govern the receipt and removal of hardware and electronic media containing electronic PHI (“ePHI”) into and out of an organization’s facility and their movement within a facility.

OCR sets forth the following considerations for covered entities and business associates to take into account when developing policies and procedures regarding device and media controls:

  • “Is there a record that tracks the location, movement, modifications or repairs, and disposition of devices and media throughout their lifecycles?”
  • “Does the organization’s record of device and media movement include the person(s) responsible for such devices and media?”
  • “Are workforce members (including management) trained on the proper use and handling of devices and media to safeguard ePHI?”
  • “Are appropriate technical controls, for example, access controls, audit controls, and encryption, in use?”

OCR explains that an organization should use its risk analysis and risk management processes to identify and implement appropriate electronic device and media controls. Moreover, an organization should consider the following factors when determining what security measures to implement: (1) “[i]ts size, complexity, and capabilities;” (2) “[i]ts technical infrastructure, hardware, and software security capabilities;” (3) “[t]he costs of security measures;” and (4) “[t]he probability and criticality of potential risks to ePHI.”

Finally, OCR notes that an organization that has implemented an electronic asset inventory and tracking system will be better positioned to identify and manage risks associated with such devices and media and to respond to and recover from security incidents and breaches.

OCR’s August Cyber Security Newsletter can be found here.

Our take

Healthcare organizations use a variety of different electronic devices and media, including laptops, tablets, smartphones, and USB drives, in their day-to-day activities. Without appropriate processes in place to track and safeguard these devices, organizations are at greater risk of experiencing loss, theft, and the potential breach of PHI. Therefore, such organizations should review their existing electronic devices and media security policies and procedures while taking into account the various considerations set forth above.