The practice of Steven A. Porter, M.D., has agreed to pay $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Dr. Porter’s medical practice provides gastroenterological services to over 3,000 patients per year in Ogden, Utah.
OCR began investigating Dr. Porter’s medical practice after it filed a breach report with OCR related to a dispute with a business associate. OCR’s investigation determined that Dr. Porter had never conducted a risk analysis at the time of the breach report, and despite significant technical assistance throughout the investigation, had failed to complete an accurate and thorough risk analysis after the breach and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”
In 2017, the UK’s National Health Service (NHS) experienced a severe ransomware attack. This incident resulted in the cancellation of nearly 20,000 medical appointments, including rerouting of cancer patients in emergency care to other destinations. The attack cost NHS trusts nearly $93 million. Proper cybersecurity compliance could have prevented this attack.
Concerns about cyber-threats have reached the United States as well. According to the secretary of the Department of Homeland Security, cyber weapons and sophisticated hacking currently pose the greatest threat to the United States and to the private companies involved.
According to a recently published report from Verizon, 43% of all cyber-threats are aimed at small businesses, with 39% of the total attacks carried out by organized criminal groups. Small and medium-sized enterprises remain the most vulnerable, owing to a lack of awareness and resources. According to the National Cybersecurity Alliance report, over 60% of small enterprises go out of business within six months of experiencing a cyber-attack.
Although these statistics are frightening, there is some good news. For instance, according to the Verizon report, the incidence of attacks aimed at stealing credit and debit card information is on the decline. Chip-and-PIN technology has made these attacks far less worthwhile for hackers. Here are some other innovative trends in cybersecurity worth watching out for in 2020:
The ultimate battle over internet dominance will continue
The cyberattacks of recent years have pushed many countries to restrict internet traffic and take other stringent actions. In fact, Russia was one of the first countries to propose filtering internet traffic through the Kremlin’s Roskomnadzor internet censor node, with the aim of creating the country’s very own internet, “RuNet”, which might ward off cyberattacks. Moscow even tried to influence the BRICS nations (Brazil, Russia, India, China, and South Africa) to create a separate domain name in order to establish hegemony over the internet. Apart from Russia, China too has enforced many policies to establish itself as the thought leader of the internet space. Many countries have even emulated China’s policies and formulated anti-privacy and surveillance laws. This has led to massive fragmentation of the internet, resulting in a Balkanization of sorts of the technology arena. However, the blame cannot be placed on Russia and China alone. Even countries in the West have put stringent policies in place to establish dominance under the banner of mitigating security risks. One such example is the UK and the US snubbing Huawei Technologies’ economical 5G services. While this fragmentation may create pockets of internet everywhere, it can be helpful in assuaging cybersecurity woes. However, it would also lead to more confusion, less transparency, and perhaps stifle innovation. This dilemma is bound to worry thought leaders in 2020 as well.
Compliance Assessment to Take Center Stage
In June 2019, American Medical Collection Agency (AMCA) discovered that an unauthorized person had gained access to its web payment portal. Even more surprising was that the attacker had had access to its system since August 2018, resulting in a major loss for the organization with 150,000 cases of data breach. The agency will have to report the breach to every potentially affected patient, which itself will require a great many man-hours. During such attacks, it is impossible to know the full extent of the breach within a short duration. Moreover, without adequate precautions, organizations can leave their consumers and themselves open to major risks, ranging from legal liabilities to financial and personal loss. It is easier to avoid such issues with quick response procedures that detect threats in time and then notify the concerned stakeholders at the earliest opportunity. This compliance procedure is not just mandatory by law; it can also avert enormous financial loss, and even save lives. Hence, compliance assessment is likely to remain one of the highest priorities in fighting cyber-attacks.
Attacks on Multiple Fronts
Cyber-attacks are becoming more sophisticated, and this is likely to continue as multi-vectored attacks like NotPetya and WannaCry remain active. Using these ransomware executable files, hackers can simultaneously attack multiple fronts of digital infrastructure, including mobile devices, networks, and cloud systems. It is estimated that less than 5% of today’s systems are capable of handling these advanced attacks. With a widespread lack of awareness about security assessment, these attacks will continue to plague small businesses, large enterprises, and government entities.
Adoption of Data Harbours
According to the US Council of Economic Advisers, cyber-attacks cost the US economy nearly $109 billion in 2016, and spending on cybersecurity reached over $120 billion globally in 2019. Major stakeholders in many industries are threatened, especially in the healthcare and financial fields. Meanwhile, cyber threats continue to become more intelligent and systematic, and to operate undetected over longer periods of time. This has forced many organizations to create external data harbours for their data, independent of their own infrastructure.
Data Privacy Regulation Goes Global
In 2018, the European Union’s General Data Protection Regulation (GDPR) took effect. This law has paved the way for more regulations concerning the use of personal data, such as the California Consumer Privacy Act (CCPA). These laws already affect enterprises worldwide due to the global nature of the internet. Moreover, the GDPR covers European citizens’ data in all countries and promises to penalize breaches stringently. The growing regulation of data privacy holds major implications for firms that do not have access to compliance assessment.
Data regulations could also impact companies that host their data in clouds such as Azure, Google Cloud, and AWS. The increasing number of data breaches and the ever more stringent regulatory environment will be worth monitoring in 2020, as cloud adoption and cloud security play an increasing role.
If your company is looking for solutions including security assessment, data warehouses, and regulatory compliance, a variety of options is available. Continuous employee training on cyber-attacks should also remain a high priority, as many prominent attacks have been carried out through phishing. If you want to protect your organization from bad actors, you have to perform adequate security assessment and training.
In fact, security assessment and risk analysis are the first step towards mitigating cyberattacks. And if you are looking for a partner that can help you keep threats at bay, Databrackets is your destination. Backed by a range of services including current trend analysis, past risk assessment reports, awareness training, threat forecasting, and more, Databrackets seamlessly alleviates the cybersecurity woes of your organization.
In an agreement with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), Sentara Hospitals (Sentara) has agreed to take corrective actions and pay $2.175 million to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification and Privacy Rules.
Sentara is comprised of 12 acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina.
In April of 2017, HHS received a complaint alleging that Sentara had sent a bill to an individual containing another patient’s protected health information (PHI). OCR’s investigation determined that Sentara mailed 577 patients’ PHI to the wrong addresses; the mailings included patient names, account numbers, and dates of service. Sentara reported this incident as a breach affecting 8 individuals, because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred. Sentara persisted in its refusal to properly report the breach even after being explicitly advised of its duty to do so by OCR. OCR also determined that Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performed business associate services for Sentara.
“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” said Roger Severino, OCR Director. “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has imposed a $1,600,000 civil money penalty against the Texas Health and Human Services Commission (TX HHSC), for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules between 2013 and 2017. TX HHSC is part of the Texas HHS system, which operates state supported living centers; provides mental health and substance use services; regulates child care and nursing facilities; and administers hundreds of programs for people who need assistance, including supplemental nutrition benefits and Medicaid. The Department of Aging and Disability Services (DADS), a state agency that administered long-term care services for people who are aging, and for people with intellectual and physical disabilities, was reorganized into TX HHSC in September 2017.
On June 11, 2015, DADS filed a breach report with OCR stating that the electronic protected health information (ePHI) of 6,617 individuals was viewable over the internet, including names, addresses, Social Security numbers, and treatment information. The breach occurred when an internal application was moved from a private, secure server to a public server, and a flaw in the software code allowed access to ePHI without access credentials. OCR’s investigation determined that, in addition to the impermissible disclosure, DADS failed to conduct an enterprise-wide risk analysis and to implement access and audit controls on its information systems and applications as required by the HIPAA Security Rule. Because of inadequate audit controls, DADS was unable to determine how many unauthorized persons accessed individuals’ ePHI.
The University of Rochester Medical Center (URMC) has agreed to pay $3 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. URMC includes healthcare components such as the School of Medicine and Dentistry and Strong Memorial Hospital. URMC is one of the largest health systems in New York State with over 26,000 employees.
URMC filed breach reports with OCR in 2013 and 2017 following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively. OCR’s investigation revealed that URMC failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so. Of note, in 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite the previous OCR investigation, and URMC’s own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.
“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said Roger Severino, OCR Director. “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”
The U.S. Department of Health and Human Services, Office for Civil Rights (HHS OCR) has successfully secured corrective action and resolved a complaint against the Florida Orthopaedic Institute (“Florida Orthopaedic”). The complaint alleged that Florida Orthopaedic unlawfully cancelled a surgery because of a patient’s HIV positive status. After HHS OCR informed Florida Orthopaedic of the complaint and that it would be investigating the allegations, Florida Orthopaedic banned the patient from the practice and cited the patient’s complaint to HHS as a basis for doing so. Retaliation for filing complaints with HHS OCR is prohibited by law.
Florida Orthopaedic is a comprehensive orthopedic practice that employs approximately 40 physicians working in 10 offices and 20 hospitals in the Tampa area. Florida Orthopaedic receives federal financial assistance through its participation in Medicaid and Medicare Part C; and is subject to the requirements of Section 504 of the Rehabilitation Act of 1973 (Section 504). Section 504 prohibits discrimination on the basis of disability (including HIV/AIDS) in health programs or activities that receive HHS funding, such as medical practices, nursing homes, and hospitals.
HHS OCR received a complaint that a Florida Orthopaedic surgeon allegedly made an offensive comment relating to the patient’s HIV status and then refused to perform the patient’s scheduled surgery, which prompted the patient to file a complaint with HHS OCR. After being informed of the allegations, and before HHS OCR had reached any conclusion as to the merits of the claims, Florida Orthopaedic prohibited the patient from receiving further care at the practice and cited the patient’s complaint with HHS as a basis for doing so.
The patient informed HHS OCR of the retaliatory dismissal from the practice and on this ground HHS OCR secured several corrective actions from Florida Orthopaedic, including amending its nondiscrimination policies and revising its procedures for dismissing any patient from the practice. Florida Orthopaedic also agreed to provide staff with multiple trainings on HIV, federal non-discrimination laws, grievance procedures, and the requirement to refrain from retaliatory actions. Before Florida Orthopaedic completed its compliance activities, it provided the complainant with referrals to three orthopedic surgeons in the area to prevent further delays in the patient’s health care.
“Patients with HIV have the right to nondiscriminatory health care which includes the right to file complaints with OCR without fear of unlawful retaliation,” said HHS OCR Director Roger Severino. This case is representative of HHS OCR’s continuing compliance work and commitment to the full implementation of the National HIV/AIDS Strategy and the President’s Initiative, Ending the HIV Epidemic: A Plan for America.
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has imposed a civil money penalty of $2,154,000 against Jackson Health System (JHS) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules between 2013 and 2016. JHS provides health services to approximately 650,000 patients annually, and employs about 12,000 individuals.
JHS is a nonprofit academic medical system based in Miami, Florida, which operates six major hospitals, a network of urgent care centers, multiple primary care and specialty care centers, long-term care nursing facilities, and corrections health services clinics.
On August 22, 2013, JHS submitted a breach report to OCR stating that its Health Information Management Department had lost paper records containing the protected health information (PHI) of 756 patients in January 2013. JHS’s internal investigation determined that an additional three boxes of patient records had also been lost in December 2012; however, JHS did not report the additional loss, which raised the number of affected individuals to 1,436, until June 7, 2016.
In July 2015, OCR initiated an investigation following a media report that disclosed the PHI of a JHS patient. A reporter had shared a photograph of a JHS operating room screen containing the patient’s medical information on social media. JHS subsequently determined that two employees had accessed this patient’s electronic medical record without a job-related purpose.
On February 19, 2016, JHS submitted a breach report to OCR reporting that an employee had been selling patient PHI. The employee had inappropriately accessed over 24,000 patients’ records since 2011.
OCR’s investigation revealed that JHS failed to provide timely and accurate breach notification to the Secretary of HHS, conduct enterprise-wide risk analyses, manage identified risks to a reasonable and appropriate level, regularly review information system activity records, and restrict authorization of its workforce members’ access to patient ePHI to the minimum necessary to accomplish their job duties.
JHS waived its right to a hearing and did not contest the findings in OCR’s Notice of Proposed Determination. Accordingly, OCR issued a Notice of Final Determination and JHS has paid the full civil money penalty.
“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” said OCR Director Roger Severino. “This hospital system’s compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media.”
Elite Dental Associates, Dallas (“Elite”) has agreed to pay $10,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Elite is a privately-owned dental practice located in Dallas, Texas, providing general, implant, and cosmetic dentistry.
On June 5, 2016, OCR received a complaint from an Elite patient alleging that Elite had responded to a social media review by disclosing the patient’s last name and details of the patient’s health condition. OCR’s investigation found that Elite had impermissibly disclosed the protected health information (PHI) of multiple patients in response to patient reviews on the Elite Yelp review page. Additionally, Elite did not have a policy and procedure regarding disclosures of PHI to ensure that its social media interactions protect the PHI of its patients or a Notice of Privacy Practices that complied with the HIPAA Privacy Rule. OCR accepted a substantially reduced settlement amount in consideration of Elite’s size, financial circumstances, and cooperation with OCR’s investigation.
“Social media is not the place for providers to discuss a patient’s care,” said OCR Director, Roger Severino. “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”