Agape Health Services has agreed to pay $25,000 to OCR in HIPAA fines for failure to implement multiple HIPAA Security Rule requirements.
Beware of COVID-19 Cyber Scams
The Cybersecurity and Infrastructure Security Agency (CISA) warns individuals to remain vigilant for scams related to Coronavirus Disease 2019 (COVID-19). Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19. CISA encourages individuals to remain vigilant and take the following precautions:
- Avoid clicking on links in unsolicited emails and be wary of email attachments. See Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams for more information.
- Use trusted sources, such as legitimate government websites, for up-to-date, fact-based information about COVID-19.
- Do not reveal personal or financial information in an email, and do not respond to email solicitations for this information.
- Verify a charity's authenticity before making donations. Review the Federal Trade Commission's page on Charity Scams for more information.
- Review CISA Insights on Risk Management for COVID-19 for more information.
HIPAA Compliance and Zoom Video Conferencing
Learn how to comply with HIPAA regulations while using Zoom for your telehealth needs.
Can a healthcare entity use Zoom video conferencing as a telehealth or video conferencing platform with a patient?
Understand GDPR Compliance and fines before you regret
Since May 25, 2018, all companies and organizations that control or process personal data of EU residents have been required to comply with the GDPR.
Top 5 Trends in Cybersecurity in 2020
Cybersecurity trends in 2020 for preventing sophisticated cyber weapons and hacks in the US and globally, and the regulations that address such cyberattacks, are discussed.
In 2017, the UK’s National Health Service (NHS) experienced a severe ransomware attack. This incident resulted in the cancellation of nearly 20,000 medical appointments, including rerouting of cancer patients in emergency care to other destinations. The attack cost NHS trusts nearly $93 million. Proper cybersecurity compliance could have prevented this attack.
Concerns about cyber threats have reached the United States as well. According to the Secretary of the Department of Homeland Security, cyber weapons and sophisticated hacking currently pose the greatest threat to the United States and to the private companies involved.
According to a recently published report from Verizon, 43% of all cyber-threats are aimed at small businesses, with 39% of the total attacks carried out by organized criminal groups. Small and medium-sized enterprises remain the most vulnerable, due to a lack of awareness and resources. According to the National Cybersecurity Alliance report, over 60% of small enterprises go out of business within six months of experiencing a cyber-attack.
Although these statistics are frightening, there is some good news. For instance, according to the Verizon report, the incidence of attacks to steal credit and debit card information is on the decline. The new chip-and-PIN technology has made these attacks largely redundant for hackers. Here are some other innovative trends in cybersecurity worth watching out for in 2020:
- The ultimate battle over internet dominance will continue
The cyberattacks of recent years have pushed many countries to restrict internet traffic and take other stringent actions. In fact, Russia was one of the first countries to propose filtering internet traffic through the Kremlin's Roskomnadzor internet censor node, with the aim of creating the country's very own internet, "RuNet", which might ward off cyberattacks. Moscow even tried to influence the BRICS nations (Brazil, Russia, India, China, and South Africa) to create a separate domain name in order to establish hegemony over the internet. Apart from Russia, China too has enforced many policies to establish itself as the thought leader of the internet space. Many countries have even emulated China's policies and formulated anti-privacy and surveillance laws. This has led to massive fragmentation of the Internet, resulting in a Balkanization of sorts of the technology arena. However, the blame cannot be placed on Russia and China alone. Even countries in the West have put stringent policies in place to establish dominance under the banner of mitigating security risks. One such example is the UK and the US snubbing Huawei Technologies' economical 5G services. While these fragmentations may create pockets of internet everywhere, they can be helpful in assuaging cybersecurity woes. However, they would lead to more confusion, less transparency, and perhaps stifle innovation. This dilemma is bound to worry thought leaders in 2020 as well.
- Compliance Assessment To Take Centerstage
In June 2019, American Medical Collection Agency (AMCA) discovered that an unauthorized person had gained access to its web payment portal. Even more surprising was that the attacker had had access to its system since August 2018, resulting in a major loss for the organization, with 150,000 individuals affected by the data breach. The agency will have to report the breach to all the potentially affected patients, which itself requires numerous man-hours. During such attacks, it is impossible to know the full extent of the breach within a short duration. Moreover, without adequate precautions, organizations can leave their consumers and themselves open to major risks, ranging from legal liabilities to financial and personal loss. It is easier to avoid such issues with quick response procedures that detect threats in time and then pass the message on to the concerned stakeholders at the earliest opportunity. This compliance procedure is not just mandated by law; it can save enormous financial loss, and even lives. Hence, compliance assessment is likely to remain one of the highest priorities in fighting cyber-attacks.
- Attacks on Multiple Fronts
Cyber-attacks are becoming more sophisticated, and this is likely to continue as multi-vectored attacks like NotPetya and WannaCry remain active. Using these ransomware executables, hackers can simultaneously attack multiple fronts of digital infrastructure, including mobile devices, networks, and cloud systems. It is estimated that less than 5% of today's systems are capable of handling these advanced attacks. With a widespread lack of awareness about security assessment, these attacks will continue to plague small businesses, large enterprises, and government entities.
- Adoption of Data Harbours
According to the US Council of Economic Advisers, cyber-attacks cost the US economy nearly $109 billion in 2016, and spending on cybersecurity reached over $120 billion in 2019 globally. Major stakeholders in many industries are threatened, especially in the healthcare and financial fields. At the same time, cyber threats continue to become more intelligent and systematic, and to operate undetected over longer periods of time. This has forced many organizations to create external data harbours for their data, independent of their own infrastructure.
- Data Privacy Regulation Goes Global
In 2018, the European Union signed the General Data Protection Regulation, or GDPR, into law. This law has paved the way for more regulations concerning the use of personal data, such as the California Consumer Privacy Act (CCPA). These laws have already affected enterprises worldwide due to the global nature of the internet. Moreover, the GDPR covers access to European citizens' data in all countries and promises to penalize breaches stringently. The growing regulation of data privacy holds major implications for firms that do not have access to compliance assessment.
Data regulations could also impact companies that host their data in clouds like Azure, Google, and AWS. The increasing data breaches and growing stringency of the regulatory environment will be worth monitoring in 2020, as cloud adoption and cloud security play an increasing role.
If your company is looking for solutions including security assessment, data warehouses, and regulatory compliance, a variety of options are available. Continuous employee training on cyber-attacks should also remain a high priority, as the most prominent forms of attack have taken place through phishing. If you want to protect your organization from bad actors, you have to perform adequate security assessment and training.
In fact, security assessment and risk analysis are the first step towards mitigating cyberattacks. And if you are looking for a partner that can help you keep threats at bay, Databrackets is your destination. Backed by a range of services including current trend analysis, past risk assessment reports, awareness training, threat forecasting, and more, Databrackets seamlessly alleviates the cybersecurity woes of your organization.
OCR Secures $2.175 Million HIPAA Settlement after Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information
In an agreement with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), Sentara Hospitals (Sentara) has agreed to take corrective actions and pay $2.175 million to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification and Privacy Rules.
Sentara is comprised of 12 acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina.
In April of 2017, HHS received a complaint alleging that Sentara had sent a bill to an individual containing another patient’s protected health information (PHI). OCR’s investigation determined that Sentara mailed 577 patients’ PHI to wrong addresses that included patient names, account numbers, and dates of services. Sentara reported this incident as a breach affecting 8 individuals, because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred. Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR. OCR also determined that Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performed business associate services for Sentara.
“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed.” said Roger Severino, OCR Director. “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”
In addition to the monetary settlement, Sentara will undertake a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sentara/index.html
OCR Imposes a $1.6 Million Civil Money Penalty against Texas Health and Human Services Commission for HIPAA Violations
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has imposed a $1,600,000 civil money penalty against the Texas Health and Human Services Commission (TX HHSC) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules between 2013 and 2017. TX HHSC is part of the Texas HHS system, which operates state supported living centers; provides mental health and substance use services; regulates child care and nursing facilities; and administers hundreds of programs for people who need assistance, including supplemental nutrition benefits and Medicaid. The Department of Aging and Disability Services (DADS), a state agency that administered long-term care services for people who are aging and for people with intellectual and physical disabilities, was reorganized into TX HHSC in September 2017.
On June 11, 2015, DADS filed a breach report with OCR stating that the electronic protected health information (ePHI) of 6,617 individuals was viewable over the internet, including names, addresses, social security numbers, and treatment information. The breach occurred when an internal application was moved from a private, secure server to a public server and a flaw in the software code allowed access to ePHI without access credentials. OCR’s investigation determined that, in addition to the impermissible disclosure, DADS failed to conduct an enterprise-wide risk analysis, and implement access and audit controls on its information systems and applications as required by the HIPAA Security Rule. Because of inadequate audit controls, DADS was unable to determine how many unauthorized persons accessed individuals’ ePHI.
The Notice of Proposed Determination and Notice of Final Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/txhhsc/index.html
Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement
The University of Rochester Medical Center (URMC) has agreed to pay $3 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. URMC includes healthcare components such as the School of Medicine and Dentistry and Strong Memorial Hospital. URMC is one of the largest health systems in New York State with over 26,000 employees.
URMC filed breach reports with OCR in 2013 and 2017 following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively. OCR’s investigation revealed that URMC failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so. Of note, in 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite the previous OCR investigation, and URMC’s own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.
“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said Roger Severino, OCR Director. “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”
In addition to the monetary settlement, URMC will undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules. The resolution agreement and corrective action plan may be found at http://www.hhs.gov/hipaa/
HHS Office for Civil Rights Secures Corrective Action and Ensures Florida Orthopedic Practice Protects Patients with HIV from Discrimination
The U.S. Department of Health and Human Services, Office for Civil Rights (HHS OCR) has successfully secured corrective action and resolved a complaint against the Florida Orthopaedic Institute (“Florida Orthopaedic”). The complaint alleged that Florida Orthopaedic unlawfully cancelled a surgery because of a patient’s HIV positive status. After HHS OCR informed Florida Orthopaedic of the complaint and that it would be investigating the allegations, Florida Orthopaedic banned the patient from the practice and cited the patient’s complaint to HHS as a basis for doing so. Retaliation for filing complaints with HHS OCR is prohibited by law.
Florida Orthopaedic is a comprehensive orthopedic practice that employs approximately 40 physicians working in 10 offices and 20 hospitals in the Tampa area. Florida Orthopaedic receives federal financial assistance through its participation in Medicaid and Medicare Part C; and is subject to the requirements of Section 504 of the Rehabilitation Act of 1973 (Section 504). Section 504 prohibits discrimination on the basis of disability (including HIV/AIDS) in health programs or activities that receive HHS funding, such as medical practices, nursing homes, and hospitals.
HHS OCR received a complaint that a Florida Orthopaedic surgeon allegedly made an offensive comment relating to the patient's HIV status and then refused to perform the patient's scheduled surgery, which prompted the patient to file a complaint with HHS OCR. After being informed of the allegations, and before HHS OCR reached any conclusion as to the merits of the claims, Florida Orthopaedic prohibited the patient from receiving further care at the practice and cited the patient's complaint with HHS as a basis.
The patient informed HHS OCR of the retaliatory dismissal from the practice and on this ground HHS OCR secured several corrective actions from Florida Orthopaedic, including amending its nondiscrimination policies and revising its procedures for dismissing any patient from the practice. Florida Orthopaedic also agreed to provide staff with multiple trainings on HIV, federal non-discrimination laws, grievance procedures, and the requirement to refrain from retaliatory actions. Before Florida Orthopaedic completed its compliance activities, it provided the complainant with referrals to three orthopedic surgeons in the area to prevent further delays in the patient’s health care.
“Patients with HIV have the right to nondiscriminatory health care which includes the right to file complaints with OCR without fear of unlawful retaliation,” said HHS OCR Director Roger Severino. This case is representative of HHS OCR’s continuing compliance work and commitment to the full implementation of the National HIV/AIDS Strategy and the President’s Initiative, Ending the HIV Epidemic: A Plan for America.
For additional information on HHS OCR’s work on HIV/AIDS issues, visit: www.hhs.gov/civil-rights/for-individuals/special-topics/hiv
To learn more about civil rights and health information privacy laws that HHS OCR enforces, and to find information on filing a complaint, visit us at www.hhs.gov/ocr.
Follow HHS OCR on Twitter at twitter.com/HHSOCR
OCR Imposes a $2.15 Million Civil Money Penalty against Jackson Health System for HIPAA Violations
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has imposed a civil money penalty of $2,154,000 against Jackson Health System (JHS) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules between 2013 and 2016. JHS provides health services to approximately 650,000 patients annually, and employs about 12,000 individuals.
JHS is a nonprofit academic medical system based in Miami, Florida, which operates six major hospitals, a network of urgent care centers, multiple primary care and specialty care centers, long-term care nursing facilities, and corrections health services clinics.
On August 22, 2013, JHS submitted a breach report to OCR stating that its Health Information Management Department had lost paper records containing the protected health information (PHI) of 756 patients in January 2013. JHS's internal investigation determined that an additional three boxes of patient records had also been lost in December 2012; however, JHS did not report the additional loss, or that the number of individuals affected had increased to 1,436, until June 7, 2016.
In July 2015, OCR initiated an investigation following a media report that disclosed the PHI of a JHS patient. A reporter had shared a photograph of a JHS operating room screen containing the patient’s medical information on social media. JHS subsequently determined that two employees had accessed this patient’s electronic medical record without a job-related purpose.
On February 19, 2016, JHS submitted a breach report to OCR reporting that an employee had been selling patient PHI. The employee had inappropriately accessed over 24,000 patients’ records since 2011.
OCR’s investigation revealed that JHS failed to provide timely and accurate breach notification to the Secretary of HHS, conduct enterprise-wide risk analyses, manage identified risks to a reasonable and appropriate level, regularly review information system activity records, and restrict authorization of its workforce members’ access to patient ePHI to the minimum necessary to accomplish their job duties.
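Two of the findings on this page come down to the same control: the DADS case, where inadequate audit controls meant the agency could not tell how many people had viewed ePHI, and the JHS case, where an employee pulled over 24,000 records because nobody regularly reviewed information system activity records. The script below is an added illustration of what such a review looks like; it is not code from OCR, Jackson Health System, DADS or any product. The log format, user names, patient identifiers and the per-day threshold are all constructed assumptions.

```python
"""Review of an EHR access log: added example, not code from OCR or any
covered entity named on the page. The line format, the users, the patient
ids and the threshold of 5 records per day are all constructed assumptions.

Two questions a reviewer of activity records needs answered:
  1. which users open far more charts than their role could explain, and
  2. for a given record, who has ever opened it (the question DADS could
     not answer for lack of audit controls).
"""
from collections import defaultdict
import re

# Constructed sample audit records; a real audit trail carries far more fields.
# One deliberately corrupt line is included: a review must skip it, not crash.
SAMPLE_LOG = """\
2016-02-01T08:02:11 user=nurse01 patient=P1001 action=view_chart
2016-02-01T08:05:40 user=nurse01 patient=P1002 action=view_chart
2016-02-01T08:06:02 user=clerk07 patient=P1001 action=view_demographics
2016-02-01T08:06:30 user=clerk07 patient=P1003 action=view_demographics
2016-02-01T08:07:01 user=clerk07 patient=P1004 action=view_demographics
2016-02-01T08:07:29 user=clerk07 patient=P1005 action=view_demographics
2016-02-01T08:08:10 user=clerk07 patient=P1006 action=view_demographics
2016-02-01T08:08:55 user=clerk07 patient=P1007 action=view_demographics
2016-02-01T08:09:12 user=clerk07 patient=P1007 action=view_demographics
this line is corrupt and must not crash the review
2016-02-02T09:15:00 user=clerk07 patient=P1008 action=view_demographics
2016-02-02T09:20:00 user=dr_smith patient=P1001 action=view_chart
"""

# Assumed line layout: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2} "
    r"user=(?P<user>\S+) patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Return a list of (date, user, patient, action); unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["date"], m["user"], m["patient"], m["action"]))
    return records


def distinct_patients_per_user_day(records):
    """Map (user, date) -> set of distinct patient ids that user opened that day."""
    seen = defaultdict(set)
    for date, user, patient, _ in records:
        seen[(user, date)].add(patient)
    return seen


def flag_excessive_access(records, max_patients_per_day):
    """Return {(user, date): distinct_count} for user-days above the threshold.

    The threshold is an assumption; in practice it is set per role from the
    organisation's own baseline of normal chart volume, and repeat views of
    the same patient (clerk07 on P1007) are counted once, not twice.
    """
    return {
        key: len(patients)
        for key, patients in distinct_patients_per_user_day(records).items()
        if len(patients) > max_patients_per_day
    }


def accessors_of(records, patient_id):
    """Every user who has opened the given record, across all dates."""
    return {user for _, user, patient, _ in records if patient == patient_id}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (user, date), n in sorted(flag_excessive_access(recs, 5).items()):
        print(f"REVIEW: {user} opened {n} distinct patient records on {date}")
    print("P1001 has been opened by:", sorted(accessors_of(recs, "P1001")))
```

On the constructed sample, `clerk07` is flagged for opening six distinct records on 2016-02-01, and the lookup for `P1001` returns three users. The point of the second function is the one OCR made in the DADS determination: without a per-record access trail, the count of unauthorized viewers cannot be established at all, which is why the Security Rule's audit-control requirement sits alongside access control rather than after it.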
JHS waived its right to a hearing and did not contest the findings in OCR’s Notice of Proposed Determination. Accordingly, OCR issued a Notice of Final Determination and JHS has paid the full civil money penalty.
“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” said OCR Director Roger Severino. “This hospital system’s compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media.”
The Notice of Proposed Determination and Notice of Final Determination may be found at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/jackson/index.html.