Information Security

State of Maryland fails OIG security audit, Medicaid data at risk

OIG performed a vulnerability assessment scan to determine whether there were existing vulnerabilities on the MMIS (Medicaid Management Information System) network, devices, websites and database. While OIG officials found that the state had adopted a security program for the system, there were “significant system vulnerabilities.”

Officials did not disclose details of the vulnerabilities found, but said that they were significant enough to “have allowed unauthorized access and exposed Medicaid data and the disruption of critical Medicaid operations.”

The state said there was no evidence of a breach or unauthorized access. While a security program was in place, the controls were not sufficient to keep the systems protected. OIG recommended that the state update its security program and systems to meet federal requirements.

Complying with HIPAA alone won't cut it - Covered entities need to keep up with changes in state laws

For healthcare organizations operating in multiple states, the complexity of complying with privacy and security rules goes beyond understanding HIPAA. Add Colorado to the list of states with new laws defining special requirements for reporting breaches to the attorney general and definitions of personal information that include biometric data. While HIPAA allows up to 60 days to notify an individual of a breach, and also up to 60 days to report breaches affecting more than 500 individuals to the Office of Civil Rights (OCR), the new Colorado law requires notice to the individual within 30 days. Colorado is the most recent state to join the club of states with reporting rules more stringent than HIPAA's, including Alabama, which recently enacted a 45-day time frame.

According to Cofense, 91% of cyber attacks begin with a phishing email

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a standard healthcare organizations can implement to reduce their susceptibility to cyber attacks by reducing vulnerabilities associated with spoofing. Spoofing occurs when an attacker impersonates the legitimate domain by making an email appear to come from within the organization. Despite phishing training, staff may still be fooled by emails that look like they come from a legitimate domain. DMARC can be set up in its most permissive setting to monitor email traffic and send reports, or, in its most aggressive setting, to have receiving mail servers block messages that fail authentication.
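As an added illustration (not from the original article), the following Python code parses a published DMARC TXT record and reports whether it is in the monitoring setting (p=none) or an enforcing setting (p=quarantine or p=reject), along with gaps that would leave spoofed mail unblocked or unreported. The two sample records, the example.org domain and the mailbox names are constructed placeholders.

```python
"""Parse and assess a DMARC policy record (RFC 7489 'v=DMARC1' TXT format)."""
from dataclasses import dataclass, field

# Constructed sample records: the monitoring-only setting and the enforcing
# setting, as a domain owner would publish them in the _dmarc.<domain> TXT
# record (example.org and the mailbox names are placeholders).
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"
ENFORCE_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                  "rua=mailto:dmarc-reports@example.org")

@dataclass
class DmarcAssessment:
    policy: str      # none | quarantine | reject
    pct: int         # share of failing mail the policy is applied to
    reporting: bool  # aggregate reports (rua) requested
    findings: list = field(default_factory=list)

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; reject non-DMARC records."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489: 'v=DMARC1' must come first and 'p' is required.
    if not record.lstrip().lower().startswith("v=") or tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing required 'p' tag")
    return tags

def assess_dmarc(record: str) -> DmarcAssessment:
    """Classify the record and list gaps that leave spoofing unblocked."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {policy!r}")
    pct = int(tags.get("pct", "100"))
    result = DmarcAssessment(policy=policy, pct=pct, reporting="rua" in tags)
    if policy == "none":
        result.findings.append("monitor-only: receivers will not block spoofed mail")
    if pct < 100:
        result.findings.append(f"policy applied to only {pct}% of failing mail")
    if not result.reporting:
        result.findings.append("no rua address: no aggregate reports, no visibility")
    return result
```

A real record would be fetched from the _dmarc subdomain's TXT entry; the parser is the same either way.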

Per HIPAA News (2018, May 26) "For the study, Valimail reviewed the domains of 928 healthcare companies around the globe with annual revenues over $300 million, including hospitals, medical equipment suppliers, pharmacies, physicians and health practitioners. Just 121 of those firms (13%) have adopted DMARC to secure their domains and stop email spoofing."

HIPAA Covered Entities Should Start Saving for a Rainy Day (aka Big Breach)

A provision of the HITECH Act of 2009 that has yet to be implemented is establishing a mechanism for the victims of a HIPAA related breach to share in any settlement or monetary penalties assessed. The Office of Civil Rights (OCR) plans to issue notice of proposed rule making in November 2018 in an effort to satisfy this HITECH requirement. In the meantime, HIPAA covered entities may want to consider revisiting their internal efforts to comply with the Privacy and Security rules to mitigate future risk as well as consider planning for a reserve commensurate with the potential exposure if a major breach were to occur.

Former California State Contractor Sued Over Breach Of HIV Patient Privacy

According to Kaiser Health News, "A security breach by a private company that contracted with California’s public health department inadvertently allowed unauthorized access to the HIV status of 93 people, according to a lawsuit filed this week in San Francisco County Superior Court."

NJ medical group fined $418K for HIPAA business associate error

Virtua Medical Group, comprising more than 50 medical practices across New Jersey, agreed to a fine of more than $418,000 from the state attorney general. An investigation found that the records of about 1,600 patients were exposed. What makes this situation unique, however, is that the server in question was operated by a third-party business associate - in this case a transcription vendor.

The Virtua breach occurred in January 2016 when transcription services vendor Best Medical Transcription updated the software on a File Transfer Protocol (FTP) site, which inadvertently reconfigured the server to allow access without a password, so patient records became searchable via Google. Even after Best Medical fixed the misconfiguration shortly after it was discovered, cached indexes of the records remained accessible on Google.
But the company never notified Virtua. Instead, the medical practice found out about the breach after a patient’s mother called to report she found portions of her daughter’s medical record online. Two weeks later, Virtua notified law enforcement and individually removed each patient’s information from Google’s cache.
Still, state prosecutors alleged that, among other violations, the provider was delayed in responding to the breach and failed to maintain a written log of when the FTP site was accessed. In addition to paying the fine, Virtua is required to hire a third-party professional to analyze the group’s security risks.

No fine for Best Medical? Business Associates are expected to adhere to the same standards as Covered Entities, though it appears in this case they got off easy. Is it an anomaly? If anything, it is a clear signal to Covered Entities that they must properly vet their Business Associates to ensure that they are working with organizations that understand and can comply with HIPAA requirements.

NY Attorney General: Record number of data breaches in 2017

New York Attorney General Eric Schneiderman said Thursday that there were a record number of data breaches in his state during the year 2017. In his report titled “Information Exposed: 2017 Data Breaches in New York State,” Schneiderman reveals that 1,583 breaches were reported to his office in 2017, impacting the data of 9.2 million New Yorkers. 

Indicating that current laws are inadequate, Schneiderman's office also introduced new legislation with stricter reporting requirements for any organization doing business with New York residents: 

However, current law does not require most companies to maintain reasonable data security, except if the company collects social security numbers. Companies also are not required to report breaches of certain critical data types, including username-and-password combinations, and biometric data like the fingerprint you use to unlock an iPhone.
To address these inadequacies in the law, my office introduced the Stop Hacks and Improve Electronic Data Security, or SHIELD Act, which would require companies to adopt administrative, technical, and physical safeguards for sensitive data. These standards would apply to any business that holds sensitive data of New Yorkers, whether they do business in New York or not.
The standards are tailored to the sensitivity of the data retained and the size and complexity of the business. The SHIELD Act also expands the types of data that trigger reporting requirements in the event of exposure to include username-and-password combinations, biometric data, and HIPAA-covered health data.
My office is also preparing new legislation that would require companies like Facebook to notify my office, and in turn consumers, as soon as they learn that their users’ personal data has been misused. 

With an increasing number of states across the nation introducing their own information and data security regulations, where does this leave HIPAA? It is crucial for healthcare entities to understand the requirements of each regulation; following one does not mean the others can be ignored.