- Your health records are supposed to be private. They aren’t. (washingtonpost.com)
The federal law that protects health information is violated often and easily, and it's hardly ever enforced...After spending the past year reporting on loopholes and lax enforcement of the Health Insurance Portability and Accountability Act, the federal patient-privacy law known as HIPAA, I’ve come to realize that it’s not just celebrity patients who are at risk. We all are...I’ve talked to hundreds of people who say their medical records were hacked, snooped in, shared or stolen...In each story, a common theme emerged: HIPAA wasn’t working the way we expect. And the agency charged with enforcing it, the HHS office for civil rights, wasn’t taking aggressive action against those who violated the law...We all know HIPAA... It’s what requires us to stand behind a line, away from other customers, at the pharmacy counter or when checking in at the doctor’s office...It is used to scare health-care workers, telling them that if they improperly disclose others’ information, they could pay a steep fine or even go to jail...But in reality, it is a toothless tiger...And even though the civil rights office can impose large fines, it rarely does: It received nearly 18,000 complaints in 2014 but took only six formal actions that year. A recent report from the HHS inspector general said the office wasn’t keeping track of repeat offenders, much less doing anything about them...Making matters worse, HIPAA does not allow patients to sue health providers for damages if they violate the law. So if the federal government doesn’t enforce the law, there are often no consequences for breaking it...Moreover, the government needs to write regulations to implement provisions of a 2009 law that would give patients whose privacy has been violated a share of the money HHS recovers. Finally, the government has yet to submit to Congress a report due in 2010 with recommendations for how to deal with the privacy of health information not covered by HIPAA.
- 7 largest data breaches of 2015 (healthcareitnews.com)
More than 720 data breaches occurred this year, and the top seven cyberattacks alone have left more than 193 million personal records open to fraud and identity theft...Of the seven, the healthcare industry has the dubious honor of three top spots, with the Anthem breach leading the pack...Our research indicates that cybercriminals are increasingly going after targets in the medical and healthcare verticals, which store valuable patient data that can't be reissued like a credit card...Each of the top seven data breaches compromised more than 5 million records, indicating that attackers are becoming stealthier, are employing more sophisticated techniques and are going after bigger and more lucrative targets...The top 7 breaches:
- Excellus BlueCross BlueShield
- Premera Blue Cross
- Vtech
- Experian/T-Mobile
- OPM
- Ashley Madison
- Anthem
- Lahey Clinic computer theft leads to $850,000 HIPAA settlement (modernhealthcare.com)
Lahey Hospital and Medical Center has agreed to pay $850,000 in a settlement with HHS' Office for Civil Rights to resolve alleged privacy and security violations stemming from the theft of a laptop computer with unencrypted patient records…health system also entered into a corrective action plan to address other privacy and security issues raised during the breach investigation. Lahey “impermissibly disclosed” electronic medical records of 599 individuals “for a purpose not permitted by the privacy rule” under the Health Insurance Portability and Accountability Act…Lahey had failed to meet a number of other HIPAA requirements, including not conducting “an accurate and thorough” security risk analysis, failing to assign “a unique username for identifying and tracking user identity” on the stolen computer and failing to “implement a mechanism to record and examine activity” on the computer.
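The two technical controls OCR faulted Lahey for on the stolen workstation, unique user identities and a mechanism to record and examine activity, are straightforward to demonstrate. The block below is an added example written for this digest, not code from Lahey, HHS or the article: an append-only audit trail keyed by a per-user identifier and chained with an HMAC so that an edited or deleted entry is detectable on review. The key, user names, record numbers and timestamps are all constructed for illustration.

```python
"""Added example (not from the article): an HMAC-chained, append-only audit
trail keyed by a unique user identifier, so activity on a workstation can be
recorded, examined per patient record, and checked for tampering.
Standard library only."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed key for this example. In practice it would be held by a log
# server or hardware key store that the workstation's users cannot reach.
AUDIT_KEY = b"example-only-audit-key-not-for-production"
GENESIS = "0" * 64  # "previous MAC" of the very first entry


def _canonical(entry: Dict) -> bytes:
    """Deterministic byte form of an entry without its own MAC field."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain: List[Dict], user_id: str, action: str, record_id: str,
                 ts: int, key: bytes = AUDIT_KEY) -> Dict:
    """Append one activity record. Each entry commits to its sequence number
    and to the MAC of the entry before it, which is what makes deletion or
    reordering visible later."""
    entry = {
        "seq": len(chain),
        "ts": ts,
        "user": user_id,        # unique per person: never a shared station login
        "action": action,
        "record": record_id,
        "prev": chain[-1]["mac"] if chain else GENESIS,
    }
    entry["mac"] = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict], key: bytes = AUDIT_KEY) -> Optional[int]:
    """Return the index of the first entry that fails verification, or None
    if every entry's sequence, back-link and MAC check out."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return i
        expected = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return i
        prev = entry["mac"]
    return None


def who_accessed(chain: List[Dict], record_id: str) -> List[str]:
    """The 'examine activity' half: every user id that touched a given record."""
    return [e["user"] for e in chain if e["record"] == record_id]


def build_sample_chain() -> List[Dict]:
    """Three constructed events on one workstation (illustrative data only)."""
    chain: List[Dict] = []
    append_entry(chain, "jdoe", "view", "MRN-0001", 1446000000)
    append_entry(chain, "asmith", "export", "MRN-0002", 1446000060)
    append_entry(chain, "jdoe", "print", "MRN-0001", 1446000120)
    return chain


if __name__ == "__main__":
    log = build_sample_chain()
    print("intact:", verify_chain(log) is None)
    print("MRN-0001 accessed by:", who_accessed(log, "MRN-0001"))
    log[1]["user"] = "someone-else"          # simulate an after-the-fact edit
    print("first bad entry after tampering:", verify_chain(log))
```

The chain only answers "who did what to which record" if `user` is a distinct identity per person; a shared station login produces a verifiable but useless trail, which is the point of the unique-username requirement cited in the settlement.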
- Chinese hackers said to target U.S. tech and pharma companies (fiercepharmaasia.com)
Chinese hackers linked to the mainland government attempted to gain entry into computer systems at 7 companies including two unnamed pharmaceutical companies, according to a U.S. cybersecurity researcher…the attacks began on Sept. 26, but were ultimately unsuccessful. News of the attacks came a day after President Barack Obama and Chinese President Xi Jinping had agreed to stop any government attempts to penetrate corporate networks to support their respective domestic industries… Pharmaceutical companies are a natural target for hackers looking to help their clients or employers shave years and billions of dollars off the time and expense of creating modern drugs.
- Few Consequences For Health Privacy Law’s Repeat Offenders (propublica.org)
- HIPAA Helper - Who is Revealing Your Private Medical Information? (projects.propublica.org)
- HHS - OCR - Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information (ocrportal.hhs.gov)
Repeat HIPAA Violators - These health providers have the most privacy complaints that resulted in corrective-action plans or “technical assistance” being provided by the OCR from 2011 to 2014.
Regulators have logged dozens, even hundreds, of complaints against some health providers for violating federal patient privacy law. Warnings are doled out privately, but sanctions are imposed only rarely. Companies say they take privacy seriously...CVS is among hundreds of health providers nationwide that repeatedly violated the federal patient privacy law known as HIPAA between 2011 and 2014...Other well-known repeat offenders include the U.S. Department of Veterans Affairs, Walgreens, Kaiser Permanente and Walmart...I don’t like the idea of repeat offenders not being called to task for that behavior and I would like to see us doing more in this regard...The number of health information privacy complaints submitted to the Office for Civil Rights within the Department of Health and Human Services has increased dramatically in recent years, in part because of the introduction of an online complaint portal...Using data provided by OCR under the Freedom of Information Act, ProPublica is launching a new tool, HIPAA Helper, which allows users to look up reports of privacy violations by provider for the first time. OCR’s material often referred to the same entities by multiple names. CVS was listed as “CVS,” “Pharmacy, CVS,” “Caremark, CVS,” “CVS Caremark”...We have standardized organizations’ names to make searching easier.
- Two-factor authentication on the rise, small hospitals fall short, ONC says (healthcareitnews.com)
Only half of small urban hospitals have two-factor authentication capability…Fewer than half of U.S. hospitals support an infrastructure capable of two-factor authentication, The Office of the National Coordinator for Health IT reported…while 35 percent of critical access hospitals and 40 percent of small rural hospitals report the lowest levels of capability…Two-factor authentication requires users to give at least one other form of identification beyond username and password to get access to electronically protected information, such as a PIN and fingerprint or voice recognition…The process is a low-cost, effective way to meet HIPAA standards, but not enough hospitals have implemented it into their cybersecurity plans…cybersecurity experts assert reported levels of adoption are still drastically low, given the steady rise in healthcare data breaches and the increase in hackers targeting the healthcare industry…Some states are above the bar on establishing two-factor authentication. Ohio ranked at the top with 93 percent adoption…Vermont, with 83 percent…Delaware, with 81 percent…On the other hand, Montana, with 19 percent, North Dakota, with 23 percent, and Maine, with 26 percent, saw the lowest percentages…
- Keystroke logger detected on hospital’s computers (healthcareitnews.com)
A hospital in Kentucky is notifying patients of a security incident, after it was discovered that some of its computers had been infected with a keystroke logger designed to capture and transmit data as it was typed…Muhlenberg Community Hospital had detected the malware on some of its machines…Affected computers were used to enter patient financial data and health information, potentially including names, addresses, telephone numbers, birth dates, Social Security numbers, driver's license/state identification numbers, medical and health plan information, financial account numbers, payment card information and employment-related information. Additionally, some credentialing-related information for providers may also be impacted…officials did say that they believe the malware could have captured username and password information for accounts or websites that were accessed by employees, contractors or providers using the affected terminals.
- Lack of cyber security draws hackers to hospital devices (ft.com)
Imagine if simply typing “password123” into a computer did not open your email account, but an internet-connected medical device responsible for feeding you drugs or monitoring your blood oxygen or insulin levels...It may sound like the nightmare stuff of fiction, but the lack of basic cyber security on hospital equipment is attracting hackers who want to use them as a way to enter medical networks...Experts say that while they have not yet seen someone die as a result of hacking, the risks are growing...Motives for attacks could range from wanting to harvest patient information or stealing intellectual property from medical trials to simply wanting to create chaos...Devices with default passwords that are left unchanged, and outdated operating systems that are connected to the network, such as medical databases, are all too common in healthcare...Each provider needs to carefully examine for themselves what types of risk are being brought in by new devices. They will have to give careful consideration to making sure they are kept up to date, behind firewalls and in networks segmented off from key medical and personnel data…
- 7 cyber threats worse than PHI breaches (healthcareitnews.com)
Healthcare IT security: you have a bad reputation. When it gets down to healthcare there’s always a little chuckle about how bad they are…This year was among the worst in cybersecurity across the healthcare sector…On average, companies that got breached did not know it for 270 days and some had even been breached for seven years without knowing it…that two-thirds of those entities did not even discover the breach internally; it was pointed out to them, either by someone outside the organization or by the federal government...As bad as breaches are, however, there are other worse threats emerging that hospital CIOs, CISOs and IT departments should understand and prepare for.
- Ransomware
- DDoS (Distributed Denial of Service)
- Wiper attacks
- Intellectual property theft
- Straight theft of money
- Data manipulation
- Data destruction
- Patient data breaches widespread, beyond healthcare (healthcareitnews.com)
9 in 10 industries report PHI breaches; many unaware protected data exists within company records…It's not just hospitals. Or even payers. Some 392 million health records have been accessed in 1,931 protected health information breaches across a staggering 90 percent of industries, according to preliminary findings from a new Verizon report…These industries, across 25 countries, have seen health insurance information, personnel files or other data outside of traditional healthcare settings or industries stolen…"What makes our findings even more troubling is that many sectors - especially those outside of the healthcare industry - aren't even aware that they hold this type of data,"…Unlike with other data breaches, PHI breaches face an equal number of internal and external hackers…hacker tactics are determined by the type of data they're seeking and its location, rather than the country or company size…"This data can be extremely damaging in the hands of those wanting to commit various types of financial fraud,"...