Cybersecurity

Arizona Cybersecurity HIPAA Fine
Cybersecurity, Fines, HIPAA

Big Fish, Big Fine

February 3, 2023 Comments Off on Big Fish, Big Fine

February 3, 2023 A hacker dropped a line and an Arizona-based nonprofit health system got baited, hook line and sinker. Yesterday, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights announced a settlement resolving a data breach. The breach, executed by a “threat actor”, disclosed the protected health information of 2.1 million consumers. Ouch!  Outlined by the HHS, the HIPAA violations include: The investigation began back in 2016 after OCR received a receipt of a breach report. The hacker was able to access PHI such as patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medication, diagnoses and conditions, and health insurance information.  As part of the settlement, the hospital paid $1,250,000 to OCR and agreed to a Corrective Action Plan. The plan highlights efforts to resolve their violations against the HIPAA Security Rule.  Before you catch yourself becoming a victim of “here fishy fishy”, make sure all your ducks – or should we say fish – are in a row. As we continue to see the relevance and impact of cybersecurity incidents increase, you should be more alert and secure than ever. And if you’re thinking, well that was a hospital – that could never happen to me, be careful what your next Go Fish card is. Whether you’re a big fish in a little pond or a little fish in a big pond, hackers are targeting healthcare. This particular hospital is facing extensive hours of work to complete its Corrective Action Plan which includes conducting a risk analysis, developing a risk management plan, implementing and distributing policies and procedures, and regular follow-up with the HHS. Conveniently, these are all things Abyde can help with. Reach out today to find out how we can save you over 80 hours a year and a time-consuming Corrective Action Plan down the road.

Easy way to understand ePHI
Cybersecurity, HIPAA

Toothpaste, Baseball, and ePHI

December 2, 2022 Comments Off on Toothpaste, Baseball, and ePHI

December 2, 2022 Covered entities and business associates, like healthcare providers, that use online tracking technology should be aware of their ePHI management to HIPAA standards  OCR Recently Released a Bulletin Outlining the Proper Use of Tracking Tech in Accordance with HIPAA Compliance Have you ever talked about being out of toothpaste at work, and then when you get home there’s an ad for Colgate on your tablet as you decide what to order for dinner? It’s creepy, but it’s efficient. You’ve been targeted and the Colgate marketing department is doing its job. In this example, the transmission of your tracked demographics and shopping habits is not as sensitive as the transmission of your patient’s data.  Yesterday, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a bulletin regarding the correlation between sharing electronic protected health information (ePHI) and online tracking technology. While we aren’t experts in targeted advertising, we are HIPAA experts. There are rules that apply to regulated entities, like you, when collecting information through tracking technologies or disclosing ePHI to vendors you may be working with. The OCR put it plainly, “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA rules.”  Do you know if your PHI is being captured through online tracking? Are you monitoring what patient data is being shared with third-party vendors? Even more important, do you use Google Analytics or Meta Pixel – if so, you might want to listen up. Whether you set this tracking up yourself or a third-party agency did, without permissible disclosures from your patients, if their ePHI is shared through the tracking technology, you are putting your practice and patients at risk.  Let’s head around the bases to make sure you’re covering your bases.  Nice base hit – you made it to first. The first thing you can do is ensure you have Business Associate Agreements (BAA) in place with all third-party vendors, especially those who create, maintain, or receive ePHI. While you’re cross-checking if your vendors meet the definition of a business associate, make sure your agreements denote the permitted use case for ePHI.  And the crowd goes wild – way to steal second. Before you think well I’ll just ask the vendor to delete any protected data before they use or save it, that’s not going to cut it. Per the OCR, “Any disclosure of PHI to the vendor without individuals’ authorizations…requires that there is an applicable Privacy Rule permission for disclosure.” Through the Privacy Rule, patients are empowered to have more control over their health information to access and make any changes as needed and boundaries are set on the use and release of health records, including the minimum necessary standard for information disclosures.  A bunt from your teammate gets you over to third – nice work! Before we round out to home, ask yourself if the risk is worth the reward. And if you’re still unsure, check in with your Security Risk Analysis and scorecard – another benefit to Abyde’s ongoing compliance. We work with you to identify the potential risk and exposure associated.  As we make our way to home base, we will summarize with this: if ePHI is involved in any of the data the tracking technology is sharing, HIPAA rules need to be followed. Here are the final words from the OCR, “all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.”

NIST Updated HIPAA Guidance
Cybersecurity, HIPAA

The National Institute of Standards and Technology (NIST) Updates Guidance on HIPAA Compliance Rules

January 29, 2022 Comments Off on The National Institute of Standards and Technology (NIST) Updates Guidance on HIPAA Compliance Rules

July 29, 2022 You know that exciting feeling when apps have an update that adds awesome new features?! It’s like Christmas morning over here for us at Abyde. The National Institute of Standards and Technology (NIST) just updated its guidelines and added an awesome new feature! After six years, NIST made a significant update by providing guidance to HIPAA-covered entities to follow the HIPAA Security Rule in order to better safeguard patients’ personal and protected health information. Read below to find out what changes were made to the guidelines.  The revised guidance connected HIPAA Security Rule items to NIST Cybersecurity Framework subcategories. The advice remains mostly unchanged, with a few minor structural changes and a renewed emphasis on risk assessments and risk management. NIST Cybersecurity Specialist, Jeff Marron states, “We provide a resource that can assist you with implementing the Security Rule in your own organization, which may have particular needs. Our goal is to offer guidance and resources you can use in one readable publication.” NIST recommended the following guidelines for practices: NIST Cybersecurity Specialist, Jeff Marron also stated, “The identification of vulnerabilities or conditions that a threat could use to cause impact is an important component of risk assessment. While it is necessary to review threats and vulnerabilities as unique elements, they are often considered at the same time,”. It is important to note that HIPAA and cybersecurity operate best as a team, and a practice with both will operate smoothly. We all understand the need of HIPAA compliance, but practices must also understand the importance of cybersecurity. The more funding and resources allocated to IT security employees, the better off the firm will be when cyber dangers eventually arise. Satisfying HIPAA and cybersecurity regulations is critical to safeguarding your practice and patients from a data breach or HIPAA violation. While these are undoubtedly items that should be emphasized regardless of the government’s spending intentions, the suggestions by the government and NIST add a sense of urgency to ensuring that these vital protections are in place. With the increasing frequency of cyberattacks going on nowadays, ensuring HIPAA compliance is more important than ever.  We were chatting with our Partner, Darkhorse Tech, and they talked about how HIPAA compliance services provide a framework for security (essential for any dental business), but they do not provide a proactive response to cyber threats. Instead, they provide preventative methods to safeguard your data and keep you in compliance. So in order to have everything covered your practice needs to adopt an additional layer of security, you should no longer rely exclusively on low-quality anti-virus software to defend you. By enlisting the help of specialists who are actively working to prevent an attack before it occurs, reacting to any threats in real-time, and staying up to speed on the current and impending dangers, you can shift your security measures from preventative and reactive to proactive. Darkhorse Tech CMO, Brian Ash, states, “The latest updates to HIPAA make compliance, reporting, and cyber security even more vital for our clients.  While we have been recommending the addition of Abyde for HIPAA compliance for some time, the new guidelines make now the time to commit.  Along with Abyde’s software we are making the addition of a Security Operations Center (SOC) our top priority.  We vetted many options but are recommending Blackpoint Cyber as our SOC of choice.” As we can see, the NIST provided a great update to their Quizlet so that your practice can maintain a good grade in compliance school. So, I think it is time to take a step back and review that NIST guidance so that your practice can always pass the exam! So ensuring that you’re adequately securing this data begins with a thorough knowledge of what needs to be secured and that’s why we have the ideal study partner for you (Abyde) to assist you with all of your compliance needs!

$600K Settlement for HIPAA Breach
Fines, HIPAA

NY Attorney General Announces $600K Settlement for HIPAA Breach Impacting 2.1M People

January 28, 2022 Comments Off on NY Attorney General Announces $600K Settlement for HIPAA Breach Impacting 2.1M People

January 28, 2022 We aren’t even a full month into 2022 and it’s already looking like increasing HIPAA enforcement might be a New Year’s Resolution for the state of New York. Starting the year off strong, New York Attorney General Letitia James just announced a $600k settlement with vision benefits provider EyeMed as a result of a healthcare data breach that compromised the Protected Health Information (PHI) of over 2 million individuals. It all started back in June of 2020 when cybercriminals got ahold of an EyeMed email account after the provider failed to implement any multi-factor authentication and sufficient password management processes. In just a week of the hackers having access to the EyeMed email account, they were able to obtain emails and attachments from up to six years prior. The following month, the same attacker used the email account to send out 2,000 phishing emails, looking to acquire the login credentials of other EyeMed users. This lack of proper safeguards and security protocols enabled millions of individuals’ names, social security numbers,  addresses, medical diagnoses’ and other sensitive data to be compromised. This latest settlement adds on to the continued rise in cyber attacks and government enforcement seen over past years, further proving just how important having a strong cybersecurity and HIPAA program are for healthcare providers. So if your New Year’s Resolution is to avoid a cyberattack yourself, we recommend ensuring that you have the following in place: While data breaches and cyberattacks aren’t always totally avoidable, checking off the list items above is a great way to reduce your chances. But in the case that you’ve already experienced a data breach in 2021, it’s important to note that the annual minor breach reporting deadline (classified by HIPAA as incidents impacting fewer than 500 individuals) is rapidly approaching on March 1, 2022. And as for any major incidents affecting 500+ individuals – the reporting requirement is within 60 days of discovery (or less depending on your state). So some final words of advice? Have the necessary compliance and security programs in place to protect your practice from falling victim to an attack like EyeMed. And in the chance that you do experience a breach, follow the breach reporting requirements to reduce the fines and penalties that could come as a result.  

Controlling Access to Your ePHI
Cybersecurity, HIPAA

How Are You Controlling Access to Your ePHI?

July 22, 2021 Comments Off on How Are You Controlling Access to Your ePHI?

July 22, 2021 While there might not be such a thing as a real-life fairy godmother, technology has granted us the power to access a whole world of information with just a click of a mouse. Anything from research, shopping, to chatting with friends is now so simple it almost seems like magic, but this “instant-access” ability is a double-edged sword when it comes to the privacy and security risks that follow in its reign. Now if there’s one industry that truly feels the weight of technologies twofold, it’s healthcare. While sharing, receiving, and storing electronic protected health information (ePHI) is now easier than it ever was before, the heightened number of healthcare data breaches and cyber attacks seen over recent years have identified the ‘Achilles’ heel’ of technology’s power of accessibility. This ongoing battle between ease of access and security risks has been the topic of several Office for Civil Rights (OCR) alerts shared over the past year, and most recently, the main focus of their Summer 2021 Cybersecurity Newsletter.  The newsletter titled “Controlling Access to ePHI: For Whose Eyes Only?” highlights a recent report that found that “61% of analyzed data breaches in the healthcare sector were perpetrated by external threat actors.” So while most healthcare organizations know not to go and give the keys of the castle away to just anyone, technology has made access a possibility for really anyone who has a decent internet connection. But the even more striking statistic featured in the newsletter? It’s not just hackers that you have to worry about, the security incident report also uncovered that 39% of those data breaches were actually committed by insiders. Though most fairy-tales feature an evil villain, these insider breaches aren’t always the result of a malicious act. In addition to the multi-million dollar hacking schemes that we see all too often, are stories of staff impermissibly accessing ePHI or leaving sensitive data unattended. So if you’re wondering how you can best protect your practice, the answer is to have the proper authorization policies, procedures, and controls in place.    When it comes to those necessary policies and controls, the HIPAA Security Rule identifies certain standards and specifications that healthcare organizations are required to implement. The two standards, Information Access Management and Access Control, are administrative and technical safeguards that work in tandem to protect and secure ePHI – but what exactly do they entail? Information Access Management This standard essentially defines how access to ePHI is authorized and requires HIPAA-covered entities and business associates to implement policies and procedures regarding information access. So, what do some of these specific policies include? Access Control In addition to the administrative requirement for access management, Access Control is a technical safeguard that actually limits the availability of that ePHI based on the organizations’ Information Access Management policy. The OCR’s newsletter describes the necessary controls to coincide with the “flexible, scalable, and technology-neutral nature of the Security Rule” and provides a wide range of control mechanisms for organizations to consider and implement where they see fit. They also provide four implementation specifications which include: So as complementary requirements of the HIPAA Security Rule, your organization is expected to have these standards in place to best prevent both outsider and insider threats. And while it would be nice if you could just have a knight in shining armor there to guard your practice from cyber threats and impermissible ePHI access – implementing the safeguards provided above, and ensuring all staff members are trained on proper access, is the next best thing.

Latest OCR Cybersecurity Updates
Cybersecurity

Latest OCR Cybersecurity Updates

July 1, 2021 Comments Off on Latest OCR Cybersecurity Updates

July 1, 2021 With Cyber Security Awareness Month right around the corner, the multiple cyber alerts issued by the Office for Civil Rights (OCR) in the month of June serve as a perfect preamble for the importance of prioritizing data protection all year round. These government-issued Cyber Alerts have become all too familiar in the healthcare industry, with the past year seemingly filled with emergency directives and scam tactics to be aware of. So with healthcare data breaches on the rise and the most recent warnings of a heightened risk of ransomware and IT system vulnerabilities – ensuring your organization has the necessary programs in place is essential to avoid falling victim. What did the most recent Cyber Alerts cover?  In early June, the White House and Cybersecurity and Infrastructure Agency (CISA) released a memo titled “What We Urge You to Do to Protect Against the Threat of Ransomware.” This alert urged healthcare organizations to take appropriate action in protecting against ransomware threats and covered several best practices that providers can take to enhance cybersecurity including: While keeping up with the above steps should be done on a regular basis, the more recent OCR notice covers additional vulnerabilities organizations should be aware of. According to the memo shared on June 25, 2021 – Eclypsium Security Researchers have discovered a vulnerability in the Dell BIOSConnect feature available on over 180 models of consumer and business devices. Dell urges all customers to ensure that their devices are updated to the latest version and provided a full list of impacted devices and steps to address the vulnerability that can be found here.  Additionally, this memo also included an advisory from CISA due to the multiple vulnerabilities found in the ZOLL Defibrillator Dashboard. The agency warns that these vulnerabilities may allow a remote user to take control of an affected system and emphasizes that all organizations should review the ICS Medical Advisory and apply the recommended mitigations.  So now what?  Well, for any healthcare organization of any size – data breaches and cyberattacks are becoming more and more of a concern. Implementing the necessary technical safeguards,  following guidance on ransomware prevention, and keeping all devices and IT systems up to date with the latest version is key to steering clear of heightened vulnerabilities like the ones outlined in recent government memos. Unfortunately, as technology and threat actor tactics continue to evolve, these new and increasing threats don’t seem to be going away anytime soon. So keeping your practice and your patients’ data protected in the long run starts with having both a security AND compliance program in place now.

HIPAA Compliance and Security
Cybersecurity, HIPAA

Compliance and Security: A Match Made in HIPAA Heaven

December 29, 2020 Comments Off on Compliance and Security: A Match Made in HIPAA Heaven

December 29, 2020 Peanut butter and jelly, macaroni and cheese, rock and roll – there’s really no mistaking that some things are just better in pairs. While these might be the obvious examples to tag along with the old 80’s hit “It Takes Two to Make a Thing Go Right”  there’s another dynamic duo that plays an important role in your practices’ daily operations: Compliance and Security.  Compliance and security go hand-in-hand, making the perfect team when it comes to protecting patient data. But falling into the trap of thinking that achieving one means meeting the other can mean double trouble for your practice – so it’s important to understand the differences between the two and how to ensure you’re checking both off your list.  What is compliance? Compliance is kind of like the bread and butter of your practice. It essentially focuses on the regulatory requirements involved in the protection of sensitive patient data – meaning that you not only have a secure technical environment but also have the know-how and documentation to prove it. Compliance is a comprehensive set of standards that practices must meet to avoid fines but should be viewed as more of a baseline when it comes to security, not the end all be all. Complying with HIPAA means meeting various requirements outlined in the HIPAA Security and Privacy Rule – but there’s more to the story when it comes to ensuring that patient data is fully protected.  What is security?  Security is the whole system of policies, processes, and technical controls specific to your practice. The goal of security is to ensure the best possible protection of the confidentiality, integrity, and availability of patient data – which in the age of technology means constantly updating to mitigate the risk of ever-changing threats. When we think of security we often think of locks on practice doors and passwords on computers but those safeguards only brush the surface of true security.  Having the proper technical safeguards in place, and staying up to date on any new threats, such as the recent threat to Microsoft Exchange vulnerabilities knowing how to properly mitigate a potential threat, and staying educated are just some ways to meet your practice’s security needs.   So, what’s the difference?  While both are crucial in protecting patient data, security and compliance are not one and the same. The key distinction between the two is that compliance requirements are a bit more predictable whereas security standards are rapidly evolving with current risks and threats. This, unfortunately, means that even if you check off each of the compliance requirement boxes doesn’t exactly mean that your practice is 100% secure –  which is why you are still at risk for a cyberattack even if you have a complete HIPAA compliance program in place.  Why you need both!  Just like Batman and Robin, when you put the two forces together – they’re pretty unstoppable. And with cyberattackers playing the role of the modern-day villain, establishing strong compliance AND security programs are the best, and perhaps the only way to ensure you’re taking every measure to protect patient data. 

Cybersecurity Awareness Continues
Cybersecurity

Cybersecurity Awareness Continues

October 29, 2020 Comments Off on Cybersecurity Awareness Continues

October 29, 2020 Cybersecurity Awareness Month is wrapping up (believe it or not it’s almost Halloween, if you’ve lost track of the days this year like we have), but as the month ends the protections and measures you have in place to prevent a cyberattack should remain in full force.  Just a quick glance at our HIPAA news page shows a growing list of recent HIPAA enforcement efforts, many stemming from cyberattacks that could have been avoided. Couple that with growing cyber threats during COVID-19 and you have yourself a pretty good idea of why cybersecurity should stay top of mind for months to come. We know that the word ‘cybersecurity’ can be a little vague – and even daunting – so here’s a recap of the latest and greatest threats to watch out for: Ransomware Activity  Phishing Schemes Missing Key Technical Safeguards Properly Mitigating Potential Threats Staying Educated   Not convinced cybersecurity is important? Just look at the data:  We can probably agree that unless you put your practice in a bubble there really is no such thing as being 100% protected from every cyberthreat out there. Since totally cutting off your patient’s sensitive information is impossible, the next best thing is to have all the necessary technical safeguards and be aware of how to properly handle a threat.  

Cybersecurity Awareness Month
Cybersecurity

Cybersecurity Awareness Month

October 1, 2020 Comments Off on Cybersecurity Awareness Month

October 1, 2020 Today may be the kickoff of Cyber Security Awareness month, but it’s never too early (though, possibly too late) to pay attention to the cyberthreats that surround independent practices.   Now we know there’s probably plenty of other things that sound a little more exciting than cybersecurity – but the recent Cybersecurity Advisory from the Office for Civil Rights (OCR) highlights why having the right safeguards in place to secure your patient’s protected health information (PHI) is, well, kind of a big deal. With the rapid increase of cyber threats due to COVID-19 already on your mind, here’s some key takeaways appropriate to cybersecurity awareness month to help your practice handle a suspected cyber threat like a pro:   We know that channeling your inner investigator and hunting for clues does sound like fun but knowing how to handle a suspected breach is just the tip of the iceberg when it comes to cybersecurity. While there’s no sure-fire way to avoid falling victim to a cyberattack, you can implement various technical safeguards to reduce the risk.  Having a strong defensive line isn’t just important for football (cybersecurity isn’t the only thing we’re excited about this month) – it’s also imperative to making it a bit harder to access your practice’s data. Having multiple barriers to entry and a better understanding of how to detect a threat is the best way to protect your practice and following the right process after an attack will help to mitigate the damage done.

$1.5 million HIPAA Fine
Cybersecurity, Fines, HIPAA

OCR Announces $1.5 Million Dollar Settlement for Systemic Non-compliance after a Hacking Incident Sparked Investigation

September 21, 2020 Comments Off on OCR Announces $1.5 Million Dollar Settlement for Systemic Non-compliance after a Hacking Incident Sparked Investigation

September 21, 2020 The OCR is certainly seeing $$$ this September. On top of the record five fines announced last week, the Office for Civil Rights (OCR) has just announced the latest settlement of a whopping $1,500,000 fine and 2-year corrective action plan for an orthopedic clinic out of Georgia. Athens Orthopedic Clinic found themselves in the HIPAA violation hot seat after a hacking incident sparked an OCR investigation beginning in 2016. The OCR found Athens Orthopedic had longstanding noncompliance with HIPAA rules, especially required technical safeguards, that led to the breach incident.   On June 26, 2016, the orthopedic clinic was notified that their database of patient records had been posted online for sale. Two days later, a hacker contacted the clinic demanding money in return for the stolen database. After investigation, Athens Orthopedic determined that the hacker was able to gain access through a vendor’s credentials on June 14, 2016, and the hacker continued to access protected health information (PHI) for a month after the initial breach. On July 29, 2016, Athens Orthopedic filed a breach report with the OCR noting all of the sensitive PHI that had been hacked: names, dates of birth, social security numbers, and other personal medical information of the 208,557 patients affected. The breach initiated a full-scale investigation into the clinic’s HIPAA program, where the OCR discovered a laundry list of key compliance elements that the practice was missing: Cyber threats are an ongoing and rising threat to the healthcare industry. When practices lack the proper safeguards to secure their patients’ PHI, they put themselves at the top of hackers ‘easy target’ list (would your practice be posted if such a list existed?). Along with the fine, OCR Director Roger Severino emphasized that “Hacking is the number one source of large healthcare data breaches. Healthcare providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers.” So how do you ‘hack proof’ your business? Well, you probably can’t completely prevent a hack given how quickly hackers adapt to new security measures, but your practice CAN go a long way to avoid being targeted (and getting slapped with a HIPAA fine) by ensuring your HIPAA compliance program – especially your technical safeguards – is up to scratch.

Concerned about HIPAA & OSHA compliance requirements in 2025? Join our live webinar for expert answers to the most common questions to ensure your practice is protected.

REGISTER TODAY
X