Electronic Health Records

October 31, 2018 by Joseph Martin

Anthem is one of the largest insurance providers in the United States. Unfortunately in 2015, they had the dubious honor of suffering the largest health data breach in history. It left protected health information of nearly 79 million of their customers exposed.

As a result, a division of the US Department of Health and Human Services called the Office for Civil Rights (OCR), levied the largest fine against the company in the agency’s history. They were fined a staggering sixteen million dollars.

An investigation into the matter revealed that Anthem had not put sufficient safeguards in place to protect patient data. As a result, hackers were able to breach the system via a phishing attack and make off with customer names, addresses, dates of birth, social security numbers, email addresses and employment information.

The Director of OCR, Roger Serverino, had this to say:

“The largest health data breach in US history fully merits the largest HIPAA settlement in history. Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information. We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”

Tim Sadler, the CEO of Tessian, added the following:

“During the three years since the Anthem breach took place, spear-phishing attacks have increased significantly in their indistinguishability and effectiveness. Yet human error has remained inherent, inevitable, and largely ignored as a security vulnerability by organizations.”

He concluded his remarks by pointing out that advanced AI algorithms and machine learning could be employed to help spot the kinds of attacks used to such great effect against Anthem, in order to minimize the risks going forward.

If your business is in any way connected to the healthcare industry, this approach certainly bears further investigation.

Joseph Martin

President & CEO
I hope you enjoyed this article. My mission is to take your stress away from dealing with IT problems. Call (252) 565-1235 or send me a message at our contact us page if you have a question, comment or want help.

May 26, 2018 by Joseph Martin

Depending on which side of the privacy debate you’re on, you’re either going to love or hate this announcement:

“Fitbit intends to use Google’s new Cloud Healthcare API to help the company integrate further into the healthcare system, such as by connecting user data with electronic medical records.”

Rarely has a single sentence been so fraught with risk, while simultaneously promising such great opportunity.

On the plus side, the potential for innovation is virtually unlimited, and this new partnership will no doubt be a boon for the still-struggling wearables market. There are also potential increases in health care delivery efficiency, but the privacy concerns surrounding the issue are very real.

One has to only think back to the recent Allscripts fiasco, in which some 1,500 healthcare providers found themselves impacted by a nasty ransomware attack.

Google already collects copious amounts of data on its users, and with Fitbit angling to tap into healthcare records, the amount of private and personally identifiable information collected on users is bound to grow exponentially.

In addition to that, depending on exactly what data Fitbit attempts to link, it could very well make them a “business associate” from a HIPAA perspective. This can expose one or both companies to increased liabilities and vastly stricter standards on how the data can be used, and the steps that must be taken to safeguard it.

Right now, those details are very much in the air, and the issue could go either way. But there are some legal experts who believe that Google and Fitbit will be able to skirt the issue sufficiently so that they will not gain the “business associate” classification.

For Fitbit’s part, the company had this to say: “We have a longstanding commitment to privacy and data, and our data practices will continue to be governed by the Fitbit Privacy Policy. We are not sharing our user data with Google, we are partnering with Google to host Fitbit user data, similar to other cloud/hosting service providers. We take our obligation to safeguard users’ personal information very seriously and are committed to protecting the privacy and security of our users, while being transparent about our data practices.”

Comforting words, but they have done little to allay the concerns of privacy advocates, who see any number of negative outcomes associated with the new partnership. This is a debate that will no doubt be continuing for quite some time to come.

Joseph Martin

May 19, 2018 by Joseph Martin

The Department of Health and Human services has issued a warning to healthcare providers to be on high alert for the SamSam strain of ransomware, which has been used to attack eight different health care entities so far this year.

SamSam made its first appearance in 2016 and is seeing increasingly widespread use so far this year. Unfortunately, the healthcare industry is considered by most to be a soft target. On the Dark Web, healthcare data has become more highly sought after than credit card data, which is only going to put more healthcare entities at risk.

The most tragic component of this is that when a hospital’s network goes down, they stand to lose more than just money and control over patient data. Lives are also at risk. Although none of the attacks to this point have resulted in patient deaths, it’s statistically inevitable. As these attacks continue to increase in frequency, scope and scale, sooner or later, someone will die because of them.

According to security experts, the root of the problem lies in the fact that guarding against such attacks is seen as fundamentally an IT issue. The truth is that it is an organization-wide issue, and should be treated as such, because attacks like these pose an existential threat. Treating the issue as something for a single department to be responsible for inevitably leads to a lack of funding and an inadequate incident response plan. This leaves most organizations completely unprepared to deal with an attack and its aftermath.

Even more worrisome is the fact that an increasing number of ransomware attacks simply destroy the data. Sure, the ransom note still gets displayed, but the hackers simply have no intentions of unlocking the files, and they build their software accordingly. Most recently, hackers have taken to corrupting encrypted data files, which can cause lingering problems for months or even years after they’re unlocked.

This problem is only going to get worse until we all start taking data security more seriously.

Joseph Martin

April 13, 2018 by Joseph Martin

There’s a lot to talk about in Apple’s latest update to iOS. Version 11.3 boasts some significant changes and is well worth getting. We’ll go over the highlights below.

Battery management is the biggest and most significant change. Last year, the company found itself in hot water when they began quietly throttling older phones and slowing down their performance because older phones have batteries that begin to degrade. In the absence of throttling, it’s entirely possible that a user’s phone will simply shut down when it attempts to run a process that requires more power than the aging battery can provide.

Despite the company’s good intentions, their decision to throttle older phones met with serious backlash from their normally adoring customer base, and the company has changed their approach in 11.3. Now, throttling is optional and under user control if you have an iPhone 6, 6S/6S Plus, 7, or 7 Plus SE. However, all users, regardless of model now have access to a new battery health screen so they can keep tabs on the condition of their battery and make good decisions about if and when to replace.

Another significant change is the addition of a new Health Records section, which allows users to get easy access to their medical records if their doctor also utilizes the app.

On the business side, the 11.3 update comes with Business Chat, which allows select businesses to communicate with customers directly in the iMessage app, rather than via social media or email. While there aren’t a lot of companies taking advantage of this feature yet, you can bet that in coming weeks, you’ll see a slew of big names signing up to take advantage of the service.

There is a raft of other, smaller features in 11.3, but even if there weren’t, the “Big Three” mentioned here would make the update well worth getting. Kudos to Apple!

Joseph Martin

March 26, 2018 by Joseph Martin

It used to be the case that credit card companies and retail outlets were the primary targets of hackers around the world. Make no mistake, they still get attacked with regularity, but the hackers have found a new and even more lucrative target: Health Organizations.

According to a new report jointly produced by the Ponemon Institute and Merlin International, the medical/healthcare industry suffered nearly a quarter (23 percent) of all the data breaches that occurred in 2017. It gets worse. Those breaches exposed PHI and PII of more than five million individuals.

The reason for the shift away from credit card data to medical records comes down to profits. PHI and PII can often be sold on the Dark Web for ten times the amount that credit card information will bring. The hackers are simply obeying the laws of economics and going where the money is.

Brian Wells, the Director of Healthcare Strategy at Merlin International had this to say about the report:

“In an increasingly connected, digitally centric world, hackers have more opportunities and incentive than ever to target healthcare data, and the problem will only increase in scope over time.

Healthcare organizations must get even more serious about cyber security to protect themselves and their patients from losing access or control of the proprietary and personal information and systems the industry depends on to provide essential care.”

Worst of all, a shocking percentage of medical/healthcare companies don’t seem to be serious about cyber security at all. Although the average cost of a medical data breach is approximately four million dollars, a staggering 49 percent of companies in the industry don’t have an incident response plan of any kind. There’s no process in place to properly respond to an attack, or to mitigate the fallout if a breach occurs. These companies are sitting ducks.

Used with permission from Article Aggregator

Joseph Martin

December 10, 2017 by Joseph Martin

Cottage Health System, a company that operates five hospitals in the Santa Barbara area of California, is the latest firm to have been hit with a hefty fine for losing control of PHI and PII for patients that it serves.

In this case, more than 55,000 patients were impacted between 2013 and 2015.

Cottage Health discovered the breach late in 2013. The company received a voicemail message informing company officers that there was a large file containing PHI of an unspecified number of its patients available online, without encryption or password protection that could prevent unauthorized access. In 2015, the company suffered a second, much smaller breach that impacted 4,596 of its patients.

As a result of the investigation that followed, the California Attorney General determined that the Cottage Health System had violated California’s Confidentiality of Medical Information Act, as well as several federal HIPAA regulations.

Under the terms of the agreement, in addition to a $2 million fine, the company has been required to upgrade its data security practices, including:

• Training employees on the collection, storage and proper use of PHI and PII

• Maintaining a reasonable set of policies and protocols surrounding incident tracking reports, risk assessment, data retention, internal audits and incident management plans, subject to external review

• Encrypting all PHI and PII in transit

• Assessing all hardware and software used in Cottage Health’s network for potential vulnerabilities, and upgrading as appropriate

• And conducting periodic testing to identify and address additional vulnerabilities.

This most recent incident serves as a painful reminder to any company involved in the handling of PHI and PII. According to Elizabeth Hodge, a health care attorney of the law firm Akerman, LLP:

“Even if the Office for Civil Rights slows down its enforcement activities going forward, covered entities and business associates should still anticipate enforcement activity by state attorney’s general enforcing their respective state laws.”

Joseph Martin

October 19, 2017 by Joseph Martin

Data security is no laughing matter, and even small exposures can lead to hefty fines, no matter the size of your company.

Last year, the federal government sent shockwaves through the industry when they began an aggressive campaign of investigating and punishing companies for HIPAA infractions, logging more than a dozen high profile settlements.

While it’s true that this particular case did not involve a HIPAA violation, it has much in common with the hefty fines the federal government has been levying as of late for even small HIPAA infractions. This particular incident revolved around a spreadsheet which contained personal data on 660 ACA enrollees in the state of Vermont.

The spreadsheet was on a remote server managed by Samanage USA, a small North Carolina-based IT support service, and was improperly secured, allowing for unauthorized access to it.

As it happened, one of the people on the spreadsheet was doing a Google search of her own name and came across the entry in a search result. When she saw it, she immediately notified the state’s Attorney General, which prompted a formal investigation.

The search result was traced back to Amazon’s Web Services platform, and then to Samanage. An Amazon engineer emailed Samanage to inform them that it had PII improperly secured and publicly accessible, and asked them to remove it.

Samanage began an investigation of their own, found the problem and promptly corrected it, but failed to inform their client company, WEX Health about the breach.

Ultimately, this is what got Samanage in trouble. According to the settlement, the $264,000 fine was levied specifically for not notifying the proper authorities that the breach had occurred, which, under Vermont state law, included WEX Health.

The reason that this was not seen as a HIPAA breach was that Samanage was a subcontractor for the information services provider to a health plan offered through the ACA’s marketplace. As such, they were designated as a non-covered entity where HIPAA privacy, security, and breach notification rules were concerned.

Imagine how much bigger the fine would have been if they had been in violation. A sobering thought indeed.

Joseph Martin

Contact Info

Navigation