8 Tips on Giving Patients Access to Their Records

HHS Points to Ways to Improve Compliance With HIPAA Requirements

Under the HIPAA Privacy Rule, patients and their authorized representatives have the right to access their electronic or paper health records. Unfortunately, that is often easier said than done, and federal regulators want that to change. Complaints from patients about lack of access to their records have consistently remained among the top five issues in HIPAA cases investigated and closed with corrective action by HHS' Office for Civil Rights. To help address the issue, HHS leaders have issued a new training module and a research report. Patient access can be a tricky issue: the policy is straightforward – give the patient his or her information – but execution is often more complicated.

Training Module

OCR's latest training module notes that "an individual has the right to receive protected health information in the form and format requested if readily producible." What is readily producible depends on the entity's capabilities: if an entity maintains information electronically, at least one type of digital format must be made accessible to the individual. The individual also has the right to specify the mode of transmission or transfer, including unsecure email, as long as the individual is warned about the security risks, according to OCR. Patients can also ask for other modes of transmission if the request is within the entity's capabilities and the mode would not present unacceptable security risks to PHI on the entity's systems. Individuals also have the right to request that a healthcare provider transmit their health information to a third party, which could include a competing healthcare provider, a family member or friend, a research institution, or a mobile health application.

Tips for Providing Access

The ONC report notes: "Healthcare practices have the opportunity now to improve their records request processes and reduce the burden on consumers." Among the report's tips for improving the ability to provide patient access to records is creating "a streamlined, transparent, and electronic records request process" that may include:

- Allowing patients to easily request and receive their records from their patient portal.
- Setting up an electronic records request system outside of the patient portal.
- Creating a user-friendly, plain-language online request process.
- Using e-verification to quickly confirm the record requestor's identity.
- Including a status bar or progress tracker so consumers can see where they are in the request process – for example, indicating when the request is received, when their records are being retrieved, and when they're ready for delivery.
- Making sure consumers know that they can request their record be provided in different formats – such as PDF or CD – and delivered in the way they choose, such as by email or sent to a third party....


How Vulnerable Are Your ATMs?

Attackers are increasingly hacking into banks' networks to gain access to the IT infrastructure connected to their ATMs. They then push malware onto the ATMs that allows a low-level gang member to walk up and enter a preset numerical sequence into the ATM to make it dispense all of its money, in what's known as a "jackpotting" or "cashing out" attack. Such attacks also allow them to steal card data from the ATMs. For attackers, the appeal is simple: it's safer and easier than walking into a bank with a gun and trying to rob it.

Many remote attacks that install malware on ATMs begin with a phishing attack against a bank employee. Network-based attacks require more intelligence than physical attacks; however, this tactic allows cybercriminals to extract cash on command from multiple ATMs. These remote-access attacks can also bypass existing defenses, such as firewalls, VPNs, or network segmentation, that might be in place.

How It's Happened

One spree in July 2016 targeted 41 ATMs in Taiwan, resulting in the theft of $2.7 million in cash. Police said attackers installed malware on 22 ATMs manufactured by Wincor-Nixdorf – now known as Diebold Nixdorf – run by Taiwan's First Commercial Bank. The attackers first hacked into the bank's London-based networks. Then they accessed the bank's voice recording system and stole the domain administrator's account credentials, used the credentials to gain VPN access to the bank's Taiwan branch, mapped the company's intranet topology, identified the ATM software updating system and figured out the required administrator credentials. From there, the attackers logged into the ATM update server, set up a fake update package in the distribution management system, and uploaded it to the ATMs as if it were a real update.

The package instructed the ATMs to enable their telnet service, which the attackers used to remotely access the ATMs and upload three pieces of malware, including a test program that criminals standing in front of an ATM validated. Once the hackers confirmed that the ATMs were ready for the attack, they uploaded and ran modified vendor test tools that dispensed the maximum number of banknotes the machine was capable of. From there they moved on to other ATMs and repeated the process. After each ATM had been jackpotted, the remote hackers wiped the malicious programs off the victimized ATM and logged off.

Banks may be unaware they've been hacked until money goes missing. Some types of malware are also designed to delete themselves from an ATM after they've been used to jackpot it, effectively dissolving most traces of the criminal activity.

Physical Attacks Continue To Be Top Threat

There's been significant growth in remote ATM attacks and other types of...


More ACH Changes Coming September 2017

The business world continues to evolve, and banking is no different. Two new rule changes are being implemented in September this year.

Beginning September 15, 2017, Same Day ACH will be available for debit entries, enabling same-day processing of virtually any ACH payment. The Rule enables the option of same-day ACH payments through additional ACH Network functionality, without affecting previously available ACH schedules and capabilities:

- Originating financial institutions (ODFIs) are able to submit files of same-day ACH payments through two additional clearing windows provided by the ACH Operators (the actual ACH Operator schedules are not determined by the NACHA Operating Rules):
  - A morning submission deadline at 10:30 AM ET, with settlement occurring at 1:00 PM.
  - An afternoon submission deadline at 2:45 PM ET, with settlement occurring at 5:00 PM.
- Virtually all types of ACH payments, including both credits and debits, are eligible for same-day processing. Only international transactions (IATs) and high-value transactions above $25,000 are not eligible. Eligible transactions account for approximately 99 percent of current ACH Network volume.
- All RDFIs are required to receive same-day ACH payments, giving ODFIs and Originators the certainty of being able to send same-day ACH payments.

The second rule to go into effect this September is that, effective September 29th, ODFIs are required to identify and register their Third-Party Sender customers. The hope is that the rule will promote consistent customer due diligence among all ODFIs and serve as a tool to support NACHA's continuing efforts to maintain ACH Network quality.

Initial Registration

For ODFIs with no Third-Party Sender customers, a statement to that effect is sufficient. However, for ODFIs with Third-Party Sender customers, the Rule requires them to provide basic registration information for each Third-Party Sender. Fortunately, the ODFI should already have that information. Information needed:

- ODFI's name and contact information
- Name and principal business location of the Third-Party Sender
- Routing number for the ODFI that was used in the Originating DFI Identification field for Third-Party Sender ACH transactions
- Company Identification(s) of the Third-Party Sender

The registration requirement applies to Third-Party Senders that are the ODFI's direct customers, as well as to other Third-Party Senders that are direct customers of the first Third-Party Sender. The Rule obligates Third-Party Senders to provide, upon request, any registration information needed. If you have any questions on the new ACH rules and how this new, rapid environment will affect your bank's risk profile, call ITPAC...


Cyberattacks Fuel 2017’s Biggest Breaches

With the exception of one large insider theft, hacker attacks, some involving ransomware, continue to be the method of choice behind the biggest health data breaches reported so far this year to federal regulators. As of July 3rd, 149 breaches affecting nearly 2.7 million people have been reported to the Department of Health and Human Services' "wall of shame". Of those 2017 breaches, 53 are listed as hacking/IT incidents. Even though that's only 35% of breaches, it represents almost 60% of the individual victims: 1.6 million in all.

Four of the five largest breaches reported so far in 2017 involved hacking/IT incidents. At least two have been disclosed by healthcare entities in their public breach notification statements as involving ransomware. Those incidents include a ransomware attack reported to HHS on June 16 by Airway Oxygen, a Michigan-based provider of oxygen therapy and home medical equipment, affecting 500,000 individuals, as well as a March incident reported by Texas-based specialty practice Urology Austin that affected nearly 280,000 individuals. Neither the Airway Oxygen nor the Urology Austin breach is listed on the "wall of shame" with details referencing ransomware. However, each entity issued breach notification statements to affected individuals naming ransomware as the culprit.

5 Largest Health Data Breaches in 2017:

- Commonwealth Health – 697,800 – Theft
- Airway Oxygen – 500,000 – Hacker
- Urology Austin – 279,663 – Hacker
- Harrisburg Gastroenterology – 93,323 – Hacker
- VisionQuest Eyecare – 85,995 – Hacker

However, despite the continuing surge in hacking-related incidents, the largest health data breach added so far this year to the federal tally was an insider incident reported in March by Bowling Green, Kentucky-based Med Center Health, owned by Commonwealth Health Corp. That incident, affecting 698,000 individuals, involved a former Med Center Health employee who allegedly obtained patient information on an encrypted CD and encrypted USB drive, "without any work-related reason to do so," the company said in a statement.

Breaches Since 2009

Since the HIPAA breach notification rule took effect in 2009, 1,971 breaches impacting nearly 174.3 million individuals have been posted. Of those, only 322 are listed as hacking/IT incidents. Those incidents affected about 130.2 million individuals, or nearly 75 percent of all victims impacted by reported health data breaches. In recent weeks, a number of large breaches involving ransomware-related hacking incidents were reported to federal regulators.

Recent Hacker Breaches

Among other recent incidents added to the "wall of shame" involving hacker attacks:

- Cleveland Medical Associates, based in Tennessee, reporting to HHS on June 20th a ransomware attack occurring in April that involved protected health information of 22,000 individuals.
- Family Tree Health Clinic, based in Texas, reporting to HHS on June 19 a ransomware attack occurring in April that impacted data of 13,402...


Mississippi Medicaid Website Transmitted Unencrypted Email

Unsecure Email Incident a Reminder of Risks to PHI

A breach report involving the transmission of protected health information via unencrypted email offers a reminder of the need to safeguard PHI no matter where it resides, including website forms used to collect information and smartphone apps. According to the HHS "Wall of Shame", the Mississippi Division of Medicaid reported on May 26, 2017 to the U.S. Department of Health and Human Services an unauthorized access/disclosure incident that affected about 5,220 individuals.

In a statement, Mississippi DOM said that on April 7, 2017, DOM officials became aware of an issue with the online service the agency used to create forms posted to the DOM's website. "Once an online form was submitted, the information was also emailed to designated staff within the agency. The email containing the information was not transmitted in a secure manner (i.e. encrypted). This resulted in the possible exposure of information that may have been entered into certain online forms." Once the error was discovered, the online forms were immediately removed from the website and the use of the online form service was terminated. The incident may have involved names, birth dates, addresses, phone numbers, email addresses, admission and enrollment dates, health insurer, condition, Social Security numbers, and Medicare and/or Medicaid identification numbers.

Potential Risks

Some security and privacy experts acknowledge that the likelihood of the DOM email being compromised during transmission is low. Nevertheless, using encryption helps ensure that messages sent to the wrong recipients cannot be viewed, and criminals are more likely to try to compromise an email system that contains unencrypted messages. More covered entities and business associates are becoming aware of email-related security risks.

Risk or privacy impact assessments should highlight whether "clear text" emails are generated by things such as website forms used to collect information from insurers or patients, or by various types of smartphone apps. This issue may be overlooked because, when organizations address email security, they tend to focus only on their email servers and services. Based on Mississippi DOM's description of the incident, it appears to have been a system or application issue rather than a person failing to encrypt. That highlights the need to complete due diligence on any tech solutions or apps to ensure they have the necessary safeguards. The best approach is to set up email to encrypt automatically, based on trigger words appearing in the subject line or on a lexicon that detects certain data in the message, such as Social Security numbers, credit card information, medical record numbers, and other PHI. Potential security risks involving email containing PHI: Sending or receiving email on...
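The automatic-encryption trigger described above (subject-line trigger words plus a content lexicon for SSNs, card numbers and medical record numbers) can be expressed as a small classifier that a mail relay consults before releasing a message in clear text. The following is an added example written for this page, not code from Mississippi DOM or any product; the trigger-word list, the medical record number format ("MRN" followed by 6-10 digits) and the web-form relay are constructed assumptions, and the card check uses the standard Luhn checksum to cut false positives on long reference numbers.

```python
import re
from dataclasses import dataclass, field

# Subject-line trigger words (illustrative assumption, matched as whole words).
SUBJECT_TRIGGERS = ("phi", "confidential", "patient", "medicaid", "medical record")

# Content lexicon. SSN: rejects area 000/666/9xx and zero groups, as issued SSNs never use them.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Medical record number format is an assumption; use your organisation's own identifier format.
MRN_RE = re.compile(r"\bMRN[ :#]*\d{6,10}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for every validly formed payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Decision:
    encrypt: bool
    reasons: list = field(default_factory=list)


def classify_message(subject: str, body: str) -> Decision:
    """Decide whether a message must be encrypted before leaving the relay."""
    reasons = []
    subj = subject.lower()
    for word in SUBJECT_TRIGGERS:
        if re.search(r"\b" + re.escape(word) + r"\b", subj):
            reasons.append(f"subject trigger word: {word}")
            break
    if SSN_RE.search(body):
        reasons.append("body contains an SSN-formatted value")
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            reasons.append("body contains a Luhn-valid card number")
            break
    if MRN_RE.search(body):
        reasons.append("body contains a medical record number")
    return Decision(encrypt=bool(reasons), reasons=reasons)


def render_form_email(fields: dict) -> tuple:
    """Constructed stand-in for the web-form-to-staff relay in the incident."""
    body = "\n".join(f"{k}: {v}" for k, v in fields.items())
    return "New online form submission", body


if __name__ == "__main__":
    # Constructed sample submission; the values are made up.
    subject, body = render_form_email({"Name": "Jane Doe", "SSN": "123-45-6789"})
    d = classify_message(subject, body)
    print("encrypt" if d.encrypt else "clear text", d.reasons)
```

The point of the Luhn step is that a 16-digit invoice or tracking number should not force encryption by itself, while a real card number should; the SSN and MRN checks are pure lexicon matches and are deliberately conservative, since a false positive only costs an unnecessary encryption.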


Changes to FFIEC Cybersecurity Tool Help Banks Meet Baseline

A just-released update to the Federal Financial Institutions Examination Council's Cybersecurity Assessment Tool should help make meeting regulators' demands for "baseline" cybersecurity more attainable. The changes only affect Appendix A of the tool, but they make a difference for smaller institutions. For example, many smaller institutions were not able to meet the tool's requirement for having a data-flow diagram. They may have network diagrams or network topologies, but without a data-flow diagram they could not reach baseline in the cybersecurity maturity level rating. Now, due to the updates to Appendix A, banks and credit unions don't have to prove that they have a data-flow diagram; they just have to prove that compensating controls are in place. So in the absence of a data-flow diagram, they may be able to meet this requirement with a detailed network topology.

The tool, which the FFIEC introduced in June 2015, has been criticized by some security experts for its vagueness and its divergence from other well-established cybersecurity assessment frameworks, such as the NIST Cybersecurity Framework. It has also been criticized by banks and credit unions, which say its use does not seem as voluntary as regulators have repeatedly insisted.

While the FFIEC's Cybersecurity Assessment Tool may have flaws, it's important for all institutions to use it to assess their own cybersecurity preparedness. It can give institutions a different perspective on additional threats they might be facing. Walk through it; talk about the different items. Take two or three sessions to complete it rather than trying to get it all done at once. Work with your IT committee and senior management to discuss each area and understand, "Are we actually compliant with these particular areas? And if we do want to move to a higher-complexity organization or to services that may increase our inherent risk level, what might we need to do in order to meet that from a cybersecurity maturity level standpoint?" The changes made should make it easier for smaller institutions to reach the baseline. In the meantime, if you have any questions about cybersecurity or audit preparation, give ITPAC a call...


Phishing Incident Leads to $400,000 HIPAA Settlement

HIPAA Enforcement Agency Cites Lack of Timely Risk Analysis, Again

Colorado-based Metro Community Provider Network is the latest healthcare entity to learn a painful lesson from the Department of Health and Human Services' Office for Civil Rights about the importance of conducting a timely and comprehensive risk assessment. The breach was reported in early 2012 after a hacker accessed employees' email accounts through a phishing scam and obtained 3,200 individuals' electronic PHI. OCR found that MCPN took the necessary corrective action related to the phishing incident, but MCPN had failed to conduct a risk analysis until mid-February 2012 – about a month after it reported the breach. According to OCR, "Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis." When MCPN finally conducted a risk analysis, that study, as well as all subsequent risk analyses, did not meet the requirements of the HIPAA Security Rule.

"As we have seen in the past, the investigation focused on the failure of conducting an enterprise wide information security risk analysis and implementing a risk management plan to address the vulnerabilities found by the assessment." The lack of a timely, comprehensive, and enterprise-wide risk analysis – as well as failure to follow up with mitigation remedies to address risks identified in the assessments – has been a recurring theme in most of OCR's 47 HIPAA enforcement actions related to breach investigations since 2008. OCR continues to view a good risk analysis as foundational to HIPAA Security Rule compliance, as almost all breach investigations lead OCR to identify a lack of risk analysis and risk management.

In its statement about MCPN, OCR implies that the $400,000 settlement amount in that case might have been higher. However, OCR notes it "considered MCPN's status as a federally-qualified health center when balancing the significance of the violation with MCPN's ability to maintain sufficient financial standing to ensure the provision of ongoing patient care."

MCPN Corrective Action Plan

In its corrective action plan with OCR, MCPN agreed to take a number of steps to bolster its security practices, including:

- Conducting a comprehensive and thorough risk analysis of security risks and vulnerabilities that includes systems at all current MCPN facilities;
- Developing an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis;
- Reviewing, and if necessary revising, its current HIPAA Security Rule policies and procedures based on the findings of the risk analysis;
- Providing its workforce with revised training materials based on any revisions to its...


Messaging Apps Create New Privacy Headaches for Banks

Many businesses have benefited from the proliferation of mobile devices and text messaging apps that facilitate quick, round-the-clock communications. However, these technologies can make it difficult to monitor and control the unauthorized distribution of confidential data. This is critically important in highly regulated industries like banking.

To give you an idea of how messaging apps have caused headaches for banks: on March 30, UK regulators fined a former managing director of Jefferies Group for divulging confidential client information. The banker, Christopher Niehaus, shared confidential information with two friends using WhatsApp, a popular messaging app. The exposed information included the identity of a client, the details of a deal involving the client, and the bank's fee for the transaction. It's somewhat surprising that the breach was discovered at all. Because data sent on WhatsApp is encrypted and Mr. Niehaus used his personal mobile phone to send the messages, Jefferies Group only viewed the communications – and subsequently informed regulators – after Mr. Niehaus turned his device over to the bank in connection with an unrelated investigation.

Many banks use tools to monitor data sent to and from company-owned devices and e-mail accounts. However, companies cannot read messages delivered on programs offering end-to-end encryption, like WhatsApp or Apple's iMessage, even if the information is sent on a company-owned device or network. Therefore, policies and tools intended to protect confidential information can be circumvented by employees using common texting apps. Companies with "bring your own device" practices face even greater risks. Even though end-to-end encryption may safeguard data from hackers, confidential information is often exposed when a device is lost or stolen. Remember, more data breaches are caused by lost, unencrypted devices and employee errors than by third-party attacks.

Given the growing popularity of encrypted texting apps, employers need to accept that they are not able to monitor all of their employees' electronic communications. Data monitoring tools won't save you. That means it's vital to enact and enforce up-to-date confidentiality policies. Employees may not understand that workplace confidentiality policies extend to communications on personal devices. Remind them to treat messages like public in-person conversations and to refrain from discussing confidential information on messaging apps. Now more than ever, training employees to maintain confidentiality and make smart decisions is the most effective method of preventing damaging breaches. If you have any questions on encryption, data security, or confidentiality policies, contact ITPAC today....


Texas Ransomware Attack Highlights Need For Legacy Data Protection

A ransomware attack on a Texas urology practice that could potentially affect nearly 280,000 patients ranks as one of the largest health data breaches of 2017. On January 22nd, Urology Austin suffered a ransomware attack that encrypted data stored on its servers. Among the information affected by the ransomware were names, addresses, birthdates, SSNs, and medical information. The practice's mitigation effort included restoring data from backups and wiping the servers clean. Executing this plan allowed Urology Austin to avoid paying the ransom. Although the attack did not affect the practice's electronic health records, other applications, including legacy data, were potentially affected.

Why was the breach so large?

Because the Urology Austin ransomware incident potentially affected legacy applications, the pool of potential victims was much larger, and some of those receiving notifications may not have been active Urology Austin patients for many years.

Protecting Patient Data

It is common for healthcare entities to hold on to data many years after caring for individuals who are no longer patients. A big issue in healthcare is that many entities do not destroy anything related to patients. That leads to a highly probable, and increasingly vulnerable, situation where information about patients who have not received care in quite some time sits in systems and databases. Using technologies like data loss prevention solutions that search for and find old patient information that can be removed from active or production systems and archived properly is an important protection for healthcare providers. All PHI, including older legacy data of former patients, must be properly safeguarded. Every provider needs to have a data retention policy and supporting procedures in place, including how to irreversibly destroy/delete data when it is no longer needed to support legal requirements and patient care needs. If you don't need data, eliminate it and lower your risks by having less data to protect.

Lessons

It's encouraging that Urology Austin didn't pay the ransom and executed an up-to-date backup plan that allowed it to resume patient care quickly. It's important to remember that, to prevent backup data from being affected by ransomware and other attacks, backup data needs to be stored offline. Many organizations don't take this critical step, and as a result the backups are attached to their network and the ransomware then encrypts the backups as well. If you have questions about storing legacy patient data, IT security, response plans, or ransomware preparedness, call ITPAC today. ...
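The retention policy recommended above (keep active patients in production, archive records still under legal retention off the production systems, destroy the rest, and never touch anything under legal hold) can be turned into a triage step that runs against a patient index before a production system is backed up or assessed. This is an added example for this page, not code from Urology Austin or any vendor; the three-year "active" window, the ten-year legal retention period and the sample records are constructed assumptions (real retention periods depend on state law and payer contracts), and the exposure figure it returns is the number of individuals left in production, which is what a ransomware incident like this one would have put at risk.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy parameters; real values come from state law and payer contracts.
ACTIVE_YEARS = 3        # seen within this window: stays in production systems
RETENTION_YEARS = 10    # beyond ACTIVE but within this: archive off production


@dataclass
class PatientRecord:
    mrn: str                 # constructed identifier, not a real record number
    last_encounter: date
    legal_hold: bool = False  # litigation or audit hold overrides age-based rules


def years_since(d: date, today: date) -> float:
    return (today - d).days / 365.25


def classify(record: PatientRecord, today: date) -> str:
    """Map one record to a retention bucket: active, archive, destroy, or hold."""
    if record.legal_hold:
        return "hold"
    age = years_since(record.last_encounter, today)
    if age < ACTIVE_YEARS:
        return "active"
    if age < RETENTION_YEARS:
        return "archive"
    return "destroy"


def triage(records: list, today: date) -> dict:
    """Group record identifiers by bucket so each bucket can be handled by its own procedure."""
    buckets = {"active": [], "archive": [], "destroy": [], "hold": []}
    for r in records:
        buckets[classify(r, today)].append(r.mrn)
    return buckets


def production_exposure(records: list, today: date) -> int:
    """Individuals that remain on production systems after the policy is applied
    (active patients plus legal holds); everything else is archived or destroyed."""
    b = triage(records, today)
    return len(b["active"]) + len(b["hold"])


# Constructed sample index evaluated as of a fixed date.
SAMPLE_TODAY = date(2017, 3, 1)
SAMPLE_RECORDS = [
    PatientRecord("MRN-0001", date(2016, 11, 2)),
    PatientRecord("MRN-0002", date(2012, 6, 15)),
    PatientRecord("MRN-0003", date(2004, 1, 20)),
    PatientRecord("MRN-0004", date(2003, 5, 5), legal_hold=True),
    PatientRecord("MRN-0005", date(2015, 1, 10)),
]

if __name__ == "__main__":
    for bucket, mrns in triage(SAMPLE_RECORDS, SAMPLE_TODAY).items():
        print(f"{bucket:8s} {mrns}")
    print("records left in production:",
          production_exposure(SAMPLE_RECORDS, SAMPLE_TODAY), "of", len(SAMPLE_RECORDS))
```

The "destroy" bucket is only a worklist: the irreversible deletion itself belongs to the supporting procedure the policy calls for, and the "archive" bucket should land on storage that, like the backups discussed under Lessons, is not reachable from the production network.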


New Phone Scam Is Deceptively Simple

Don't pick up the phone to answer calls from unknown numbers. Instead, let them go to voicemail. While many of us do that anyway, that's now the FCC's advice to all Americans in response to an ongoing series of attacks designed to trick victims into uttering a single word. According to a March 27th alert, this scam centers on tricking victims into saying the word "yes," which criminals record and later use to attempt fraudulent charges on a person's utility or credit card accounts.

This scam begins when a consumer answers a call and the person on the other end of the line asks, "Can you hear me?" The caller then records the consumer's "Yes" response and obtains a voice signature. That voice signature can later be used by the scammers to impersonate the victim and authorize fraudulent charges over the telephone.

If you're targeted

While there's no way to prevent criminals from running these types of scams, law enforcement and consumer rights groups always encourage victims to file a report, regardless of whether there has been a financial loss. For anyone targeted by the "yes" scam, the FCC recommends immediately reporting the incident to the Better Business Bureau's Scam Tracker and to the FCC Consumer Help Center. For more information about tools for blocking robocalls, texts and marketing calls, visit https://www.fcc.gov/consumers/guides/stop-unwanted-calls-texts-and-faxes

If you have any questions on IT security or protecting your business or personal accounts from the scams being perpetrated today, contact ITPAC and keep your information safe....
