CISA Issues Guidance on Protecting Sensitive Data and Dealing With Double-Extortion Ransomware Attacks

Ransomware attacks are significantly higher in 2020 and there is no sign that cyberattacks utilizing the file-encrypting malware will diminish. Attacks continue to increase this year to the level where there was nearly half the number of attempted ransomware attacks in Quarter 2 of 2021 as there were in the entire 2019.

The majority of threat actors executing ransomware attacks are now making use of double extortion techniques, where ransoms should be paid not only to get the keys to decrypt files but also to avoid the publication of information stolen in the attacks. The theft of records prior to file encryption has helped ransomware gangs to demand big ransom payments because the threat to leak the data has considerably increased the possibility of getting ransom payments. A lot of victims pay the ransom to stop data exposure, although they have good backups that can enable them to recover the encrypted information for free.

The Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance to help public and private sector institutions deal with the danger of double-extortion ransomware attacks. The guidance includes best practices for avoiding cyber threat actors from getting access to networks, actions to make sure sensitive data are secured, and procedures that ought to be adopted when responding to a ransomware attack.

There are a number of measures specified in the document that is essential not just for stopping ransomware attacks but likewise for restricting their severity. It is important to retain offline, encrypted backups of information and to routinely test the backups to ensure that file recovery is really achievable. It is furthermore essential to create and maintain a basic cyber incident response plan, resiliency plan, and related communications plan, and to conduct exercises to make sure that a quick response to an attack is achievable. To prevent attacks, steps should be taken to deal with the major attack vectors, such as phishing, RDP compromises, and the exploitation of internet-facing vulnerabilities and misconfigurations. Naturally, all companies must also make certain to follow good cyber hygiene procedures.

To protect sensitive information, institutions should know where sensitive records are kept and who has got access to those data databases. It is additionally crucial to make sure that sensitive information is just stored for as long as is strictly needed. Physical and cybersecurity recommendations ought to be enforced, including encrypting sensitive data at rest and in transit, limiting access to physical IT assets, and employing firewall and network segmentation to impede attempts at lateral movement within systems. CISA likewise advises making sure the cyber incident response and communications plans consist of response and notification processes for data breach occurrences.

Fast and effective response to a ransomware attack is crucial for restricting the harm triggered and holding costs down. The cyber incident response plan must detail all the steps that must be taken, and the order that they ought to be undertaken. The preliminary step is learning which systems were impacted and quickly isolating them to protect network operations and prevent further data loss. The next step should only be done if its’ not possible to take out affected devices from the network or to temporarily shut down the network, and that is to power down impacted devices to stop further passing on the ransomware infection.

After that, triage impacted systems for restoration and recovery, consult with the security group to develop and document an initial comprehension of what has happened, then engage internal and external groups and stakeholders and give instructions on how they can help with the response and recovery processes. Institutions must then comply with the notification specifications discussed in their cyber incident response plan.

The guidance document – Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches – is available on this link.

NIST Seeks Comment on Planned Updates to HIPAA Security Rule Implementation Guidance

The National Institute of Standards and Technology (NIST) is considering to revise and update its guidance on enforcing the HIPAA Security Regulation and is in search of feedback from stakeholders on areas of the guidance that must be modified.

NIST released the guidance – NIST Special Publication (SP) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule – on October 2008. In the past 13 years, cybersecurity has changed and the threat conditions has changed significantly. NIST’s cybersecurity assets have likewise changed throughout that time and a revision to the guidance is already long overdue.

NIST will be changing the guidance to include its new cybersecurity solutions, is going to increase knowledge of non-NIST sources related to compliance with the HIPAA Security Rule, and will revise its observance guidance for HIPAA-covered organizations and business associates.

Particularly, NIST has asked for comment from stakeholders regarding their experiences using and following the resource guide, which includes the parts of the guidance that were helpful and those that were not, together with the reasons why.

NIST would like to find out from covered entities and business associates that have utilized the guidance and have discovered key ideas to be missing, and for stakeholders who observed that the guidance is not applicable to their company to provide data on how it can be made much more relatable, helpful, and actionable to a larger selection of audiences.

Covered entities and business associates have followed the HIPAA Security Law in different means. NIST is looking for data on any tools, resources, and strategies that were followed that have been proven beneficial, and for covered entities that have enjoyed positive results with their compliance plans to share details on how they handle compliance and security at the same time, evaluate risks to ePHI, identify whether the security procedures put in place are efficient at protecting ePHI, and how they document demonstrating sufficient implementation. NIST additionally wishes to hear from any covered entity or business associate that has enforced known security procedures that have diverged from the observance of the HIPAA Security Rule.

Stakeholders are asked to post feedback  until June 15, 2021 for consideration before the proposed update. Submitted remarks will be considered and implemented as much as it is practicable.

Recommendations for Network Defenders to Determine and Avert Russian Cyber Operations

A joint cybersecurity alert was released by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Homeland Security (DHS) regarding the Russian Foreign Intelligence Service or SVR’s persistent cyber operations.

The notification offers more information about the tactics, techniques, and procedures (TTPs) utilized by SVR attackers to get access to networks and the sneaky attack tradecraft employed to move laterally in breached systems. Best practices were presented to permit network defenders to enhance their defenses, secure their networks, and perform investigations to find out whether their systems were already compromised.

The alert comes after the April 15, 2021 joint notice from the NSA, CISA, and FBI that states the U.S. Government’s formal declaration that the SolarWinds supply chain attack was done by SVR cyber actors known as CozyBear, the Dukes, APT29 and Yttrium. The CVR operatives are mainly targeting government agencies, policy analysis agencies and think tanks, IT businesses, and critical infrastructure organizations to collect intelligence data.

Prior to 2018, SVR agents were mostly utilizing stealthy malware on victims’ systems however have already evolved their focus to target web resources, such as cloud-based email services like Microsoft Office 365, as was the SolarWinds supply chain attack.

Misconfigurations of systems are exploited and breached accounts are utilized to mimic regular traffic in online environments. The hackers can steer clear of detection when attacking cloud resources as a lot of companies don’t efficiently secure, monitor, or even completely understand these environments.

The SVR operatives have formerly employed password spraying to find out weak passwords related to administrative accounts. These attacks are carried out in a slow and low way to avert detection, for instance attempting small numbers of passwords at periodic periods employing IP addresses in the country where the target is based. As soon as administrator access is acquired, modifications are created to the permissions of email accounts on the network to enable the interception of emails. After an account is compromised, it is normally accessed utilizing one IP address on a leased virtual private server. In case an account is accessed which turns out to be useless, permissions are modified back to the default settings to reduce the chance of detection.

Zero-day vulnerabilities in virtual private networks (VPN), which includes the Citrix NetScaler vulnerability CVE-2019-19781, were also exploited to acquire network access. When exploited, user credentials are gathered and utilized to authenticate systems on the network with no multifactor authentication enabled. Attackers tried also to access web-based resources with information of interest to the foreign intelligence service.

A Go-based malware variant referred to as WELLMESS has been employed to get persistent access to systems and, in 2020, was mainly utilized in targeted attacks on businesses involved in the development of the COVID-19 vaccine, with the attackers focusing on Active Directory servers and research repositories.

The SVR cyber actors are using custom malware and open source and commercially sold tools in their attacks. A number of recommendations and best practices are available to assist network defenders to boost the methods used by SVR agents and identify potential attacks that are happening.

Secured Vendor Access and HIPAA Compliance

Before the enactment of the Health Insurance Portability and Accountability Act (HIPAA) in 1996, paper files were still stashed in cabinets and sensitive data was typically transmitted by hand or via a fax machine.

After almost 25 years, , the healthcare industry looks entirely different, with the exception of the use of fax machines by some. Everything is now saved on computers and sent over the web. It is more efficient but there are some risks. Serious data breaches connected to healthcare entities increased resulting in the exposure of very sensitive personal health information (PHI). Many data breaches involve third-party and vendor access that cost more in terms of penalties and reputational ruin.

A hacker is able to easily access countless patient records and bring about extensive damage – releasing private data, deleting crucial health information, stealing identify, and attacking using ransomware.

Today, healthcare organizations not only deal with problems related to patient health care. There are now complicated cybersecurity problems beyond the medical environment that must be dealt with.

Taking into consideration the challenges of HIPAA noncompliance, healthcare organizations usually benefit from using the services of third-party vendors that particularly manage HIPAA regulatory compliance. To completely protect patients, vendors must have clear guidelines that limit access, continue to be transparent and auditable, and sustain the most up-to-date information security steps.

Importance of Limiting Vendor Access

Who can access patients’ data, how do they access the data, and how much data do they access (or should access)? These are vital concerns for technology vendors.

First, every member of the IT team must only get the level of access necessary to make sure HIPAA compliance and data security, which include constraints on time, extent, and job functionality. Every vendor rep must utilize a unique username and password to sign in to the system and undergo multi-level authentication that is linked to their personal details. In addition, an auto logoff when inactive for a brief period could stop unauthorized access using another person’s credentials.

The Necessity of Auditable Reports

An automatic audit program enables healthcare organizations to filter unauthorized access and to track the data breach source. An efficient audit system retains specific login data of each support connection system and provides comprehensive detail of each sign in, including place, time, personnel and extent of access to the patients’ information, and other sensitive data.

These reports are not just important for internal security reasons but are essential for showing HIPAA compliance in connection with permitting vendors to access your network.

The Value of Data Reliability and Security

The weakness in data security typically happens at access points and transmission. Nevertheless, frequent updates to security configurations secure data from problems and avoid data breaches during transmission. To maintain data integrity and security, the following are recommended:

  • advanced transmission standards (AES) in 128-, 192- and 256-bit modes
  • customer control of configurable encryption
  • data encryption standards (DES) of Triple DES10

The healthcare industry is responsible when patient data is compromised. Therefore, a third-party IT security vendor must know how to satisfy the highest standards of HIPAA compliance. Remote access to the network of a healthcare facility is often neglected. It could potentially result in data exposure and breaches. Make sure that your vendors have legit reasons to access your patients’ data and are HIPAA compliant.

FTC Reaches an Agreement with SkyMed to Settle a 2019 Consumer Data Breach Case

SkyMed, an emergency services provider in Nevada, has agreed to a settlement with the Federal Trade Commission (FTC) after the audit of its information security strategies, which was prompted by a 2019 data breach that compromised the personal data of consumers.

Security researcher Jeremiah Fowler informed SkyMed in 2019 that a misconfiguration of the Elasticsearch database resulted in the leaking of patient information. The data of 136,995 patients was accessible online without needing any authentication. The database can be viewed by using any web browser. The personal data in the database can be downloaded, modified, or deleted.

The information contained in the database included patient names, email addresses, addresses, birth dates, membership account numbers, and health data. Fowler likewise found artifacts associated with ransomware in the database. Upon notification, SkyMed started an investigation yet did not find any evidence that suggests the misuse of any content in the database.

According to SkyMed’s breach notification, some old information might have been exposed briefly when data was transferred from the old system to the new one. The compromised information is no longer accessible and only included names, physical and email addresses, telephone numbers, and membership ID numbers. No healthcare data or payment data was accessible and there’s no evidence that data was misused.

The FTC looked into the incident and did an audit to find out if the FTC Act was breached. The FTC determined several failures in security and breach responses. The FTC claimed SkyMed did not investigate if the unauthorized persons accessed the database when security was down, and that the provider didn’t sufficiently examine the database to know what data it stored. SkyMed consequently failed to ascertain if any health data was potentially exposed. When SkyMed verified the exposure of the database, the company removed the database to avert any unauthorized access. SkyMed additionally was unable to determine the people impacted by the breach.

The FTC stated that SkyMed’s website showed a “HIPAA Compliance” seal, giving the notion that the provider’s privacy and security policies were HIPAA compliant. However, SkyMed hadn’t been through a third-party review of its information security procedures and no government organization had evaluated its HIPAA compliance statements. As per the FTC, SkyMed had fooled customers for over 5 years by showing the HIPAA Compliance seal to its clients.

The FTC explained that SkyMed had no “reasonable measures” in place for securing the personal data of people who registered for its emergency services. SkyMed had no data loss prevention solutions, lack access controls, and failed to employ authentication for its systems. When SkyMed encountered a security breach, it failed to identify the compromised database containing personal data for 5 months until a security researcher found it.

The type of data exposed could likely bring about considerable damage to customers. SkyMed could have avoided or mitigated these data security issues if it had employed promptly available, and fairly low-cost, procedures.

The FTC alleged SkyMed had violated Section 5 of the FTC Act by engaging in unfair and/or misleading acts or procedures, which resulted in two counts of deception, one for the HIPAA compliance and another for its breach response. SkyMed additionally engaged in unfair information security practices.

Concerning the settlement, SkyMed is forbidden from misrepresenting its information security policies, data breach response, and the way the company safeguards the security, privacy, integrity, and confidentiality of the personal data, and involvement in any privacy or security plan sponsored by the federal government or any third party, which include self-regulatory or standard establishing company.

SkyMed needs to notify all affected consumers and give details regarding any information that was possibly exposed. A data security program needs to be implemented and managed by selected, competent staff. The program should consist of a company-wide risk assessment to pinpoint possible internal and external hazards, and safeguards ought to be integrated to make sure to mitigate risks and protect personal information.

There must be records of the database that can be accessed for monitoring. Data encryption should be enforced for sensitive information like financial account information, passport numbers, and medical data. All databases that contain personal data are necessary for monitoring and there must be restrictions to control access to sensitive information. SkyMed is additionally necessary to approve yearly compliance with the FTC settlement.

OCR Releases HIPAA Guidance on Disclosures of PHI to Health Information Exchanges

A new Health Insurance Portability and Accountability Act (HIPAA) Rules guidance has been released by the Department of Health and Human Services’ Office for Civil Rights that address disclosures of protected health information (PHI) to health information exchanges (HIEs) for the public health activities of a public health authority (PHA).

An HIE is an entity that allows electronic PHI (ePHI) sharing between over two unaffiliated entities including health plans, healthcare providers, and business associates. The purpose for sharing ePHI includes patient treatment, billing, or medical operations; for reporting public health activities to PHAs, and for offering other products and services like patient record storage and data collection and analysis.

HIPAA allows using HIEs and disclosing health information to enhance public health, which has become particularly crucial throughout the COVID-19 public health emergency. Under the HIPAA Privacy Rule, HIPAA-covered entities and their business associates can share PHI to an HIE for submitting reports to a PHA that is involved in public health, without getting individual authorization first.

This kind of disclosures are allowed under the following circumstances:

  • If disclosures are mandated by federal, state, local, or other legislation that the court can enforce
  • If the HIE is operating under the authority or agreement with a PHA for a public health action
  • If the HIE is a business associate of the covered entity or another business associate and wants to share ePHI to a PHA for public health reasons*

*The HIPAA Privacy Rule just allows an HIE which is a business associate of the covered entity or another business associate to share ePHI to a PHA for public health reasons when it is specifically mentioned that they can do this in the business associate agreement (BAA) it signed with the covered entity. But because of the COVID-19 public health emergency, OCR issued a notice of enforcement discretion saying that it will not take action against a business associate not expressly permitted to share ePHI to a PHA in their BAA in case it shares ePHI to a PHA in good faith and for public health reasons. In such instances, the business associate should notify the covered entity in 10 calendar days regarding the disclosure. The notice of enforcement discretion is good only until a COVID-19 public health emergency is in effect.

ePHI disclosure by an HIE to a PHA is limited to the minimum required data to accomplish the goal for the disclosure. It is expected to get a request from a PHA to share a summary report to the PHA or HIE as the minimum required PHI to accomplish the public health goal of the ePHI disclosure.

The HIPAA Privacy Rule allows a covered entity to share ePHI to a PHA via an HIE, even though it did not receive a direct request for the PHI from the PHA, as long as the covered entity is aware that the PHA is utilizing the HIE to get such data, or that the HIE is operating on account of the PHA.

Although in this case there is no need to acquire authorizations from persons whose PHI is being disclosed, those persons should be notified regarding the disclosures. That may be done by saying ePHI disclosures will take place for public health reasons in the provider’s Notice of Privacy Practices.

The new OCR guidance, including a number of examples associated with COVID-19, is available on the HHS website.

 

New Resources for MHealth App Developers and Cloud Services Providers Available at OCR Portal

The Department of Health and Human Services’ Office for Civil Rights has released more resources targeted for mobile health application developers and gave its Health App Developer Portal a new name after updating it.

The portal called Resources for Mobile Health Apps Developers gives mobile health application developers guidance on the HIPAA Privacy, Security, and Breach Notification regulations and their importance to mobile health applications and application programming interfaces (APIs).

The portal contains a Health App Use Scenarios and HIPAA guidance document, which talks about the need for mHealth applications to comply with the HIPAA Rules and whether an app developer is going to be considered as a business associate.

OCR explained that integrating privacy and security protections into technology solutions boosts their value by giving users some assurance that the data is safe and is going to be utilized and shared only as authorized or required. Federal and state laws sometimes require such protections, for instance, the HIPAA Security, Privacy, and Breach Notification Rules.

The Federal Trade Commission (FTC) together with the Food and Drug Administration (FDA) and the HHS’ Office of the National Coordinator for Health IT (ONC) developed the portal that gives access to the Mobile Health Apps Interactive Tool. Developers of health-related apps can use this Tool to know what federal regulations are likely applicable to their apps. By providing answers to questions with regards to the nature of the apps, developers will learn which federal regulations are applicable and will be given resources with more detailed information concerning each federal rule.

The portal likewise contains information regarding patient access rights as provided by HIPAA, how they affect the data obtained, stored, processed, or sent via mobile health applications, and how the HIPAA Rules impact APIs.

The portal was updated following the ONC’s final rule that required health IT developers to create a safe, standards-based API that providers can utilize to help patients access the information saved in their electronic health records. Although having quick access to health data is essential for patients so that they could check errors, request corrections, and share their health information for research uses, transmitting information to third-party apps, which HIPAA may not cover, may create a privacy risk.

OCR has earlier stated that the moment healthcare companies have provided a patients’ health information with a third-party application, as permitted by the patient, the data is not covered by HIPAA in case the app developer isn’t a healthcare provider’s business associate. Healthcare providers won’t be accountable for any resultant use or sharing of any electronic protected health information (ePHI) distributed to the app developer.

The portal also has an FAQ that makes clear how HIPAA is applicable to Health IT. There is also a guidance document detailing how HIPAA is applicable to cloud computing so cloud services providers (CSPs) can fully understand their accountabilities under HIPAA.

OCR Emphasizes the Value of Creating and Keeping a Comprehensive IT Asset Inventory

Though risk analysis is a very important requirement of the HIPAA Security Rule, the Office for Civil Rights data breach investigations and compliance audits show that it is often not complied with. There are HIPAA-covered entities that completely ignored this requirement, but most cases of noncompliance were because of the inability to conduct a comprehensive risk analysis throughout the organization.

Before conducting a comprehensive risk analysis, it is necessary to know first how your organization receives ePHI, where it goes, where it is stored, and what systems are used to access that data. One common cause of risk analysis noncompliance is not understanding the location of all ePHI in the organization.

The Summer 2020 Cybersecurity Newsletter of OCR featured the essentiality of having  a complete information technology (IT) asset inventory and details its role in the risk analysis process. An IT asset inventory lists all the organization’s IT assets, including descriptions, serial numbers, names, and other data used to distinguish the asset, such as its location, version (operating system/application), and the individual responsible for the asset.

Although an IT asset inventory is not required under the HIPAA Security Rule, it is a helpful tool for the development of a complete, organization-wide risk analysis. It helps organizations to know where ePHI may be located, and improve their HIPAA Security Rule compliance.

An IT asset inventory does not just include physical hardware like mobile gadgets, servers, workstations, peripherals, portable media, firewalls, and routers. Software assets and applications, such as operating systems, anti-malware tools, email, administrative and financial records systems, databases, and electronic health record systems, are also included.

IT solutions such as backup software, virtual machine managers/hypervisors, and other administrative tools should also be included. Data assets that contain ePHI that an organization generates, receives, stores on its electronic devices or and media, and sends via its network should be included as well.

Small healthcare providers can create and maintain an IT asset inventory manually. Large and more complex companies can use dedicated IT Asset Management (ITAM) solutions, which use automated discovery and update processes to make sure no asset is overlooked.

In creating an IT asset inventory, be sure to add assets that may be used to access ePHI or networks or ePHI storage devices. Though IoT devices are not used for storing or accessing ePHI, they may be used to get network or device access that enable ePHI viewing.

If vulnerable IoT devices are unpatched, an intruder could exploit it to get a foothold into a company’s IT network and possibly access ePHI. There have been several reported incidents such as this.

Organizations that lack a complete IT asset inventory may fail in recognizing and mitigating risks to ePHI. A comprehensive view of the company’s environment is necessary to ensure the performance of an accurate and detailed risk analysis that comply with the Security Rule.

Another purpose of an IT asset inventory is in the creation of policies and procedures that cover the acceptance and withdrawal of hardware and electronic media containing ePHI in and out of the company. The IT asset inventory can help spot unauthorized devices that someone connected to the network. It can also help ensure that no device, software, or IT asset is missed when performing updates and security patches.

The NIST Cybersecurity Framework can help organizations create an IT asset inventory. A guidance on IT asset management in its Cybersecurity Practice Guide published by NIST is available. Another tool from HHS that can help with IT asset management includes inventory capabilities that permit  manual or bulk input of asset information with regards to ePHI.

Data Breaches Announced by University of Maryland Faculty Physicians and Highpoint Foot & Ankle Center

A phishing attack on the University of Maryland Faculty Physicians, Inc. (FPI) potentially permitted unauthorized people to obtain access to the protected health information (PHI) of the University of Maryland Medical Center (UMMC) patients.

FPI, which is a physician practice group composed of faculty members from the University of Maryland School of Medicine, offers support services to doctors and personnel at UMMC facilities.

Upon learning about the unauthorized email account access, FPI secured the email account and started a thorough investigation to ascertain the nature and magnitude of the breach. On May 26, 2020, FPI affirmed that an unauthorized individual obtained access to the account comprising the PHI of 33,896 patients from February 6, 2020 to February 11, 2020.

The types of data contained in the email account differed from one patient to another and might have included these data elements in combination with patient names: Birthdate, medical record number, and clinical data correlated to the treatment acquired at a UMMC facility or from an FPI-affiliated doctor. A few Social Security numbers were likewise identified in email messages and file attachments. There’s no proof found hinting that the attacker accessed or acquired patient information.

FPI and UMMC have carried out an assessment of policies and procedures and took action to strengthen email security in order to avoid further breaches in the future.

25,554 Patient Data of Highpoint Foot & Ankle Center Potentially Exposed

Highpoint Foot & Ankle Center based in Chalfont, PA uncovered that an unauthorized person carried out a remote access attack and obtained access to its network comprising 25,554 patient files. The healthcare provider discovered the data breach on May 20, 2020 and took immediate action to stop further unauthorized access to the system.

A prompt internal investigation done showed that the unauthorized person accessed patient data that comprised patient names, birth dates, addresses, telephone numbers, diagnosis and treatment data, and Social Security numbers. In spite of the verified unauthorized access by the hacker, there is no proof identified that showed the access or copying of patient data. There is likewise no report filed indicating the misuse of patient information.

Highpoint Foot & Ankle Center has put in place extra precautions to avoid more security breaches and has given the impacted patients free membership to credit monitoring and identity theft protection services via MyIDCare.

Guidance For Contacting COVID-19 Patients Concerning Blood and Plasma Donations

Whenever patients get an infectious respiratory disease like COVID-19, the immune system produces antibodies that give protection to the body when the pathogen is contracted again. The antibodies found in the blood of patients who get healed from this kind of sickness are invaluable, because they not only give protection to the patient, but that protection can be transmitted to other patients as well.

Two preparations can be made from the donation of plasma and blood: hyperimmune immunoglobulin and convalescent plasma. Hyperimmune immunoglobulin and convalescent plasma were both used to effectively treat patients who got other viral respiratory illnesses. Considering the severeness of COVID-19 and the high fatality rate, these therapies can be important for patients who are finding it hard to combat the illness. Research studies are currently ongoing to test if antibody treatments are potent against COVID-19.

To take part in these programs, previously diagnosed COVID-19 patients must be contacted and questioned if they would like to donate their blood and plasma. However, does the HIPAA Privacy Rule permit this contact?

On June 12, 2020, the Department of Health and Human Services’ Office for Civil Rights published guidance for healthcare organizations regarding the HIPAA Privacy Rule and the permission to get in touch with COVID-19 patients to ask for blood and plasma donations.

According to OCR, the HIPAA Privacy Rule doesn’t stop healthcare organizations from getting in touch with COVID-19 patients to ask for blood and plasma donations and there is no need to ask for prior consent from the patient.

Healthcare organizations can get in touch with patients to tell them about the options to donate blood and plasma to help in the COVID-19 response to boost the chances of other patents to fight the disease.

HIPAA covered entities and business associates responding on their behalf could use or share PHI for reasons of treatment, medical operations, and payment without the need to get patient authorization first. Asking for a blood or plasma donation doesn’t fall under the classification of a treatment since the blood/plasma is not going to be used for patient treatment, rather it is being employed for population-based medical care operations to better health, case supervision, and coordination of care, which are listed in the meaning of healthcare operations.

Certain misunderstandings regarding the contacting of patients to request blood donations would make up marketing communications, which are typically not allowed by the HIPAA Privacy Rule without getting patient authorization first.

In this instance, there is an exception to the Privacy Rule’s Marketing provision as per the OCR guidance. A covered health care entity is allowed to communicate regarding the covered entity’s population-based case supervision and associated medical care operations activities, so long as the covered entity does not get direct or indirect payment from, or for the third party whose service is referred to in the communication (for example, a blood and plasma donation center).

Patient authorization is necessary before disclosing PHI to a third party, like a blood and plasma donation center, to permit contact of a COVID-19 patient to ask for blood and plasma donations on behalf of the donation center’s own needs.

H-ISAC Publishes Framework for Managing Identity in Healthcare

The Health Information Sharing and Analysis Center (H-ISAC) issued a framework for CISOs to handle identity and protect their company against identity-centric cyberattacks. This second white paper published by H-ISAC covers the identity-centric solution to security. The first white paper talks about why an identity-centric strategy to cybersecurity is needed today, with the new white paper explaining how to implement that approach.

By implementing the framework, CISOs can manage the entire identity lifecycle of patients, practitioners, employees, and business partners in a way that guards against identity cyberattacks, reduces risk and improves operational efficiencies.

The framework was created for CISOs at healthcare companies of varying sizes. Consequently, it does not provide a one-size-fits-all model. Instead, parts of the framework may be used in a different way according to various conditions and use cases. CISOs have to evaluate the resources available and their special risks and make a decision on how best to utilize the framework.

The framework highlights the diverse elements that are needed in a modern identity-based approach to cybersecurity and shows how those elements incorporate and inter-relate to protect the enterprise.

The framework’s central idea is simple. How to enable users to access resources with security against cyberattacks. The primary focus of the framework is identity governance and administration system, which works as the central nervous system that connects in all the other elements and makes certain they work easily together.

The identity governance and administration system enable organizations to put in place set regulations and processes associated to the development, removal, and update of accounts, take care of policies and processes of all areas of their identity and access management (IAM) system, handle privilege escalation requests, perform audits for compliance purposes, and remediate any improper use of the IAM system.

The framework makes use of identity directories as an authoritative identity store for a firm, which explains roles, accounts, attributes, and the privileges connected with various roles and accounts. The white paper points out three guiding concepts for authorization:

  • Granting privileges – Privileges should be securely controlled and assigned according to roles, rights, and duties
  • Managing privileges – Processes need to be specified to manage privileges and update them with changing conditions
  • Reviewing privileges – Reviews must also be performed to make sure that users were assigned rights that are applicable for their role and accountabilities.

A couple of years ago, access to resources only requires a password, but threat actors today are skilled at stealing passwords and consequently, the security utility of passwords has declined. H-ISAC hence recommends using multi-factor authentication. The framework improves upon MFA and endorses

  • Device authentication, which ensures only trusted devices get access to resources
  • Human authentication, which makes sure that the authorized person is using that device
  • Privileged access management, which is used for session tracking and to employ more levels of authentication to avert credential compromise and restrict privilege escalation
  • Analytics, which is used to determine anomalies that can suggest attempts by unauthorized persons to get access resources, for instance using a device to access resources from California and then from New York five minutes later

The framework additionally specifies four use cases:

  1. Managing users and modifying privileges once an employee switches role
  2. On-boarding new employees
  3. Credentialing new patients
  4. Credentialing a third-party business partner for minimal systems access

Guidance on Managing the Cybersecurity Tactical Response in a Pandemic

The Healthcare and Public Health Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) issued a joint guidance on managing the cybersecurity tactical response when facing emergency cases, for instance, a pandemic.

Threat actors will attempt to exploit emergency scenarios to carry out attacks, which was plainly the case at this time of the COVID-19 pandemic. In a lot of instances, the length of an emergency will restrict the possibility for threat actors to exploit, but during a pandemic the time frame of exposure is longer. The SARS-CoV-2 outbreak was announced on January 30, 2020 as a public health emergency, providing threat actors sufficient time to take advantage of COVID-19 to perform attacks on the healthcare sector.

The important element to handling the greater level of cybersecurity risk at the time of emergency cases is preparation. Without preparation, healthcare institutions will be continuously fighting fires and rushing to enhance security at the moment when resources are stretched thin.

The recent guidance was produced during the COVID-19 pandemic by H-ISAC, HSCC’s Cybersecurity Working Group (CWG), the healthcare industry and government cybersecurity specialists and is meant to assist healthcare organizations to create a tactical response for handling cybersecurity threats that arise during emergencies and to assist them to improve their degree of preparedness.

During the COVID-19 crisis, cyber threat actors have carried out a variety of attacks on healthcare companies which include phishing attacks, domain attacks, and ransomware and malware attacks. The attacks happen at a time when healthcare institutions were trying to give patient care for highly infectious patients, set up remote diagnostic and treatment services, and switch to teleworking to avoid the spread of COVID-19. The modification in working routines substantially amplified the attack surface and launched new vulnerabilities and attack vectors.

The vulnerability to malicious cyber-actors increases for each gain provided by automation, interoperability, and data analytics. To curb these attacks prior to they happen, it is important for healthcare companies to establish, employ, and maintain present and effective cybersecurity procedures.

Healthcare organizations of all sizes could use the guidance document to enhance their cybersecurity programs and get ready for emergency scenarios. Smaller healthcare providers may use the guidance for choosing appropriate measures to enhance their security posture, while bigger organizations that have already prepared their tactical crisis response may make use of the guide as a checklist to make sure nothing is overlooked.

The guidance document places tactics, practices, and activities into four major categories:

  • Education and Outreach
  • Enhance Prevention Techniques
  • Enhance Detection and Response
  • Take Care of the Team

The cybersecurity response to an emergency is mostly based on technical settings, however, HSCC/H-ISAC makes clear that education and outreach have an essential role in the response strategy’s success. In emergency circumstances, even the perfectly laid plans may come unstuck with no appropriate education and outreach. Organizations that communicate their plans efficiently will minimize misunderstandings, boost response times, and increase the efficiency of their cybersecurity plan. The guide details how to create a communication plan and perform policy and procedure assessments properly.

Stopping cyberattacks is crucial. The majority of healthcare companies will have put in place a variety of measures to combat cyberattacks before the public health emergency, however HSCC/H-ISAC advocates three practices that ought to be assessed: Restricting the likely attack surface, strengthening remote access, and using threat intelligence feeds.

Restricting the attack surface calls for efficient vulnerability management, quick patching, protecting medical devices and endpoints, and regulating third-party network access. The guidance document advises a few of the means of protecting remote access, and how to take advantage of threat intelligence feeds to avoid attacks and speed up the response.

A lot of attacks are hard to prevent, therefore it is crucial for systems to be created and executed to identify successful attacks and react immediately. The guidance document recommends several steps to improve detection and reaction to attacks.

It is additionally essential to manage the team. In desperate circumstances, health, safety, work security, and financial steadiness are all important issues for healthcare workers. It is essential for companies to communicate properly with their employees and deal with these concerns and talk about how the company will help employees throughout the crisis.

The guidance document can be viewed on this link. HSCC introduced a second guidance document earlier this month that features steps healthcare companies can take on to safeguard trade secrets and research. The guidance document can be downloaded here.

Send FTC Your Comments on the Health Breach Notification Rule

The U.S. Federal Trade Commission (FTC) wants to get some feedback on its breach notification requirements intended for non-HIPAA-covered entities that gather personally identifiable health data.

The FTC introduced the Health Breach Notification Rule in 2009 together with the American Recovery and Reinvestment Act of 2009 (ARRA). The regulation became effective on August 22, 2010 and so the FTC began its active enforcement of compliance on February 22, 2010.

Healthcare information collected, stored, or transmitted by covered entities under the Health Insurance Portability and Accountability Act (HIPAA) including healthcare providers, healthcare clearinghouses and health plans, as well as business associates of covered entities is considered as protected health information (PHI).

The FTC’s Health Breach Notification Rule is applicable to personal health records (PHRs), or electronic records that contain personally identifiable health data that are kept, shared and controlled by or mainly for a particular person. The FTC rule is applicable to vendors of personal health records and PHR-associated entities, which are firms that send data to PHRs, provide products and services via PHR websites, or access certain data in PHRs.

All entities governed by the FTC’s Health Breach Notification Rule should send breach notifications to affected people and the FTC with no unreasonable delay and within 60 days from the time the breach was discovered. The FTC should be informed within 10 days of discovering a breach when it affects 500 or more people. When a service provider encounters a breach, the service provider needs to alert the PHR firm. The FTC website posts notices of data breaches impacting 500 or more people.

Every 10 years, the FTC typically evaluates the rules. Within the 10 years since the rule was first passed, the FTC website only published 2 breaches, because the majority of breach reports involved less than 500 records. The FTC additionally reports that enforcement of compliance was not needed because there were limited entities to which the regulation is applicable.

A lot of PHR vendors and associated entities are required to comply with the HIPAA Breach Notification Rule because they are either HIPAA-covered entities or business associates of those entities. Nevertheless, the FTC clarifies that a greater number of entities may soon be subjected to its rule.

As people make use of direct-to-consumer technologies (for instance mobile health apps, virtual assistants, and health tools), for their health data and services, more companies might need to follow the FTC’s Rule.

With the COVID-19 pandemic, the use of these communication platforms has increased considering the HHS temporary refrain from issuing financial penalties on entities that use non-HIPAA-compliant platforms in connection with the rendering of telehealth services. The FTC rule may consequently be more applicable now than 10 years ago.

The FTC wants to get feedback on certain questions concerning the effectiveness, advantages, and relevance of its rule to know whether to keep the rule as it is, scrap it, or update it to improve its benefits on consumers.

The Federal Register will accept comments for 90 days from the date of the rule’s publication. A copy of the request for public comment is available on Bloomberg Law.

CISA Gives New Notification About APT Groups Attacking Healthcare Providers

Advanced Persistent Threat (APT) groups continue to target healthcare organizations, pharmaceutical companies, research organizations, and others engaged in responding to the COVID-19 crisis, forcing another joint notification from cybersecurity authorities in the United Kingdom and the United States.

The previous alert by the UK’s National Cyber Security Centre (NCSC) and the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) was published on April 8, 2020. The current alert gives more details on the strategies, techniques, and processes that APT groups used to access networks and sensitive information.

In the most recent alert, CISA/NCSC mentioned that APT groups are focusing their efforts on organizations engaged in COVID-19 research to get sensitive data on the COVID-19 response as well as research information to boost the domestic research initiatives in nations that give funding to APT groups.

APT groups usually target healthcare providers to get patient personal data, intellectual property, and data that lines up with the country’s priorities. APT groups don’t seem to do attacks in higher numbers, they have changed their target and are now focusing attacks on institutions involved in the COVID-19 response. CISA/NCSC advise that initiatives to get sensitive information are ongoing with national and global healthcare companies being targeted to get sensitive COVID-19 research information.

One type of attack being done is targetiing supply stores, which are considered as a weak link that could be taken advantage of to access higher value victims. Supply chains are vulnerable because a lot of employees of companies in the supply chain are currently operating from home because of the COVID-19 lockdown.

The APT groups are utilizing different strategies to access networks, get control, and steal sensitive information. The alert increases consciousness of two strategies that were discovered in the last few weeks: vulnerabilities exploitation and password spraying.

Plenty of employees working from home while there is pandemic access to their corporate systems through virtual private networks (VPNs). A number of commercial VPN tools were found to have vulnerabilities that attackers are currently exploiting. Last year, VPN solutions from Pulse Secure, Palo Alto Networks, and Fortinet had vulnerabilities but patches were made available to fix the problems. A lot of companies are likewise affected by the Citrix vulnerability, CVE-2019-19781. Though patches were available a few months ago, many companies are still vulnerable to attack because they have not applied the patches. APT groups are scanning for organizations that are still exposed to the Citrix and VPN vulnerabilities and are working on exploiting them.

APT groups are likewise password spraying attacks to access corporate networks. Password spraying is similar to brute force attack that uses often used accounts. The attackers use a frequently used password to check if it permits system access. The same password is then used on several accounts prior to repeating the process with another password. That procedure goes on until the attackers discover the right password. The password spraying tactic is generally successful.

When an attack is successful, the correctly guessed password is utilized for accessing other accounts that probably used the same password. Attackers additionally download global address lists that are employed for other password spraying attacks. The attackers also move laterally, if possible, to steal other credentials and sensitive information.

CISA/NCSC presented the following mitigations  to help healthcare companies strengthen security against these attacks:

  • Ensure VPN clients and infrastructure are up-to-date and use the most recent software versions
  • Patch all software programs and operating systems immediately.
  • Configure multi-factor authentication to block the use of stolen or brute forced passwords to access accounts
  • Protect the management interfaces of crucial systems to keep attackers from getting privileged access to important assets
  • Improve tracking capability to discover network infiltrations.

NSA Cybersecurity Guidance for Teleworkers and Recommended Useful COVID-19 Threat Resources

The National Security Agency has released cybersecurity guidance for teleworkers to help enhance security while working from home. The guidance was introduced mainly for U.S. government workers and military service people. However, it also applies to healthcare sector workers offering telehealth services from home using their PCs and smartphones.

There are lots of communication solutions available for consumers and companies with varying offers of cybersecurity protections. The guidance document discusses 9 essential things to consider when choosing a collaboration program. By evaluating each service based on the 9 requirements, remote employees can select the most suitable solution to satisfy their demands.

The NSA highly advises performing high-level security checks to know how the security functionality of every platform works against particular security standards. These checks are helpful for determining risks related with the functions of each solution. The guidance document additionally gives details on utilizing the collaboration services safely.

The NSA wants the guidance to be assessed by all workers who are currently working from home to enable them to make a smart decision concerning the best communication and collaboration programs that can be used to fulfill their particular needs, and for employees to take the actions laid out in the guidance document to minimize potential cyberattacks.

The guidance document entitled Selecting and Securely Using Collaboration Service for Telework is available for download on this page.

The American Hospital Association (AHA) /American Medical Association (AMA) likewise published healthcare-specific guidance for remote employees. This must be utilized along with NSA guidance.

OCR’s Suggested Resources for Helping Healthcare Organizations Fight COVID-19 Risks

On April 30, 2020, the HHS’ Office for Civil Rights recommended a number of resources addressing the present threat landscape. OCR also recommended actions that need to be taken to lessen risks to a good and right level, as listed below:

Senators Request CISA and U.S. Cyber Command to Create Healthcare-specific Cybersecurity Advice

A group of Senators belonging to two parties wrote to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security and U.S. Cyber Command asking for healthcare care-specific cybersecurity advice on how to manage coronavirus and COVID-19-associated risks.

Richard Blumenthal, (D-CT), Tom Cotton (R-AR), Mark Warner (D-VA), Edward J. Markey (D-MA) and David Perdue (R-GA) composed the letter because of the increasing cyber espionage and cybercriminal activity directed at the medical care, public health, and research industries all through the COVID-19 outbreak.

The letter mentioned a report published by the cybersecurity company FireEye which pointed out that the Chinese hacking group, APT41, was conducting an important campaign, directed at the healthcare segment. The hacking group is taking advantage of vulnerabilities in networking devices, cloud application and IT management solutions to access healthcare networks – identical systems that are currently being employed by telecommuting employees for giving telehealth at the time of the outbreak. A number of other threat groups having a connection to China have likewise increased their attacks on U.S targets using COVID-19-themed campaigns.

Threat actors from Russia, North Korea and Iran are also doing attacks on international health institutions and public health organizations of U.S. allies. There were a number of false campaigns linked to Russia, China and Iran in an attempt to divert the response of the U.S. to the COVID-19 pandemic.

The healthcare sector already has difficulties protecting against attacks from nation-state threat groups and cybercriminal gangs prior to the SARS-CoV-2 pandemic. Medical providers are now stressed and pressured because of the COVID-19 pandemic and the condition is critical now. In the event that the cyberattacks become successful, there is a big risk of public health response disruption.

Hospitals depend on electronic information like electronic medical records, email communications, and internal networks. Many still use legacy equipment. Any attack can bring about disruption, diversion of resources, and loss of critical time. Even a somewhat minor attack can bring about big disruption. One example is the attack on the Department of Health and Human Services. It was a rather minor technical problem with email, yet it hampered the work of the HHS in organizing the federal government’s service. In case of a ransomware attack, EHRs can be taken out of action causing disruption and potentially grave consequences.

The Senators have asked the two agencies to employ the expertise and assets that were created to fight against these risks and to take the required steps to safeguard the healthcare sector for the duration of the coronavirus pandemic.

The Senators have asked public and private cyber threat intelligence like indicators of compromise from attacks on the medical care, public health, and research industries to be extensively shared to support network defenders prevent the attacks. They have likewise asked the agencies to organize with the HHS, Federal Bureau of Investigation (FBI) and Federal Trade Commission (FTC) to help raise awareness of cybercrime, cyberespionage, and fake information campaigns.

The Senators have requested to provide the National Guard Bureau with threat testing, resources, and extra guidance to help employees working with state public health departments and local emergency management agencies to make sure they have the facts they require to guard critical infrastructure against cybersecurity breaches.

The agencies were asked to speak with partners in the private medical care, public health, and research industries about the resources and data required to enhance protection against attacks, including vulnerability recognition tools and threat hunting.

To stop the fake information campaigns that are being done, the Senators told the agencies to think about giving public statements, the same as the joint statement given regarding election interference on March 2.

Lastly, they told the agencies to assess further required steps to detect and prevent attempts to intrude, manipulate, and meddle with medical care, public health, and research industries.

HHS Holds Off Enforcement of New Interoperability and Data Sharing Regulations

The HHS is going to enforce discretion when it comes to compliance with the latest interoperability and data sharing regulations that the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health IT (ONC) released on March 9, 2020.

The final decision to hold off enforcement is because of the COVID-19 outbreak. The ONC, CMS, and HHS’ Office of Inspector General (OIG) are convinced that at this time of the COVID-19 pandemic, healthcare providers should be allowed some versatility in complying with the latest interoperability and data sharing regulations.

There is no change with the dates for complying with the new regulations, though the two agencies are going to exercise enforcement discretion so that healthcare providers can concentrate their efforts on handling the COVID-19 outbreak.

ONC stays dedicated to making sure that patients and healthcare providers can gain access to electronic health information, whenever and wherever it is needed. During this crucial time, resources should be centered on combating the COVID-19 pandemic. To help in the crucial work during this time along with the data sharing initiatives, ONC plans to use enforcement discretion for three months at the conclusion of a number of ONC Health IT Certification Program compliance dates related to the ONC Cures Act Final Rule to give flexibility whilst making sure the objectives of the rule stay on target.

Read the details of the compliance dates and the timetable for ONC’s enforcement discretion on this page.

The CMS is offering healthcare providers 6 months more to comply with its regulation. Patients need to have safe access to their medical information now unlike any other time before. Hospitals ought to do everything that they can to make sure that patients get proper follow-up care. However, with a pandemic this big, it is very important for a healthcare system under attack by COVID-19 to have flexibility. The enforcement discretion will give hospitals 6 months more to follow the new prerequisites.

The ONC, CMS, and OIG will keep on monitoring the implementation scenario to find out if other actions are needed.

Guidance Issued on Allowable PHI Disclosures to First Responders During the COVID-19 Outbreak

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released additional guidance on HIPAA and COVID-19, the illness resulting from the 2019 Novel Coronavirus or SARS-CoV-2. The latest guidance document gives covered entities the cases of permitted disclosures of protected health information (PHI) according to the HIPAA Privacy Rule to ensure that first responders to people exposed to SARS-CoV-2 or showing signs of COVID-19 can disclose their PHI.

The latest guidance uses a Q&A format and makes clear when covered entities are allowed to share PHI including names and other ID details to first responders, police officers, public health specialists and paramedics without first needing a HIPAA authorization.

The document concurs that the HIPAA Privacy Rule permits disclosures of PHI if the data is necessary to give treatment when the law requires disclosure, when first responders like paramedics are vulnerable to getting COVID-19 and require data to avoid infection, and when disclosure can stop or minimize a critical and impending threat.

OCR additionally stated that a PHI disclosure is allowed whenever a request for PHI is made by a correctional institution or a police officer in legal custody of an inmate or another person, and PHI is needed to provide medical services to the person, to make sure the health and security of a person or other people within the institution, those transporting the person, and when PHI is needed to preserve security, protection, peace and order within a correctional institution.

OCR clarifies that a hospital is allowed to give an EMS dispatch a listing of names and addresses of all people identified to be positive for the COVID-19 test to be used on a per-call basis. The availability of that data ensures that any staff going to a patient’s location in response to an emergency is aware of the need to take extra safety measures, such as putting on personal protective equipment (PPE), to protect their own health and wellbeing.

911 call center personnel may request data concerning a patient’s signs or symptoms to know if there’s a probability of infection with SARS-CoV-2. The data is then handed to law enforcement authorities and other people who responded to an occurrence at the person’s place to make sure they do something to secure themselves.

In all instances, a covered entity should take reasonable attempts to restrict the disclosed data to the least amount required to achieve the reason for the disclosure.

OCR Director Roger Severino stated that the country needs the help of first responders now more than ever and OCR should do all that is necessary to keep them safe while they help other people. This guidance document helps make certain that first responders have access to updated infection data so that they remain safe including the public.

The guidance document entitled COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders, and public health authorities may be downloaded from the HHS website.

HIPAA Compliance and COVID-19 Coronavirus

No doubt HIPAA covered entities, including healthcare organizations, healthcare clearinghouses, health plans, and business associates of covered entities, have a lot of questions concerning HIPAA compliance and the COVID-19 coronavirus cases. There might be misunderstandings regarding the sharing of information of people who have gotten COVID-19 and those possibly exposed to the 2019 Novel Coronavirus, and with whom data may be shared.

HIPAA Compliance and the COVID-19 Coronavirus Pandemic

There is obviously consternation regarding HIPAA compliance and the COVID-19 Coronavirus pandemic as well as the application of the HIPAA Privacy Rule and Security Rule. Since the start of the HIPAA, there has been no disease outbreak on this enormity ever encountered.

It is essential to take note that the HIPAA Privacy and Security Regulations still apply in the course of a public health emergency like a disease outbreak, and this is applicable to HIPAA compliance and COVID-19. The HIPAA Security Rule makes certain the safety of the protected health information (PHI) of patients and calls for reasonable safety measures to be enforced to prevent impermissible uses and disclosures. The HIPAA Privacy Rule limits the uses and disclosures of PHI to those associated to a treatment plan, bill payment, and healthcare procedures.

Whenever public health emergencies are announced, it is typical for the Secretary of the HHS to give partial HIPAA waivers in areas affected by the emergency. In these situations, particular terms of the HIPAA Privacy Rule are suspended for 72 hours since the time a HIPAA-covered entity follows its disaster procedures. As of March 16, 2020, the Secretary of the HHS has not announced any HIPAA suspensions. Even with no HIPAA waiver, the HIPAA Privacy Rule allows sensible uses and disclosures of patients’ sensitive data.

In February 2020, OCR published a bulletin regarding the 2019 Novel Coronavirus, which confirms what the HIPAA Privacy Rule permits when it comes to sharing patient data while in emergency scenarios, like an infectious disease outbreak. The bulletin summary is detailed below.

Allowed Uses and Disclosures of PHI in Emergency Situations

PHI disclosure is permitted without first getting patient consent for treatment purposes. Disclosures are additionally allowed for coordinating care, for patient referrals, and consultations with other medical experts.

With a condition like COVID-19, it is important to alert public health authorities as they require the details so as to ensure the health and safety of the public. It is allowable to share PHI with public health authorities including the Centers for Disease Control and Prevention (CDC) and others in charge of making sure of the security of the public, like state and local health departments. In these situations, PHI can be disclosed without acquiring consent from a patient.

Disclosures of PHI are likewise allowed to avoid and minimize a serious and impending threat to a particular individual or the public, so long as such disclosures are allowed by other rules. These sorts of disclosures do not need consent from a patient. In such instances, it is the discretion of the medical specialists to evaluate the nature and the seriousness of the threat.

Disclosures of Data to Persons Engaged in a Patient’s Care

The HIPAA Privacy Rule allows disclosures of PHI to people engaged in the health care of a patient like friends, family, caregivers, and other people that the patient identified.

HIPAA covered entities are furthermore allowed to share patient data so as to identify, find, and alert family members, guardians, and other people in charge of the patient’s treatment, regarding the patient’s whereabouts, general condition, or demise. That consists of sharing data with authorities, the media, or even the general public.

In such instances, verbal authorization must be acquired from the patient prior to the disclosure. A healthcare expert should otherwise be able to sensibly infer, using expert judgment, that the patient doesn’t object to a disclosure that is identified to be for the patient’s best interest.

Information may furthermore be shared with disaster relief agencies that are approved by law or charters to help in disaster relief initiatives, for example for organizing the notice of family members or other individuals concerned in the patient’s treatment regarding the location of a patient, their condition, or demise.

The HIPAA Minimum Required Standard Applies

Healthcare specialists should make reasonable efforts to make sure that shared PHI is limited to the minimum required information to accomplish the objective for which the data is being disclosed.

When a public health authority or official asks for the data, covered entities can count on representations from the public health official or authority that the asked for details is the minimum required amount, when that reliance is sensible based on the conditions.

Disclosures With Regards to COVID-19 Patients to the Press

HIPAA is not applicable to press disclosures related to infections, however, HIPAA is applicable to disclosures of HIPAA-covered entities and their business associates to the press. In such instances, the HIPAA-covered entity or business associate may give restricted information in case there is a request regarding a patient by name. The details disclosed ought to be restricted to the general condition of the named individual and the specific area in the facility, given that the disclosure is in line with what the patient desires. The standing of the patient must be described using terms like undetermined, fair, good, critical, serious, treated and released, treated and moved, or dead.

All other data should not be shared with the media or any person not engaged in patient care without first acquiring written permission from the patient concerned.

Disclosures of Data Concerning COVID-19 by Non-HIPAA Covered Entities

It is important to note that HIPAA simply is applicable to HIPAA-covered entities, business associates of HIPAA-covered entities, and subcontractors of business associates. Other entities are not constrained to share information concerning the 2019 Novel Coronavirus and COVID-19; nevertheless, while HIPAA may not be applicable, other federal and state regulations may do.

The HIPAA Privacy Rule covers the communications between companies and workers. HIPAA is not applicable in case a worker informs an employer that he or she has contracted COVID-19 or are on self-quarantine since they are showing signs of COVID-19. HIPAA is applicable in case a hiring manager is told about a worker testing positive by the health plan of the company.

American Medical Association Playbook Dispels Common HIPAA Right of Access Myths

The American Medical Association (AMA) has issued a new HIPAA playbook to enable physicians and their practices to fully grasp the HIPAA Right of Access so that they could comply with this crucial requirement of HIPAA.

Misunderstandings regarding the HIPAA Right of Access may lead to financial charges for noncompliance. The HHS’ Office for Civil Rights presented a new HIPAA Right of Access enforcement initiative in 2019 and has actually taken action against two healthcare companies that were not delivering patients copies of their medical records promptly. Both cases began with a single patient who complained about not being provided with a copy of the requested health records and closed with an $85,000 financial fine.

Patients must get access to their healthcare information so as to make educated decisions regarding their own wellness. Under HIPAA, patients have the right to get hold of a copy of their health records, however, healthcare companies can face difficulties complying with all of the legal specifications of HIPAA. These difficulties, combined with misunderstandings regarding the HIPAA Right of Access, have kept some providers from providing patient requests for copies of their health information.

The Patient Records Electronic Access Playbook was published to teach physicians and their practices regarding the requirement to provide patients access to their medical documents and the legal requirements associated to medical record access and the providing of information to patients.

The 104-page document is split into four components and addresses the legal requirements of HIPAA and patient access laws and the difficulties physician practices encounter when adhering to the HIPAA Right of Access. The playbook consists of guidance to assist doctors to overcome difficulties and recommendations for operationalizing the provision of records access.

The document additionally dispels a number of the common myths regarding providing patients and third parties their health records, the health information that can and cannot be shared, the price that healthcare organizations can ask for providing copies of medical records, and how medical information should be provided.

The playbook clarifies that even though patient portals are being used adherence to the HIPAA Right of Access is not sure. Patient portals do not usually permit patients to access all health data and copies of medical records should still be provided to patients. AMA advises giving patients the chance to access their health information over a number of media. The playbook likewise covers providing health records to third parties upon request, which are two facets of the HIPAA Right of Access that have created misunderstandings for a lot of physician practices.

AMA states in the playbook that healthcare organizations ought to know about the functionality of their EHRs, and explore how patient information could be delivered to other healthcare organizations, how information may be fed into patient sites, and how to copy patient files to USB drives or CDs.

Healthcare organizations must also try to encourage patients to take more interest in their health and acquire a copy of their health information and examine those records for flaws. The patient can be encouraged to use applications and access medical information to become an active winner of his or her health. Patients may better take care of their health by realizing and managing all of their medical information.