HIPAA Compliance of Amazon Lex

Amazon recently made an announcement that the Amazon Lex chatbot service is now supporting Health Insurance Portability and Accountability Act (HIPAA) compliance so healthcare organizations can use it without violating the HIPAA Rules.

Amazon Lex provides a service that lets users create conversational interfaces into apps by means of text and voice. It enables making chatbots that use lifelike, normal language to interact with users, ask questions, gather and provide information, and do a variety of tasks including booking appointments. Amazon Alexa also uses this conversational engine powering Amazon Lex.

Until recently, the potential of using Amazon Lex in healthcare is limited because it wasn’t HIPAA-compliant. It is not allowed to use the solution in association with electronic protected health information (ePHI). Amazon’s business associate agreement (BAA) does not cover this service as well.

Amazon affirmed on December 11, 2019 that the AWS business associate agreement (BAA) addendum now includes Amazon Lex. Hence, the service can now be used with workloads in connection with ePHI, as long as there is a BAA in place. Amazon Lex has been put through third-party security checks under several AWS compliance programs. It is not only HIPAA eligible, but it is likewise compliant with SOC and PCI.

Just like with any software program, a BAA doesn’t ensure compliance. Amazon has made certain of the implementation of proper safety measures to protect the integrity, confidentiality, and availability of ePHI. However, it is the obligation of users to implement the solution the right way and to use it in compliance with HIPAA Rules.

Amazon has published a whitepaper on Architecting for HIPAA Security and Compliance on AWS. This provides guidelines for setting up AWS services that hold, process, and transfer ePHI. Instructions on the management of Amazon Lex were also published.

Healthcare Data Breach Report for October 2019

October saw a 44.44% month-over-month rise in healthcare data breaches. The HHS’ Office for Civil Rights received 52 breach reports having 661,830 healthcare records exposed, stolen or impermissibly disclosed.

Including this month’s report, the total figure of breached healthcare records for 2019 is over 38 million. That translates to 11.64% of the United States population.

October 2019 Largest Healthcare Data Breaches

1. Betty Jean Kerr People’s Health Centers with 152,000 individuals affected due to hacking/IT Incident
2. Kalispell Regional Healthcare with 140,209 individuals affected due to hacking/IT Incident
3. The Methodist Hospitals, Inc. with 68,039 individuals affected due to hacking/IT Incident
4. Children’s Minnesota with 37,942 individuals affected due to unauthorized access/disclosure
5. Tots & Teens Pediatrics with 31,787 individuals affected due to hacking/IT Incident
6. University of Alabama at Birmingham with 19,557 individuals affecte due to hacking/IT Incident
7. Prisma Health – Midlands with 19,060 individuals affected due to hacking/IT Incident
8. South Texas Dermatopathology Laboratory with 15,982 individuals affected due to hacking/IT Incident
9. Central Valley Regional Center with 15,975 individuals affected due to hacking/IT Incident
10. Texas Health Harris Methodist Hospital Fort Worth with 14,881 individuals affected due to unauthorized access/disclosure

Causes of Healthcare Data Breaches in October 2019

  • In October, the following incidents were reported:
    18 hacking/IT incident reports involved 501,847 individual healthcare records. The average breach size and median breach size were 27,880 records and 9,413 records, respectively.
  • 28 breach reports due to unauthorized access/disclosure incidents involved 134,775 records. The mean breach size and median breach size were 4,813 records and 2,135 records, respectively. Those breaches consist of 15 different reports from Texas Health Resources.
  • 5 loss/theft incidents involved 13,454 records. The mean breach size and median breach size were 2,350 records and 2,752 records, respectively. There was one improper disposal incident, which involved 11,754 records.

Location of Breached Health Data

Phishing still causes challenges for healthcare companies. Healthcare providers struggle in blocking phishing attacks and not detecting them quickly. A number of phishing attacks were reported that took weeks to identify.

Though multi-factor authentication could help to lower the risk of cybercriminals stealing and using credentials o gain access to corporate email accounts, a lot of healthcare companies simply use this vital security control after the occurrence of a phishing attack.

This increased number of “other” breaches is because of the mailing error incident at Texas Health, which resulted in 15 of the 19 breach incidents belonging to the other category.

Most of the network server breaches were because of ransomware attacks, including the biggest healthcare data breach in October. That breach shows how crucial it is to have a backup copy of all data, which is tested to ensure data recovery and to have one backup copy kept on a device that is not networked or exposed online.

Data Breaches by Covered Entity Type

There were 45 data breaches reported by healthcare providers. Health plans reported three breaches, and business associates of HIPAA-covered entities reported four breaches. Four breaches were also tainted by business associate involvement though the covered entity reported them.

Healthcare Data Breaches by State
There were 24 states where healthcare providers and business associates reported data breaches. The following is the tally of breach reports by state:

  • Texas reported 17 incidents with 15 breach reports from Texas Health
  • Ohio reported 4 breaches
  • California reported 3 breaches
  • Arkansas, Florida, Maryland, Louisiana, South Carolina, New Mexico, and Virginia reported two breaches each
  • Arizona, Alabama, Georgia, Indiana, Illinois, Kentucky, Minnesota, Mississippi, Missouri, Montana, Oregon, New York, South Dakota, and Washington reported 1 breach each

HIPAA Enforcement Actions in October 2019

The HHS’ Office for Civil Rights announced two financial penalties for HIPAA violations in October – One was a settlement and one was a civil monetary penalty.

OCR investigated Elite Dental Associates after receiving a complaint from a patient whose PHI was publicly disclosed in a Yelp review. OCR discovered that her PHI wasn’t the only one disclosed in that way. OCR likewise found out that the practice does not provide sufficient information in its notice of privacy practices and therefore did not comply with the HIPAA Privacy Regulation. Elite Dental Associates settled this HIPAA violation case by paying OCR $10,000.

OCR investigated Jackson Health System after the media disclosure of PHI. A photo of an operating room containing the health data of two people including a popular NFL star was published. The OCR investigation revealed several violations of the Security Rule, Privacy Rule, and Breach Notification Rule in a span of several years. OCR charged Jackson Health System with a civil monetary penalty worth $2,154,000.

HIPAA Seal of Compliance Awarded to Eagle Consulting Group

Eagle Consulting Group, a provider of managed services in Anchorage, AK, received HIPAA Compliance certification from Compliancy Group.

Eagle Consulting Group has many clients belonging to the healthcare sector and provides them with proactive IT services. While managing infrastructure and software solutions, the group is allowed access to electronic protected health information (ePHI). An organization like Eagle Consulting Group is deemed as a business associate under the Health Insurance Portability and Accountability Act and must be HIPAA compliant.

Eagle Consulting Group collaborated with Compliancy Group in order to demonstrate to its clients that it has a trusted HIPAA compliance plan.

Eagle Consulting Group employed the cutting edge HIPAA compliance software solution of Compliancy Group, which is popularly known as The Guard. This software program is handy for monitoring progress towards achieving HIPAA compliance. Once an efficient compliance program is established, The Guard functions as a very valuable tool to manage compliance.

Compliancy Group’s HIPAA experts advised Eagle Consulting Group in finishing the 6-stage HIPAA Risk analysis and remediation plan. After completing the program, the company was confirmed as effectively satisfying the minimum data privacy and security criteria mandated by HIPAA. The company has put in place policies and procedures that ensure the maintenance of HIPAA compliance. Employees perfectly understand their responsibilities in securing ePHI.

Because Eagle Consulting Group had successfully verified its risk analysis and remediation program, Compliancy Group awarded the HIPAA Seal of Compliance to the company.

The HIPAA Seal of Compliance proves to existing and upcoming clients in the healthcare industry that Eagle Consulting Group has satisfactorily complied with the minimum standards under the HIPAA Privacy, Security, and Breach Notification Rules. It is therefore identified as a managed service provider that is HIPAA-compliant.

In the event of being selected for a compliance audit, Eagle Consulting Group can show regulators its confidence that it is in full compliance of HIPAA. The company could similarly help its healthcare clients merge all the necessary technical safety procedures to safeguard their digital networks and keep all ePHI secure.

Patients Can Use the New Alexa Healthcare Skill to Manage Their Medications

Amazon’s Alexa now offers a new healthcare skill that patients could utilize in managing their prescribed medications and buying prescription refills.

At the start of this year, Amazon said that it has created a HIPAA-eligible setting for skill developers that integrates the required safety measures to comply with the specifications of the HIPAA Privacy and Security Regulations. Amazon created an invite-only platform for a select team of skill developers to make new skills that can be beneficial to patients.

The new skill is a product of a joint effort of Amazon and Omnicell, a medicine management firm. Amazon approached Omnicell and proposed to the company to generate the new skill after noticing that numerous Alexa users used their tools to create medication reminders. Amazon had obtained responses from a number of users who asked for enhancements to be made to the reminders feature to permit them to put several reminders a day for taking their medicines.

At first, the new Alexa feature will be accessible to clients of the Giant Eagle pharmacy, which manages more than 200 pharmacies all through the Midwest and Mid-Atlantic. With the new skill, patients can place reminders for taking their prescription drugs, look at their present prescription medications, and buy prescription refills from Giant Eagle just by giving voice commands to their Alexa devices.

The new skill comes with a selection of privacy and security protections to avert unauthorized access and improper use. After allowing the Giant Eagle Pharmacy skill and associating their account, users must create a voice profile and input a PIN. Alexa will identify a user through their voice profile, however, it is required that they provide their PIN before relaying any information. Healthcare associated information is also censored in the app to keep privacy. Voice recordings are reviewed and deleted at any time via the Alexa app, Privacy Settings, or by giving voice commands following authentication.

According to VP and general manager of Omnicell, Danny Sanchez, this recent technology is only the start, as we keep on identifying easy to use pharmacy steps that voice-powered devices can execute in real life to keep the patient at the heart of care and improve pharmacy workflow.

With the initial skill release, Amazon will have useful data that can be employed to enhance the customer experience. More pharmacy chains will be added in the New Year.

Resolving the Communication Issues in Healthcare

According to a recent TigerConnect study, 52% of healthcare organizations have communication disconnects that adversely impact patients on a daily basis or several times per week.

These communication challenges are causing disappointment for healthcare workers. They make it more difficult to coordinate patient care, thus leading to lapses in care. In fact, the effect of poor communication is significant and impacts the entire company.

At best, inefficiency in communication brings about delays that raise the price tag of providing healthcare. At worst, weak communication contributes to preventable medical mistakes, physician burnout and, in the most serious cases, it may cause death.

A lot of healthcare establishments are still greatly reliant on obsolete communication technology for instance fax machines and pagers. Groups of healthcare workers utilize various tools for communication and, in spite of an increasingly mobile labor force, landlines are depended on far too often.

TigerConnect research has revealed that communication programming in hospitals is terribly fragmented. 89% of hospitals still make use of fax machines and 39% still heavily rely on pagers for communicating with particular departments, functions or, even organization-wide.

Even if the advanced communications technology is used, it is frequently applied in silos. Nurses and physicians may be shifted onto advanced communications systems, however other people are not. As a result, complete benefits are not achieved.

These communication issues are not just a reason for stress for healthcare workers, patients are likewise noticing them. A Harris poll of patients performed in August 2019 revealed that patients are disappointed by ineffective communication in healthcare when staying in or visiting the hospital, and by the techniques providers are utilizing when communicating with them.

Correcting Broken Communication in Healthcare

TigerConnect is going to host a webinar in which the scope of the communication issues in the U.S. healthcare sector will be talked about together with the difficulties that communication disconnects are producing.

Dr. Will O’Connor, CMIO of TigerConnect and Jorge Jeffery, Data Scientist & Researcher, will speak about these topics and will recommend a solution that will enhance communication in healthcare, boost workflow efficiency, decrease common bottlenecks that are delaying patient throughput, and how enhancements in communication could make sure a lot more patients are seen quickly and the price tag of healthcare provision can be lowered.

Details of the Webinar:
Topic: Fixing Broken Communications in Healthcare

When: Thursday December 12, 2019 at 1.00 PM Eastern Time / 12:00 PM Central Time / 11:00 AM Mountain Time / 10.00 AM Pacific Time

Webinar Hosts: Dr. Will O’Connor, CMIO of TigerConnect / Jorge Jeffery, Data Scientist & Researcher

A Q&A session will follow after the webinar. Sign up here.

Timothy Noonan is the New Office for Civil Rights Deputy Director for Health Information Privacy

Timothy Noonan is now the Deputy Director for Health Information Privacy as announced by the Department of Health and Human Services’ Office for Civil Rights (OCR).

The function of the Deputy Director for Health Information Privacy is to head the Health Information Privacy Division of the OCR, supervise the national health information privacy policy and outreach activities of OCR, and manage and implement the HIPAA Security, Privacy, and Breach Notification Rules and the confidentiality terms of the Patient Safety Rule.

Noonan served as Acting Deputy Director for Health Information Privacy beginning January 29, 2018, after Iliana Peters left. Before accepting the Acting Deputy Director for Health Information Privacy position, Noonan functioned as the Southeast Regional Manager of OCR, prior to going to OCR’s headquarters to work as Acting Associate Deputy Director for Regional Operations as well as the Acting Director for Centralized Case Management Operations.

In the 22 months that Noonan was Acting Deputy Director for Health Information Privacy, he helped protect over $37 million in HIPAA civil monetary penalties and settlements, which include the biggest ever HIPAA penalty. Anthem Inc paid $16 million settlement for the 78.8 million-record data breach that happened in 2015.

Noonan likewise assisted in producing the Right of Access Enforcement Initiative, without which guidance the individuals’ right of access to their healthcare records won’t be issued and the very first financial penalty for Right of Access failures won’t be settled with Bayfront Health St Petersburg.

Noonan also helped in the issuance of Health Apps and in the request for data through public responses on the way the HIPAA Privacy Rule ought to be changed to encourage synchronized, value-based medical care.

Smartwatch Data Act Released to Protect Privacy of Consumer Health Data

Sens. Bill Cassidy, M.D., (R-Louisiana) and Jacky Rosen, (D-Nevada) introduced the Stop Marketing And Revealing The Wearables And Trackers Consumer Health (Smartwatch) Data Act. The new law will make sure that no health information obtained through health apps, fitness trackers and smartwatches will be sold or shared without the consent of the consumer.

The Health Insurance Portability and Accountability Act (HIPAA) is applicable to all health information that HIPAA-covered entities and their business associates collect, store, keep, or transmit. Health apps, fitness trackers and wearable devices collect, store and transmit the same health information, which could be shared or sold without authorization. Consumers do not have control over the persons that could access their health information. The new law seeks to deal with that privacy issue.

The bill forbids transmitting, selling, sharing, or accessing any non-anonymized consumer health data or other personally identifiable health data that is collected, documented, or obtained from individual consumer devices to domestic data brokers, other local or foreign except if with consumer’s consent.

Consumer devices refer to equipment, applications or software programs, or mechanism with the principal feature or capability to collect, keep, or transfer consumer health data.

The Smartwatch Data Act covers data regarding the health standing of a person, personal biometric data, and kinesthetic data obtained directly by means of sensors or manually inputted by consumers into apps. The Smartwatch Data Act will handle all health information obtained by using apps, trackers and wearable devices as protected health information (PHI).

There have been demands for HIPAA to extend its coverage to application developers and wearable device companies that collect, hold, maintain, process, or transfer consumer health data. The Smartwatch Data Act is not a HIPAA extension to cover these businesses, rather the law applies to the information itself. The bill calls on the HHS’ Office for Civil Rights, the primary enforcer of HIPAA compliance to also enforce the Smartwatch Data Act. Noncompliance with the Smartwatch Data Act will have the same penalties as those for HIPAA violations.

The law was presented after the news about Google’s partnership with Ascension, the second biggest healthcare provider in the U.S., that gave Google access to 50 million Americans’ health data. That collaboration brought up several questions regarding the privacy of health data.

HIPAA law covers the data passed by Ascension to Google, but it does not cover fitness tracker data at this time. Google expects to partner with fitness tracker company Fitbit in 2020 and there is concern about the way Google is going to use personal health information obtained by means of Fitbit devices. The Smartwatch Data Act can help make sure that consumers have a say on the use of their health data.

Speakap Receives HIPAA Seal of Compliance From Compliancy Group

Speakap, a communication platform provider, announced recently that it has been certified as Health Insurance Portability and Accountability Act (HIPAA) compliant by Compliancy Group.

Speakap created a communications platform that allows healthcare companies to easily and effectively communicate with their frontline personnel, even when they have no quick access to computer systems. By using a mobile app, healthcare companies can keep in touch with deskless workers and converse with all the employees by means of a desktop version of the application. Businesses from a broad array of industries use the app; however, before the healthcare industry can use this communications solution, Speakap must ensure the full compliance of its platform, policies, and procedures with HIPAA Rules.

If using the platform to communicate ePHI, HIPAA categorizes Speakap as a business associate. Hence, Speakap needs to incorporate physical, technical and administrative safeguards into its solution and it must fulfill the requirements under HIPAA.

To make sure of the company’s full compliance, Speakap sought the help of Compliancy Group’s compliance coaches. In addition, the use of The Guard, the exclusive software solution of Compliancy Group, helped Speakap to successfully complete the 6-stage risk analysis and risk remediation process of Compliancy Group.

According to the Compliancy Group’s HIPAA specialists, Speakap’s good faith efforts successfully satisfied HIPAA compliance, and so the HIPAA Seal of Compliance has been granted. The HIPAA Seal of Compliance is a proof that Speakap has implemented safety measures, policies, and procedures and has designed an efficient HIPAA compliance program that meet the regulatory standards as required in the HIPAA Security Rule, HIPAA Privacy Rule, HIPAA Omnibus Rule, HIPAA Breach Notification Rule, and the HITECH Act.

Speakap CEO, Erwin Van Der Vlist stated that Speakap is committed to offer reliable and safe solutions that adhere to the high standards of HIPAA. The HIPAA compliant platform of Speakap gives the highest levels of trust and peace of mind to its clients. Its platforms are supported by exceptional measures that give industry-leading solutions.

EnTech Receives HIPAA Seal of Compliance Award

Compliancy Group confirmed EnTech, a managed IT service provider in Fort Myers, FL, as compliant with the Health Insurance Portability and Accountability Act (HIPAA) Rules.

For over 20 years, Entech has been helping companies in Southwest Florida get the most out of information technology by providing managed IT and integration The company also provides strategic technology consultancy services to assist businesses to decide on the appropriate IT architectures to match their needs.

When providing healthcare organizations with those services, EnTech needs to adhere to the HIPAA Rules. The company should put in place suitable safety measures to ascertain the integrity, confidentiality, and availability of electronic protected health information (ePHI). Employees must be mindful of their responsibilities with regard to HIPAA and ePHI.

The HIPAA coaches of the Compliancy Group and its compliance tracking solution known as “The Guard” helped EnTech to successfully finish the 6-Stage Risk Analysis and Remediation Process set by Compliancy Group. With this excellent achievement, the Compliancy Group confirmed the company’s HIPAA compliance and awarded its HIPAA Seal of Compliance. Only companies that have met all the HIPAA Security, Privacy, Breach Notification, and Omnibus Rules requirements are given the award of HIPAA Seal of Compliance to prove that they have a reliable HIPAA compliance program set up.

Entech’s Chief Development Officer, David Spire said that they are very proud that they have acquired this designation, which shows their commitment to their clients and community. With the constantly changing threat landscape, healthcare organizations that directly or indirectly offer medical care these days should take all the required measures to secure all their personal data.

In addition to a signed business associate agreement, Entech’s HIPAA Seal of Compliance gives present and future clients the reassurance of their commitment to keeping the privacy and security of personal information and fulfilling its responsibilities as required by the HIPAA.

Class Action Data Breach Lawsuit Settled by UCLA Health for $7.5 Million

A class action lawsuit filed on behalf of victims of data breach has been settled by UCLA. The lawsuit that was discovered in October 2014 will cost UCLA Health $7.5 million to settle.

Suspicious activity was discovered by UCLA Health on its network back in October 2014. Once detected, UCLA Health contacted the FBI to assist them with the investigation. The forensic investigation revealed that hackers had indeed gained access to its network, although it was believed that at the time they did not succeed in accessing the parts of the network where the medical center stored its patients’ medical information. On May 5, 2015, however, it was confirmed by UCLA that the hackers had in fact gained access to certain sections of the network containing patients’ protected health information and names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers may have been viewed or copied. 4.5 million patients were affected by the breach in total.

Upon the Department of Health and Human Services’ Office for Civil Rights investigation into the breach, they were satisfied with UCLA Health’s breach response and the administrative and technical safeguards that had been put in place after the breach to improve their security.

As a result of this UCLA Health avoided a financial penalty. However, a class action lawsuit was filed on behalf of patients affected by the breach. The complainants alleged UCLA Health failed to inform them about the breach in a timely manner, there had been violations to California’s privacy laws, breach of contract and the failure to protect the privacy of patients by UCLA Health constituted negligence.

UCLA Health notified patients about the breach on July 15, 2015. Although this was, in fact, in line with HIPAA requirements (under 60 days from the discovery that PHI had been compromised) the complainants believed they should have been notified in a more brisk manner, given the fact that it had been 9 months since the breach had occurred.

Under the terms of the settlement, all patients affected by the breach can claim two years of free credit monitoring and identity theft protection services. Patients will also be given the opportunity to make a claim to recover costs that have been placed upon them in protecting themselves against unauthorized use of their personal and health information. Furthermore, they also have the ability to submit a claim to recover losses suffered due to fraud and identity theft.

A claim of up to $5,000 can be made by patients in order to cover the costs of protecting their identities and even up to $20,000 for any damage or losses that resulted from identity theft and fraud. $2 million of the $7.5 million settlement has been put to the side to cover patients’ claims.  The $5.5 million remaining will be placed into a cybersecurity fund.  This fund will be used to improve cybersecurity defenses at UCLA Health.

May 20, 2019 is the cut-off date for patients to submit an objection or exclude themselves from the settlement. Preventative measure claim forms must be submitted by June 18, 2019. Patients also must enroll in the free credit monitoring and identity theft protection services by September 16, 2019. June 18, 2021 was the deadline for submitting claims for the reimbursement of losses is . The final court hearing on the settlement is set to take place on June 18, 2019.

Potential Huge Breach of Protected Health Information Discovered

Meditab Software Inc., Sacramento, CA-based medical software provider and it’s San Juan, PR-based affiliate, MedPharm Services have been subject of a huge breach of protected health information.

A fax processing service is also provided by Meditab and one of the servers used for processing faxes has been discovered to be leaking data. As a result, it could be accessed over the internet without the need for any authentication.

The unprotected fax server was discovered by SpiderSilk, a Dubai-based cybersecurity firm. The fax server was hosted on a subdomain of MedPharm Services. Furthermore, it housed an Elastisearch database containing fax communications. Those faxes could be accessed by anyone in real time. The database was formed in March 2018 and was home to over 6 million records. Currently, it is uncertain how many of those records contained protected health information.

A recent report on TechCrunch stated that a brief review of the faxes in the database showed they contained highly sensitive information such as names, addresses, dates of birth, Social Security numbers, payment information, insurance information, doctor’s notes, prescription details, diagnoses, lab test results, and medical histories. None of the above information was encrypted.

Meditab Software and MedPharm Services were both founded by Kalpesh Patel, who TechCrunch contacted in relation to the breach. The fax server was taken offline after the companies were alerted about the breach and an investigation was immediately launched to identify the cause of the breach.

In order to determine the extent of the breach, database logs are currently being assessed, which patients have been affected, and whether the database was accessed or downloaded by unauthorized individuals.

Currently, it is unclear just how long the server was left unprotected and how many patients have been affected by the breach. When the number of records in the database are considered, this breach has potential to be among the largest healthcare data breaches in history in the United States.

Healthcare Employees Are Vulnerable to Phishing Attacks, According to Study

The healthcare industry is being heavily targeted by cybercriminals and phishing is one of the most common methods they are using to gain access to healthcare networks and, as a result, sensitive data. The number of successful phishing attacks on healthcare institutions is a serious cause for concern.

OCR identified email as being the main location of breached ePHI at HIMSS19, and the highest risk of data breaches come from phishing attacks.

Is the high number of successful phishing attacks mostly down to the healthcare industry being targeted more than other industry sectors? Or is it as a result of healthcare employees being more susceptible to phishing attacks? A recently published study has provided us with some answers.

A study has recently been conducted by Dr. William Gordon of Boston’s Brigham and Women’s Hospital and Harvard Medical School and his team to determine the susceptibility of healthcare employees to phishing attacks.

To conduct the study, Gordon and his team analysed data from 6 healthcare institutions in the United States that used vendor solutions or custom-developed tools to send simulated phishing emails to their employees.

The researchers analyzed the data collected from the simulated phishing emails sent to healthcare employees between August 2011 and April 2018. The data set included 95 simulated phishing campaigns which resulted in 2,971,945 simulated phishing emails being sent.

422,062 of these emails (14.2%) were clicked by the employees. The institutional click rate median ranged between 7.4% and 16.7% per campaign. In one of its campaigns, an institutions had a median click rate of 30.7%. Overall, 1 in 7 emails attracted a click across all institutions and all campaigns.

The emails were divided into three categories: Office-related, IT-related and personal. IT-related emails (e.g. password resets, security alerts) turned out to be the most successful, with an institutional click rate median of 18.6%.

No significant association between the year that campaigns were conducted and click rates was found by the researchers. However, they did discover that repeated phishing simulations reduced the chances of employees falling for a later phishing email.

Institutions that ran between 6 and 10 simulated phishing campaigns lowered the odds of a click on a phishing email by 0.511. When more than 10 campaigns were conducted, the odds were reduced by 0.335.

The researchers indicated that the healthcare systems are uniquely vulnerable to phishing attacks, mostly as a result of a high turnover of employees and a constant influx of new employees that may not have had any previous cybersecurity training. High endpoint complexity was also named as a factor that makes healthcare institutions vulnerable to phishing attacks.

From the high click rates, the researchers concluded that phishing is a major cybersecurity risk in healthcare.

Three particular tactics were suggested by the researchers to counter the threat from phishing:

  1. Prevent emails from being delivered to employees through the use of spam filtering technology
  2.  Implement multi-factor authentication to decrease the value of credentials
  3. Improve security awareness through cybersecurity training and phishing simulations.

The report ‘Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions’ was published on JAMA Network Open on March 8, 2019. DOI:10.1001/jamanetworkopen.2019.0393.

25% of Healthcare Organizations Have Suffered a Mobile Security Breach in Past Year

It has been indicated by the Verizon Mobile Security Index 2019 report that 25% of healthcare organizations have experienced a security breach which involved a mobile device in the past 12 months.

Despite all businesses facing similar risks from mobile devices, it appears that healthcare organizations are addressing risks better than most other industry sectors. Out of the eight industry sectors that were surveyed, healthcare experienced the second lowest number of mobile security incidents, just behind manufacturing/transportation.

Healthcare mobile security breaches have fallen considerably in the past couple of years. Since 2017, 35% of surveyed healthcare organizations claimed they had experienced a mobile security breach in the past 12 months.

Although the figures suggest that healthcare organizations are getting better at protecting mobile devices, Verizon argue that may not necessarily be what is happening. A suggested explanation is that healthcare organizations may simply be struggling to identify security incidents involving mobile devices.

Out of all the healthcare organizations surveyed, 85% believed that their security defenses were effective. What’s more, 83% said they believed they would be able to detect a security incident quickly. That confidence may be misplaced as 25% of healthcare organizations have suffered a breach involving a mobile device and 80% of those entities were made aware of the breach from a third party.

As mobile devices are used regularly to access or store ePHI, a security incident could easily result in a breach of ePHI. 67% of all healthcare mobile security incidents were considered major breaches. From those breaches, 40% had significant lasting repercussions and, in 40% of cases, it was said to be difficult and expensive to remediate the situation.

67% of mobile device security incidents involved other devices being compromised, 60% of organizations said they experienced downtime as a result of the breach, and 60% said it resulted in the loss of data. 40% of healthcare organizations that suffered such a breach said multiple devices were compromised, downtime was experienced, and they lost data. 30% of breached entities said that cloud services had been compromised due to a mobile security breach.

The main security risks were seen to be related to how devices were used by employees. 53% of respondents claimed personal use of mobile devices posed a major security risk and 53% said user error was also a significant problem.

Out of all the healthcare organizations that were surveyed, 65% were less confident about their ability to protect mobile devices than other IT systems. Verizon claims that this could be partly explained by the lack of effective security measures in place. An example of this can be seen with just 27% of healthcare organizations using a private mobile network and only 22% having unified endpoint management (UEM) in place.

It was also confirmed from the survey that users are taking major risks and are breaching company policies. Across all industries, 48% of respondents said in order to get tasks completed, they sacrificed security. This percentage was only at 32% last year. 81% admitted to using mobile devices to connect to public Wi-Fi, despite the fact that in many cases doing so violates their company’s mobile device security policy.

Hospitals at High Risk of Suffering Devastating Cyberattack, According to Moody’s

The following four industry sectors – hospitals, banks, market infrastructure providers, and securities firms – face significant financial risks from cyberattacks, a new Moody’s Investors Service Report has revealed.

Those four sectors were discovered to have high risk of being exposed to cyberattacks. The four sectors are all heavily reliant on technology for daily operations, distribution of content, and customer engagement. An ever-increasing digitalization and interconnectedness within each sector and across different sectors means the risk of cyberattacks is also increasing.

In Moody’s report, they assessed vulnerability to a cyberattack and the impact such an attack could have on crucial businesses operations, reputation damage and disclosure of data. Cybersecurity measures that had been deployed to protect the company against cyberattacks were not taken into account for the report, unless mitigants had been applied consistently across each sector (e.g. supply chain diversity). In total, 35 broad industry sectors were assessed for the report and each were given a rating of low-risk, medium-risk, or high-risk.

The health insurance, pharmaceutical, and medical device industries were all placed in the medium-risk category. Hospitals were rated at high-risk, with the main reasons being the sensitive and essential nature of data used by hospitals, the increasing number of vulnerabilities introduced due to connected medical devices, the value of healthcare data to hackers, and the estimated time it would take to recover from an attack as well as the disruption to the business during the mitigation of an attack.

A successful cyberattack can prove costly to mitigate. Entities which have been breached must increase investment in technology and infrastructure,  pay higher insurance premiums, cover the cost of regulatory fines and litigation, increase R&D spending. What’s more these attacks can have serious reputational effects, such as higher customer churn rates and a creditworthiness reduction.

“We view cyber risk as event risk that can have material impact on sectors and individual issuers,” stated Derek Vadala, Moody’s Managing Director. “Data disclosure and business disruption are the two primary types of cyber event risk that we view as having the potential for material impact on issuers’ financial profiles and business prospects.”

As the financial impact of a cyberattack can be substantial and long-lasting, it is vital for businesses and organizations in the high-risk sectors to have “robust sources of liquidity” to weather the storm.

While larger hospitals are likely to have more financial resources to assign to mitigating threats and recovering from cyberattacks, they are still not immune to attack. Even with these resources, they can still suffer a significant financial impact, particularly when you consider the fact that many hospitals have not purchased cyber insurance due to the high cost.

Cyberattacks on businesses and organizations in high-risk sectors have the potential to be catastrophic. This ultimately could have an impact on the ability of breached entities to pay back debts. The four high-risk industry sectors mentioned above hold a combined $11.7 trillion in rated debt.

Not only do they result in considerable financial costs and damage to an entity that is attacked, cyberattacks in the high-risk sectors would also likely have a number of ripple effects and a far-reaching impact on other industry sectors.

HIPAA Compliance Clashing with Healthcare Cybersecurity

The College of Healthcare Information Management Executives (CHIME) has recently told Congress that solely complying with HIPAA Rules is not enough to prevent data breaches. CHIME also claims that, in certain cases, HIPAA compliance can result in a lessening of healthcare cybersecurity defences.

President and CEO of CHIME, Russell P. Branzell and CHCIO Chair of the CHIME Board of Trustees Shafiq Rab recently responded to a request for information (RFI) by Congress on ways to tackle rising healthcare costs.

In a letter to Lamar Alexander, Chairman of the Committee on Health, Education, Labor, and Pensions (HELP) on March 1, 2019, they explained that the use of technology in healthcare helps to reduce costs and can improve efficiency as well as outcomes if used correctly.

It was stated in the letter that “significant advancements in healthcare technology have been made possible through policy, however, often overly stringent prescriptive mandates have added to healthcare costs, impeded innovation and increased burdens on clinicians.”

In order to improve the level of care that can be provided to patients, the use of technology and data sharing are vital. Despite this, both introduce new risks to the confidentiality, integrity, and availability of healthcare data. While policies are being introduced to encourage the use of technology and improve interoperability, it is also crucial for cybersecurity measures to be put in place to protect patient data. Security requirements must be included alongside any policy recommendations.

Chime also wrote in the letter “as we increase interoperability, additional threats to data integrity will arise. Without proper safeguards, the safe and secure transmission of sensitive data will continue to be a challenge and will hinder efforts to care outcomes.”

Healthcare organizations that are compliant with HIPAA Rules will have met the minimum standards set by the HHS for healthcare data privacy and security. However, that does not mean that HIPAA-compliant organizations have a good level of protection against cyberattacks. HIPAA is a complex legislation to be compliant with and requires a significant amount of resources. That ultimately means fewer resources are then available to tackle cybersecurity issues the entity may have and to protect themselves against actual cyber threats.

Healthcare providers are dedicating resources in order to meet standards set by the HHS and its Office for Civil Rights (OCR), even though the measures introduced for HIPAA compliance may not address the most serious cyber threats to them. As a result, their ability to protect patient data could be diminished rather than strengthened as a result.

CHIME also believes that enforcement of compliance with HIPAA Rules, such as breach investigations and compliance audits, are unduly punishing. OCR appears to be more focused on dishing out punishment rather than helping healthcare providers recover from a breach, learn from it, and share the lessons learned so other healthcare organizations can also benefit.

Healthcare providers should not be burdened with protecting PHI in areas outside their control. CHIME suggests there should be an introduction of safe harbors “for organizations that demonstrate, and certify, cybersecurity readiness.” This may require amendments to be made to the HITECH Act, as well as a change to the language used for the definition of a breach so it no longer presumes guilt.

CHIME has also called for the HHS to make better guidance available for healthcare providers to help them assess threats that are within their control. They also believe that healthcare providers should not have to claim full responsibility for protecting PHI outside of their domain. CHIME has also suggested that the balance of responsibility for security needs to have a more even split between covered entities and their business associates.

OCR should assess the level of effort that has gone into protecting systems and PHI when considering enforcement actions. Policies should then be pursued that reward healthcare providers for good faith efforts to prevent cyberattacks, such as demonstrating sufficient compliance with NIST’s Cybersecurity Framework (CSF).

Measures such as these will help encourage healthcare providers to invest more of their resources in cybersecurity. This, in turn, will help to prevent more breaches from occurring and allow healthcare providers to avoid the high costs of mitigating those breaches, which will ultimately result in reduced healthcare costs.

New Federal Data Privacy Act Proposed by Nevada Senator

A new bill (the Data Privacy Act) has recently been introduced by Nevada Senator Catherine Cortez Masto, (D-NV). This bill calls for improved privacy protections for consumers, greater accountability and transparency for data collection practices, and the prohibition of discriminatory data practices.

It is currently a requirement for HIPAA-covered entities to obtain consent from patients before using or disclosing their health information for reasons other than the payment for healthcare, provision of healthcare, or for healthcare operations. With this being said, companies not bound by HIPAA Rules do not have the same restrictions in place.

A number of states are considering introducing or have already introduced laws covering health and other sensitive data collected by entities that are not covered by HIPAA in the absence of a federal law that provides such protections. While Congress is assessing privacy protections for consumers, patchwork of state laws are currently the main providers of protection. As a result of this, privacy protections can vary greatly depending on where the consumer lives.

The bill, The Digital Accountability and Transparency to Advance Privacy (DATA Privacy) Act, calls for data privacy protections similar to that in place for GDPR to be introduced to limit the collection of personal data, to protect data that is collected, and to prevent personal data from being used to discriminate against individuals.

If the Data Privacy Act is passed, it will see consumers being given more of a say about the types of information that are collected, how this information is used, and with who the information is shared with.

The Data Privacy Act will also call for companies to provide consumers with an option of opting in or out of the collection and sharing of sensitive data, such as genetic information, location data and biometric data.

Consumers have a right to be told what information will be collected, how  the company plans to use the information, and with whom the information will be shared. The company must also create a process that allows consumers to check the accuracy of their data, to request a copy of any information that has been collected, and to be provided with the option of transferring or deleting their data without any negative effects.

Restrictions will also be implemented in terms of the data that can be collected. It will only be permitted for companies to collect data if there is a legitimate business reason for doing so. Additionally, individuals whose data is collected must not be exposed to unreasonable privacy risks. The bill also aims to protect consumers from discriminatory targeted advertising practices based on information they give such as sex, gender, sexual orientation, race, nationality, religious belief, or political affiliation.

It would also be necessary for any company that collects the personal data of more than 3,000 individuals in a calendar year to provide consumers with a notice of their privacy policies that clearly explains how their data will be used.

Furthermore, any business with annual revenues in excess of $25 million will also be required to appoint a Privacy Officer. His/her responsibilities will include tasks such as training staff on data privacy.

The FTC and state attorneys general will be given the authority to enforce compliance with the new Act and financial penalties will be issued to companies who are found not to be in compliance.

The intention of the Data Privacy Act is to improve privacy protections for consumers without placing any unnecessary burden on small businesses.

In a statement released in relation to the new ACT, Senator Cortez Masto said “My legislation takes a proactive approach to protecting consumer data by ensuring Americans have a voice in how their consumer data is used. I’m proud to introduce this legislation with my colleagues and will continue this fight to strengthen consumer privacy and data security.”

Definition of Personal Information that Requires Breach Notifications Expanded by New Jersey

A bill that expands the types of personal information that require notifications to be sent to consumers in the event of a data breach occurring has been unanimously passed by the New Jersey Assembly.

Up to now it has been required by New Jersey breach notification laws that businesses and public entities must send notifications to consumers if there has been a breach of their Social Security number, driver’s license number, or bank account number or credit/debit card information if they are accompanied with a password or code that enables access to the account.

The amendment to the New Jersey data breach notification requirements of the Consumer Fraud Act will see an expansion of the definition of personal information to include usernames and email addresses along with a password or answers to security questions that would allow accounts to be accessed.

This bill (A-3245) was sponsored by Ralph Caputo (D-Essex) and was recently passed by the Senate by a 37-0 vote and by the Assembly by a 76-0 vote. A bill which was almost identical (S-52) was passed by the Senate and Assembly in 2018, however it was not signed by the state governor at the time, Chris Christie. It is expected that current state governor Phil Murphy will sign the bill.

The bill closes a gap in current laws which would enable businesses to avoid notifying consumers of breaches of their online information. If online accounts are accessed or compromised, criminals can gain access to a variety of sensitive information that can be used for identity theft and fraud. Consumers have the right to be made aware if an online account can be accessed by someone else as a result of a data breach so they can take steps to secure their accounts.

Once the new bill is passed, breach notifications can be mailed to consumers or electronic notices can be provided. A substitute breach notice can be issued if more than 500,000 individuals have been affected or if the cost of providing notices would cost in excess $250,000. In such events, breach victims should be emailed promptly, and a notice should be posted in a prominent position on the company’s website.

However, a business or public entity that furnishes an email account is prohibited from issuing email notifications to breached accounts and must use a different means to deliver notices. An example of such a method could be providing a notice that is clearly visible when the user logs into their account from an IP address or location that has previously been used by the user to access their account.

A fine of up to $10,000 can be placed on any business or public entity found to have willfully violated state data breach notification laws and up to $20,000 for any subsequent offenses after the first. Furthermore, for individuals who have suffered ascertainable losses as a result of a data breach, there is now also a private right of action available.

Facebook’s Health Data Sharing Practices Investigated by New York State Departments

Sensitive health data is collected by Facebook from third party apps, even if the user has not logged in via Facebook or doesn’t even own a Facebook account according to a recent analysis of Facebook’s data collection practices.

Private information such as heart rate data, blood pressure measurements, menstrual cycle data, and other health metrics are handed over to Facebook, often without the user’s knowing or any specific disclosure that data provided by users or collected directly by apps are shared with the social media platform.

The Wall Street Journal recently conducted an investigation which tested various health-related apps. Although it was known that some of those apps send data to Facebook about when they are used, just how much data sharing that was occurring was not well understood. It was revealed by the report that 11 popular smartphone apps have been handing over sensitive data to Facebook without any apparent consent obtained from users.

On one particular app, Flo Period & Ovulation Tracker, dates of a user’s last period are shared with Facebook and the predicted date when the user is ovulating. Similarly, the Instant Heart Rate: HR Monitor App in the Apple iOS store was discovered to send users’ heart rate information to Facebook right after it is recorded. Neither of these apps or any others that were found to be sharing sensitive data with Facebook appeared to offer users a way of opting out of having their data shared.

The WSJ report notes that while the data sent by these apps may be anonymous, Facebook have a method of matching the information with a particular Facebook user and use the data to target specific ads.

The WSJ made contact with Facebook in relation to the report and received a reply confirming that some of the apps cited in the report appeared to be violating its business terms and that the social media platform does not authorize app developers to share “health, financial information or other categories of sensitive information,” and that the responsibility lies with the app developers to be clear to their users about the information that is being shared. A Facebook spokesperson also spoke to Reuters, saying “we also take steps to detect and remove data that should not be shared with us.”

Investigation of Facebook Instructed by New York Governor

New York State Governor Andrew M. Cuomo issued a press release on Friday, February 22, 2019, stating that he has instructed the Department of Financial Services and the Department of State to investigate how Facebook is acquiring health data and other sensitive information from developers of smartphone apps and the alleged breaches of Facebook’s own business terms and privacy violations.

Cuomo also said that if WSJ’s findings are correct, it amounts to “an outrageous abuse of privacy.”

Cuomo is determined to ensure companies are held responsible for upholding the law and ensuring the sensitive data of smartphone users is kept private and confidential. Personal data should not be shared with other companies without the clear consent of users.