We get to week 3 of #BeCyberSmart NCSAM. We had no idea when we made this plan that OCR would start dropping settlements at the same time. After a pretty quiet year they announced more settlements in September than they ever had in a single month before. Again, we have a lot to review! Reminds me of one of my favorite movie quotes:
“Life moves pretty fast. If you don’t stop and look around once in a while, you could miss it.” – Ferris Bueller
In this episode:
OCR Drops More + NCSAM Week 3 Healthcare – Ep 276
Share Help Me With HIPAA with one person this week!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
HIPAA Say What!?! [05:11]
NCSAM Week 3: Securing Internet-Connected Devices In Healthcare [12:36]
In case you need a great example of what can be done with a hacked device, check out this information on how a coffee maker was hacked recently: When coffee makers are demanding a ransom, you know IoT is screwed.
Just to see a clip of the results of the attack check out this video of it going nuts. Coffee Maker hacked demanding ransom.
When we got an article about it from our Knock Me Down and Steal My Teeth friend, Beth, I realized it was perfect to share with this week’s theme. It also carries over the final week’s theme about connected devices.
When someone tells you that some device can’t do anything that matters much even when it connects to the network, share this video with them. Just the fact that the hot plate turns on and water keeps pouring out at the same time should make anyone in healthcare think twice about all those devices they see around them. The article made a very good point after taking us through all the nerdy details.
Additionally, this case also demonstrates one of the most concerning issues with modern IoT devices: “The lifespan of a typical fridge is 17 years, how long do you think vendors will support software for its smart functionality?” Sure, you can still use it even if it’s not getting updates anymore, but with the pace of IoT explosion and bad attitude to support, we are creating an army of abandoned vulnerable devices that can be misused for nefarious purposes such as network breaches, data leaks, ransomware attack and DDoS.
OCR keeps making announcements [20:13]
Here are the latest resolution agreements announced by OCR in the last month. All of these may be announced now, but the dates on the agreements are from earlier in the year.
Resolution with a BA
HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individuals This one is with CHSPSC LLC, a BA that provides a “variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee”. Basically, you’re looking at a version of an MSP that is owned by the health system to provide services to all the different entities.
The incident occurred back in April 2014. It isn’t pretty when the story starts with the FBI contacting them to alert them that they had traced an APT group from China, known as APT18, to their network and data. It isn’t clear what happened, but according to the resolution the hackers were in the network and even exfiltrating data until August 2014. “The hackers used compromised administrative credentials to remotely access CHSPSC’s information system through its virtual private network.” The attackers were able to exfiltrate PHI for 6,121,158 individuals.
APT18’s intrusion affected 237 covered entities. That is a lot of entities. Something similar can happen to other MSPs, so take note here, folks.
OCR’s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.
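One form the missing “information system activity review” could take, as an added Python example written for these notes (it is not code from the podcast, OCR, or CHSPSC): it reads constructed VPN session records and flags administrative accounts connecting from outside their approved source networks, plus sessions with unusually large outbound volume, which is the pattern of compromised admin credentials used over the VPN described above. The account names, networks, and thresholds are assumptions.

```python
"""Minimal information-system activity review over VPN session records.
Added illustration, not from the podcast or from OCR. All records,
accounts, networks and limits below are constructed for the example."""
import ipaddress
from datetime import datetime

# Constructed baseline: admin accounts and the source networks each one
# is expected to use (a real program would derive these from past records).
ADMIN_ACCOUNTS = {"svc_backup_admin", "jdoe_admin"}
APPROVED_SOURCES = {
    "jdoe_admin": [ipaddress.ip_network("198.51.100.0/24")],
    "svc_backup_admin": [ipaddress.ip_network("192.0.2.0/24")],
}
OUTBOUND_BYTES_LIMIT = 500 * 1024 * 1024  # 500 MiB per session (assumed)

# Constructed gateway records: timestamp, account, source IP, bytes out.
SAMPLE_RECORDS = """\
2014-04-03T09:14:09Z jdoe_admin 198.51.100.17 12582912
2014-04-03T23:41:52Z jdoe_admin 203.0.113.45 734003200
2014-04-04T01:05:30Z svc_backup_admin 192.0.2.9 41943040
2014-04-04T02:17:11Z nurse_kb 198.51.100.88 2097152
"""

def parse_record(line):
    """Split one whitespace-separated record into typed fields."""
    ts, account, src, bytes_out = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "account": account, "src": ipaddress.ip_address(src),
            "bytes_out": int(bytes_out)}

def review(records_text):
    """Return (account, timestamp, finding) tuples a reviewer should look at."""
    findings = []
    for line in records_text.splitlines():
        rec = parse_record(line)
        acct, src, when = rec["account"], rec["src"], rec["ts"].isoformat()
        # Admin logins from a network the account never uses are the
        # first sign of a credential being used by someone else.
        if acct in ADMIN_ACCOUNTS and not any(
                src in net for net in APPROVED_SOURCES.get(acct, [])):
            findings.append((acct, when,
                             f"admin VPN login from unapproved source {src}"))
        # Large outbound volume in one session is worth a look regardless
        # of who the account belongs to.
        if rec["bytes_out"] > OUTBOUND_BYTES_LIMIT:
            findings.append((acct, when,
                             f"outbound volume {rec['bytes_out']} bytes exceeds limit"))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_RECORDS):
        print(*finding, sep=" | ")
```

Run as written, it reports two findings for the second constructed record and nothing for the other three.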
“The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said OCR Director Roger Severino.
Another 2-year CAP is included here: https://www.hhs.gov/sites/default/files/chspsc-ra-cap.pdf But this one has something unique. It begins with something different than just an SRA like we expect to see in these cases.
Corrective Action Obligations
CHSPSC agrees to the following:
1. Within sixty (60) days of the Effective Date, CHSPSC shall develop, and the CR shall submit to HHS, a written description of CHSPSC’s plan to monitor internally its compliance with this CAP (“Internal Monitoring Plan”). CHSPSC shall forward the proposed Internal Monitoring Plan to HHS for HHS’s review and approval. HHS will inform CHSPSC in writing, through the CR, as to whether HHS approves or disapproves of the proposed Internal Monitoring Plan.
It is interesting to see this first. It reminds me of the way we have our systems set up to start with the definition of the program and how it will be managed before you start implementing bigger things. It includes the standard approval loop by OCR, plus a point that even if they need to update the plan for some reason, they need approval from OCR to do so.
Next they have the SRA requirement. This is one of those with the new specific details about what must be included in the SRA data collection:
that incorporates all electronic equipment, data systems, programs and applications owned, controlled or managed by CHSPSC that contain, store, transmit or receive ePHI. For purposes of clarity, the Risk Analysis will exclude all electronic equipment, data systems, programs and applications that contain, store, transmit or receive ePHI solely at CHS Affiliates, but will include any interfaces, applications, and protocols from the CHS Affiliates to CHSPSC through which ePHI is transmitted from the CHS Affiliates to CHSPSC. As part of this process, CHSPSC shall develop a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI that are owned and managed by CHSPSC, including data centers, shared service centers, and the Corporate offices, which will then be incorporated in its Risk Analysis.
Resolution with a payer [39:56]
This case involves Premera Blue Cross, the largest health plan in the Pacific Northwest in Washington and Alaska, related to a breach affecting over 10.4 million people that happened back in 2014/2015.
Hackers used a phishing email to install malware that gave them access to Premera’s systems in May 2014 and the infiltration went undetected for nearly nine months until January 2015. This is another example of an advanced persistent threat or APT.
OCR’s investigation found systemic noncompliance with the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.
“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will. This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months,” said Roger Severino, OCR Director.
The 2-year CAP in the agreement isn’t surprising after the systemic noncompliance statement. It covers Risk Analysis, Risk Management, Policies and Procedures, Training, etc.
We will hear more about this one. In fact, Anthem just settled what may be its last lawsuit dealing
Another access to records case [47:21]
The latest one is another case: OCR Settles Eighth Investigation in HIPAA Right of Access Initiative.
On April 25, 2018, OCR received a complaint from a mother alleging that beginning in January 2018, she made multiple requests to SJHMC for a copy of her son’s medical records, as his personal representative. SJHMC provided some of the requested records, but despite the mother’s follow up requests in March, April, and May 2018, SJHMC did not provide all of the requested records. OCR initiated an investigation and determined that SJHMC’s actions were a potential violation of the HIPAA right of access standard. As a result of OCR’s investigation, SJHMC sent all of the requested medical records to the mother on December 19, 2019, more than 22 months after her initial request.
“It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously. OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients,” said Roger Severino, OCR Director.
The CAP in this one, though, says they must address not only right of access updates but all of HIPAA in their policies and procedures.
SJHMC shall develop, maintain and revise, as necessary, its written access policies and procedures to comply with the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”). SJHMC’s policies and procedures shall address, but not be limited to, the Covered Conduct specified in paragraph I.2. of the Agreement.
They are fed up with this issue. Now is the time to get your right of access policies and procedures in order. Audit the process and make sure you are in line with the rules.
Another week down for Cybersecurity Awareness month. Even more news out of OCR, too!
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™