Tag Archives: health information

OCR Releases Improved HIPAA Security Risk Assessment Tool

Under the HIPAA Security Rule, a covered entity or business associate must perform risk assessments to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. Failing to conduct risk assessments is a common basis for significant fines.

Risk assessments, however, can be a taunting task, particularly for smaller organizations with limited resources. In an effort to help organizations perform risk assessments and comply with the HIPAA Security Rule, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool.

The SRA Tool is designed for small to medium sized health care practices (up to 10 health care providers) and business associates to help them identify ePHI risks and vulnerabilities. Continue reading OCR Releases Improved HIPAA Security Risk Assessment Tool

Threat Alert: FTP Servers Targeted for Health Information

The FBI released a threat alert highlighting cyber criminals who are targeting File Transfer Protocol (FTP) servers operating in “anonymous” mode. The purpose of the attacks is to access protected health information and personally identifiable information to blackmail or extort medical and dental facilities.

Threat Details

According to researchers at the University of Michigan – FTP: The Forgotten Cloud – over 1 million FTP servers were configured to allow anonymous access. FTP is a protocol widely used to transfer data between network hosts.

Anonymous FTP servers allow a user to authenticate using a common username – i.e. “anonymous” or “ftp” – without a password, or by using a generic password or email address. Cyber criminals are searching for FTP servers in anonymous mode that contain sensitive health and personal information. The idea is to leverage the information against business owners through blackmail or extortion.

FTP servers in anonymous mode can also be used to allow “write” access to store malicious tools or launch targeted cyber attacks.


The FBI encourages medical and dental healthcare entities to consult with their IT personnel. Request that they check networks for FTP servers running in anonymous mode.

If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive health and personal information is not stored on the server.

For further advice or recommendations, reach out to our team of V-CISOs at cyberteam@eplaceinc.com.

HIPAA Guidance: Are You Giving Patients Access to Their Information?

The Office for Civil Rights (OCR) released a guidance that clarifies the provision under the HIPAA Privacy Rule giving individuals a right to access their protected health information. OCR has found that individuals often face resistance when trying to access their health information from healthcare entities under HIPAA.

Under the HIPAA Privacy Rule, individuals have the right to access medical and health information from covered entities and business associates. The information covered includes, but isn’t limited to, medical records, billing and payment records, insurance information, clinical laboratory test reports, and x-rays.

There are a couple of exceptions that aren’t subject to individual access under the HIPAA Privacy Rule:

  • Psychotherapy notes are not required to be released when maintained separately from the medical records.
  • Information collected in preparation for a legal proceeding are not required to be released.

The healthcare entity is required to respond to the individual’s request no later than 30 calendar days after receiving the request. A fee may also be applied to the individual for a copy of their records.