Key Takeaways from the New and Improved HIPAA Breach Reporting Tool

Several issues were raised in the past about the Office for Civil Rights’ (OCR) website commonly referred to as the “Wall of Shame.” In response, OCR announced the updated version of their rebranded HIPAA Breach Reporting Tool (HBRT).

The old Wall of Shame and the new HIPAA Breach Reporting Tool both publish the information OCR receives on reported breaches affecting 500+ individuals. However, the Wall of Shame carried an undeserved negative connotation, since organizations were listed publicly and indefinitely on the website.

HIPAA Breach Reporting Tool

OCR noted in their announcement, “The HBRT provides transparency to the public and organizations covered by HIPAA and helps highlight the importance of safeguards to protect the privacy and security of sensitive health care information.”

Information posted on the site includes:

  1. Name of the reporting entity
  2. Number of individuals affected by the data breach
  3. Type of data breach (e.g. hacking/IT incident, unauthorized access, etc.)
  4. Location of the breached information (e.g. laptop, paper records, etc.)

Features of the updated HBRT include:

  • Enhanced functionality that highlights breaches currently under investigation and reported within the last 24 months
  • New breach archive that includes information about how breaches were resolved
  • Improved navigation to additional breach information
  • Tips for consumers

OCR plans to continue expanding and improving the website’s features and functionality based on industry feedback.

Healthcare Breach Trends

The HIPAA Breach Reporting Tool recently recorded a new milestone: OCR has now logged more than 2,000 reported breaches affecting 500+ individuals since the HBRT’s inception in September 2009.

There has also been a recent shift in the types of breaches reported. We are seeing a departure from the issue of lost or stolen unencrypted devices containing protected health information. According to the HBRT, the last 24 months have seen a rapid increase in hacking/IT incidents.

The big takeaway: Phishing is a tried and true way to gain access to healthcare facilities.

OCR Calls for More Phishing Awareness

To address phishing, OCR placed emphasis on the importance of phishing awareness in its latest cybersecurity newsletter update.

The OCR newsletter article points to a KPMG study that documents an increase in HIPAA violations and cybersecurity attacks impacting PHI over the past two years. The call to action is training the workforce to detect and properly respond to cyber-attacks and phishing scams.

OCR states, “Training on data security for workforce members is not only essential for protecting an organization against cyber-attacks, it is also required by the HIPAA Security Rule.”

There are several key factors healthcare organizations should consider regarding their approach to data security training:

Frequency of training and updates:

    • How often to train workforce members on security issues
    • How often to send security updates to their workforce members

Relevant and emerging threats:

    • Communicate new and emerging cybersecurity threats to workforce members, such as new social engineering tricks and malware or ransomware variants

Training format:

    • What type of training to provide to workforce members on security issues (e.g. computer-based, classroom, monthly newsletters, posters, email alerts, etc.)

Training Documentation:

    • How to document training to workforce members, including dates and types of training, training materials, and evidence of participation

Data Security Training Courses

Your organization likely has access to our collection of data security training courses as part of your cyber insurance policy.

The data security training courses provide organizations with training materials for the workforce in several key areas: Introduction to data breaches, Data security basics, Social engineering & Phishing, Safeguarding information, and HIPAA Privacy & Security Rules.

One important aspect of the training courses is their documentation features. The learning management system in place allows your organization to pull training reports once workforce members have completed the assigned training courses.

OCR notes the importance of documentation in the newsletter, “Any investigator or auditor will ask for documentation, as required by the HIPAA Rules, to ensure compliance with the requirements of the Rules.”

To learn more about how you can leverage the data security training courses in your organization, reach out to our team at cyberteam@eplaceinc.com.

HHS Releases Training Module for HIPAA’s Right of Access

The Department of Health and Human Services (HHS) recently addressed the concerns of many healthcare providers regarding patient access to health information. Their newly released training module and report, Improving the Health Records Request Process for Patients, provide clarity and guidance around the issue.

Under HIPAA, patients have the right to access their health records. However, healthcare providers are often hesitant to comply due to concerns of insecure communication and the potential for a data breach.

Patient Challenges

HHS is attempting to solve several key issues for patients trying to access their health records. Common problems noted include:

  • Slow responses from healthcare providers
  • Inconsistent information from administrative staff about obtaining records
  • Inaccessibility of complete or accurate requested records

Taking Action

According to the HHS report, healthcare providers have the opportunity to improve their process for record requests and thus reduce the burden on themselves and patients.

Creating a streamlined, transparent, and electronic records request process may include:

  • Allowing patients to easily request and receive their records from their patient portal
  • Setting up an electronic records request system outside of the patient portal
  • Creating a user-friendly, plain language online request process
  • Using e-verification to quickly confirm the record requestor’s identity
  • Including a status bar or progress tracker so consumers can see where they are in the request process – for example, indicate when the request is received, when their records are being retrieved, and when they’re ready for delivery
  • Making sure consumers know that they can request their records in different formats (e.g. PDF or CD) and with different delivery options (e.g. email or delivery to a third party)
  • Encouraging use of patient portals by promoting features like online appointment scheduling, secure messaging and prescription refills

Happy Data Privacy Day!

Respecting privacy, safeguarding data, and enabling trust is the theme for Data Privacy Day, an international effort held annually on January 28 to create awareness about the importance of privacy and protecting personal information.

To mark Data Privacy Day, ePlace highlights five steps that can dramatically reduce your cyber risks:

1. Conduct a Risk Assessment. Identifying and classifying your data is the first step in protecting your “crown jewels.” A risk assessment will help to identify potential data security threats and vulnerabilities that need to be mitigated.

2. Implement a Continuous Employee Training Program. Employee negligence and human error are the number one cause of data breaches. Educate employees regarding policies, procedures, and best practices regarding the appropriate use of networks, systems, and applications, as well as lessons learned from security incidents.

3. Prepare for Data Security Incidents. In the event of a security incident, preparation is the key to a successful response. Invest the time and resources to build a strong team, prepare your plan, and continuously test and improve the plan so resources are used wisely when the inevitable happens.

4. Review and Update Data Security Policies. Creating appropriate corporate policies, along with employee training and diligent enforcement, can mitigate the risk of cyber incidents. Policies should be tailored for your privacy and data security risks and aligned with your incident response plan. Review and update policies regularly (at least annually) and after every data security incident.

5. Strengthen Contracts With Vendors. Vendors cause or contribute to a significant number of data breaches. Invest the time to carefully draft and review service and vendor agreements to ensure they effectively address data security and incident response considerations.

ePlace provides resources and professional support in each of these areas as well as a wide range of privacy and data security issues (i.e. technical questions about your security architecture, information about social engineering attacks). You can reach our privacy and data security professionals at 800-387-4468.

HIPAA Settlement: Phishing Email Causes Breach

In what is the sixth HIPAA resolution agreement of 2015, the University of Washington Medicine (UWM) has settled allegations with the Office for Civil Rights (OCR) for failing to implement policies and procedures to prevent, detect, contain, and correct security violations.

The OCR started investigating after receiving notice of a breach affecting about 90,000 individuals. The investigation revealed that protected health information was inappropriately accessed after an employee downloaded an email attachment that contained malware.

The malware subsequently compromised the organization’s IT system and two groups of patient data. For 76,000 patients, information exposed included names, medical record numbers, and dates of service. For the other 15,000 patients, names, medical records numbers, contact information, dates of birth, Social Security numbers, and Medicare numbers were compromised.

The OCR found that UWM didn’t ensure that its affiliated entities were properly conducting risk assessments and responding to potential risks and vulnerabilities in their environments.

The settlement includes a $750,000 penalty, a corrective action plan, and annual reports on HIPAA compliance. The corrective action plan again brings up the importance of conducting a robust risk analysis.

OCR Director Jocelyn Samuels said, “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address risks and vulnerabilities to patient data.”

Key Takeaways

The first area of significance from this settlement is that, once again, a data breach stems from a classic phishing attack. Social engineering is still one of the top threats to the privacy and security of sensitive information. Social engineering awareness and training is essential in preventing malware infections from phishing emails.

Another note for healthcare organizations: OCR expects subsidiaries and affiliates to be held accountable for complying with the HIPAA Security Rule and to ensure security safeguards are in place to protect ePHI.

To learn more about employee data security training available to you through ePlace Solutions, please feel free to reach out to our team at (559)577-1248 or droberts@eplaceinc.com.

SEC Cybersecurity Examinations: What You Need To Know

The Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) released a Risk Alert to announce the second round of cybersecurity examinations as a part of its 2015 Examination Priorities.

These examinations follow up a previous round in which 100 broker-dealers and investment advisers were interviewed and documents reviewed. Observations from those examinations were published in February 2015. This subsequent round of examinations will focus more on testing broker-dealers’ and investment advisers’ implementation of firm procedures and controls.

While the examiners might include additional areas of risk, the upcoming round of OCIE examinations will focus on and review the following areas:

Governance and Risk Assessment

  • Whether firms are evaluating cybersecurity risks
  • Whether firms’ controls and risk assessment processes are tailored to their business
  • The level of communication and involvement of senior management / board of directors

Access Rights and Controls

  • How firms control access to systems and data using credentials, authentication, and authorization

Data Loss Prevention

  • How firms monitor the content transferred outside the firm through email or uploads
  • How firms monitor for potentially unauthorized data transfers
  • How firms verify the authenticity of a customer request to transfer funds

Vendor Management

  • Vendor management controls and practices with due diligence, oversight of vendors, and contract terms
  • How vendor relationships are viewed as a part of the risk assessment process
  • How firms determine the appropriate level of due diligence to conduct on a vendor

Training

  • How training is tailored to specific job functions
  • How training is designed to promote responsible employee and vendor behavior
  • How procedures for responding to cyber incidents are integrated into personnel and vendor training

Incident Response

  • Whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible incidents

Secrets Behind the Anthem and White House Attacks

The Anthem and White House attacks that took place in the latter half of 2014 saw the personal information of 79 million individuals compromised and President Obama’s email correspondence accessed without authorization. While many would assume these attacks were launched using complex attack methods, the reality is just the opposite.

The attackers took advantage of simple, off-the-shelf malware commercially available from cybercrime black markets. Both attacks relied on phishing emails designed to trick the user into installing the malware.

In the Anthem attack, the malware was hiding behind a fake Citrix installer that played video of the Citrix installation while it was really compromising the PC in the background. In the White House breach, the malware launched when users clicked on a video showing chimpanzees dancing.

Key Takeaways:

Attackers continue to use techniques that work – specifically the tried and true phishing attacks. Even high-profile, sophisticated organizations are susceptible to these common attack types. A key defense often overlooked is employee education and training.

ePlace Solutions is hosting a webinar on defense against social engineering, free of charge, September 30th at 10:30 AM PT / 1:30 PM ET. Click here to register, and share with others in your organization!

Even Encrypted Emails Can Fail…

Beacon Health System, located in South Bend, Indiana, has started notifying 220,000 patients of a breach of their protected health information (PHI). The compromise was the result of phishing attacks on the company’s employees dating back to November 2013, which gave hackers access to email accounts containing patient data.

The majority of the accessible data includes patient name, doctor name, and internal patient ID number. Other sensitive data that was accessible includes Social Security number, date of birth, driver’s license number, diagnosis, and treatment.

Beacon Health’s forensic team discovered the unauthorized access to employee email accounts on March 26, 2015. On May 1, 2015 the team determined the accounts contained PHI and reported the incident to the U.S. Department of Health and Human Services, the FBI, and various state regulators. The last unauthorized access was on January 26, 2015. Individuals who became patients after that date were not affected by the breach.

Healthcare Targeted

Healthcare providers are increasingly becoming major targets for attackers. Their digital environments are complex and contain more vulnerabilities for attackers to exploit. But attackers are still relying on the tried and true practice of phishing.

Attackers continue to use fake emails to trick recipients into clicking links to fake websites that collect their account credentials or opening attachments that infect their computer with a virus to steal the credentials.

This incident is another reminder in a string of healthcare breaches this year that healthcare organizations need to increase training about phishing threats and enforce strict email policies. Other considerations should include using multi-factor authentication, encrypted email, and avoiding PHI in email messages.

Safeguarding PHI

Healthcare organizations have increasingly jumped on the encryption bandwagon to secure email communications. While this is an important technical safeguard, it doesn’t guarantee security. In cases such as the Beacon Health incident, when employees release their account credentials, the safety of encryption is gone. Attackers can access the unencrypted messages within the account.

Another safeguard gaining traction is multi-factor authentication. This requires users to provide not only a username and password combination to log in, but also a one-time code that is sent to the individual. This adds another layer an attacker must get through to compromise an account.
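To make the one-time-code factor described above concrete, here is an added example (not code from the original post or from ePlace) of the server side of such a check in Python. It assumes a six-digit code, a five-minute lifetime and a five-guess limit; the delivery channel (text message, authenticator app or e-mail) is outside its scope. The points it illustrates are the ones that decide whether the second factor actually helps once a password has been phished: the code is accepted exactly once, it expires, a small number of wrong guesses voids it, and the server never stores the code itself.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a code is good for five minutes
MAX_ATTEMPTS = 5         # assumption: five wrong guesses void the challenge


class OneTimeCodeService:
    """Server side of a one-time-code second factor (illustrative, not a library API).

    The code is delivered to the user out of band; this class only issues it and
    checks what comes back."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # Codes are stored as an HMAC under a server secret, not in the clear, so a
        # copy of the pending table alone is not enough to pass the check.
        self._key = secrets.token_bytes(32)
        self._pending = {}   # username -> {"tag", "issued_at", "attempts"}

    def _tag(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, username):
        """Create a fresh six-digit code for the user, replacing any outstanding one."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = {
            "tag": self._tag(code),
            "issued_at": self._clock(),
            "attempts": 0,
        }
        return code

    def verify(self, username, submitted):
        """Return True exactly once for the right code within its lifetime."""
        entry = self._pending.get(username)
        if entry is None:
            return False                      # nothing outstanding, or already used
        if self._clock() - entry["issued_at"] > CODE_TTL_SECONDS:
            del self._pending[username]       # expired: the user must request a new code
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[username]       # too many guesses for a six-digit space
            return False
        if hmac.compare_digest(entry["tag"], self._tag(submitted)):
            del self._pending[username]       # single use: a captured code cannot be replayed
            return True
        return False


def demo():
    """Walk through wrong guess, correct code, replay and expiry; returns the verdicts."""
    now = [1_000.0]                           # controllable clock for the walkthrough
    svc = OneTimeCodeService(clock=lambda: now[0])
    code = svc.issue("alice")
    wrong = "000000" if code != "000000" else "000001"
    first = svc.verify("alice", wrong)        # False: wrong code
    second = svc.verify("alice", code)        # True: correct code, within lifetime
    replay = svc.verify("alice", code)        # False: already consumed
    code = svc.issue("alice")
    now[0] += CODE_TTL_SECONDS + 1
    stale = svc.verify("alice", code)         # False: expired
    return first, second, replay, stale


if __name__ == "__main__":
    print(demo())
```

The attempt limit matters more than it looks: a six-digit code has only a million values, so without it an attacker who already holds the password could simply keep guessing until the code expires.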

But in the end, the best practice would be refraining from sending PHI in email communications altogether. This ensures that even if an attacker is able to bypass the safeguards in place they wouldn’t compromise critical data assets.
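The recommendation above (keep PHI out of email) and the OCIE's "Data Loss Prevention" focus earlier on this page (monitoring content that leaves the firm by email) are the same control seen from two sides. Here is an added example, not code from the original post or from any product ePlace describes, of a minimal outbound-mail check in Python. It assumes a placeholder internal domain, a made-up medical record number format, and that a Social Security number or MRN is enough to block a message while a date of birth or diagnosis keyword only warns; all sample messages are constructed. It also masks what it reports, so the DLP alert log does not itself become a store of PHI.

```python
import re
from dataclasses import dataclass

# Constructed placeholder for the organisation's own mail domain (an assumption).
INTERNAL_DOMAIN = "example-health.invalid"

# Patterns for identifiers the breaches above exposed. The MRN format is an assumption.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s-]*\d{6,8}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
    "diagnosis": re.compile(r"\b(?:diagnosis|diagnosed with)\b", re.IGNORECASE),
}
# One of these is enough to stop the message; the other kinds only raise a warning.
HARD_STOP = {"ssn", "mrn"}


@dataclass
class Finding:
    kind: str
    excerpt: str   # masked, so the alert itself does not leak PHI into the DLP log


def mask(kind, matched):
    """Keep just enough of a match to triage the alert without reproducing the PHI."""
    digits = re.sub(r"\D", "", matched)
    if kind == "ssn":
        return "***-**-" + digits[-4:]
    if kind == "mrn":
        return "MRN ****" + digits[-4:]
    return "<" + kind + ">"


def is_external(address):
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def scan_text(text):
    return [Finding(kind, mask(kind, m.group(0)))
            for kind, pattern in PATTERNS.items()
            for m in pattern.finditer(text)]


def evaluate_message(recipients, subject, body):
    """Return (verdict, findings) where verdict is 'allow', 'warn' or 'block'.

    Only mail with at least one recipient outside the organisation is inspected,
    matching the 'content transferred outside the firm' scope."""
    if not any(is_external(r) for r in recipients):
        return "allow", []
    findings = scan_text(subject + "\n" + body)
    if any(f.kind in HARD_STOP for f in findings):
        return "block", findings
    if findings:
        return "warn", findings
    return "allow", findings


# Constructed sample messages for a local run; every address and identifier is made up.
SAMPLES = {
    "internal_handoff": (["nurse@example-health.invalid"], "Chart note",
                         "Patient SSN 123-45-6789, MRN 00481234, DOB: 04/12/1961"),
    "external_with_ssn": (["billing@vendor-example.invalid"], "Claim follow-up",
                          "Please process the claim for SSN 123-45-6789."),
    "external_dob_only": (["jane.doe@mail-example.invalid"], "Appointment",
                          "Confirming your visit. DOB: 04/12/1961 on file."),
    "external_clean": (["jane.doe@mail-example.invalid"], "Appointment",
                       "Your visit is confirmed. Call 555-010-0199 with questions."),
}


def run_samples():
    """Verdict per sample message, keyed by sample name."""
    return {name: evaluate_message(*msg)[0] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} {verdict}")
```

The phone number in the clean sample is there deliberately: a naive "three digits, dash, more digits" pattern would flag it, whereas the 3-2-4 grouping plus the area/group/serial exclusions keeps the false-positive rate low enough that staff will not learn to ignore the warnings.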

HIPAA Settlement for Improper Disposal of Medical Records

Cornell Prescription Pharmacy, a single-location pharmacy that provides in-store and prescription services, agreed to a settlement with the Office for Civil Rights for potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The settlement provides that Cornell pay $125,000 and adopt a corrective plan to fix the holes in its HIPAA compliance program.

The incident in question involved the disposal of documents containing protected health information of 1,610 patients in an unlocked, open container on the organization’s premises. The documents were not properly destroyed or shredded, and an investigation revealed that Cornell failed to implement any HIPAA required policies and procedures. Cornell also failed to provide required training on such policies and procedures to its workforce.

The corrective action plan requires Cornell to implement a set of policies and procedures in compliance with the HIPAA Privacy Rule, and to provide the required staff training on those policies and procedures.

Additional Resources:

  • Link to the Resolution Agreement
  • Link to FAQs from the OCR related to disposal of PHI under HIPAA

FFIEC Focuses on Cybersecurity – Overview

The Federal Financial Institutions Examination Council (FFIEC) provided an overview of its cybersecurity priorities for the remainder of 2015. The priorities include work in the following areas:

  • Cybersecurity Self-Assessment tool – The FFIEC plans to issue a self-assessment tool this year to assist institutions in evaluating their inherent cybersecurity risk and their risk management capabilities.
  • Incident Analysis – FFIEC members will enhance their processes for gathering, analyzing, and sharing information with each other during cyber incidents.
  • Crisis Management – The FFIEC will align, update, and test emergency protocols to respond to system-wide cyber incidents in coordination with public-private partnerships.
  • Training – The FFIEC will develop training programs for the staff of its members on evolving cyber threats and vulnerabilities.
  • Policy Development – The FFIEC will update and supplement its Information Technology Examination Handbook to reflect rapidly evolving cyber threats and vulnerabilities with a focus on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and incident management and resilience.
  • Technology Service Provider Strategy – The FFIEC’s members will expand their focus on technology service providers’ ability to respond to growing cyber threats and vulnerabilities.
  • Collaboration with Law Enforcement and Intelligence Agencies – The FFIEC will build upon existing relationships with law enforcement and intelligence agencies to share information on the growing cybersecurity threats and response techniques.

The FFIEC has also published several resources to help financial institutions improve their cybersecurity, including additional information regarding the cybersecurity assessment conducted in 2014.

Security Awareness Guidance from PCI Security Standards Council

The PCI Security Standards Council announced a new guidance document, Best Practices for Implementing a Security Awareness Program. The Guidance provides recommendations for educating staff on protecting sensitive payment information. Training content topic recommendations for specific roles include: all personnel, management, cashier/accounting staff, procurement team, and IT administrators and developers.

The guidance includes two appendices: a sample mapping of PCI DSS requirements to different roles, materials, and metrics, for documenting how PCI DSS requirements can be incorporated into an organization’s training program framework, and a sample checklist for recording how a security awareness program is being managed.