[ Tuesday, May 24, 2016 ]


Symantec's Tactical Cyber Security Checklist: this is good advice and easy to do.

Jeff [11:05 AM]


Good News for Data Breach Defendants: a Pennsylvania appeals court has upheld a trial court's determination that the class action route is inappropriate for litigation regarding data breaches.  The claims are too individual, particularly where damages are so uncertain and hard to define.  

Jeff [9:56 AM]

[ Monday, May 23, 2016 ]


Often mentioned possibility comes to fruition: Kansas Heart Hospital got hit by a ransomware attack last week and paid the ransom to get their data back.  The hackers returned for a second bite, but this time the hospital is not paying.  Presumably "baby got backups."

Actually, this is not a re-encryption, but rather a refusal to give up the full decryption in response to the payment of the ransom.

I've heard of this as a possibility, but this is the first time I've heard of a healthcare provider getting hit with a second ransom demand.  In every other incident I'm aware of, the hackers did provide the encryption key.  Of course, in some instances, not all of the data is recoverable; the process of encryption might overflow usable memory, so that the decrypted data is corrupted or incomplete, so even if the hackers give the correct key (or all the correct keys), it's possible some data would be lost. In this case, it sounds like the hackers intended to go for a second bite.

This is the example, though, that should make you think long and hard about paying the ransom, even if it's relatively small.

Jeff [1:27 PM]

[ Wednesday, April 27, 2016 ]


FAQ: WTF? Sorry, @HHSOCR, this FAQ is a thousand times wrong.  NOTHING in HIPAA prevents a covered entity from allowing a media company to access PHI, as long as the use or disclosure in connection with that access is permitted by HIPAA.  And nothing at all prohibits a covered entity (or a media company working on its behalf) from disclosing truly de-identified PHI (which, by definition, IS NOT PHI!!).

You can argue about whether it's truly de-identified; that's a fair argument.  But there is no such blanket prohibition in HIPAA to support the statements in the FAQ.

Of course, you could draft a regulation to do just that.  But that requires actually following the law and the Administrative Procedures Act, publishing a proposed regulation, soliciting, receiving, and considering public comment, and publishing a final regulation.  Sure, it's more work than firing off an FAQ.  But it's the law.  It's the way law is made.

Executive fiat is anathema to the American concept of government.  Stop it.

Jeff [3:15 PM]


NY Med Fine: Earlier this month I noted that a NY court had thrown out half of a lawsuit brought by Mark Chanko's family against ABC, NY Presbyterian Hospital and some ER physicians over the reality TV show NY Med.  The show filmed Mr. Chanko when he was brought to the NY Pres ER after being hit by a garbage truck while crossing the street.  Mr. Chanko died from the injuries he received, and much of his patient encounter was filmed and broadcast as part of the series, including a through-a-closed-door shot of the doctors notifying Mr. Chanko's family of his death.

It wasn't until months later when Mr. Chanko's widow was watching TV that she actually saw the episode and was able to recognize that the dying man was her husband.  Obviously, she was traumatized, and eventually sued the hospital, the doctors, and ABC.  In early April, a NY court ruled that the case against ABC should be thrown out: they are not a covered entity under HIPAA.  However, the case was allowed to proceed against the hospital and the physicians.

OCR has now fined NY Presbyterian $2.2 million for violating HIPAA in allowing ABC to film the show without obtaining patient consent from all patients who are involved.  There are at least three telling components of the OCR press release that seem to have had an impact on the fine, particularly the size of it: first, OCR makes a big deal over the fact that the hospital did not get authorization.  Clearly, getting authorization is a good idea, but it's not technically necessary if other steps are taken (such as de-identification).  Secondly, the hospital gave "unfettered access" to the TV crew.  While de-identification might prevent the ultimate disclosure (broadcasting the TV show) from being a HIPAA breach, there's still the issue of whether the TV crew's extensive access violated the "minimum necessary" rule.  Whatever the adjective applies to, "unfettered" is probably beyond the minimum necessary.  Finally, there is the unavoidable bad fact, referenced in OCR's report, that some medical professionals urged the film crew to stop filming, but they didn't.  While that's no proof of a HIPAA violation, it is an awful optic (in addition to being terrible bad taste and decisionmaking).

I have had the opportunity to work with several hospitals that had reality television shows produced through their facilities or otherwise were involved in recording patient care, and in those cases we always got authorization from patients prior to filming (or certainly prior to using the video, if the person in the video wasn't the originally intended subject of the film), but that might've been after the NY Med production occurred.

The hospital and the producers pixelated Mr. Chanko's face, and presumably none of the other 17 specific identifiers (such as name, social security number, address, etc. that must be removed for data to be considered "de-identified," and thus no longer PHI, under HIPAA) were present on the video.  Well, except perhaps for the final one: "any other unique identifying number, characteristic or code."  Even if they met the 18 identifier test, there's still another catch-all for de-identification: "The covered entity [must] not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information." OCR doesn't mention it, but I'm assuming NY Pres claimed de-identification but OCR disagreed.

In my opinion, assuming the pixelation was good, I think OCR is wrong in considering this to be a HIPAA breach, because there's no PHI involved.  Clearly 17 of the 18 datapoints needed for de-identification were removed, and there was no identifying number or code in the video, so that leaves the possibility that some identifying characteristic was left behind.  I think that saying the rest of the video contained other "characteristics" is such a stretch that it invalidates any de-identification under the 18-item safe harbor.  The other catch-all requires the covered entity to have ACTUAL knowledge that there's identifying information left behind.  I'm fairly confident that if NY Presbyterian ACTUALLY KNEW that Mr. Chanko could be identified by the video, they would not have let it go, and OCR's press release does not indicate any finding of actual knowledge of identifiability.

I do think that, if the TV crews really had unfettered access, the minimum necessary rule might've been violated.  But I don't see a $2.2 million fine for that.

And I just can't argue with the fact that a medical professional told the crew to stop filming and they didn't.  For that (and for the lack of forethought that let them do this project without actual affirmative patient consent and authorization), NY Pres probably deserves a black eye.  I'm not sure they deserve a $2,200,000 fine.

Jeff [12:27 PM]

[ Friday, April 22, 2016 ]


WOW!  Lots (and I mean lots, or I'm just lucky) of physicians, dentists, hospitals, vendors, and others seem to be getting notices from OCR today indicating that they are on the audit list for the Phase II audits.  Is today "match day" or is this just a huge coincidence?

Jeff [6:01 PM]

[ Thursday, April 21, 2016 ]


Raleigh Orthopaedic Update: @PogoWasRight was on the case back in 2013 when it originally happened.  Sure enough, the BA was crooked and instead of converting the films to digital, dissolved the films for their silver content.  Don't know if there was any improper disclosure, though -- if the vendor simply melted the films down, there would be no further disclosure.  Still a stinging result for the practice -- they were victimized by a scam artist and lost all their x-rays, and then had a big HIPAA fine on top of it all.  It's not clear to me that having a BAA would've prevented the incident at all.

Raleigh Orthopaedic: Anyone know any more about this than what OCR is saying?  Their press release only says that they failed to have a BAA in place.  It does not say that the business associate stole the data, improperly disclosed it, or anything.  No indication of any harm at all, just failure to sign the BAA?  Seems extreme to fine someone $750,000 for that. . . .

Jeff [1:55 PM]


Ransomware: Are hospitals upping their defenses?  I hope so.

Jeff [10:09 AM]

[ Wednesday, April 20, 2016 ]


According to Report on Patient Privacy, 64% of healthcare companies have cyberinsurance.  But most breaches cost less than the deductible.  Well, that's what insurance is for, folks: not the daily costs, but the big one.  

Jeff [8:24 AM]


Raleigh Orthopaedic Clinic: Lack of a BAA results in a $750,000 fine.

Hat tip: the inestimable Dissent Doe (@PogoWasRight)

Jeff [8:10 AM]

[ Tuesday, April 19, 2016 ]


US-CERT Ransomware Alert:  The United States Computer Emergency Readiness Team at the US Department of Homeland Security has issued an Alert about ransomware.  Best takeaways seem to be things I've been saying all along: backups (good, fresh, tested, and remote); patching; virus protection; access restriction; phishing protection (training to not click on links).  One thing I've been preaching that they don't touch: restricting internet-facing computers and reducing open ports.

I'll admit to two additional tips I haven't been harping on that are very worthwhile.  The first is application whitelisting.  This is a control under which only approved applications may run on the network or on connected servers and computers.  This can prevent a lot of potential problems, not just ransomware.  When a bad program infects your system and tries to start encrypting files, the program won't be on the whitelist, so the operating system won't let it run.  Of course, we can anticipate that hackers will adapt their encryption programs to run within commonly whitelisted programs, or write them to mirror such programs so they can appear to be whitelisted, but it will certainly prevent some, and is a good response in the here and now.
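
How much a whitelist actually stops depends on what the rule keys on.  Here is an added illustration (example code written for this post, not anything from the US-CERT alert or from any whitelisting product) that compares three rule types against the "mirror a whitelisted program" trick: allowing by file name, allowing by install directory, and allowing by the file's SHA-256 hash.  The binaries, names and folder layout are constructed in a temporary directory for the demonstration.

```python
"""Application allowlisting, three ways: by file name, by install path, by file hash.

Added example written for this post; not code from the original page or from
any allowlisting product.  The binaries, names and directory layout below are
constructed in a temporary folder for the demonstration.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Hash the file contents; this is what a hash rule keys on."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class NameRule:
    """Allow if the base name is approved.  Defeated by renaming the malware."""
    def __init__(self, names):
        self.names = set(n.lower() for n in names)

    def allows(self, path):
        return os.path.basename(path).lower() in self.names


class PathRule:
    """Allow anything under an approved directory.  Only as strong as the write
    permissions on that directory: if users can write there, so can malware."""
    def __init__(self, trusted_dir):
        self.trusted_dir = os.path.abspath(trusted_dir) + os.sep

    def allows(self, path):
        return os.path.abspath(path).startswith(self.trusted_dir)


class HashRule:
    """Allow only files whose SHA-256 is approved.  Renaming or moving the file
    changes nothing; any change to the bytes changes the hash."""
    def __init__(self, digests):
        self.digests = set(digests)

    def allows(self, path):
        return sha256_of(path) in self.digests


def simulate():
    """Lay out an approved app and a disguised malware copy, then ask each rule
    which files it would let run.  Returns {rule: {file: allowed}}."""
    root = tempfile.mkdtemp()
    try:
        program_files = os.path.join(root, "ProgramFiles")          # admin-writable only
        user_temp = os.path.join(root, "Users", "nurse", "AppData", "Temp")  # user-writable
        os.makedirs(program_files)
        os.makedirs(user_temp)

        approved = os.path.join(program_files, "PayrollApp.exe")
        rogue = os.path.join(user_temp, "cryptor.exe")
        disguised = os.path.join(user_temp, "PayrollApp.exe")  # malware renamed to look approved
        with open(approved, "wb") as f:
            f.write(b"MZ approved payroll binary (constructed)")
        with open(rogue, "wb") as f:
            f.write(b"MZ file-encrypting malware stand-in (constructed)")
        shutil.copyfile(rogue, disguised)

        rules = {
            "name": NameRule(["PayrollApp.exe"]),
            "path": PathRule(program_files),
            "hash": HashRule([sha256_of(approved)]),
        }
        files = {"approved": approved, "rogue": rogue, "disguised": disguised}
        return {rule: {label: r.allows(p) for label, p in files.items()}
                for rule, r in rules.items()}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rule, verdicts in simulate().items():
        print(rule, verdicts)
```

The name rule lets the renamed malware through; the path rule holds only because the malware landed in a user-writable folder; the hash rule holds regardless of name or location, at the cost of having to re-approve every legitimate update.  Real products combine these (plus publisher signatures), but the ranking is the same.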

The second tip, which I've seen elsewhere, is to prohibit (or at least limit) the running of macros.  You know I'm not a "1's and 0's" guy so I'm not sure how this works, but many viruses can hide in macros, so that a PDF or Word document can be the carrier of the virus.  While many people know not to click on links to unknown websites or open .zip or .exe files, many think that Word and PDF files must be harmless.  However, any file with a macro might be a virus carrier.
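
For the 1's and 0's side of that tip, here is an added example (written for this post, not from the US-CERT alert or any vendor) of how a mail gateway or file scanner can tell whether an Office document carries macros without trusting the file extension.  Modern Word and Excel files are zip packages; a macro-enabled one contains a vbaProject.bin part and declares it in [Content_Types].xml.  PDFs don't carry VBA macros but can carry JavaScript, so the same scanner does a crude check for that.  The sample documents are built in memory and are constructed stand-ins, not real files.

```python
"""Flag Office documents that carry VBA macros before they reach a user.

Added example for this post, not code from the original page or from any
vendor.  The sample attachments are constructed in memory with zipfile and
are stand-ins, not real Word/PDF files.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc/.xls container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")


def build_word_package(with_macro):
    """Construct a minimal OOXML package.  Constructed sample, not a real document."""
    types = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
    ]
    if with_macro:
        types.append('<Override PartName="/word/vbaProject.bin" '
                     'ContentType="application/vnd.ms-office.vbaProject"/>')
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # The real part is an OLE blob holding the VBA streams; a few bytes stand in for it.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def classify(data):
    """Return 'macro', 'clean', 'legacy-binary', 'pdf-active', 'pdf' or 'unknown'."""
    if data.startswith(OLE_MAGIC):
        # Old binary .doc/.xls: macros live in OLE streams and need an OLE parser
        # (e.g. oletools' olevba).  Treat as needing a second look, not as clean.
        return "legacy-binary"
    if data.startswith(b"%PDF-"):
        # Crude first pass only: these markers can be hidden by stream compression
        # or name encoding, so a real gateway uses a PDF parser here.
        return "pdf-active" if any(m in data for m in PDF_ACTIVE_MARKERS) else "pdf"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in z.read("[Content_Types].xml"):
                return "macro"
            return "clean"
    except zipfile.BadZipFile:
        return "unknown"


def scan(attachments):
    """attachments: {filename: bytes}.  Returns {filename: verdict}.  A 'macro'
    verdict on a .docx name means the extension was lying, which is exactly the
    case an extension-based filter misses."""
    return {name: classify(data) for name, data in attachments.items()}


def sample_attachments():
    """Constructed inbox: one clean document, one macro document, one macro
    document renamed to .docx, one legacy binary, one PDF with JavaScript, one text file."""
    return {
        "invoice.docx": build_word_package(with_macro=False),
        "invoice.docm": build_word_package(with_macro=True),
        "invoice_renamed.docx": build_word_package(with_macro=True),
        "old_report.doc": OLE_MAGIC + b"\x00" * 16,
        "statement.pdf": b"%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n",
        "notes.txt": b"just text",
    }


if __name__ == "__main__":
    for name, verdict in scan(sample_attachments()).items():
        print(f"{name:22s} {verdict}")
```

The useful policy outcome is not "block .docm" but "block or quarantine anything whose contents contain a VBA project," because the renamed file is the one a user will open.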

Finally, I could complain about how slow US-CERT is ("when seconds matter, help is only minutes away"), since we've been fighting ransomware like a wildfire for months.  But at least they have responded, and I've got to admit that I got something out of it (app whitelisting) that I'll use in the future.

Jeff [10:26 AM]

[ Monday, April 18, 2016 ]


Cloud computing and HIPAA: can you be HIPAA compliant if you use the cloud?  Of course you can.  You can also violate HIPAA by using the Cloud.  It's a tool; how you use it determines whether you're complying with your objectives.  

Jeff [5:33 PM]

[ Friday, April 15, 2016 ]


More Ransomware: Five thoughts that you can tease out of recent articles like this one for dealing with cybersecurity threats:

  1. Old Software.  If possible, stop using old outdated software.  Sometimes you can't help it, because it's the only software that works for what you do, you can't afford to move to a new platform, etc., but if you can update your software, do so.  If you're using Windows XP, you deserve what you get (sorry, but that's the cold hard truth).
  2. Patches.  Whether you're using new or old software, keep your patches updated.  All software has vulnerabilities, since the developers can't think of every possible weakness; that's why Zero Day exploits exist.  Having a vulnerability isn't bad unless it's exploited, and most vulnerabilities won't be exploited on any given day.  But over an unlimited number of days, every vulnerability will be, so you've got to limit the days the vulnerability is open.  Bad patch management is a consistent feature of every ransomware incident I've been involved in.
  3. Connectivity.  Limit connectivity whenever possible.  You can't run your business if your systems can't talk to each other and to the outside world.  The safest website in the world is one nobody can access; it's also the most worthless.  So you need some connectivity; you need some internet-facing computers.  But the more "doors" you have to the outside world, the more you need to protect, and the more that can be exploited.  If you don't think you'll need that door, lock it.  If you're sure you won't need it, brick it over (sort of like the concept of epoxying USB ports to keep employees from plugging in infected flash drives).
  4. Backups.  Have good, usable backups.  This means two things.  First, you need to be generating backup copies of your important data as often as you can, or at least have the ability to recreate any changes made since the last backup.  This may require re-keying data, so consider that when calculating recovery time.  Also, consider retaining older versions of backups, to account for the possibility that the backup you've just made contains compromised data; for example, if an encryption program is already running and you don't know it, you could make a backup copy of encrypted data, which you could then save over the last good version of your data.  Storage is cheap, so if you're doing daily backups, you should also keep a version from the prior week's end, a copy from the prior month's end, etc.  Secondly, make sure those backups are virtually inaccessible.  Again, in recent ransomware cases I'm aware of, the programs look for data files with names like .bac, .bak, or that include the word backup in them.  They will encrypt your backups if they can get to them, so make sure they can't.  If you have the data backed up, even if your files get encrypted, you can recover without paying any ransom by wiping your system clean and re-installing the backup data.
  5. Training.  As Morgan Wright said at your presentation yesterday, training is like bathing, it's not a one-and-done proposition.  But balance it: don't let "alarm fatigue" infiltrate your training efforts and reduce their effectiveness, but train often enough that your staff knows what the problems are, what the current threat vectors are, and what they should be on the lookout for.  

Something to think about. 
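
On the backup point, the "keep a prior week's end, a prior month's end" idea is simple to automate.  Here is an added example (written for this post, not from any of the articles linked above) of a retention planner that keeps every daily copy for a week, the last copy of each week for four weeks, and the last copy of each month for a year, so that a daily backup taken after the encryption already started never overwrites the last good version.  The backup calendar it runs against is constructed for the demonstration.

```python
"""Backup retention that keeps older generations (daily, week-end, month-end).

Added example for this post, not code from the original page.  It only decides
which backup generations to keep; the storage layer must still make the kept
generations unwritable from the network the workstations live on, or a
ransomware process that can reach the share will encrypt them too.  The backup
calendar below is constructed for the demonstration.
"""
from datetime import date, timedelta


def plan_retention(backup_dates, today, daily_days=7, weekly_weeks=4, monthly_months=12):
    """Return (keep, prune) as sorted lists of dates.

    Rules: every backup from the last `daily_days` days; the last backup of each
    ISO week (Mon..Sun) for `weekly_weeks` weeks; the last backup of each
    calendar month for `monthly_months` months.  An older generation survives
    even if the newest daily copy turns out to hold files that were already
    encrypted when it was taken.
    """
    backups = sorted(set(backup_dates))
    keep = set()

    # Daily tier: everything recent.
    for d in backups:
        if 0 <= (today - d).days < daily_days:
            keep.add(d)

    # Weekly tier: newest backup inside each ISO week, i.e. the week's end.
    last_in_week = {}
    for d in backups:
        year, week, _ = d.isocalendar()
        last_in_week[(year, week)] = d          # backups are sorted, so the last write wins
    for d in last_in_week.values():
        if 0 <= (today - d).days < weekly_weeks * 7:
            keep.add(d)

    # Monthly tier: newest backup inside each calendar month, i.e. the month's end.
    last_in_month = {}
    for d in backups:
        last_in_month[(d.year, d.month)] = d
    for d in last_in_month.values():
        months_back = (today.year - d.year) * 12 + (today.month - d.month)
        if 0 <= months_back < monthly_months:
            keep.add(d)

    prune = [d for d in backups if d not in keep]
    return sorted(keep), prune


def sample_calendar(today, days=400):
    """Constructed calendar: one backup every day for `days` days ending today."""
    return [today - timedelta(days=i) for i in range(days)]


def demo_plan():
    """Run the planner over the constructed calendar as of 2016-04-15 (a Friday)
    and return the kept and pruned dates as ISO strings."""
    today = date(2016, 4, 15)
    keep, prune = plan_retention(sample_calendar(today), today)
    return {"keep": {d.isoformat() for d in keep},
            "prune": {d.isoformat() for d in prune}}


if __name__ == "__main__":
    plan = demo_plan()
    print(f"{len(plan['keep'])} kept, {len(plan['prune'])} pruned")
    for d in sorted(plan["keep"]):
        print(d, date.fromisoformat(d).strftime("%a"))
```

Over 400 daily backups this keeps 21: the last seven days, the three Sundays before that, and eleven month-end copies back to May 2015.  The pruned copies are the ones a ransomware-tainted daily backup would otherwise have been written over.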

Jeff [11:41 AM]

[ Thursday, April 14, 2016 ]


Ransomware: Most hospitals have been hit in some way or another.

Jeff [3:13 PM]

[ Tuesday, April 12, 2016 ]


Florida Department of Health Breach: The medical information of over 1000 patients at seven Department of Health clinics in Palm Beach County was compromised, but it's unclear how.  Since it was the FBI that notified the Department of Health, it's entirely possible that they don't yet know what happened or how the data got out there.  

Jeff [10:25 AM]

[ Friday, April 08, 2016 ]


OCR's Second Round of Audits: what might they look like?  A look at the Audit Protocols should give you a pretty good idea of the specific questions they're going to ask.  Be forewarned, there are a lot of questions.

Jeff [5:20 PM]

[ Thursday, April 07, 2016 ]


mHealth: for app developers, there's always a question of whether your app is a medical device that needs FDA approval, whether it's subject to HIPAA, or whether other laws apply.  The FTC has set up this handy tool to help you figure out what land mines you need to avoid.

Of course, try not to cross the "creepy" line.

Jeff [1:54 PM]


Ransomware: more hospitals getting hit, in Indiana and more in California.  It is hitting critical mass, some say.

Jeff [1:46 PM]


MedStar: More on the MedStar hack (pardon me, I'm still catching up).

Jeff [1:25 PM]


NY Med Lawsuit: These are conflicting headlines, one noting the suit being thrown out (as against ABC) and the other noting that the suit can go on (against the doctor and hospital).  Ultimately, it's a question of whether the doctor and hospital released individually identifiable health information when a segment of a reality show included a dying patient who was never identified and whose face was blurred out.  The family of the deceased patient never signed a consent.  But they were also the ones that connected the dots and figured out it was their family member who was the dying patient, and by bringing the suit, effectively publicized the patient's information.  Tough call.

Jeff [12:00 PM]

[ Friday, April 01, 2016 ]


Non-HIPAA entities dealing with PHI: Interesting article in the NY Times on entities that deal in health information but aren't covered by HIPAA.  It illustrates a couple of things: (i) health data comes from all over, and if it comes from a non-HIPAA-covered-entity source (directly or through a business associate), it's not subject to HIPAA.  (ii) There are lots of entities that get data that is health related but comes from some non-healthcare source (your Fitbit, your grocery store, your gym) that really should not be subject to HIPAA restrictions.  (iii) There are lots of ways that data can be used, amalgamated, analyzed, etc., and no regulatory scheme is going to secure all of them.  

Jeff [5:35 PM]

[ Tuesday, March 29, 2016 ]


Ransomware? We don't know yet, but the FBI is investigating some sort of cyberattack on MedStar Health, which has frozen some data systems and caused the facilities to revert to paper records.

Jeff [10:20 AM]

[ Monday, March 28, 2016 ]


Ransomware: Must a provider report a ransomware hack as a HIPAA breach?  That's a question that's making the rounds with some of my friends in the privacy space, and there certainly is some disagreement on the matter.  Personally, I'd say every breach must be treated on its own facts, a breach risk analysis must be done, and the various factors considered.   But I believe it is absolutely possible to determine that there is no more than a low risk of compromise (remember, that's really an undefined and undefinable term in this context) if there was not exfiltration of the data.

Apparently Rep. Ted Lieu of California agrees, because he's proposing legislation to require providers to give notice to patients if they've been subject to a ransomware attack.  If it were required to be reported, there'd be no need to change the law, right?

Jeff [2:02 PM]

[ Thursday, March 24, 2016 ]


Phase 2 Audits will impact BAAs: that's Modern Healthcare's take.  Maybe; in my experience BAAs are generally in pretty good shape.  Obviously, there is a broad and wide diversity of BAAs, from the super-simple "just the facts" recitation of the regulatory requirements to the "show me your safeguards" agreements, where the covered entity gets deep into its vendors' operational minutia.  But for the most part, except for cases where there's no BAA at all, generally the BAAs that are out there are sufficient.

And for what it's worth, I'm not a big fan of the second type of agreement.  Covered entities can't turn a blind eye to whether they can trust a vendor, but safeguards are scalable, and it's not the covered entity's position to make a determination about what safeguards are appropriate for a BA.  Additionally, if it takes on that obligation and either doesn't look closely or doesn't see an insufficient safeguard, the covered entity could be liable for the breach caused by that insufficiency.

Jeff [9:49 AM]

[ Wednesday, March 23, 2016 ]


Ransomware: The FTC is now on the case. If the healthcare industry has not taken the Hollywood Presbyterian and other hacks as a serious wake-up call, one of the next victims might not only have to deal with the costs related to the breach itself, but may well end up having to defend itself from an FTC action.  

Jeff [4:14 PM]


Phase 2 Audits: 8 steps to get ready.  Even if you're not targeted, these are all good ideas.

Jeff [1:42 PM]


More Ransomware: Methodist Hospital in Kentucky is the latest to be hit.  

Jeff [10:58 AM]


Threat Awareness: While you're checking and rechecking your perimeter to keep CryptoLocker pirates out, don't forget: Cyber threats are often insiders.  

Jeff [8:47 AM]


Ransomware: Two more LA hospitals hit by ransomware hacks.  

Jeff [8:39 AM]

[ Monday, March 21, 2016 ]


HIPAA Audits, Round 2: according to an email I received from HHS, OCR has actually started the Phase II audits.  Apparently they have sent emails to targets seeking contact information, and are starting the information-gathering process.  The odds of getting picked are very slim, but you'll really wish you did a better job with your risk analysis and other HIPAA tasks if you do.

If anyone got picked and wants to share, please email me.  I'd love to know how it's going, and to pass along information (anonymously, of course) if you'll let me.

Jeff [8:01 PM]

[ Thursday, March 17, 2016 ]


Feinstein Institute Breach Nets $3.9 Million Fine: The hits just keep on coming.  A laptop containing PHI on 13,000 patients is stolen from an employee's car.  Encrypted, no fine; but it's unencrypted, so $3,900,000 to OCR's coffers.  Insufficient policies governing who could take laptops out, too.  

Jeff [9:59 PM]


Accretive Follow-Up: North Memorial Fined $1,550,000.  What happens when your business associate has a bad HIPAA boo-boo?  If you've done what you should have done, then usually you'll be fine, but if you haven't, you can get fined, and big.

North Memorial Health Care paid Accretive to assist it with its revenue cycle management.  Mainly, Accretive was known as being pretty aggressive in working very closely with hospital clients to get payments, mainly focusing on the patients' responsibility rather than the insurer, to the point of trying to work out payment plans while the patients were still in the hospital or ER.  While there really should be no problem with a provider of healthcare services, or any other services for that matter (surely hospitals and doctors don't have to work for free, do they?), trying aggressively to get those payments can look bad, and that put Accretive, and some of their clients, into the crosshairs of some state attorneys general.

Matters were made geometrically worse when an Accretive staffer had an unencrypted laptop stolen.

North Memorial was an Accretive client.  Normally, North Memorial would not necessarily be fined for its business associate's bad behavior, but the problem here is that Accretive's breach caused North Memorial to come under OCR scrutiny, and unrelated issues (well, unrelated to the actual breach incident/stolen laptop) came to light.  Specifically, North Memorial didn't have a BAA with Accretive, which is a pretty obvious HIPAA failure.  But worse, North Memorial did not have a risk assessment.  That is a catastrophic HIPAA failure.

Net Result: $1,550,000 fine.  That's serious money, folks.  

Jeff [2:57 PM]

[ Wednesday, March 16, 2016 ]


Top 5 Healthcare Cybersecurity Issues, and examples of each.

Jeff [1:27 PM]


Ransomware, Eh?  Canadian hospital hit with ransomware, but damage limited to 4 computers.  Apparently full backups available, so no major problems caused.  Were they lucky, have they had good cyber hygiene (backups, disconnectivity, etc.) in place, or did they harden their systems following the Hollywood-Presbyterian fiasco?  Inquiring minds want to know; let me know if you know.

Jeff [1:15 PM]

[ Tuesday, March 15, 2016 ]


Wellness Programs: When do employer wellness programs run into HIPAA issues?  It depends on how the program is set up and where it gets its information.  

Jeff [2:40 PM]


Lawyers and HIPAA: if you're an attorney trying to figure out what your own responsibilities are regarding HIPAA (especially if your clients are covered entities, or your adversaries are), here's a good presentation on your obligations.  The speaker knows his stuff.  Good looking, too.

Jeff [9:19 AM]


Off Topic: Texas Hospitals and Concealed or Open Weapons:   This isn't a HIPAA issue, but here's a good article on the Texas open-carry and concealed-carry laws, and how hospitals can prohibit visitors and employees from bringing weapons onto their grounds if they so wish.

Jeff [8:58 AM]

[ Friday, March 11, 2016 ]


Mobile Health Apps: Lawmakers on both sides of the aisle are unhappy with HHS' slow response to explain how HIPAA impacts mobile health apps, from Fitbit-type wearables to AirStrip-type medical information communication tools.   

Jeff [1:35 PM]

[ Thursday, March 10, 2016 ]


Data Breaches in Healthcare: one in three is a big number.  

Jeff [11:40 PM]

[ Tuesday, March 08, 2016 ]


Is the Wall of Shame obsolete?  Some say so.  I disagree.  I know privacy officers whose concerns increase dramatically when the number of individuals involved in an incident approaches 500.  Much of that is because an immediate report to OCR (as opposed to an annual report) will automatically bring an OCR investigation.  But they're also afraid of being posted on the Wall.  Also, many of us look at the Wall to see if an entity has a posting, for example during due diligence.  Does the wall not cause increased privacy diligence?  Maybe, but that's because (i) virtually all HIPAA-covered entities already are very diligent by nature where privacy is concerned, and (ii) it is the other HIPAA punishments OCR can dish out that cause the diligence.  What the wall does instead is allow the outside world to know a little about what OCR already knows -- who the big players are, what types of breaches are prevalent, etc.

Jeff [8:30 AM]

[ Monday, March 07, 2016 ]


More Part 2: If you are a Part 2 provider, you may want to update your consent form based on the new rules; at least that part of the new rules is likely to survive any comments.

The big change in Part 2 doesn't revise the current requirement that no disclosure can be made without specific patient authorization; rather, it allows the consent form to generally describe other providers to whom the information may be disclosed, presumably to allow integrated providers to share the information for treatment and other legitimate purposes.  However, the patient may be able to obtain a list of all disclosures to those individuals and entities who received the information pursuant to the general description of the recipient.

Jeff [10:37 AM]


Part 2 Changes Coming: If you're reading a HIPAA blog, you know about 45 CFR, especially Parts 160 and 164.  But if you're in the substance abuse field, you probably also know about "Part 2."

"Part 2" refers to 42 (not 45) CFR Part 2.  Those are special privacy rules applicable to federally-supported substance abuse treatment centers.  If you were at my PESI presentations in Houston or San Antonio last Thursday and Friday, you would have heard about the Part 2 rules and how, since they are more strict than HIPAA, they are not preempted by HIPAA.  Basically, Part 2 is a strict prohibition on releasing substance abuse treatment records, even more strict than HIPAA: virtually no releases are allowed without a specific authorization from the patient.

This strictness can sometimes be too much, apparently.  It also doesn't reflect the interconnectedness of health care services these days.  So HHS is proposing that Part 2 be amended to allow transfers of substance abuse record data among participants in an integrated care model.

The proposed rules are here; you can comment by clicking the box in the upper left corner.

Jeff [10:16 AM]

[ Thursday, March 03, 2016 ]


Walmart: A coding error meant that two people logging into the Walmart system at the same time might have been able to see each other's PHI (name and prescription history, but no SSN or credit card info).  Can't tell if they know that it happened or just that it could have, but only about 5,000 people are affected, and the bad code was only out there for 72 hours.  Not a hack, they say, just an incident.

Jeff [7:18 AM]

[ Tuesday, March 01, 2016 ]


BJC Over-reports.  BJC Healthcare in St. Louis sent an email containing patient names, dates of birth, and Medicare numbers to another healthcare provider.  No actual medical information, and apparently no social security numbers.  Sent to another healthcare provider.  The other provider was the addressee of the email.  The other provider was supposed to get the information.  There is no evidence at all that the information was viewed or accessed by any improper person.

But the email was not encrypted.

It's theoretically possible that someone viewed the information in the nanoseconds it was traveling through the internet.  It's theoretically possible that someone put a sniffer program on the server that the email happened to pass through on its way from BJC to the intended proper recipient.  It's theoretically possible that monkeys will fly out of my butt.

This is not a reportable event.  This is not a reportable breach.  This is NOT EVEN A BREACH.  It may be a breach of BJC's HIPAA policies and procedures, and the email sender should be sanctioned.  But reporting this to the public is dumb, in the way that all cries of "wolf" are dumb.

First ACC, now this.  

Jeff [9:22 AM]


Tips for Dealing With (and Hopefully Avoiding) Ransomware: I could quibble with a lot of this article from Jones Day (for example, almost all healthcare providers will have to give notice to the individual and the government if a single person's unsecured PHI is breached; the 500 number just changes the when and how of notifying the government, and also requires media notice), but the recommendations at the end are pretty solid.

But they're missing what would be #2 on my list: review and limit your internet interconnectivity.  You have to be connected, so being an island isn't really an option.  But the more you can isolate your most sensitive data, whether by limiting overall connections, keeping those connections under constant watch for unusual activity, or some other strategy,  the better off you'll be.  

Add on filters, firewalls, and good virus protection programs (consider multiple virus protection programs to get a combination best of breed).  Train your staff, including by testing them occasionally, so they'll know how to avoid phishing attacks.  And definitely have an incident response team locked and loaded.  Bad things are going to happen, and you should know the answer to the questions "What do I do now?" and "Who do I call?"

Jeff [8:30 AM]

[ Monday, February 29, 2016 ]


LA Department of Health: More ransomware, this time at the LA County Department of Health Services.  LA has said they won't pay the ransom; presumably they have good backups. . . .

Be careful, folks, some of these are state-sponsored attacks, so they'll be persistent.

Jeff [2:29 PM]

[ Thursday, February 25, 2016 ]


Jason Pierre-Paul: On July 4 of last year, NY Giants defensive end Jason Pierre-Paul suffered a fireworks accident and lost his right index finger.  Adam Schefter, an NFL reporter for ESPN, tweeted a picture of Pierre-Paul's medical records showing the finger had been amputated.  I tweeted about it here, questioning how Schefter got the medical records, which likely only came to him by virtue of a HIPAA breach (unless Pierre-Paul gave them to Schefter directly).  I also noted Peyton Manning's HIPAA issues, and my all-time favorite HIPAA quote: "I don't know what HIPAA stands for, but I believe in it and I practice it."

Now, Pierre-Paul has sued Adam Schefter and ESPN for breaching his privacy by publishing his medical records.  Several very interesting points: First, the damages claim is $15,000.  Seems like he'd ask for more; I sure would.  Although the hospital has already paid a settlement in the matter, which might be credited against the damages he got (if anything) from ESPN.  Second, it's a suit under Florida law, not HIPAA, which makes sense, since neither ESPN nor Schefter are covered entities under HIPAA, and it's unclear whether the Florida statute will work against anyone other than healthcare workers.  Third, while the medical record itself might be confidential, it's possible that the underlying information might not be.  The NFL requires teams to report on the health of players on a weekly basis during the season, including stating whether the player is ready to play, questionable, doubtful, or out for next week's game (compare with the NHL, where teams say little if anything, and often lie: during the 1999 Stanley Cup finals, Brett Hull had a sprained MCL and 2 torn groin muscles, but was described as having "flu-like symptoms").  Finally, why now?  It's mainly water under the bridge, the hospital already settled, and it's only $15,000.  

Jeff [3:08 PM]

[ Wednesday, February 24, 2016 ]


Encryption: There's still a long way to go on encrypting healthcare data, says the (extremely photogenic, by the way) California AG.  She's right, but this article goes straight to Anthem as an example of the hack targeting unencrypted data.  It did, but the hack was a very successful phishing attack against the IT department, and the hackers obtained administrator credentials, so even if every drop of data was encrypted, the hackers had the decryption keys.  (To her credit, AG Harris only mentions Anthem when listing the largest hacks and does not single them out regarding encryption.)

To some extent that doesn't matter: the health industry really should adopt widespread encryption at a much higher rate, for the simple reason that if you have an accidental breach or employee error (which still account for a much higher rate of incidents than anything else), you can simply avoid the reporting requirements, and the public spectacle, potential lawsuits, and fines, if the lost data is encrypted.  

Jeff [2:12 PM]


Bleg: Looking for an affordable physician/patient portal provider that can scale down to very small-size, low traffic practice (e.g., solo concierge doctor). Also looking for any other physician website resources (developers, hosts, etc.).  Any recommendations?  Email them to me: jdrummond - at - jw- dot - com.

Jeff [10:23 AM]


It's Easy to Hack a Hospital: Way too easy.  I don't think it's likely that someone would hack an oncology pump, but the fact that it can happen isn't good.  Of course there's plenty of blame to spread around -- why are oncology pumps so connectable?  It's not necessary, and there needs to be some effort by developers to limit connectivity.

Hat tip: Justin Shafer

Jeff [1:04 AM]
