HIPAA Blog

[ Wednesday, January 06, 2021 ]


As I noted in early December, I had back surgery, and was out for a couple of weeks.  Follow that up with the Christmas and New Years holidays, making for a couple of 3-day weeks, plus the fact that I've been less than optimal physically due to the back pain that precipitated the surgery, and I've fallen behind in my blogging duties.  I'll try to catch up this month, and here's my first installment of "what I shoulda told you a couple of months ago."  And don't worry, I'll report on the NPRM soon enough; suffice it to say, it's small potatoes, but if it becomes final, you'll have some paperwork to do.

Aetna Settles 3 breaches from 2017 for $1,000,000: These included (i) PHI-containing web services that were internet accessible without passwords or credentials; (ii) a mailing to HIV patients using window envelopes that allowed the words "HIV medication" to show through the window, and (iii) another mailing to research participants with the name and logo of the research study on the envelope.  The resolution agreement and action plan, which includes an implementation report and 2 annual reports, are here.

Ransomware and other security incidents are on the rise, and disproportionately affecting healthcare entities: The FBI specifically warned of a wave of cyber-attacks directed at the healthcare industry.  It's Russians using Ryuk.  And the potential for such an attack being lethal was made clear in September when a German hospital suffered a hacking incident and a patient died as a result.  All of this came out about the same time as new reports on the particular vulnerability of IoT-connected medical devices.  As far as we know, other than in movies and spy novels, nobody's hacked the pacemaker or insulin pump of a corporate executive or politician and demanded ransom, but it's clearly possible.

PACS server vulnerabilities: I already discussed the PACS system issue, but if you want to read some inside baseball on this, here's a researcher discussing how he was able to access petabytes of x-ray, MRI, and CT images, without hacking, over the internet.  It's not for the faint of heart -- he showed that not only could you view images and steal data, you could upload fake images to these PACS systems.  Hat tip: Joel Lytle.

City of New Haven (CT) fined for failure to terminate former employee's access to PHI: The city's health department, which operates a clinic, didn't remove a former employee's credentials to access its medical records, and the employee snooped into about 500 files before being discovered.  The PHI included STD test results (lovely).  The city had not done a risk analysis (of course), and under the resolution agreement paid a fine of over $200,000.

That's enough for now, more later.


Jeff [8:34 AM]
