Beginning this month, EHR 2.0 will be making the contents of our monthly newsletter available in the articles/blog section of our website. This post gives an overview of the headlines covered over the past year, organized by category, that are still affecting healthcare and IT professionals. Be sure you are subscribed to our mailing list to receive monthly compliance news and security alerts, or sign up by scrolling to the end of the homepage.
Tips & Guidance
NIST Cybersecurity Framework
NIST has released an update to its Framework for Improving Critical Infrastructure Cybersecurity. The previous edition, published in February 2014, has been revised to incorporate feedback gathered from workshops and public comment.
NIST 2016 Annual Report on NIST/ITL Cybersecurity Program
A summary of the standards, guidelines, tests, and metrics NIST produces for the protection of non-national-security federal information systems.
NIST Recommendations for Safe Copy-and-Pasting
Copying and pasting within the EHR can lead to errors and inconsistent data entry. The NIST document Examining the ‘Copy and Paste’ Function in the Use of Electronic Health Records lays out guidelines based on data integrity and reliability. AHIMA has also published guidance on auditing copy-and-paste and on its appropriate use.
FTC Business Guide for Digital Copier Security
Per FTC guidance, an information security assessment, and the policies and procedures that follow from it, should cover printer, scanner, and copier devices: they store documents on internal drives and need to be wiped or destroyed before disposal.
HHS Guidance for Information Sharing During the Opioid Crisis
Following the declaration of a public health emergency, HHS has posted HIPAA guidance on sharing information with a patient’s family and close friends in certain emergency situations, under the conditions that apply when disclosure is needed to prevent or lessen a serious threat to health or safety.
2017 HIMSS Cybersecurity Survey
The HIMSS report measures the percentage of health information security professionals who have adopted various security measures. It also covers their main concerns, including medical device security, cloud security, and insider threats.
Primary Care Physicians Spending Over Half Their Workday On EHR Tasks
The study, published in Annals of Family Medicine, combined direct observation with analysis of event logs within the EHR. It concluded with five recommendations for improved efficiency, including proactive planning and team-based tasking.
82 Percent of Patients Surveyed Made Use of Patient Portal from their Healthcare Provider
According to an AHIMA survey of consumers’ perspectives on access to personal health information, 90% of portal users were satisfied or very satisfied. Viewing lab results was the most common use among patients, followed by requesting appointments and medication renewals.
Over 70 Percent of Respondents Surveyed Have Shared Access Credentials With Other Staff Members
A Healthcare Informatics Research study finds that the integrity of unique user ID assignment is not properly maintained in many EMR systems. Practice personnel need to sign in with their own individual accounts so that each user is granted access only to the appropriate, “minimum necessary” patient information, and so that audit logs actually identify who viewed a record.
Threats & Malware Alerts
All Wi-Fi Devices Potentially At Risk of Key Reinstallation Attack
Even on WPA2-protected networks, traffic can be intercepted by an attacker within radio range who manipulates the WPA2 handshake to force a device to reinstall an encryption key it is already using; no knowledge of the Wi-Fi password is needed, and the fix is a software patch on the client devices (and access points). A list of known affected vendors is available in the US-CERT (CERT/CC) vulnerability note. If unsure of a system’s patch status, consider using only Ethernet/wired connections or a cell-phone data plan with Wi-Fi disabled until it is updated.
Health Network Database Hit with New Ransomware
The Harak1r1 ransomware campaign captures data and then deletes it from the affected system, leaving a ransom demand in its place. MongoDB instances reachable from the internet without authentication were the targets, so anyone running MongoDB should review the MongoDB Security Checklist, and apply an equivalent resource for other database platforms. Secure configuration (access control and network binding in particular) needs to be verified at installation rather than assumed from the defaults.
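The two checklist items that this kind of campaign depends on are the easiest to verify on a server: which interfaces mongod listens on, and whether it requires authentication. The following mongod.conf fragments are an added illustration for this post, not configuration from the page, from MongoDB, or from the affected network; the interface address 10.0.5.12 is assumed.

```yaml
# INSECURE (added illustration): the shape of configuration the 2017 ransom
# campaigns found. Listening on every interface with no "security" section
# means any client that can reach TCP 27017 has full read/write access.
net:
  port: 27017
  bindIp: 0.0.0.0
---
# HARDENED (added illustration): listen only on loopback and the internal
# application interface (10.0.5.12 is an assumed address), and require
# authentication so every client must present a user with assigned roles.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12
security:
  authorization: enabled
```

With `authorization: enabled` and no users defined yet, MongoDB’s localhost exception lets the first administrative user be created from a shell on the server itself; do that immediately after restarting, then confirm from another host that an unauthenticated connection is refused, and keep a host firewall rule in front of the port so the database is never the only thing standing between the internet and the data.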
EHR & PM Vendor Allscripts Attacked By Ransomware
SamSam malware has been infecting unpatched servers in the healthcare space. Allscripts kept frequent backups that were not affected by the attack, which allowed eventual recovery of its services.
Ransomware Variant Alert
The latest Petya variant uses a delivery method similar to that of the WannaCrypt (WannaCry) outbreak, spreading between unpatched Windows systems over the same SMB vulnerability. A master decryption key for the original Petya strain was released, but it does not apply to the recent variant.
Virus Unknowingly Distributed By Antivirus Company
Attackers compromised the build and distribution of CCleaner and replaced the legitimate installer with a trojanized version, so the infected copy carried the vendor’s own code signature. Computers that ran the affected 32-bit Windows version may be infected, and reinstalling the operating system is the safest way to ensure no residual malware remains.
Security Breach of Australia’s Medicare
Officials are working to find the source of unauthorized access to records in the Australian Medicare system, after an unidentified seller offered the full Medicare details of any Australian on request for a payment of around $30.
Equifax Credit Bureau Data Breach
The breach of the credit bureau affected an estimated 150 million consumers; an unpatched, publicly known vulnerability in the Apache Struts web framework on its servers was the likely cause. Outdated server software was also the primary source of infection in the recent WannaCrypt ransomware outbreak.
Ridesharing Service Paid Hackers To Delete Data
The offending parties were paid in exchange for deleting the data and not disclosing the incident. In the healthcare space, a breach must be reported regardless, even where there is reason to believe the hackers deleted the data.
HHS Penalty for Lack of Timely Notification
The settlement serves as a reminder to notify HHS without unreasonable delay once a breach is discovered. A formal breach risk assessment should be performed right away to determine whether notification is required; the Breach Notification Rule sets an outer limit of 60 days from discovery, and penalties are more severe when that deadline is missed.
$5.5 Million HIPAA Settlement Shines Light on the Importance of Audit Controls
A network of care centers was found in violation of the requirement to review, modify, and terminate users’ access rights: a former employee’s login credentials had been used to access ePHI over the course of almost a year after departure, and the access logs that would have revealed it were not being reviewed.
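The audit control that would have caught this is a routine reconciliation of EHR access logs against the HR termination list. The script below is an added example written for this post, not code from the page, from OCR, or from the care network involved; the log format, the usernames, and the dates are all constructed sample data.

```python
"""Stale-credential check: flag EHR activity by accounts HR has terminated.

Added example. The HR feed, audit log format and every value in it are
constructed for illustration and do not come from any real system.
"""
from datetime import date, datetime, timedelta

# Constructed HR feed: username -> termination date (None means still employed).
HR_TERMINATIONS = {
    "jsmith": date(2023, 3, 15),
    "mlee": None,
    "rgarcia": date(2023, 6, 1),
}

# Constructed EHR audit log. Assumed format: "<ISO timestamp> <EVENT> key=value ...".
EHR_AUDIT_LOG = """\
2023-03-10T08:02:11 LOGIN user=jsmith src=10.0.4.21 result=success
2023-03-20T09:14:52 LOGIN user=jsmith src=10.0.4.21 result=success
2023-03-20T09:15:30 RECORD_VIEW user=jsmith patient=MRN0001234
2023-07-02T22:41:07 LOGIN user=rgarcia src=203.0.113.9 result=success
2023-07-02T22:42:19 RECORD_VIEW user=rgarcia patient=MRN0009876
2023-07-03T07:00:00 LOGIN user=mlee src=10.0.4.30 result=success
2023-07-03T07:05:00 LOGIN user=contractor7 src=10.0.4.30 result=success
"""


def parse_line(line):
    """Split one audit line into (timestamp, event, {key: value})."""
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), event, kv


def audit_access(log_text, terminations, grace_days=0):
    """Return (post_termination, orphan_accounts).

    post_termination maps each user who did anything in the log more than
    grace_days after their HR termination date to a summary of that activity
    (termination date, event count, first and last post-termination event).
    orphan_accounts lists usernames seen in the log but absent from the HR
    feed: service or contractor accounts with no owner of record, which an
    access review also has to cover.
    """
    post_termination = {}
    orphans = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, kv = parse_line(line)
        user = kv.get("user")
        if user is None:
            continue
        if user not in terminations:
            orphans.add(user)
            continue
        term = terminations[user]
        if term is None or ts.date() <= term + timedelta(days=grace_days):
            continue  # current employee, or activity before the cut-off date
        entry = post_termination.setdefault(
            user, {"terminated": term, "events": 0, "first": ts, "last": ts})
        entry["events"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return post_termination, sorted(orphans)


def days_after_termination(entry):
    """How long a terminated account stayed in use: termination to last event."""
    return (entry["last"].date() - entry["terminated"]).days


if __name__ == "__main__":
    stale, orphans = audit_access(EHR_AUDIT_LOG, HR_TERMINATIONS)
    for user, e in stale.items():
        print(f"{user}: {e['events']} event(s) after termination on {e['terminated']}, "
              f"last seen {e['last']} ({days_after_termination(e)} days later)")
    print("accounts not in HR feed:", orphans)
```

Run monthly (or on every HR termination event) against the real log export, the report answers two questions OCR asks in an investigation: which departed users still touched ePHI, and for how long. The grace_days parameter exists only so a sanctioned hand-over period can be excluded; leave it at zero unless policy defines one.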
$2.5 Million Settlement Shows that Not Understanding HIPAA Requirements Creates Risk
A laptop was stolen from a parked car. The OCR investigation found that the risk analysis and risk management plan in place were insufficient; an adequate analysis would likely have identified the threat of unencrypted devices leaving the premises beforehand.
Overlooking Risks Leads to Breach, $400,000 Settlement
An email phishing incident allowed a hacker to access employee accounts, and a security risk assessment was not conducted until after the breach had already occurred. Phishing remains one of the most frequent sources of breaches.
Oncology Firm Agrees to $2.3 Million Settlement With OCR
The breached information included names, Social Security numbers, diagnoses, and treatment details for 2,213,597 individuals; the settlement amounts to roughly $1 per affected person.
HHS: Five Breaches Add Up to Millions in Settlement Costs for Entity
The breaches occurred around five years ago at five separate covered entities within the same network. None of the locations had conducted an adequate security risk analysis (SRA) of its potential vulnerabilities.
CMS Will Not Order Forfeiture of Incentive Payments From Providers Running eClinicalWorks EHR
The DOJ imposed penalties on EHR software vendor eClinicalWorks for making false claims about its software. Healthcare practices running the software were led to submit inaccurate attestation details under the impression that the required features were functional.
OIG Reviewing CMS Incentive Payments to Hospitals and Eligible Providers
The OIG report Hundreds of Millions in Electronic Health Record Incentive Payments Did Not Comply With Federal Requirements found widespread improper payouts. The OIG Work Plan now includes a review of hospitals, where the agency may pursue recovery of a portion of the improper payments.
New Features Added to HHS HIPAA Breach Reporting Tool
HHS and OCR have revised the HIPAA Breach Reporting Tool (HBRT) for usability. The Breach Report page lists the latest incidents under investigation, along with an archive showing how older breaches were resolved.
EHR 2.0 keeps up to date with the latest security threats and regulatory requirements facing healthcare organizations and business associates. Our Security Risk Assessment and HIPAA/HITECH Compliance Assurance services are continuously updated to reflect current circumstances. You are welcome to request a quote if you are at all unsure about your current status, and one of our representatives will be in touch shortly.