April 28, 2017. On April 24, 2017, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced in a news release a $2.5 million settlement in a Resolution Agreement and Corrective Action Plan with CardioNet, a “covered entity that provides patients with wireless ambulatory cardiac monitoring service,” for “impermissible disclosure of unsecured electronic protected health information (ePHI)” in reported breaches on January 10, 2012 (1,391 individuals affected) and February 27, 2012 (2,219 individuals affected). OCR initiated an investigation in May 2012 and determined that CardioNet:
April 28, 2017. On April 14, 2017—the Effective Date—the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) settled with Center for Children’s Digestive Health (CCDH), “a small, for-profit health care provider that operates a pediatric subspecialty practice in seven clinic locations across Illinois,” for “impermissibly [disclosing] the [protected health information] of at least 10,728 individuals” to a “third-party vendor that stored inactive paper medical records” “without obtaining [the vendor’s] satisfactory assurances, in the form of a written business associate agreement, [that the vendor] would appropriately safeguard the PHI.”
April 17, 2017. On April 12, 2017, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced in a news release entitled: “Overlooking risks leads to breach, $400,000 settlement”, that it had executed a Resolution Agreement and embedded Corrective Action Plan with a nonprofit federally qualified health center (FQHC), Metro Community Provider Network (MCPN) of Denver, CO for failure to:
April 5, 2017. The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has issued an April 2017 Cyber Awareness Newsletter entitled: “Man-in-the-Middle Attacks and ‘HTTPS Inspection Products’”. The Newsletter states: “Man-in-the-middle (MITM) attacks occur when a third-party intercepts and potentially alters communication between two different parties, unbeknownst to the two parties. MITM attacks can be used to inject malicious code, intercept sensitive information like protected health information (PHI), expose sensitive information, and modify trust information.”
April 4, 2017. The Workgroup for Electronic Data Interchange (WEDI) has published an Issue Brief entitled: “The Rampant Growth of Cybercrime in Healthcare.” The timing of the WEDI release coincides with the Federal Bureau of Investigation (FBI) Cyber Division release of “Cyber Criminals Targeting FTP Servers to Compromise Protected Health Information,” which HIPAA Integrity® has discussed in several of its posts in the past week. Designed for “Education and Awareness Use Only,” the Issue Brief “explores some of the common vulnerabilities of healthcare organizations that are typically exploited by threat adversaries in today’s environment as well as best practices to mitigate these vulnerabilities.”
April 4, 2017. In the past week, HIPAA Integrity® has posted several significant pieces on the importance of implementing and hardening cybersecurity perimeter defenses to deter and mitigate the consequences of the growing incidence of cyberattacks such as phishing and ransomware demands resulting in impermissible access, use, and disclosure of unsecured protected health information (PHI).
April 3, 2017. In a rare but significant move, the Cyber Division of the Federal Bureau of Investigation (FBI) issued on March 22, 2017, a Private Industry Notification to the healthcare industry entitled: “Cyber Criminals Targeting FTP Servers to Compromise Protected Health Information,” which is accessible online at: https://info.publicintelligence.net/FBI-PHI-FTP.pdf. This matter, which only began appearing on healthcare industry radar late last week, concerns File Transfer Protocol (FTP) servers containing protected health information (PHI) operating in anonymous mode without password protection, creating an opportunity for hackers to penetrate vulnerable healthcare networks to impermissibly access unsecured PHI. The FBI Notification cites a 2015 University of Michigan study that indicated “over 1 million FTP servers were configured to allow anonymous access, potentially exposing sensitive data stored on the servers.”
March 31, 2017. On March 22, 2017, the Cyber Division of the Federal Bureau of Investigation (FBI) issued a Private Industry Notification entitled: “Cyber Criminals Targeting FTP Servers to Compromise Protected Health Information [PHI].” FTP servers are File Transfer Protocol servers, FTP being “a protocol widely used to transfer data between network hosts.” “The anonymous extension of FTP allows a user to authenticate to the FTP server via common username such as ‘anonymous’ or ‘ftp’ without submitting a password or by submitting a generic password or e-mail address.” Access to such servers containing protected health information (PHI) potentially imperils such information for impermissible use or disclosure.
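The FBI Notification describes the anonymous FTP extension in terms of the usernames it accepts (‘anonymous’ or ‘ftp’) and the absence of a real password. From a defender’s side, the two checks that follow from that description are (1) whether your own FTP server configuration still permits anonymous logins and (2) whether any anonymous logins actually occurred. The script below is an added example written for this post; it is not code from the FBI, OCR, or HIPAA Integrity®. The configuration directive names (`anonymous_enable`, `anon_upload_enable`) are real vsftpd options; the sample configuration text and the log lines, which imitate vsftpd’s login log format, are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Usernames the FBI Notification names as the anonymous-extension logins.
ANON_USERS = {"anonymous", "ftp"}

# Matches the login portion of a vsftpd-style log line, e.g.
#   ... [pid 2] [anonymous] OK LOGIN: Client "203.0.113.5", anon password "..."
LOGIN_RE = re.compile(
    r'\[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


@dataclass
class AnonLogin:
    user: str
    client: str
    line: str


def find_anonymous_logins(log_lines: List[str]) -> List[AnonLogin]:
    """Return every successful login made with an anonymous-style username."""
    hits: List[AnonLogin] = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if not m or m.group("status") != "OK":
            continue  # unparseable line or a failed login attempt
        if m.group("user").lower() in ANON_USERS:
            hits.append(AnonLogin(m.group("user"), m.group("ip"), line))
    return hits


def parse_vsftpd_config(config_text: str) -> Dict[str, str]:
    """Parse key=value lines, ignoring blanks and '#' comments."""
    settings: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().upper()
    return settings


def audit_vsftpd_config(config_text: str) -> List[str]:
    """Flag settings that expose the server to anonymous access.

    vsftpd's compiled-in default for anonymous_enable is YES (vsftpd.conf(5)),
    so a missing directive is treated as enabled rather than as safe.
    """
    settings = parse_vsftpd_config(config_text)
    findings: List[str] = []
    if settings.get("anonymous_enable", "YES") == "YES":
        findings.append("anonymous_enable is YES (or unset): anonymous logins permitted")
    if settings.get("anon_upload_enable", "NO") == "YES":
        findings.append("anon_upload_enable is YES: anonymous users may upload files")
    return findings


# Constructed sample data (not real server output).
SAMPLE_LOG = [
    'Thu Mar 23 10:15:02 2017 [pid 2] [anonymous] OK LOGIN: Client "203.0.113.5", anon password "mozilla@example.com"',
    'Thu Mar 23 10:16:44 2017 [pid 3] [alice] OK LOGIN: Client "198.51.100.7"',
    'Thu Mar 23 10:17:01 2017 [pid 4] [ftp] OK LOGIN: Client "203.0.113.9", anon password "?"',
    'Thu Mar 23 10:18:30 2017 [pid 5] [bob] FAIL LOGIN: Client "198.51.100.8"',
]

SAMPLE_CONFIG = """# constructed vsftpd.conf fragment
anonymous_enable=YES
anon_upload_enable=NO
local_enable=YES
"""

if __name__ == "__main__":
    for finding in audit_vsftpd_config(SAMPLE_CONFIG):
        print("CONFIG:", finding)
    for hit in find_anonymous_logins(SAMPLE_LOG):
        print(f"LOGIN: user={hit.user} client={hit.client}")
```

Run against a real server, `find_anonymous_logins` would take the lines of `/var/log/vsftpd.log` and `audit_vsftpd_config` the contents of `/etc/vsftpd.conf`; a non-empty result from either is the signal to disable anonymous access before PHI is reachable over it.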
March 31, 2017. With breaches growing and types expanding, experts at the Claims and Litigation Management Alliance Conference in Nashville, TN yesterday recommended planning ahead for cost-effective breach response and management, according to Gavin Souter in his March 30, 2017, Business Insurance article entitled: “Early breach preparation can save costs as attacks grow.” Robert Parisi of Marsh L.L.C. in New York stated: “You don’t want to start figuring out who to hire—whether it be a lawyer or a forensics investigator—as you are sending the FBI guys out the door and thanking them for telling you about the breach…. Have a plan, work the plan. That seems to be the best way to keep losses to a minimum.”
March 30, 2017. In its undated update on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53-Revision 5, with the expected title: “Security and Privacy Controls for Federal Information Systems and Organizations,” NIST indicated that the publication was projected for March 28, 2017. That date also coincided with the Information Security and Privacy Advisory Board (ISPAB) meeting in Washington, DC, at which a presentation on Draft SP 800-53-Revision 5 was scheduled.