HIPAA Journal – HHS Delays Enforcement

Highlights from the HIPAA Journal

From the April 20th Newsletter

Due to recent events in relation to COVID-19, the HHS (Department of Health and Human Services) is delaying enforcement of the new interoperability and information sharing rules.

“Now more than ever, patients need secure access to their healthcare data. Hospitals should be doing everything in their power to ensure that patients get appropriate follow-up care…Nevertheless, in a pandemic of this magnitude, flexibility is paramount for a healthcare system under siege by COVID-19. Our action today will provide hospitals an additional 6 months to implement the new requirements.” – Seema Verma, CMS Administrator

March 2020 Healthcare Data Breach Report

  • March had a 7.69% month-over-month decrease in breaches and a 45.88% reduction in the number of breached records.
  • Out of the 36 healthcare data breaches in the month of March, 19 were related to a hacking/IT incident.
  • 50% of the PHI breached in March was directly related to email accounts being hacked.

A group of Senators has reached out to CISA, the Department of Homeland Security and U.S. Cyber Command asking that cybersecurity guidance be given to the healthcare sector in relation to the COVID-19 pandemic.

“The letter cites a report from cybersecurity firm FireEye which identified a major campaign being conducted by the Chinese hacking group, APT41, targeting the healthcare sector.”

The FBI has issued a warning to the healthcare sector regarding COVID-19 related phishing scams.

  • The FBI recommends that patches be applied promptly and that all software be updated to the latest version.
  • Hackers are delivering the following file types in these phishing campaigns to gain a foothold in healthcare networks:
    • Word documents
    • Visual Basic Scripts
    • 7-zip compressed files
    • JavaScript
    • Microsoft executables
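The file types above are exactly what a mail gateway should triage before delivery. The following is an added example, not code from the newsletter or the FBI alert; the filenames, byte headers and the extension-to-vector mapping are constructed assumptions for illustration:

```python
# Added example: triage inbound-mail attachment metadata against the delivery
# vectors listed in the FBI warning. All sample values are constructed.
from dataclasses import dataclass

# Extension -> vector label (mapping is an assumption based on the list above).
FLAGGED_EXTENSIONS = {
    ".doc": "Word document", ".docm": "Word document (macro-enabled)",
    ".vbs": "Visual Basic Script", ".vbe": "Visual Basic Script",
    ".7z": "7-zip compressed file",
    ".js": "JavaScript", ".jse": "JavaScript",
    ".exe": "Microsoft executable", ".scr": "Microsoft executable",
}
# Leading bytes that identify the real content type regardless of filename.
MAGIC = {
    b"7z\xbc\xaf\x27\x1c": ".7z",  # 7-zip archive
    b"MZ": ".exe",                  # PE executable
    b"\xd0\xcf\x11\xe0": ".doc",    # OLE compound document (legacy Office)
}

@dataclass
class Attachment:
    filename: str
    head: bytes  # first bytes of the attachment body

def triage(att: Attachment) -> list[str]:
    """Return reasons to hold the attachment for review; an empty list means pass."""
    reasons = []
    name = att.filename.lower()
    # Walk every suffix so 'invoice.pdf.js' and 'report.docm' are both caught.
    exts = ["." + part for part in name.split(".")[1:]]
    for ext in exts:
        if ext in FLAGGED_EXTENSIONS:
            reasons.append(f"{FLAGGED_EXTENSIONS[ext]} ({ext})")
    if len(exts) > 1:
        reasons.append("double extension")
    # A filename that hides what the bytes say it is deserves a look on its own.
    for magic, ext in MAGIC.items():
        if att.head.startswith(magic) and ext not in exts:
            claimed = exts[-1] if exts else "none"
            reasons.append(f"content looks like {ext} but filename says {claimed}")
    return reasons

def triage_batch(attachments: list[Attachment]) -> dict[str, list[str]]:
    """Map each flagged filename to its reasons; clean attachments are omitted."""
    return {a.filename: r for a in attachments if (r := triage(a))}

if __name__ == "__main__":
    sample = [Attachment("COVID19_update.docm", b"PK\x03\x04"),
              Attachment("invoice.pdf.js", b"var x"),
              Attachment("patient_list.txt", b"MZ\x90\x00"),
              Attachment("guidance.pdf", b"%PDF-1.7")]
    for name, why in triage_batch(sample).items():
        print(f"HOLD {name}: {'; '.join(why)}")
```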

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to all organizations using Pulse Secure VPN servers that patching vulnerabilities will not necessarily prevent cyberattacks.

  • CISA issued an alert about a year ago warning organizations to patch a vulnerability (CVE-2019-1151) in Pulse Secure Virtual Private Network appliances due to a high risk of exploitation.

Recent cyber/ransomware attacks related to the Healthcare industry

  • Beaumont Health in Michigan had unauthorized individuals gain access to employee email accounts, which gave them access to PHI stored in emails and email attachments. Beaumont notified 112,000 patients that their information was potentially exposed in this breach.
  • Aurora Medical Center-Bay Area in Wisconsin notified 27,137 patients that their information was potentially exposed following a phishing attack.
  • University of Pittsburgh Medical Center Altoona had an unauthorized individual gain access to a physician’s email account and could not rule out unauthorized access to PHI. Up to 13,911 patients may have been affected by this attack.

We understand the unique and challenging aspects of IT in the Healthcare space