TRANSCRIPT
Significant Developments in Healthcare
Presented by: Karen Painter Randall, Partner, Connell Foley LLP; Stacey L. Gulick, Partner, Garfunkel Wild, P.C.
Recent Enforcement Actions
What Are the Concerns? (Just a reminder)
§ Civil Monetary Penalties
§ Criminal Penalties
§ Private Rights of Action (there is no private right of action under HIPAA, but the courts have said that violation of HIPAA can be used to prove other claims such as negligence)
§ Class Action Suits
§ Costs of an OCR Investigation
Largest Settlements to Date (Failure to Terminate Employee Access)
On February 16, 2017, the OCR announced that, as a result of failing to remove access upon termination of an employee, Memorial Healthcare System (MHS) paid the OCR $5.5 million. MHS operates hospitals and a variety of ancillary healthcare facilities in Florida. In addition, MHS is affiliated with physician offices through an OHCA. MHS reported to the OCR that the PHI of 115,143 individuals had been impermissibly accessed and disclosed. The login credentials of a former employee of an affiliated physician's office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. The OCR specifically noted that (1) MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users' right of access, and (2) failed to audit computer system activity, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.
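One defender-side check the MHS findings point to, as an added example that is not from the presentation: reconciling an HR termination feed against system access logs so that an account still in use after its owner left is surfaced during a periodic access review rather than a year later. The log format, field names and all records below are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed HR feed (assumed format): username -> termination date.
TERMINATIONS = {"jdoe": "2011-03-31", "asmith": "2012-06-15"}

# Constructed access log (assumed format): "<ISO timestamp> <user> <action> <record>".
ACCESS_LOG = """\
2011-03-30T09:12:04 jdoe VIEW patient-1001
2011-04-02T08:55:10 jdoe VIEW patient-1002
2011-04-03T08:57:41 jdoe VIEW patient-1003
2011-05-01T10:00:00 mjones VIEW patient-1004
2012-06-20T11:30:00 asmith EXPORT patient-1005
"""

def parse_log(text):
    """Split the constructed log into (timestamp, user, action, record) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, record = line.split()
            events.append((datetime.fromisoformat(ts), user, action, record))
    return events

def post_termination_access(log_text, terminations, grace_days=0):
    """Return events where a terminated account was still used after its
    termination date (plus an optional grace period), oldest first."""
    hits = []
    for ts, user, action, record in parse_log(log_text):
        if user not in terminations:
            continue
        cutoff = datetime.fromisoformat(terminations[user]) + timedelta(days=grace_days)
        if ts > cutoff:
            hits.append({"user": user, "when": ts.isoformat(), "action": action,
                         "record": record, "days_after_cutoff": (ts - cutoff).days})
    return sorted(hits, key=lambda h: h["when"])

def summarize(hits):
    """Per-account count and date span of post-termination activity, the figure
    an access review would report (in the MHS case the span was a full year)."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["user"], {"events": 0, "first": h["when"], "last": h["when"]})
        s["events"] += 1
        s["last"] = max(s["last"], h["when"])
    return summary

if __name__ == "__main__":
    for user, s in summarize(post_termination_access(ACCESS_LOG, TERMINATIONS)).items():
        print(f"{user}: {s['events']} post-termination events, {s['first']} .. {s['last']}")
```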
Largest Settlements to Date
In August 2016, Advocate Health Care Network (Advocate) entered into a settlement with the OCR to pay $5.55 million and adopt a corrective action plan. The investigation occurred after Advocate reported three large breaches (involving different Advocate entities). The OCR alleged that Advocate failed to:
§ conduct an accurate and thorough risk analysis of all of its facilities, equipment, applications and data systems;
§ limit physical access to its electronic information systems;
§ obtain a BAA from a vendor that had access to PHI, resulting in impermissible disclosure of ePHI; and
§ reasonably safeguard the ePHI when an AMG workforce member left an unencrypted laptop in an unlocked vehicle.
Lack of Timely Breach Notification
In January 2017, the OCR announced the first HIPAA settlement based on the untimely reporting of a security breach: Presence Health agreed to pay $475,000 and implement a corrective action plan. The OCR claims that this settlement balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentivize breach reporting altogether. On January 31, 2014, Presence Health reported to the OCR that on October 22, 2013, Presence Health discovered that operating room schedules, which contained the PHI of 836 individuals, were missing. The OCR's investigation revealed that Presence Health failed to notify, within 60 days of discovering the breach, each of the 836 affected individuals, media outlets, and the OCR.
Malware
On June 4, 2013, OCR received notification from UMass regarding a workstation that was infected by malware, which may have resulted in a breach affecting approximately 1,670 individuals. As a result, UMass entered into a settlement for $650,000. The OCR found that UMass failed to:
• include all entities that would meet the definition of a CE or BA in its hybrid entity designation and implement policies accordingly;
• conduct an accurate and thorough risk analysis; and
• implement appropriate firewalls.
Unsecured Wireless Network
In July 2016, Univ. of Mississippi Medical Center ("UMMC") settled with the OCR for $2.75m following a breach involving 10,000 patients. The breach involved a password-protected laptop that went missing from UMMC. OCR identified that ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC's wireless network because users could access an active directory with a generic username and password.
Storage of PHI on Cloud Server (without BAA) Leads to Settlement
Oregon Health & Science University (OHSU) settled with the OCR for $2.7m and a comprehensive three-year corrective action plan. OCR's investigation began after multiple breach reports, including three reports involving unencrypted portable devices. OCR identified evidence of widespread vulnerabilities within OHSU's HIPAA compliance program, including the storage of ePHI of over 3,000 individuals on a cloud-based server without a BAA.
§ OCR noted that OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but these analyses did not cover all ePHI in OHSU's enterprise. Furthermore, while the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities.
§ For example, OHSU also failed to implement a mechanism to encrypt and decrypt ePHI, despite having identified this lack of encryption as a risk.
Business Associate Enters Into Settlement for Stolen iPhone
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) (a management and information technology company for SNFs) entered into a settlement agreement with OCR for $650,000 following a breach involving the theft of an unencrypted iPhone. Only 412 individuals were involved.
Note: This is the first OCR settlement with a business associate.
Other Significant Settlements
§ Complete P.T. settled for $25,000 after posting patient testimonials, including full names and full face images, to its website without obtaining HIPAA authorizations.
§ The University of Washington Medicine settled for $750,000 following a breach caused when an employee downloaded an email attachment containing malicious software.
§ Cornell Prescription Pharmacy settled for $125,000 following notification by the media that the pharmacy disposed of unsecured (i.e., not shredded) documents in an unlocked, open container on the premises, a reminder that paper documents are still a concern.
§ Raleigh Orthopaedic Clinic settled with OCR for $750,000 when it disclosed information of 17,300 patients to a potential business partner (that was transferring films to digital media) without first executing a BAA.
Takeaways
§ The most important thing you need to do to protect your organization is to have a comprehensive, up-to-date Risk Analysis and corresponding Risk Management Plan.
§ Nearly every settlement to date has involved failure to have a comprehensive Risk Analysis and corresponding Risk Management Plan.
§ When the OCR walks through the door, for ANY reason (breach, complaint, audit), the first thing it will request is the Risk Analysis.
Ransomware
• What is Ransomware?
– Ransomware can take different forms, but in essence it denies access to a device or file until a ransom has been paid.
– Not only can ransomware encrypt the files on a workstation, the software is smart enough to travel across your network and encrypt any files located on both mapped and unmapped network drives.
– This can lead to a catastrophic situation whereby one infected user can bring a department or entire organization to a halt.
• Once the files are encrypted, the hackers will display some sort of screen or web page explaining how to unlock the files.
• Paying the "ransom" invariably involves paying a form of e-currency (cryptocurrency) such as Bitcoins.
• Once the hackers verify payment, they provide the "decryptor" software, and the computers start the arduous process of decrypting all of the files.
• New Strains of Ransomware
– Popcorn Time
• Offers free decryption if you infect two others and they pay.
• Still proof of concept.
– Koolava (a.k.a. Nice Jigsaw)
• Offers free decryption if you learn how not to be infected.
• Still work in progress and not high quality code.
• Once the victim reads two articles, the Decrypt My Files button becomes available.
• It will delete all files if the articles are not read.
• New Strains of Ransomware (cont.)
– Goldeneye
• Infects files, then infects the hard drive.
• Potentially forces paying a double ransom.
• Spreads as a fake job application email with a .pdf attachment. The .pdf points the victim to an infected Excel file.
• After file encryption, the machine reboots and looks like it is doing a file system repair. It is actually encrypting.
• After paying the money to decrypt, logging in may demand more to decrypt the file.
– Spora
• Offers an option of future immunity (for a fee).
• No C&C servers, so blocking outbound communication does not help.
• Adds the hidden attribute to files and folders on the desktop, the root of USB drives and the system drive. These files and folders are now hidden by the standard folder options.
• It then makes Windows shortcuts with the same name and icon as the hidden files and folders.
• The Hollywood Presbyterian Medical Center
– In February 2016, the Hollywood Presbyterian Medical Center was hit by a ransomware attack that knocked the hospital's network offline.
– The attack affected the facility's daily operations, as urgent scans, lab work, pharmaceutical needs, and documentation could not be accessed.
– Paid $17,000 in Bitcoins.
• MedStar Health
– In March 2016, one of the country's leading healthcare providers, with a network of ten hospitals and 250 outpatient centers, was affected by a ransomware attack.
– The organization acted quickly and took down all system interfaces to prevent the malware from spreading.
– The ransom was set at 45 Bitcoins (approx. $19,000) with a ten-day deadline, but MedStar was reportedly able to bring the system back online without paying.
• Takeaways
– Experts disagree as to whether or not a company should pay. On one hand, unless you have a powerful computer and a lot of time to spend guessing keys, there is really no way to get your data back unless you pay the ransom.
– However, the Department of Homeland Security tells people not to negotiate with the hackers, as it will encourage more attacks.
– The very best defense against a ransomware attack is to have a backup that is not connected to your machine in any way.
Changes to Substance Abuse Regulations
• March 27, 2017: revised regulations under 42 CFR Part 2 went into effect.
• Expands the requirements of 42 CFR Part 2 to "lawful holders" of substance abuse treatment information (e.g., an individual or entity who has received the information as the result of a Part 2-compliant patient consent (with notice of prohibition on redisclosure), and other entities that legally receive such information without consent).
• Creates new requirements for security of substance abuse treatment information, consistent with HIPAA.
• Establishes requirements for disposition of records by discontinued programs.
• Requires the Notice of Privacy Practices to include contact information to report violations of 42 CFR Part 2.
• Expands the permitted designations allowed in the "to whom" section of the consent for release of substance abuse treatment information.
• Includes a new requirement that consent forms explicitly describe the information to be disclosed (e.g., diagnostic information, medications, etc.).
• Includes a requirement that, if a general designation is used, the provider must be able to provide the patient with a list of individuals to whom the information was provided.
• Loosens the requirements for use of substance abuse treatment information for research, consistent with HIPAA.
• Allows ACOs to access substance abuse treatment information for audit purposes.
Q&A