Current Day HIPAA Compliance

HIPAA (Health Insurance Portability and Accountability Act of 1996) compliance has always been an issue that plagues companies. In many cases, companies are failing to comply with HIPAA, but no action is being taken because the failure is either unknown or hasn’t become an issue yet. In a recent patient record scorecard released by Ciitizen, they found that while patient record access on the patient side is becoming more and more available, HIPAA compliance is currently at approximately 49%. This means that 51% of the roughly 200 companies included in the scorecard attained a score of 2/5 stars or lower. The scorecard found that a majority of these companies failed to honor patients’ right to inspect or obtain a copy of their health information upon request.

The bigger issue with this non-compliance comes when a breach occurs within a company that is still not complying with HIPAA. On November 27, 2019, Sentara Hospitals, based out of Virginia and North Carolina, came to a settlement with the Office for Civil Rights (OCR) for a sum of $2.175 million for failure to notify the OCR and the patients of a breach of patient information. Sentara sent out approximately 577 billing statements to the incorrect addresses; these included patient names, account numbers, and dates of service. Sentara then proceeded to notify a total of eight individuals of the breach. Along with other HIPAA regulatory issues that were found, Sentara settled for the aforementioned amount, a two-year monitoring plan, and the requirement to notify the OCR within 15 days of any potential breach.

Another case, back in September of 2019, involved Bayfront Health, based in St. Petersburg. Bayfront Health failed to provide a mother with access to the fetal heart monitor records of her unborn child. The mother made her first request in October 2017, and in August 2018 she filed a complaint with the OCR about the lack of access. Under HIPAA, patients are guaranteed access to their records within 30 days and for reasonable fees. Bayfront agreed to a corrective action plan similar to Sentara’s, as well as an $85,000 penalty.

Overall, HIPAA compliance is a major issue within the healthcare industry, but luckily we are seeing a massive improvement in the provision of patient information in order to comply with the rules set in place by HIPAA. As we move into 2020 and people become more aware of the importance of cyber security and its surrounding regulations, we will potentially see more healthcare providers complying with HIPAA.

Written by: Michael Smith

Sources:
https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
https://www.ciitizen.com/new-release-of-the-patient-record-scorecard/
https://www.natlawreview.com/article/hipaa-failure-to-report-breach-costs-hospital-2175-million
https://healthitsecurity.com/news/bayfront-health-to-pay-85k-for-possible-hipaa-right-of-access-violation
https://healthitsecurity.com/news/51-providers-still-failing-to-comply-with-hipaa-right-of-access

Ransomware makes patient records inaccessible

Virtual Care Provider (VCP) Incorporated is a company to which health care facilities outsource their information technology needs while also maintaining HIPAA compliance. Services include cloud hosting, networking, client support, security, and more. However, over the last month VCP experienced a ransomware attack.

VCP services a number of clients, including 110 operators of acute care and nursing homes across the United States. This on its own doesn’t seem like a lot, but those operators span approximately 45 states and run around 80,000 computers. The attack involved a strain of ransomware called Ryuk, a type that encrypts data to cut off its users’ access to it. Many times, an exorbitant amount of money is demanded for the return of the encrypted files. In this case, a fourteen-million-dollar ransom had been issued, which VCP reports they can’t afford.

VCP estimates that 20% of their servers have been affected by the attack. According to Brian Krebs from KrebsOnSecurity, who spoke with VCP CEO Karen Christianson, the attack has affected many of the services they provide, such as email, patient records, billing, payroll, and phone systems. One result of these effects was an inability to either view or modify patient records. Unfortunately, this also applied to acute care facilities, making medication distribution and basic patient care more difficult and time consuming, as they can’t order electronically.

Reportedly, the attack began on November 17, 2019 and is still affecting client information and payroll processing for around 150 employees. Currently, VCP is prioritizing the restoration of their Active Directory services, email, eMAR, and EHR applications. They also state that there isn’t yet a time estimate for when the services will be available again, as it depends on the number of affected servers.

Written by Brett Segraves

Citations

  1. https://healthitsecurity.com/news/ransomware-attack-on-it-vendor-disrupts-care-at-110-nursing-homes
  2. https://seniorhousingnews.com/2019/11/27/senior-care-providers-scramble-after-14m-ransomware-attack-hits-tech-firm-vcpi/
  3. https://nakedsecurity.sophos.com/2019/11/28/ransomware-attack-freezes-health-records-access-at-110-nursing-homes/
  4. https://www.healthcareitnews.com/news/ransomware-attack-cloud-vendor-freezes-nursing-home-ehr-data

PCI and the Struggle of Actually Remaining Compliant

PCI compliance is a recently emerging standard that provides a structured and secured framework for handling customer data such as credit card numbers and other payment information. For businesses to collect data online or process credit card transactions, they must be PCI compliant. However, an alarming trend has started to emerge among businesses lately: according to a study done by Verizon, PCI compliance among these businesses has dropped for the second year in a row. In fact, just a third of all global firms are PCI compliant, which means there is a strong possibility that the third-party businesses you are dealing with are not actually certified to handle your data or credit card information. This number is a sharp decrease from the previous year, when 53% of these international businesses were PCI certified.

The lack of certified businesses is alarming for several reasons. For one, there is a greater chance that your data is being handled improperly by such a business, putting your own information at risk. Another reason is that if two-thirds of these businesses are not going to continue to be PCI certified, it does little to encourage the remaining third, who spend the money to remain certified, which could lead to even more of these businesses deciding not to be PCI certified. However, just because businesses are not PCI certified does not necessarily mean it is solely their fault. Getting PCI certified is incredibly hard to do in the first place, and most businesses struggle with remaining PCI certified after obtaining the certification.

In order to get PCI certified, a business must pass 12 broad requirements, 78 base requirements, and then over 400 test procedures. With all these hoops to jump through, it’s no wonder most businesses have recently been deciding to let their PCI compliance lapse. In some cases, the cost and time of getting PCI certified would be more expensive than just dealing with the fallout from a cyber-security breach in the first place. In fact, the punishments for not being PCI compliant are not that steep. Depending on the volume of transactions, the volume of clients, and the PCI level the company falls under, fines can range from $5,000 to $100,000. These are amounts that big companies can make up without any problem. Overall, the PCI system is a great idea and a good attempt at applying a standard for handling customer data and credit card information online, but there are too many hoops for businesses to jump through, which often winds up discouraging its implementation in the corporate world.

Written By Will Harle

Citations

  1. https://www.securityinfowatch.com/cybersecurity/article/21112226/why-pci-compliance-has-become-a-critical-issue
  2. https://www.digitaltransactions.net/pci-compliance-drops-for-the-second-year-in-a-row-verizon-reports/
  3. https://www.infosecurity-magazine.com/news/just-a-third-of-global-firms-are/
  4. https://www.mymoid.com/pci-non-compliance-consequences/

California Consumer Privacy Act – Privacy laws come to the United States

Adding to the growing list of standards bodies with which companies must comply to do business, the California Consumer Privacy Act (CCPA) will go into effect on January 1st, 2020 (that’s less than a month away) and will likely begin enforcement by July 1st, 2020 at the latest. The focus of the bill is on consumers’ rights to control how their information is used and whether or not it is stored, which is very similar to the goals of Europe’s GDPR.

Who has to comply?

This piece of legislation will apply to any company that does business in California, collects consumers’ personal information, and meets one of the following: the company has an annual gross revenue of $25 million, the company makes at least half of its profit from selling consumer personal information, or the company handles the personal information of at least 50,000 consumers. In other words, it applies to pretty much every moderately successful site in existence. There are exceptions to this, mostly for those types of data already covered by existing standards or legislation, such as HIPAA data.

Some view this as an overreach by the California government and harmful to interstate commerce. Whether or not you agree with that sentiment, you can at least agree that this is a bold move by California, and it was certainly intended to encourage the expansion of this policy into other parts of the United States, potentially at the federal level. In fact, several states have already moved to create similar legislation of their own, some being more aggressive than the CCPA.

Companies found in violation are subject to fines, and consumers may have the right to pursue civil suits against companies if they are harmed by misuse of their data.

Consumer Rights Under CCPA

Under the CCPA, consumers have the right to receive notice as to what information companies will be collecting on them. This means we are all probably going to get bombarded with emails again, as was the case with GDPR. The CCPA also requires companies to include this information in their privacy policy, along with the user’s rights under the CCPA and how users can exercise these rights.

This is probably going to happen again with the CCPA, prepare yourselves.

Additionally, consumers have the right to access and delete the data collected on them, and the process for how to do so must be outlined in the privacy policy. Access requests can be made twice a year and must be fulfilled within 45 days. The data must be delivered in a format that is easily transferable and understandable for the consumer, either physically or digitally. The ability of the user to delete their data exists to provide for the consumer’s right to be forgotten. In concept, this sounds simple, but in practice the data will of course probably have been duplicated and distributed in various ways, so it will likely prove impossible to truly delete the data completely.

Consumers have the right to opt out of programs where their data may be sold to third-party entities at any time, and those under the age of thirteen cannot have their information sold unless they opt in with parental consent. This is a big deal, and it will probably have drastic effects on the business models of companies targeted by the clause, including companies which make at least 50% of their gross annual income from the sale of personal information. The bill does allow for different pricing in the case that a user should exercise this right.

Importantly, companies cannot discriminate against users who exercise any of these rights, with the exception of the financial incentive for opting into the data sharing programs. This means that a site cannot deny access to any service based on whether a user has deleted their data, requested it, or opted out of data sharing.

Conclusion

It is great to see that the United States is beginning to catch up to Europe in the field of protecting its citizens’ privacy from abuse by the private sector. I think that this step is necessary if privacy is to exist in any form moving forward as companies wish to collect more and more data so that they can better target our preferences. It will not solve the privacy problem our society is facing by itself, but it is an important step towards taking back some control of our individual privacy as consumers.

It is important not to let our privacy disappear completely.

It is important to note, however, that this is yet another set of regulations and standards that companies must follow on top of the myriad other standards they must meet, such as PCI, HIPAA, et al. If each state puts forth its own version of this law, this only gets more complicated and strenuous for companies. While standardizing practices is a good thing for protecting consumers, it is important that we do not overwhelm companies with heaps of regulations and standards, as putting up too daunting a gate often inspires those who are confronted with it to seek another way around it. Surveys have shown that compliance with some standards has been on a slight decline due to the overwhelming amount that must be followed. We must take great care to make fair policy to which adherence is not too great a burden.

We should be careful not to demand so much as to discourage companies from complying with our standards.

Written by: Daniel Szafran

Apologies for the low-tier memes, I didn’t want to brew up my own at 4AM

Sources and Further Reading

IRMI Summary of CCPA
Comparison of CCPA and GDPR
Copycat CCPA bills
Consumer Rights under CCPA
Concerns on effects to Interstate Commerce
Too Many Regulatory Standards
CCPA Business Checklist