The CyberPHIx Roundup: Industry News & Trends, 3/4/20

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Recent third-party vendor ransomware events impacting healthcare providers
  • Insider threats and cases of unauthorized access to patient information and related criminal charges; discussion of approaches for monitoring for insider threats
  • Major themes from the last year of OCR fines and settlements and projections for the rest of this year for OCR enforcement

Brian Selfridge: [00:00:08] Good day and welcome to the CyberPHIx healthcare security roundup. Your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices specifically for the healthcare industry. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our CyberPHIx interviews with leading healthcare security, privacy, and compliance leaders at or on your favorite podcast hosting platform. Just search for CyberPHIx and you can find it. 


Brian Selfridge: [00:00:33] So let's dive into this week's episode. So first off, I'd like to start with a story that is becoming all too familiar, a theme, unfortunately, around ransomware. However, we're going to talk about third-party risk and third-party ransomware. So there was a New York-based healthcare provider called Personal Touch Home Care that notified 157,000 patients this past week that their information may have been exposed in a ransomware attack targeting their third-party business associate called Crossroads Technology. Now, Crossroads provides cloud-hosted services for the covered entity. We're not exactly sure what they do for them. It wasn't crystal clear, but they were hosting patient information, including Social Security numbers and health insurance information, and the like. So this case, in particular, brings to mind the Nuance breach from last year or the year before last year, I think, where the Nuance transcription services company that's used by most health systems across the country had a ransomware attack that impacted multiple covered entities. And we've seen even lawsuits come out after the fact with that one and with others, where covered entities are levying lawsuits against business associates that have had ransomware attacks. In this case, the ransomware went over the VPN. This is the Nuance thing. And traversed the network and then infected systems on the covered entity side. But you also have cases like this Personal Touch Home Care one, just this past week, where it wasn't a matter of the ransomware infecting, but the business associate breached the actual patient information. So we're seeing a trend of these ransomware attacks having sort of multi-ripple effects down the line to covered entities. 


Brian Selfridge: [00:02:17] And third-party risk management is going to continue to be the most prominent focus area for healthcare entities for the next several years in my view. OCR is still really paying attention to third-party risk, as well as just business associate compliance in general. This is business associate inventories and risk management and the like. So expect to see more ransomware. Expect to see more third-party risk-related risks, including ransomware, including other breaches. So I found that one to be particularly interesting this week. 


Brian Selfridge: [00:02:44] I also want to talk about a case this week around an insider threat phenomenon that has been going on forever. And I think anybody that's been working in the healthcare provider space or otherwise can count on their hands and toes and more, in some cases, instances where unauthorized access is happening within the internal organization to patient information. In this case, there was a former employee of ACM Global Laboratories, which is part of Rochester Regional Health, who ended up getting criminally cited for being accused of accessing the medical records of a patient without authorization on hundreds of occasions, trying to find out information that could be used in a child custody battle. 


Brian Selfridge: [00:03:30] So the city of Rochester is not having a great year, by the way. The University of Rochester Medical Center was fined three million dollars in November this past year of 2019 by OCR for HIPAA violations related to unencrypted laptops, USBs, failure to conduct an adequate enterprise risk analysis, which is very common, and several other control deficiencies. And we'll talk about OCR stuff again in a minute. But back to this case of the employee accessing records for their own benefit and becoming criminal. I actually had a similar case when I was a security officer for a health system years ago, where we became aware of a workforce member that had accessed records inappropriately. And the only way that was discovered was in court, where the individual provided information that could have only been identified through accessing the patient record itself. So it's sort of a backward trail, where you see the courts getting involved in a domestic case, in this case as well, similar to the one for ACM Global Laboratories of Rochester. So these are all too often happening. And that was sort of one of the first ones I'd seen, years ago. And then I've since seen countless other cases that have a similar flavor. You know, an ex-spouse or a custody battle is very common for these inappropriate accesses. 


Brian Selfridge: [00:04:52] So if you don't already have access to one of the cool privacy auditing software capabilities that are out there now, this space has gotten so much better over the years. So you have software like Protenus, Iatric, FairWarning, just to name a few, that really have pretty clever technologies that can plug into your electronic health record and other systems and identify when people are snooping around, and be able to automate some of that grunt work of digging through a lot of logs. But OCR is very tuned in to this, as are many healthcare entities on an increasing basis. So make sure you have some auditing process in place that can discover this stuff, or using some of the security tools that have come out is also a great, great way to get ahead of that. 


Brian Selfridge: [00:05:36] And the last area that I want to focus on today is just around sort of looking back on the OCR investigation and audit trends from this past year without going case by case. I think there are some very, very clear themes that continue to be cropping up with the settlement agreements and the investigations that we've seen that have become public. And I want to just highlight a few themes because there are still some misconceptions around this stuff that I continue to run into in conversations with clients. So I just wanted to make sure everybody's talking the same language here. 


Brian Selfridge: [00:06:09] So some big themes are certainly making sure that the enterprise risk analysis required by the HIPAA security rule is conducted in a thorough and comprehensive way. So anywhere that patient information exists, making sure that that information is included in the scope for the enterprise risk analysis, making sure you're identifying the threats, the vulnerabilities, the likelihood of impact, all that good stuff that OCR has been talking about for years. So just to differentiate between looking at HIPAA more as a sort of checklist kind of approach, one item on that checklist is doing enterprise risk analysis, looking for patient information, driving corrective action plans, and tracking risk registers and corrective action plans coming out of it. So I still see some confusion around that from time to time. Really important to get that risk analysis done correctly. As we saw with the case with the University of Rochester, as we've seen with just really almost most of the settlements over the last couple of years, they have had that included as an element. We're still seeing a lot of addressable controls, like encryption of laptops, USBs, mobile devices, the same old story there. I won't go too deep into it. We talked about business associate management earlier with the case with Personal Touch Home Care and their cloud provider. But that business associate inventory and business associate risk management is still a top-cited concern for OCR, an area that they've been delving into. So I want to pay attention to that. 


Brian Selfridge: [00:07:37] I've also seen a number of issues with timely breach reporting and resolution. So according to the breach notification rules, there are specific timelines around getting those notifications out to OCR. So I want to make sure you're paying attention to those. We've seen several cases related to that. And then, of course, other HIPAA security rule violations and implementation issues, both technical, procedural, administrative things, often going back multiple years. The OCR comes in, they'll do their audit based on whatever breach was reported, whatever reason they showed up. But it's really about looking back at whether the organization was doing the right things from a HIPAA security rule perspective for multiple years prior, going back six-plus years most of the time. And just as a reminder, you don't get a whole lot of time to prep for this stuff when the OCR comes investigating. Yet traditionally, you get 10 days to respond to their initial inquiry, where you've got to produce documentation, you've got to produce all this good stuff. So if you haven't done those mock OCR audits, or if you don't have a crystal clear plan of how well you'd be able to respond to provide the information to an OCR audit and whether or not you've got all those control areas covered or not, the mock OCR audits can really help with that. And just as a side note, you know, we work with OCR in a HIPAA expert witness firm capacity. So we've seen an uptick in communication from them, you know, within the last several months. And, you know, we expect to see more cases coming soon, unfortunately. And you can look at the OCR breach wall of shame. You can look at the list of settlements that continue to pop up, several a month, and expect to see that trend continuing. So lots more coming on all of that. I thought some of those cases might be interesting to you. 


Brian Selfridge: [00:09:32] But we'll wrap it up for now, and we'll catch you up on some more news in the weeks to come. So really appreciate you checking in with us. And we would love to hear from you if you have any questions or comments. Feel free to reach out to us at CyberPHIx, [email protected]. So long, and thanks for everything you do to keep our healthcare systems and organizations safe.