Category: HIPAA News

It has been indicated by the Verizon Mobile Security Index 2019 report that 25% of healthcare organizations have experienced a security breach which involved a mobile device in the past 12 months.

Despite all businesses facing similar risks from mobile devices, it appears that healthcare organizations are addressing risks better than most other industry sectors. Out of the eight industry sectors that were surveyed, healthcare experienced the second lowest number of mobile security incidents, just behind manufacturing/transportation.

Healthcare mobile security breaches have fallen considerably in the past couple of years. Since 2017, 35% of surveyed healthcare organizations claimed they had experienced a mobile security breach in the past 12 months.

Although the figures suggest that healthcare organizations are getting better at protecting mobile devices, Verizon argue that may not necessarily be what is happening. A suggested explanation is that healthcare organizations may simply be struggling to identify security incidents involving mobile devices.

Out of all the healthcare organizations surveyed, 85% believed that their security defenses were effective. What’s more, 83% said they believed they would be able to detect a security incident quickly. That confidence may be misplaced as 25% of healthcare organizations have suffered a breach involving a mobile device and 80% of those entities were made aware of the breach from a third party.

As mobile devices are used regularly to access or store ePHI, a security incident could easily result in a breach of ePHI. 67% of all healthcare mobile security incidents were considered major breaches. From those breaches, 40% had significant lasting repercussions and, in 40% of cases, it was said to be difficult and expensive to remediate the situation.

67% of mobile device security incidents involved other devices being compromised, 60% of organizations said they experienced downtime as a result of the breach, and 60% said it resulted in the loss of data. 40% of healthcare organizations that suffered such a breach said multiple devices were compromised, downtime was experienced, and they lost data. 30% of breached entities said that cloud services had been compromised due to a mobile security breach.

The main security risks were seen to be related to how devices were used by employees. 53% of respondents claimed personal use of mobile devices posed a major security risk and 53% said user error was also a significant problem.

Out of all the healthcare organizations that were surveyed, 65% were less confident about their ability to protect mobile devices than other IT systems. Verizon claims that this could be partly explained by the lack of effective security measures in place. An example of this can be seen with just 27% of healthcare organizations using a private mobile network and only 22% having unified endpoint management (UEM) in place.

It was also confirmed from the survey that users are taking major risks and are breaching company policies. Across all industries, 48% of respondents said in order to get tasks completed, they sacrificed security. This percentage was only at 32% last year. 81% admitted to using mobile devices to connect to public Wi-Fi, despite the fact that in many cases doing so violates their company’s mobile device security policy.

The following four industry sectors – hospitals, banks, market infrastructure providers, and securities firms – face significant financial risks from cyberattacks, a new Moody’s Investors Service Report has revealed.

Those four sectors were discovered to have high risk of being exposed to cyberattacks. The four sectors are all heavily reliant on technology for daily operations, distribution of content, and customer engagement. An ever-increasing digitalization and interconnectedness within each sector and across different sectors means the risk of cyberattacks is also increasing.

In Moody’s report, they assessed vulnerability to a cyberattack and the impact such an attack could have on crucial businesses operations, reputation damage and disclosure of data. Cybersecurity measures that had been deployed to protect the company against cyberattacks were not taken into account for the report, unless mitigants had been applied consistently across each sector (e.g. supply chain diversity). In total, 35 broad industry sectors were assessed for the report and each were given a rating of low-risk, medium-risk, or high-risk.

The health insurance, pharmaceutical, and medical device industries were all placed in the medium-risk category. Hospitals were rated at high-risk, with the main reasons being the sensitive and essential nature of data used by hospitals, the increasing number of vulnerabilities introduced due to connected medical devices, the value of healthcare data to hackers, and the estimated time it would take to recover from an attack as well as the disruption to the business during the mitigation of an attack.

A successful cyberattack can prove costly to mitigate. Entities which have been breached must increase investment in technology and infrastructure,  pay higher insurance premiums, cover the cost of regulatory fines and litigation, increase R&D spending. What’s more these attacks can have serious reputational effects, such as higher customer churn rates and a creditworthiness reduction.

“We view cyber risk as event risk that can have material impact on sectors and individual issuers,” stated Derek Vadala, Moody’s Managing Director. “Data disclosure and business disruption are the two primary types of cyber event risk that we view as having the potential for material impact on issuers’ financial profiles and business prospects.”

As the financial impact of a cyberattack can be substantial and long-lasting, it is vital for businesses and organizations in the high-risk sectors to have “robust sources of liquidity” to weather the storm.

While larger hospitals are likely to have more financial resources to assign to mitigating threats and recovering from cyberattacks, they are still not immune to attack. Even with these resources, they can still suffer a significant financial impact, particularly when you consider the fact that many hospitals have not purchased cyber insurance due to the high cost.

Cyberattacks on businesses and organizations in high-risk sectors have the potential to be catastrophic. This ultimately could have an impact on the ability of breached entities to pay back debts. The four high-risk industry sectors mentioned above hold a combined $11.7 trillion in rated debt.

Not only do they result in considerable financial costs and damage to an entity that is attacked, cyberattacks in the high-risk sectors would also likely have a number of ripple effects and a far-reaching impact on other industry sectors.

A new bill (the Data Privacy Act) has recently been introduced by Nevada Senator Catherine Cortez Masto, (D-NV). This bill calls for improved privacy protections for consumers, greater accountability and transparency for data collection practices, and the prohibition of discriminatory data practices.

It is currently a requirement for HIPAA-covered entities to obtain consent from patients before using or disclosing their health information for reasons other than the payment for healthcare, provision of healthcare, or for healthcare operations. With this being said, companies not bound by HIPAA Rules do not have the same restrictions in place.

A number of states are considering introducing or have already introduced laws covering health and other sensitive data collected by entities that are not covered by HIPAA in the absence of a federal law that provides such protections. While Congress is assessing privacy protections for consumers, patchwork of state laws are currently the main providers of protection. As a result of this, privacy protections can vary greatly depending on where the consumer lives.

The bill, The Digital Accountability and Transparency to Advance Privacy (DATA Privacy) Act, calls for data privacy protections similar to that in place for GDPR to be introduced to limit the collection of personal data, to protect data that is collected, and to prevent personal data from being used to discriminate against individuals.

If the Data Privacy Act is passed, it will see consumers being given more of a say about the types of information that are collected, how this information is used, and with who the information is shared with.

The Data Privacy Act will also call for companies to provide consumers with an option of opting in or out of the collection and sharing of sensitive data, such as genetic information, location data and biometric data.

Consumers have a right to be told what information will be collected, how  the company plans to use the information, and with whom the information will be shared. The company must also create a process that allows consumers to check the accuracy of their data, to request a copy of any information that has been collected, and to be provided with the option of transferring or deleting their data without any negative effects.

Restrictions will also be implemented in terms of the data that can be collected. It will only be permitted for companies to collect data if there is a legitimate business reason for doing so. Additionally, individuals whose data is collected must not be exposed to unreasonable privacy risks. The bill also aims to protect consumers from discriminatory targeted advertising practices based on information they give such as sex, gender, sexual orientation, race, nationality, religious belief, or political affiliation.

It would also be necessary for any company that collects the personal data of more than 3,000 individuals in a calendar year to provide consumers with a notice of their privacy policies that clearly explains how their data will be used.

Furthermore, any business with annual revenues in excess of $25 million will also be required to appoint a Privacy Officer. His/her responsibilities will include tasks such as training staff on data privacy.

The FTC and state attorneys general will be given the authority to enforce compliance with the new Act and financial penalties will be issued to companies who are found not to be in compliance.

The intention of the Data Privacy Act is to improve privacy protections for consumers without placing any unnecessary burden on small businesses.

In a statement released in relation to the new ACT, Senator Cortez Masto said “My legislation takes a proactive approach to protecting consumer data by ensuring Americans have a voice in how their consumer data is used. I’m proud to introduce this legislation with my colleagues and will continue this fight to strengthen consumer privacy and data security.”

A bill that expands the types of personal information that require notifications to be sent to consumers in the event of a data breach occurring has been unanimously passed by the New Jersey Assembly.

Up to now it has been required by New Jersey breach notification laws that businesses and public entities must send notifications to consumers if there has been a breach of their Social Security number, driver’s license number, or bank account number or credit/debit card information if they are accompanied with a password or code that enables access to the account.

The amendment to the New Jersey data breach notification requirements of the Consumer Fraud Act will see an expansion of the definition of personal information to include usernames and email addresses along with a password or answers to security questions that would allow accounts to be accessed.

This bill (A-3245) was sponsored by Ralph Caputo (D-Essex) and was recently passed by the Senate by a 37-0 vote and by the Assembly by a 76-0 vote. A bill which was almost identical (S-52) was passed by the Senate and Assembly in 2018, however it was not signed by the state governor at the time, Chris Christie. It is expected that current state governor Phil Murphy will sign the bill.

The bill closes a gap in current laws which would enable businesses to avoid notifying consumers of breaches of their online information. If online accounts are accessed or compromised, criminals can gain access to a variety of sensitive information that can be used for identity theft and fraud. Consumers have the right to be made aware if an online account can be accessed by someone else as a result of a data breach so they can take steps to secure their accounts.

Once the new bill is passed, breach notifications can be mailed to consumers or electronic notices can be provided. A substitute breach notice can be issued if more than 500,000 individuals have been affected or if the cost of providing notices would cost in excess $250,000. In such events, breach victims should be emailed promptly, and a notice should be posted in a prominent position on the company’s website.

However, a business or public entity that furnishes an email account is prohibited from issuing email notifications to breached accounts and must use a different means to deliver notices. An example of such a method could be providing a notice that is clearly visible when the user logs into their account from an IP address or location that has previously been used by the user to access their account.

A fine of up to $10,000 can be placed on any business or public entity found to have willfully violated state data breach notification laws and up to $20,000 for any subsequent offenses after the first. Furthermore, for individuals who have suffered ascertainable losses as a result of a data breach, there is now also a private right of action available.

Sensitive health data is collected by Facebook from third party apps, even if the user has not logged in via Facebook or doesn’t even own a Facebook account according to a recent analysis of Facebook’s data collection practices.

Private information such as heart rate data, blood pressure measurements, menstrual cycle data, and other health metrics are handed over to Facebook, often without the user’s knowing or any specific disclosure that data provided by users or collected directly by apps are shared with the social media platform.

The Wall Street Journal recently conducted an investigation which tested various health-related apps. Although it was known that some of those apps send data to Facebook about when they are used, just how much data sharing that was occurring was not well understood. It was revealed by the report that 11 popular smartphone apps have been handing over sensitive data to Facebook without any apparent consent obtained from users.

On one particular app, Flo Period & Ovulation Tracker, dates of a user’s last period are shared with Facebook and the predicted date when the user is ovulating. Similarly, the Instant Heart Rate: HR Monitor App in the Apple iOS store was discovered to send users’ heart rate information to Facebook right after it is recorded. Neither of these apps or any others that were found to be sharing sensitive data with Facebook appeared to offer users a way of opting out of having their data shared.

The WSJ report notes that while the data sent by these apps may be anonymous, Facebook have a method of matching the information with a particular Facebook user and use the data to target specific ads.

The WSJ made contact with Facebook in relation to the report and received a reply confirming that some of the apps cited in the report appeared to be violating its business terms and that the social media platform does not authorize app developers to share “health, financial information or other categories of sensitive information,” and that the responsibility lies with the app developers to be clear to their users about the information that is being shared. A Facebook spokesperson also spoke to Reuters, saying “we also take steps to detect and remove data that should not be shared with us.”

Investigation of Facebook Instructed by New York Governor

New York State Governor Andrew M. Cuomo issued a press release on Friday, February 22, 2019, stating that he has instructed the Department of Financial Services and the Department of State to investigate how Facebook is acquiring health data and other sensitive information from developers of smartphone apps and the alleged breaches of Facebook’s own business terms and privacy violations.

Cuomo also said that if WSJ’s findings are correct, it amounts to “an outrageous abuse of privacy.”

Cuomo is determined to ensure companies are held responsible for upholding the law and ensuring the sensitive data of smartphone users is kept private and confidential. Personal data should not be shared with other companies without the clear consent of users.