GW-GWTDOCS-#4398954-v1-HIMSS - Significant Developments in Healthcare
Source: nys.himsschapter.org/sites/himsschapter/files/GW...
Significant Developments in Healthcare
Presented by: Karen Painter Randall, Partner, Connell Foley LLP; Stacey L. Gulick, Partner, Garfunkel Wild, P.C.
Recent Enforcement Actions
What Are the Concerns? (Just a reminder)
§ Civil Monetary Penalties
§ Criminal Penalties
§ Private Rights of Action (there is no private right of action under HIPAA, but the courts have said that violation of HIPAA can be used to prove other claims such as negligence)
§ Class Action Suits
§ Costs of an OCR Investigation
Largest Settlements to Date (Failure to Terminate Employee Access)
On February 16, 2017, the OCR announced that, as a result of failing to remove access upon termination of an employee, Memorial Healthcare System (MHS) paid the OCR $5.5 million. MHS operates hospitals and a variety of ancillary healthcare facilities in Florida. In addition, MHS is affiliated with physician offices through an OHCA. MHS reported to the OCR that the PHI of 115,143 individuals had been impermissibly accessed and disclosed. The login credentials of a former employee of an affiliated physician's office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. The OCR specifically noted that (1) MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users' right of access, and (2) failed to audit computer system activity, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.
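An added example (not from the deck or either firm) of the access-review check the OCR faulted MHS for lacking: it reconciles a constructed HR termination list against constructed login records and flags accounts that keep authenticating after their termination date. The log format, field names and the "access ends at end of termination day" rule are assumptions.

```python
# Added example, not part of the HIMSS deck. Reconciles an HR termination
# list against authentication log lines and flags any successful login by
# an account after its owner's termination date. All data is constructed;
# the log format and field names are assumptions.
from collections import defaultdict
from datetime import date

# Constructed HR feed: account -> termination date (None = still employed).
TERMINATIONS = {
    "jdoe": date(2011, 3, 31),   # former affiliated-office employee
    "asmith": None,
    "bjones": date(2011, 9, 15),
}

# Constructed auth log: "<YYYY-MM-DD> <HH:MM> LOGIN_OK user=<acct> src=<host>"
AUTH_LOG = """\
2011-04-01 08:02 LOGIN_OK user=jdoe src=ws-clinic-07
2011-04-01 08:10 LOGIN_OK user=asmith src=ws-hr-02
2011-04-02 07:58 LOGIN_OK user=jdoe src=ws-clinic-07
2011-09-15 17:45 LOGIN_OK user=bjones src=ws-billing-01
2011-09-16 09:01 LOGIN_OK user=bjones src=ws-billing-01
2012-04-30 08:05 LOGIN_OK user=jdoe src=ws-clinic-07
"""

def parse_line(line):
    """Return (date, account, source host) for one constructed log line."""
    day, _time, _event, user, src = line.split()
    return date.fromisoformat(day), user.split("=", 1)[1], src.split("=", 1)[1]

def post_termination_logins(log_text, terminations):
    """Group successful logins that occur strictly after the account's
    termination date. A login on the termination day itself is allowed
    (assumption: access is removed at the end of that day)."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, account, src = parse_line(line)
        term = terminations.get(account)
        if term is not None and day > term:
            findings[account].append((day, src))
    return dict(findings)

def summarize(findings):
    """Per flagged account: number of logins and first/last date seen."""
    return {
        acct: {"logins": len(ev), "first": min(d for d, _ in ev),
               "last": max(d for d, _ in ev)}
        for acct, ev in findings.items()
    }

if __name__ == "__main__":
    for acct, s in summarize(post_termination_logins(AUTH_LOG, TERMINATIONS)).items():
        print(f"{acct}: {s['logins']} logins after termination, {s['first']} .. {s['last']}")
```

Run against a real HR feed and authentication log, the same comparison is the periodic access review that would have surfaced a former employee's daily logins long before a year had passed.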
Largest Settlements to Date
In August 2016, Advocate Health Care Network (Advocate) entered into a settlement with the OCR to pay $5.55 million and adopt a corrective action plan. The investigation occurred after Advocate reported three large breaches (involving different Advocate entities). The OCR alleged that Advocate failed to:
§ conduct an accurate and thorough risk analysis of all of its facilities, equipment, applications and data systems;
§ limit physical access to its electronic information systems;
§ obtain a BAA from a vendor that had access to PHI, resulting in impermissible disclosure of ePHI; and
§ reasonably safeguard the ePHI when an AMG workforce member left an unencrypted laptop in an unlocked vehicle.
Lack of Timely Breach Notification
In January 2017, the OCR announced the first HIPAA settlement based on the untimely reporting of a security breach: Presence Health agreed to pay $475,000 and implement a corrective action plan. The OCR claims that this settlement balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentivize breach reporting altogether. On January 31, 2014, Presence Health reported to the OCR that on October 22, 2013, Presence Health discovered that operating room schedules, which contained the PHI of 836 individuals, were missing. The OCR's investigation revealed that Presence Health failed to notify, within 60 days of discovering the breach, each of the 836 affected individuals, media outlets, and the OCR.
Malware
On June 4, 2013, OCR received notification from UMass regarding a workstation that was infected by malware, which may have resulted in a breach affecting approximately 1,670 individuals. As a result, UMass entered into a settlement for $650,000. The OCR found that UMass failed to:
• include all entities that would meet the definition of a CE or BA in its hybrid entity designation and implement policies accordingly;
• conduct an accurate and thorough risk analysis; and
• implement appropriate firewalls.
Unsecured Wireless Network
In July 2016, Univ. of Mississippi Medical Center ("UMMC") settled with the OCR for $2.75m following a breach involving 10,000 patients. The breach involved a password-protected laptop that went missing from UMMC. OCR identified that ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC's wireless network because users could access an active directory with a generic username and password.
Storage of PHI on Cloud Server (without BAA) Leads to Settlement
Oregon Health & Science University (OHSU) settled with the OCR for $2.7m and a comprehensive three-year corrective action plan. OCR's investigation began after multiple breach reports, including three reports involving unencrypted portable devices. OCR identified evidence of widespread vulnerabilities within OHSU's HIPAA compliance program, including the storage of ePHI of over 3,000 individuals on a cloud-based server without a BAA.
Storage of PHI on Cloud Server (without BAA) Leads to Settlement
§ OCR noted that OHSU performed risk analyses in 2003, 2005, 2006, 2008, 2010, and 2013, but these analyses did not cover all ePHI in OHSU's enterprise. Furthermore, while the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities.
§ For example, OHSU also failed to implement a mechanism to encrypt and decrypt ePHI, despite having identified this lack of encryption as a risk.
Business Associate Enters Into Settlement for Stolen iPhone
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) (a management and information technology company for SNFs) entered into a settlement agreement with OCR for $650,000 following a breach involving the theft of an unencrypted iPhone. Only 412 individuals were involved.
Note: This is the first OCR settlement with a business associate.
Other Significant Settlements
§ Complete P.T. settled for $25,000 after posting patient testimonials, including full names and full face images, to its website without obtaining HIPAA authorizations.
§ The University of Washington Medicine settled for $750,000 following a breach caused when an employee downloaded an email attachment containing malicious software.
§ Cornell Prescription Pharmacy settled for $125,000 following notification by the media that the pharmacy disposed of unsecured (i.e., not shredded) documents in an unlocked, open container on the premises, reminding us that paper documents are still a concern.
§ Raleigh Orthopaedic Clinic settled with OCR for $750,000 when it disclosed information of 17,300 patients to a potential business partner (that was transferring films to digital media) without first executing a BAA.
Takeaways
§ The most important thing you need to do to protect your organization is to have a comprehensive, up-to-date Risk Analysis and corresponding Risk Management Plan.
§ Nearly every settlement to date has involved failure to have a comprehensive Risk Analysis and corresponding Risk Management Plan.
§ When the OCR walks through the door, for ANY reason (breach, complaint, audit), the first thing it will request is the Risk Analysis.
Ransomware
• What is Ransomware?
  – Ransomware can take different forms, but in essence it denies access to a device or file until a ransom has been paid.
  – Not only can ransomware encrypt the files on a workstation, the software is smart enough to travel across your network and encrypt any files located on both mapped and unmapped network drives.
  – This can lead to a catastrophic situation whereby one infected user can bring a department or an entire organization to a halt.
Ransomware
• Once the files are encrypted, the hackers will display some sort of screen or web page explaining how to unlock the files.
• Paying the "ransom" invariably involves paying a form of e-currency (cryptocurrency) such as Bitcoins.
• Once the hackers verify payment, they provide the "decryptor" software, and the computers start the arduous process of decrypting all of the files.
Ransomware
• New Strains of Ransomware
  – Popcorn Time
    • Offers free decryption if you infect two others and they pay.
    • Still proof of concept.
  – Koolova (a.k.a. Nice Jigsaw)
    • Offers free decryption if you learn how not to be infected.
    • Still a work in progress and not high quality code.
    • Once the victim reads two articles, the Decrypt My Files button becomes available.
    • It will delete all files if the articles are not read.
Ransomware
• New Strains of Ransomware (cont.)
  – Goldeneye
    • Infects files, then infects the hard drive.
    • Potentially forces paying a double ransom.
    • Spreads as a fake job application email with a .pdf attachment. The .pdf points the victim to an infected Excel file.
    • After file encryption, the machine reboots and looks like it is doing a file system repair. It is actually encrypting.
    • After paying the money to decrypt, logging in may demand more to decrypt the file.
Ransomware
• New Strains of Ransomware (cont.)
  – Spora
    • Offers an option of future immunity (for a fee).
    • No C&C servers, so blocking outbound communication does not help.
    • Adds the hidden attribute to files and folders on the desktop, the root of USB drives and the system drive. These files and folders are now hidden by the standard folder options.
    • It then makes Windows shortcuts with the same name and icon as the hidden files and folders.
Ransomware
• The Hollywood Presbyterian Medical Center
  – In February 2016, the Hollywood Presbyterian Medical Center was hit by a ransomware attack that knocked the hospital's network offline.
  – The attack affected the facility's daily operations, as urgent scans, lab work, pharmaceutical needs, and documentation could not be accessed.
  – Paid $17,000 in Bitcoins.
Ransomware
• MedStar Health
  – In March 2016, one of the country's leading healthcare providers, with a network of ten hospitals and 250 outpatient centers, was affected by a ransomware attack.
  – The organization acted quickly and took down all system interfaces to prevent the malware from spreading.
  – The ransom was set at 45 Bitcoins (approx. $19,000) with a ten-day deadline, but MedStar was reportedly able to bring its systems back online without paying.
Ransomware
• Takeaways
  – Experts disagree as to whether or not a company should pay. On one hand, unless you have a powerful computer and a lot of time to spend guessing keys, there is really no way to get your data back unless you pay the ransom.
  – However, the Department of Homeland Security tells people not to negotiate with the hackers as it will encourage more attacks.
  – The very best defense to prevent a ransomware attack is to have a backup that is not connected to your machine in any way.
Changes to Substance Abuse Regulations
• March 27, 2017: revised regulations under 42 CFR Part 2 went into effect.
• Expands the requirements of 42 CFR Part 2 to "lawful holders" of substance abuse treatment information (e.g., an individual or entity who has received the information as the result of a Part 2-compliant patient consent (with notice of prohibition on redisclosure) and other entities that legally receive such information without consent).
Changes to Substance Abuse Regulations
• Creates new requirements for security of substance abuse treatment information, consistent with HIPAA.
• Establishes requirements for disposition of records by discontinued programs.
• Requires the Notice of Privacy Practices to include contact information to report violations of 42 CFR Part 2.
Changes to Substance Abuse Regulations
• Expands the permitted designations allowed in the "to whom" section of the consent for release of substance abuse treatment information.
• Includes a new requirement that consent forms explicitly describe the information to be disclosed (e.g., diagnostic information, medications, etc.).
• Includes a requirement that, if a general designation is used, the provider must be able to provide the patient with a list of individuals to whom the information was provided.
Changes to Substance Abuse Regulations
• Loosens the requirements for use of substance abuse treatment information for research, consistent with HIPAA.
• Allows ACOs to access substance abuse treatment information for audit purposes.
Q&A