Posts Tagged: HIPAA

Healthcare Ransomware Attack of Mailing Service Exposes Over 20,000 Records

Healthcare entities have a regulatory obligation to protect protected health information (PHI). Compliance also extends to healthcare partners that handle PHI. Unfortunately, cybercriminals are targeting these partners as well as healthcare organizations. A recent healthcare ransomware attack exposed over 20,000 patient records. The hackers seized a mailing service provider’s data using Ryuk ransomware. On January 19, 2021, the company published a press release on the incident.

What Happened?

In May 2019, hackers infected the mailing service provider’s servers with Ryuk ransomware. Ryuk is the work of an eCrime group known as Wizard Spider. Its operators designed it to infiltrate enterprise environments. It works by identifying and encrypting network drives and resources. It also disables the backups. The primary method of infection is phishing. Emails include an infected document. Once it is opened, the hackers are in and begin to harvest admin credentials and move toward critical assets.

The mail printing service received a ransom request from hackers. They demanded money to unlock the servers. Any data on the servers was now unusable. The company did not pay the ransom. They also said they didn’t find evidence of access to customer files. However, they cannot with full certainty say there was not a breach, hence the notification to patients.

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) investigated to determine whether there were any HIPAA violations. The OCR announced there were no violations and closed the case.

Healthcare Ransomware Attack Puts Lens on Business Associates

When any security breach occurs, there are always lessons to learn. The importance of this case is that it wasn’t the healthcare organization attacked—it was a business associate. Any relationships between healthcare entities and vendors that involve PHI access require a HIPAA business associate agreement (BAA).

This agreement means that the vendor will follow HIPAA compliance in handling sensitive information and safeguarding it. That’s a minimum, but you should go beyond that when you choose vendors. Ask these questions:

  • What are your encryption methods?
  • Do you encrypt data both at rest and in transit?
  • Does your staff participate in annual HIPAA compliance training?
  • Have you ever had a breach?
  • Do you back up all data?
  • Who is your data center partner?

You should make these questions part of your process for selecting partners.

What Answers Should You Expect?

With these questions, there are right and wrong answers. Encryption will be a big part, especially confirming that encryption occurs both in transit and at rest. You also need to have a feel for their cybersecurity posture. What proactive measures do they have in place to thwart, identify, and defend against cyberattacks?

Hackers are only becoming more sophisticated. These layers of security will largely be implemented on the data center and cloud side. That’s where the data is, so you need to get the specifics on their co-location partner.

Further, backups and redundancy are critical. In many healthcare ransomware incidents, organizations lose data forever if they don’t pay. Last year, this happened to a Colorado hospital, wiping out five years of patient medical records on its legacy EHR.

A Secure, Compliant Partner for Healthcare

We never like to report on breaches and ransomware. Unfortunately, these things occur in abundance, and the healthcare industry is a top target. We are proud to say we’ve never experienced a breach. Nor have we ever violated HIPAA standards. After over two decades and tens of thousands of healthcare data projects, we understand what it means to be secure and compliant.

Learn more about our data security and HIPAA compliance protocols.

OCR Submits Proposed HIPAA Changes for 2021

The Department of Health & Human Services Office for Civil Rights (OCR) has proposed modifications to the HIPAA Privacy Rule. The OCR drafted these HIPAA changes to improve patient data access, caregiver engagement, and care coordination. OCR sees some aspects of the current rule as inhibitors to value-based care. Those inhibitors, OCR says, create unnecessary burdens around communication and coordination.

In this post, we’ll review the proposed changes and what they mean for healthcare data.

What Are the Proposed HIPAA Changes?

The 357-page document packs in lots of language, so let’s break it down to the following main points:

  • Clarification of patient data access rights, including the right to inspect one’s medical records in person.
  • Shortening of the mandated response time for medical records requests from 30 to 15 days, while also streamlining the patient identity verification process, defining the formats in which a patient can receive his or her medical records, and requiring transparency about the fees charged for them.
  • Third-party access changes requiring providers to enable a more seamless transfer of medical records to other providers or parties at the patient’s request.
  • Removal of “minimum necessary” provisions to strengthen care coordination, enabling disparate providers to have broader access to patient files.
  • Covered entity sharing of patient health information with non-clinical third parties, including social services or community-based services, making it easier to address social determinants of health (SDOH).

In short, the OCR wants to eliminate regulatory barriers that often disrupt healthcare data exchange. Those in charge believe the existing provisions create “unnecessary burdens.”

HIPAA Changes in Line with Interoperability Rule

The rhetoric and reasoning behind the HIPAA changes sound familiar. It’s the same message HHS and CMS sent with the interoperability rule earlier this year. Those rules focused on patient access and defined better paths to accessibility. Interoperability and accessibility have long been the bane of healthcare data. These changes, if finalized, could make further inroads on this problem.

The Impact on the Healthcare Ecosystem

Ultimately, it appears these modifications to HIPAA could improve the patient experience and care. Should they become rule, providers will need to adjust how they provide information to patients: accelerating timelines and informing patients of available formats and costs.

For the healthcare system as a whole, it should improve data sharing. Without regulatory speed bumps, providers could have the information they need sooner. This access could mean the patient receives the right care at the right time. It could also reduce duplicative testing or treatments, which are a huge and avoidable cost burden.

Challenges in sharing data with third parties or other providers persist even under new rules. While meeting the regulatory requirements causes delays, other things do as well. Often patient record exchange doesn’t happen in a timely manner because of bandwidth issues or a lack of ownership. Healthcare IT teams and clinicians share responsibility here, and formal processes may not exist. Healthcare organizations often partner with data management companies like InfoWerks to develop secure, compliant data sharing processes.

Next Steps

The next step for the proposed changes is the period for public comments from stakeholders. We’ll monitor the process and bring you updates on the finalization of HIPAA changes and what they mean to you.

What is a HIPAA Compliant Data Conversion?

As a healthcare organization, you’re well aware of HIPAA and its mandates regarding protected health information (PHI). You likely have processes in place to ensure compliance when sharing, moving, or storing PHI. But what about when you convert data from one platform to another? That process must be a HIPAA compliant data conversion as well.

What makes a data conversion HIPAA compliant? Let’s find out.

The HIPAA Security Rule

The HIPAA Security Rule establishes standards to protect PHI as it is created, received, used, or maintained. Three kinds of safeguards must be in place to do this: appropriate administrative, physical, and technical safeguards. To meet those standards in a data conversion, you, your data conversion provider, and your software vendor must each take certain actions.

HIPAA Compliant Data Conversion Considerations

Before you begin your data conversion, there are several considerations for you and your partners to ensure compliance.

HIPAA Business Associate Agreement

According to the U.S. Department of Health and Human Services (HHS), any individual or entity that accesses PHI on your behalf is a business associate. Thus, you’ll need a HIPAA Business Associate Agreement (BAA) with all parties. Access includes receiving the data by electronic transmission. If a provider you’re considering working with doesn’t begin the conversation about a BAA, this could be a red flag.

Encryption

HIPAA does not explicitly require the use of encryption in PHI transfer. Rather, the HIPAA Security Rule states that the transfer must be secure. Encryption is not a required implementation specification but an “addressable” one. Addressable means that you must implement it if a risk assessment reveals it is necessary, or document why an equivalent alternative is reasonable and appropriate.

Even without specific language, encryption fulfills the technical safeguards requirement. However, not all encryption is the same. HIPAA doesn’t define the type of encryption, so it’s open to interpretation.

The National Institute of Standards and Technology (NIST) recommends using the Advanced Encryption Standard (AES) with 128-, 192-, or 256-bit keys. The number expresses the length of the key used for encryption and decryption. AES with a 256-bit key is the strongest of the three.

Also, keep in mind that the encryption must be end-to-end, protecting the data at rest as well, not just while it is in transit.
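To make the key-length and at-rest points concrete, here is an added example (not code from the original post or from InfoWerks) in Go that encrypts a constructed PHI record with AES-GCM, accepts only the 16-, 24- or 32-byte keys that correspond to AES-128/192/256, and shows that any tampering with the stored ciphertext is detected on decryption. The record, the key and the function names are all assumptions made for this illustration; a real deployment would fetch the key from a key management service rather than hard-coding it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SampleRecord is a constructed PHI record used only for this example; it is not real patient data.
var SampleRecord = []byte(`{"patient_id":"EXAMPLE-0001","dob":"1970-01-01","dx":"J45.909"}`)

// KeySizeBits maps an AES key length in bytes to the key size the post quotes
// (128, 192 or 256 bits). It returns 0 for any length AES does not accept.
func KeySizeBits(key []byte) int {
	switch len(key) {
	case 16, 24, 32:
		return len(key) * 8
	}
	return 0
}

// newGCM builds an AES-GCM AEAD, rejecting keys that are not a valid AES size.
func newGCM(key []byte) (cipher.AEAD, error) {
	if KeySizeBits(key) == 0 {
		return nil, fmt.Errorf("invalid AES key length %d bytes; use 16, 24 or 32", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a record for storage. Output layout: nonce || ciphertext || tag.
// A fresh random nonce is drawn on every call, because reusing a nonce under the
// same key destroys GCM's confidentiality and integrity guarantees.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens a blob produced by Encrypt. GCM checks the authentication tag
// before releasing any plaintext, so a modified blob yields an error instead of
// silently corrupted PHI.
func Decrypt(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// RoundTrip encrypts and decrypts a record and reports whether it survived intact.
func RoundTrip(key, record []byte) (bool, error) {
	blob, err := Encrypt(key, record)
	if err != nil {
		return false, err
	}
	out, err := Decrypt(key, blob)
	if err != nil {
		return false, err
	}
	return bytes.Equal(out, record), nil
}

func main() {
	// Constructed 32-byte key (AES-256) for the demo only.
	key := bytes.Repeat([]byte{0x42}, 32)
	fmt.Printf("key size: AES-%d\n", KeySizeBits(key))

	ok, err := RoundTrip(key, SampleRecord)
	fmt.Printf("round trip intact: %v (err=%v)\n", ok, err)

	// Flip one byte of the stored blob and show that decryption now fails.
	blob, _ := Encrypt(key, SampleRecord)
	blob[len(blob)-1] ^= 0x01
	_, err = Decrypt(key, blob)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)

	// A 20-byte key is not an AES key size and is refused up front.
	_, err = Encrypt(make([]byte, 20), SampleRecord)
	fmt.Printf("20-byte key rejected: %v\n", err != nil)
}
```

The design point worth noting is the use of an authenticated mode: plain AES in CBC or ECB mode would keep a record confidential but would not tell you that a stored file had been altered, whereas the GCM tag turns tampering into a detectable error that can be logged and investigated.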

Two-Factor Authentication

When your BAA partners access your PHI, they should employ two-factor authentication. This adds another layer of security. Access will require more than just a password. An additional PIN or other piece of information is necessary to retrieve the data.

HIPAA Awareness and Training

It’s a good idea to make sure your partners know more about HIPAA than just how to send you the BAA. Ideally, they’ll have compliance experts on staff who monitor the operations of your data conversion. It’s also a best practice for their employees to participate in yearly HIPAA compliance training.

Data Center Certifications

Your data conversion provider uses colocation data centers to store data in its cloud. Everything’s in the cloud now, no longer on physical servers on-site. However, you need to know about the certifications and security protocols of the data center. Ideally, the certifications will be more robust than just HIPAA compliance, such as HITRUST CSF, SOC 1 and SOC 2 Type 2, and NIST 800-53. Inquire about this during an initial discussion.

Data Breaches and HIPAA Violations

Data breaches in healthcare are, unfortunately, an ongoing concern. Even with HIPAA compliant practices, an incident can still occur. It’s a good idea to ask about any previous data breaches and whether they were the result of a HIPAA violation.

Have Questions about a HIPAA Compliant Data Conversion?

If you still have questions regarding a HIPAA compliant data conversion, you can contact our experts. Also, check out the data security protocols we have in place, which go above and beyond HIPAA requirements.