HIPAA law was made to protect your health data. But increasing data breaches often raise questions. Learn what HIPAA regulations mean to your privacy.

HIPAA stands for Health Insurance Portability and Accountability Act. Back in 1996, the ever-charming president Bill Clinton signed the papers to enact HIPAA law. The law aims to protect patient’s right to privacy through a secured electronic transmission and storage of health data.

It won’t be an exaggeration if we say the HIPAA regulations came into existence at the right time. In fact, this was the same time patient information began to take a leap from papers to computers.

Before we dig deeper to reveal the current status of HIPAA law, it is of paramount importance that we first learn what it means. After reading this article, you will have insight of HIPAA law, related rules, and what you can do to keep your data safe. Read the rest of this post.

Many organizations, especially in the healthcare industry, have an urgent need to send important and sensitive information, like protected health information (what constitutes PHI?), to organizations via FAX (facsimile).

Why?  Because this is how it has always been done, and everyone is “set up” to be able to handle FAXes quickly and efficiently.

Go back in time 10-15 years.  Every doctor’s office and small business had one or more FAX machines for sending documents and pictures back and forth.  It was essential technology that became ingrained into business processes through constant, repetitive use.  Everyone knows how to use a FAX machine, even the most technologically challenged staff member.

Fast forward to now:

1. Fax Machines have changed.  They are now all-in-one devices that scan, print, copy, send files to your computer, and more.  The “FAX” ability is now just a minor extra feature.
2. HIPAA has arrived and evolved.  It used to be that sending patient (ePHI) data via FAX was the norm.  Now, it is perilous to send such private data over regular FAX lines, as it is easy for that process to break down and violate HIPAA.  E.g. see this $2.5 million dollar law suite resulting from 1 fax message.
3. Everyone has a computer or tablet. Most doctors and staff members have access to email, a HIPAA-secured computer or tablet, and familiarity with how to use them … and have been trained on best practices via the required HIPAA security training that everyone has to have now-a-days.
4. Paperless offices. Workplaces have or are evolving to become paperless — everything is stored electronically.  Regular FAXes are often disdained in favor or email; when regular FAXes do arrive, they are often scanned to electronic files and then destroyed.
5. Low resolution. Faxes are low-resolution.  They are slow and they do not contain a great amount of detail.  They are not great for sending anything graphical.

Read the rest of this post.

For more information, see:

• Hospital faxed a patient’s HIV-positive status to his workplace — he’s now suing for $2.5 million
• Is a FAXing really HIPAA-compliant?
• HIPAA Faxing: How To Send and Receive FAXes in a Secure and Compliant Way

Read the rest of this post.

Building a safer email ecosystem with DMARC

In our previous post, we described two techniques for authenticating an email sender:

• Sender Policy Framework (SPF), IETF RFC 7208, which verifies if the sending MTA is indeed authorized to send mail on behalf of a domain; and
• DomainKeys Identified Mail (DKIM), IETF RFC 6376, where a domain shows “ownership” of a mail it sends by signing portions of it so that critical aspects cannot be forged by intermediaries.

Like most technologies, these are just individual weapons in the arsenal for fighting phishing and spam. Weapons, like all tools, need to be properly used if they are to be effective. Unfortunately, as we described in the earlier post, both SPF and DKIM are deployed in a manner that reduces their usefulness. With SPF, the validation policy set by the sender is often chosen in a manner that leaves handling authentication failures at the discretion of the recipient. DKIM, on the other hand, does not even have an explicit policy directive set by the sender. Moreover, in a heterogeneous mail environment, some perfectly legitimate MTAs might not be capable of signing messages.

Thus, receivers in actual deployments tend to “soft fail” any SPF and/or DKIM validation failures as there are reasonable situations when legitimate mail can fail such checks. A common example is forwarded mail (which fails SPF), or mail sent via a mailing list (which fails DKIM). Mail providers consider it better to deliver most mail (even if some are fake or spammy) rather than risk dropping legitimate mail. Thus, neither of these techniques individually or combined provide clear guidance to receivers, and the resulting actions can be inconsistent. Read the rest of this post.

Update: Equifax’s lawyers have since updated their language on the use of Equifax services as it relates to being able to participate in a class action law suit.  While New York Attorney General Eric Schneiderman said the forced arbitration terms of service are “unenforceable” and should be removed, Equifax has added language to its “FAQs for Consumers” that the arbitration clause in the “Terms of Use” does not apply to “the cybersecurity incident.”

Read the rest of this post.

In today’s reality, nation-states and their criminal partners can disrupt commerce and defenses in the free world from the safety and comfort of their computer desks. Their prime targets are not top-secret space weapons but everyday businesses and business systems, and healthcare organizations are just as vulnerable as any other industry. Hospitals, smaller providers, health plans, and business associates can all become targets of cyber-espionage, so it is up to every business decision-maker to understand the threats.

Cyber-espionage against businesses is safer, easier and often more effective than targeting governments. Industrialized nations compete for world dominance in economic markets, so cyber-espionage is being used against businesses to gain competitive advantage.

Read the rest of this post.

Our latest “Ask Erik” question involves understanding what email headers save about secure message transport … especially when they list MAPI or HTTPS instead of TLS.

Read the rest of this post.

Recent reports on cyber-security threats in the healthcare sector by Verizon, Symantec and Ponemon consistently make several observations:

• Email-borne malware is on the rise, with such malware delivered via spam or phishing;
• Small-to-medium sized businesses (from all sectors) have the highest rate of email-delivered malware;
• Most breaches are caused by negligent employees or contractors.

These conclusions are hardly surprising as email is now an increasingly common part of communications with protected health information (PHI) frequently exchanged amongst employees and patients within a practice, between medical providers, and medical providers and their business associates. The concern for the healthcare industry is the potential violation of the HIPAA privacy rule caused by email-related (and other) breaches, leading to disruptions from loss of data, compliance audits and possibly hefty fines.

We wrote about obvious measures medical providers can take to avoid HIPAA non-compliance in email exchanges such as opt-out email security. That addresses only one aspect of the threat landscape, though – the protection of PHI in email exchanges. Another aspect is more sinister, as it deals with external, malignant actors. These actors use various spoofing techniques to trick patients or employees of a medical practice to react incautiously, often impulsively, to emails supposedly coming from valid sources. These often lead to identity theft, where the damage is more far reaching as the information given up is more long-lived and more widely used and cannot just be erased like revoking a misused credit card. Read the rest of this post.

Read the rest of this post.

Read the rest of this post.