breach Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci

Posts Tagged ‘breach’

The HIPAA Breach Notification Rule: What it Really Means to Providers and Insurers

Friday, September 15th, 2017

For many providers and insurers, the Breach Notification Rule is still a puzzle waiting for a solution. Partly this is because the rule is complex in itself and requires attention to every detail. And, as a matter of fact, we cannot expect to be at our best when someone has just stolen our sensitive information.

Do you understand the HIPAA breach notification rule?

To address this problem in the wake of rising health data breaches, we have compiled an easy-to-understand guide to the Breach Notification Rule. Let’s begin the journey with a quick overview of the Breach Notification Rule and its purpose.


HIPAA FAX Breach: Why health care should finally stop faxing

Monday, September 11th, 2017

For more information, see:


The Equifax Breach: What you need to know

Friday, September 8th, 2017

Update: Equifax’s lawyers have since updated their language on the use of Equifax services as it relates to being able to participate in a class action lawsuit. While New York Attorney General Eric Schneiderman said the forced arbitration terms of service are “unenforceable” and should be removed, Equifax has added language to its “FAQs for Consumers” stating that the arbitration clause in the “Terms of Use” does not apply to “the cybersecurity incident.”


HIPAA Compliance and Emails: A View from the Trenches

Monday, August 28th, 2017

We have scoured the internet for real-life examples of the use of email in medical scenarios, so as to better convince our readers of the points we have made in past posts about the perils and pitfalls of using unsecured email for communications. Email is one of the oldest (some even refer to it as “legacy”) tools in our always-connected, digital world. However, its use between patients and their medical providers, and amongst doctors and their business associates, can be fraught with issues that may violate the provisions of the Health Insurance Portability and Accountability Act (HIPAA).

The HIPAA privacy rules require covered entities and their business associates to protect patients’ health information from unauthorized disclosure. The HIPAA security rules do not mandate specific technologies or prohibit others. In fact, HIPAA

“…allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”

An imperfect understanding of patients’ privacy concerns, lack of proficiency in using computers (or lack of access to them), misguided policies on usage – all of these play a part in HIPAA privacy breaches. The consequences of such breaches can be quite burdensome for the medical provider.

HIPAA-compliant email

In a previous post, we provided some data on HIPAA-related complaints filed with the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). There were 350 breaches of unprotected health information involving 500 or more individuals reported to HHS in the last two years and under investigation by OCR. 75 of these had their origin in email, and half of that number involved unauthorized access or disclosure.

Medical providers often forget (or might even be unaware of) “reasonable safeguards” that can easily be implemented to prevent emails from leaking information that patients might consider as compromising their privacy. By analyzing some real-life examples of how email is used (well, actually misused) in practice, we hope this post can convince you of reasonable safeguards that can make email a useful and efficient part of your workflow while conforming to HIPAA.


Opt-out email security: A step towards better HIPAA Privacy Rule compliance

Tuesday, August 22nd, 2017

Breaches of electronic Protected Health Information (ePHI) from email communications amongst HIPAA covered entities, their business associates, and health care consumers reveal a common pattern. Patient records are often emailed unencrypted (see here, here and here), or sent to unintended recipients (examples here and here). Poor email practices might also cause bulk emails (e.g., health newsletters, office closing notices, etc.) to be sent without masking the names/emails of the recipients (see here). All of these can be breaches of HIPAA.


Email breaches continuously leak ePHI from healthcare

While not as prominently exposed by the media as hacking incidents, where large numbers of records can be compromised in a single attack, HIPAA violations owing to poor email practices proceed at a steady rate. The consequences can be just as problematic for the healthcare provider, despite the smaller number of exposed individuals. The insidious drip-drip-drip leakage of ePHI via improper email usage is often harder to handle, and the sort of ePHI exposed can be subtle.


3 Things You Can Do Now to Protect Against the Latest Hacker Attacks

Tuesday, June 13th, 2017

It seems like major hacks are always in the news. Whether it is the vicious WannaCry ransomware that swept across the world or the constant stories about Russian hacks, we are being bombarded by increasingly devastating online threats. If you want to help prevent your organization from becoming the next in a long line of victims, you really need to start paying attention to your cyber security efforts.

A solid defense requires a comprehensive security policy that measures your assets against their risks and adapts as these things change. While an overall plan is important, there are several things you can do right now to bolster your security and help prevent the latest attacks:



Oh S*#@! You’ve Been Breached: What Should You Do?

Wednesday, June 7th, 2017

When it comes to cyber security, nothing is 100%. No matter how advanced your defenses are, hackers can find a way around them if they have enough time, money and resources. Because breaches can affect any business, it is important that you are prepared for worst-case scenarios ahead of time. The right planning will help minimize the damage to your business and help it get back on its feet sooner.



How to breach your HIPAA-compliant email in 5 minutes while getting coffee

Thursday, June 9th, 2016

Who knew that a quick cup of coffee could lead to the report of a HIPAA breach to the Secretary of Health and Human Services … and a bad day, overall.

Here is what happened:


Are you Minimizing your Risk by using the Next Generation of Opt In Email Encryption?

Friday, September 11th, 2015

We have long held that leaving it to each sender/employee to properly enable encryption for each sensitive message (a.k.a. “Opt In Encryption”) is too risky. Why? Any mistake or oversight immediately equals a breach and liability.

Instead, LuxSci has always promoted use of “Opt Out Encryption,” in which the account default is to encrypt everything unless the sender specifically indicates that the message is not sensitive. The risk with Opt Out Encryption is much smaller than with Opt In. (See Opt-In Email Encryption is too Risky for HIPAA Compliance.)

The problem is: many companies use Opt In Encryption because it is convenient when sending messages without sensitive information — you just send these messages “as usual,” without forethought. These companies are trading large risks in return for convenience.

LuxSci has solved the “Opt In vs. Opt Out” conundrum with its SecureLine Email Encryption Service. You could say that SecureLine enables the “Next Generation” of Opt In Email Encryption — combining both usability and security.


HIPAA and Heartbleed … Are you automatically in breach?

Tuesday, April 15th, 2014

Under the HIPAA Privacy Rule, a breach is defined as:

Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.

Based on this definition, merely having been vulnerable to a security exploit (e.g., Heartbleed) does not constitute a breach and does not trigger the breach notification requirements.

So — just because you used a system that was vulnerable to Heartbleed does not mean that a breach occurred or that any type of reporting is needed. Imagine if it did … practically everyone would have to report, and that would overwhelm Health and Human Services!
