Wislyn (https://www.wislyn.com) - Information and Cyber Security

Audit Controls
https://www.wislyn.com/2018/02/09/audit-controls/
Sat, 10 Feb 2018 02:03:41 +0000

UPDATE: On February 17, 2017,

Audit Controls Underlined in $5.5M OCR HIPAA Settlement

Memorial Healthcare Systems recently agreed to an OCR HIPAA settlement, with a lack of audit controls cited as a key factor in the decision.

Florida-based Memorial Healthcare Systems (MHS) recently agreed to a $5.5 million OCR HIPAA settlement, stemming from incidents that were reported in 2012. OCR stated that a lack of audit controls was a major factor in the determined settlement.

A PHI data breach was first reported to OCR on April 12, 2012, where MHS employees inappropriately accessed patient information, including names, dates of birth, and Social Security numbers. An additional report was sent a few months later after MHS found that further impermissible access had occurred.

In the second incident, 105,646 individuals had their information accessed. Furthermore, some information was then sold to file fraudulent tax returns.

An HHS investigation found that 80,000 individuals’ PHI was disclosed when MHS gave a former employee of an affiliated physician practice access to the data from April 1, 2011, to April 27, 2012.

Additionally, “MHS failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports,” from January 1, 2011 to June 1, 2012. In that same time frame, MHS also did not implement necessary policies and procedures to “establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.”

“Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches but to prevent them before they happen.”

Per the HHS corrective action plan, MHS must complete a risk analysis and risk management plan, which includes adhering to the following:

  • All risks and vulnerabilities identified at MHS related to enterprise-wide PHI security
  • Evidence that MHS has implemented and maintains a risk management plan to address such risks and vulnerabilities, or dates of expected implementation
  • Evidence of implementation, or evidence of efforts towards implementation, of security measures or other safeguards identified in the risk management plan to address identified risks and vulnerabilities
  • MHS policies and procedures related to information system activity must also be updated. This includes the regular review of audit logs, access reports, and security incident tracking reports.
  • Protocols for access to MHS’s e-PHI by affiliated physicians, their practices, and their employees also need to be revised. MHS policies and procedures related to overall risk analysis and management must be updated as well.

The updated policies and procedures need to be properly distributed to all MHS workforce members, including business associates and affiliated physician practice members.

MHS internal monitoring, external assessments, and internal reporting must also be revised, according to HHS. A key part of this is to ensure that all workforce members with ePHI access are adhering to HIPAA regulations.

Audit controls have already been a key OCR focus this year, as the agency discussed the necessity of audit controls in its January cybersecurity newsletter.

OCR explained that reviewing and securing audit trails, and ensuring that the proper tools to collect, monitor, and review those audit trails are in place, are key audit control considerations for covered entities and business associates.

When determining reasonable and appropriate audit controls for information systems containing or using ePHI, Covered Entities and Business Associates must consider their risk analysis results and organizational factors, such as their current technical infrastructure, hardware, and software security capabilities, OCR wrote.

Top 10 healthcare data breaches of 2016
https://www.wislyn.com/2017/01/16/top-10-healthcare-data-breaches-of-2016/
Tue, 17 Jan 2017 03:12:02 +0000

Here is the annual countdown of the Top 10 healthcare data breaches of 2016, in the US.

  10. Premier Healthcare, LLC

Premier Healthcare reported a potential healthcare data breach in March, affecting 205,748 individuals, according to the US Office for Civil Rights (OCR) at HHS (https://www.hhs.gov/ocr/).

A laptop was stolen from Premier’s billing department, but was returned to the provider in the mail “on or about March 7, 2016.” An investigation determined that the laptop had not been powered on since it went missing on December 31, 2015.

Premier also explained in its online statement that there was no evidence showing that the information on the laptop was inappropriately accessed.

  9. Central Ohio Urology Group, Inc.

Central Ohio Urology Group (COUG) reported in October that an unauthorized individual posted files and documents to an online drive accessible on the Internet on August 2, 2016.

The information of 300,000 patients, employees, and individuals who paid for medical services was reportedly affected.

While the information was removed from the drive within hours, names, addresses, telephone number(s), emails, dates of birth, Social Security numbers, driver’s license or state identification numbers, patient identification numbers, medical and health plan information, account information, diagnoses or treatment information, health insurance information and identifiers, and employment-related information may have been exposed. All they left out was “the kitchen sink”!

  8. California Correctional Health Care Services

California Correctional Health Care Services had 400,000 individuals affected by a possible data breach in April, according to OCR.

PHI may have been exposed for patients in the California Department of Corrections and Rehabilitation who were incarcerated between 1996 and 2014 when an unencrypted work laptop was stolen from an employee’s personal vehicle. However, California Correctional Healthcare Services said that the device was password-protected.

Appropriate actions were immediately implemented and shall continue to occur, said its Director of Communications and Legislation. This includes, but is not limited to, corrective discipline, information security training, procedural amendments, process changes, and technology controls and safeguards. As necessary, policies, risk assessments and contracts shall be reviewed and updated.

  7. Radiology Regional Center, PA

Florida-based Radiology Regional Center reported in February 2016 that patient information may have been exposed after some paper records were found on a street on December 19, 2015. Approximately 483,000 individuals were affected, OCR reported.

A small quantity of records fell onto the street while being transported by the Lee County Solid Waste Division, Radiology Regional explained. That division is also responsible for the disposal of Radiology patient records.

As a result of numerous searches, Radiology Regional believes that virtually all of the records were retrieved. To ensure an incident like this does not happen again, it has taken steps to change how paper records are transported and destroyed.

  6. Peachtree Orthopaedic Clinic

Peachtree Orthopaedic Clinic reported to OCR in November that 531,000 individuals may have been impacted by a cybersecurity attack it experienced on September 22, 2016.

Patient names, home addresses, email addresses, and dates of birth were “potentially taken” in the unauthorized access, Peachtree said in its online statement. Patient treatment codes, prescription records, or Social Security numbers may also have been taken in some cases.

Individuals who were patients prior to July 2014 “may be affected,” while there were also a “small number of cases” where individuals who were patients after that time may also have been impacted.

  5. Bon Secours Health System Incorporated

South Carolina’s Bon Secours Health System, Inc. reported in August 2016 that 651,971 individuals were likely affected by a data breach stemming from a vendor error.

The vendor, R-C Healthcare Management, inadvertently made patient files available online as it attempted to adjust its computer network settings from April 18, 2016 to April 21, 2016, just four days.

While medical records were not made accessible, patients’ names, health insurers’ names, health insurance identification numbers, limited clinical information, Social Security numbers, and in some instances, bank account information may have been exposed.

  4. Valley Anesthesiology and Pain Consultants

Valley Anesthesiology and Pain Consultants (VAPC) notified OCR in August 2016 that 882,590 individuals may have been impacted by unauthorized access on one of its computer systems.

The initial hacking may have occurred on March 30, 2016, but VAPC became aware of the incident on June 13, 2016.

Patient data, provider information, and certain employee information may have been exposed, according to VAPC. Those whose Social Security numbers or Medicare numbers were involved were offered free credit monitoring and identity protection services.

  3. 21st Century Oncology

A 21st Century Oncology database was inappropriately accessed by an unauthorized third party toward the end of 2015, potentially exposing information of 2,213,597 individuals.

21st Century notified OCR in March 2016, claiming in an online statement that the delay occurred because the FBI had requested a delay in notification so there would be no interference in its investigation.

The intruder may have accessed the database on October 3, 2015, possibly compromising patient names, Social Security numbers, physicians’ names, diagnosis and treatment information, and insurance information.

“We continue to work closely with the FBI on its investigation of the intrusion into our system,” 21st Century explained. “In addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future.”

  2. Newkirk Products, Inc.

Newkirk Products, Inc. issues healthcare ID cards for health insurance plans, and announced in August 2016 that it had experienced a cybersecurity attack. OCR lists 3,466,120 individuals as potentially having had their information affected.

On July 6, 2016, Newkirk discovered that a server containing member information had been accessed without authorization. Newkirk shut down the server and started an investigation into the incident, hiring a third-party forensic investigator to determine the extent of the unauthorized access and whether the personal information of its clients’ members may have been accessed. Newkirk also notified federal law enforcement.

At the initial announcement, Newkirk stated that no health plan systems were accessed or affected in any way. However, potentially accessed information included some combination of member names, mailing addresses, type of plan, member and group ID numbers, names of dependents enrolled in the plan, primary care providers, and in some cases, dates of birth, premium invoice information and Medicaid ID numbers.

  1. Banner Health

The largest reported data breach in the healthcare sector for 2016 was Banner Health, with 3.62 million individuals impacted by a cybersecurity attack that occurred over the summer.

Banner discovered the issue on July 13, 2016, but a third-party forensics investigation found that the initial attack had occurred on June 17, 2016, almost a month earlier!

There were “a limited number of Banner Health computer servers as well as the computer systems that process payment card data at certain Banner Health food and beverage outlets” affected in the attack, according to Banner.

Patients, members and beneficiaries, and food and beverage outlet customers may have all had certain information exposed.

The food and beverage outlet breach was discovered on July 7, 2016, while payment cards used at 27 different Banner Health locations from June 23, 2016 to July 7, 2016 may have been affected. Arkansas, Arizona, Colorado, and Wyoming all have possibly affected locations.

The attackers targeted payment card data, including cardholder name, card number, expiration date and internal verification code, as the data was being routed through affected payment processing systems, explained Banner.

However, the list would be incomplete if we did not include the following hacks in 2016:

  • The CIA disclosed that Russia intervened in the U.S. election,
  • And the spectacular $81 million Bangladesh cyber heist.

Not to be “outgunned”, the Yahoo hack saw a billion customers have their credentials stolen.

It has been a long time since Yahoo has been number one in any market, but in September 2016, it “achieved” a new distinction: the single largest public data breach in human history.

In summary, the numbers are astonishing, with tectonic-shift-like potential implications for companies and organizations of all kinds:

  • 500 million+ accounts affected
  • The $4.8 billion Verizon acquisition of Yahoo now clearly in jeopardy
  • Two years from the incident’s estimated starting point to Yahoo’s detection and public disclosure of the breach
  • Nearly doubled 2016’s already history-making publicly acknowledged data breach record count

The bad guys had a busy year in 2016, and I think it is safe to say 2017 will be worse.

SOA Testing Techniques
https://www.wislyn.com/2016/05/14/soa-testing-techniques/
Sat, 14 May 2016 18:10:25 +0000

SOA Testing Tools for Black, White and Gray Box

Web Services are the foundations of modern Service Oriented Architecture (SOA). Typical Web Services exchange messages between a consumer and a producer using SOAP requests and responses over the ubiquitous HTTP protocol. A Web service producer advertises its services to potential consumers through Web Services Description Language (WSDL), an XML file that contains details of available operations, execution endpoints and expected SOAP request-response structures.

Many testing techniques and methodologies developed over the years apply to Web Services-based SOA systems as well. Through functional, regression, unit, integration, system and process level testing, the primary objective of testing methodologies is to increase confidence that the target system will deliver functionality in a robust, scalable, interoperable and secure manner. Techniques such as Black, White and Gray Box testing applied to traditional systems map well into Web Services deployments. However, the following characteristics of Web Services deployments introduce unique testing challenges:

  • Web Services are intrinsically distributed and are platform and language agnostic.
  • Web Services can be chained with dependencies on other 3rd party Web Services that can change without notice.
  • Web Services ownership is shared across various stakeholders.
  • Web Services client developers typically only have access to interfaces (WSDLs) and lack access to code.

In this paper, we will investigate testing techniques and their application to Web Services. We will use a simple sample Web service to illustrate each of these techniques and the relative strengths and weaknesses of such techniques. Finally, a novel approach that extends Gray Box testing’s reach into the realm of White Box testing by leveraging the rich information provided in the WSDL file will be described.
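As an added illustration of the WSDL-driven gray-box idea (example code written for this page, not the paper's own sample service), the script below pulls the endpoint, operations, SOAPAction and message parts out of a WSDL and then checks a SOAP response against the parts the interface actually promises. The WSDL describes a hypothetical Calc service with a placeholder endpoint, and the response is constructed as well.

```python
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "soap": "http://schemas.xmlsoap.org/wsdl/soap/"}
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed WSDL for a hypothetical Calc service; the endpoint is a placeholder.
SAMPLE_WSDL = """<definitions name="Calc" targetNamespace="urn:calc"
  xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="urn:calc"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <message name="AddIn"><part name="a" type="xsd:int"/><part name="b" type="xsd:int"/></message>
  <message name="AddOut"><part name="sum" type="xsd:int"/></message>
  <portType name="CalcPort">
    <operation name="Add"><input message="tns:AddIn"/><output message="tns:AddOut"/></operation>
  </portType>
  <binding name="CalcBinding" type="tns:CalcPort">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="Add"><soap:operation soapAction="urn:calc#Add"/></operation>
  </binding>
  <service name="CalcService"><port name="CalcPort" binding="tns:CalcBinding">
    <soap:address location="http://calc.example.invalid/soap"/></port></service>
</definitions>"""

# Constructed response: the server returns an extra <trace> part the WSDL never promised.
SAMPLE_RESPONSE = """<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"><e:Body>
<tns:AddResponse xmlns:tns="urn:calc"><sum>5</sum><trace>at Calc.add(Calc.java:42)</trace>
</tns:AddResponse></e:Body></e:Envelope>"""


def parse_wsdl(text):
    """What a gray-box tester learns from the interface alone: endpoint,
    operations, their SOAPAction, and the message parts going in and out."""
    root = ET.fromstring(text)
    parts = {m.get("name"): [p.get("name") for p in m.findall("wsdl:part", NS)]
             for m in root.findall("wsdl:message", NS)}
    ops = {}
    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        inp = op.find("wsdl:input", NS).get("message").split(":")[-1]
        out = op.find("wsdl:output", NS).get("message").split(":")[-1]
        ops[op.get("name")] = {"input": parts[inp], "output": parts[out]}
    for op in root.findall("wsdl:binding/wsdl:operation", NS):
        ops[op.get("name")]["soapAction"] = op.find("soap:operation", NS).get("soapAction")
    endpoint = root.find("wsdl:service/wsdl:port/soap:address", NS).get("location")
    return {"endpoint": endpoint, "operations": ops}


def check_response(spec, op_name, response_xml):
    """Return (missing, unexpected) parts of a SOAP response versus the WSDL's output
    message; unexpected parts (stack traces, internal ids) are a classic leak to review."""
    body = ET.fromstring(response_xml).find("{%s}Body" % SOAP_ENV)
    got = {child.tag.split("}")[-1] for child in body[0]}  # rpc style: Body/<op>Response/parts
    want = set(spec["operations"][op_name]["output"])
    return sorted(want - got), sorted(got - want)
```

Run against a real service, the same comparison flags both responses that drop promised parts and responses that volunteer data the WSDL never advertised.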

IT Security Testing And Analysis
https://www.wislyn.com/2016/05/14/it-security-testing-and-analysis/
Sat, 14 May 2016 18:09:31 +0000

A network vulnerability assessment is a detailed study of the network security infrastructure of an organization’s systems. From a user workstation to the operating systems, databases, firewalls, and Internet routers, a network vulnerability assessment covers every piece of the information systems infrastructure in order to provide a comprehensive and consistent security vulnerability assessment of the current state of the information security architecture.

Enterprise Risk Management’s information security network vulnerability assessment evaluations provide an in-depth technical security review of the hardware and software components supporting the technical infrastructure of an organization. To provide the best results, we supplement automated tools, used to assist in the evaluation process, with manual methods and techniques that our experts have mastered with years of information security vulnerability experience and practice. We also prepare comprehensive reports detailing the network security exposures identified, their corresponding associated risks, and a specific information security action plan for the remediation of the problems found. These information security assessments are critical for the development of a tailored and cost-effective network security program.

Enterprise Risk Management also works with top management to help them fully understand the inherent network information security vulnerabilities that their organization faces. Our reports also provide top management with an Executive Summary to aid this process. One of our biggest pursuits is to ensure that top management is able to put the findings of a network vulnerability assessment in the context of business risk and impact on future growth.
