SignificantDevelopmentsinHealthcare

Presentedby:KarenPainterRandall,Partner,ConnellFoleyLLPStaceyL.Gulick,Partner,GarfunkelWild,P.C.

RecentEnforcementActions

WhatAretheConcerns?(Justareminder)

§ CivilMonetaryPenalties§ CriminalPenalties

§ PrivateRightsofAction(thereisnoprivaterightofactionunderHIPAA,butthecourtshavesaidthatviolationofHIPAAcanbeusedtoproveotherclaimssuchasnegligence)

§ ClassActionSuits§ CostsofanOCRInvestigation

LargestSettlementstoDate(FailuretoTerminateEmployeeAccess)

OnFebruary16,2017, theOCRannouncedthat,asaresultfailingtoremoveaccessuponterminationofanemployee,MemorialHealthcareSystem(MHS) paidtheOCR$5.5million.MHSoperateshospitals,andavarietyofancillaryhealthcarefacilities inFlorida.Inaddition,MHSisaffiliatedwithphysicianofficesthroughanOHCA.MHSreportedtotheOCRthatthePHIof115,143individualshadbeenimpermissiblyaccessedanddisclosed.Thelogincredentialsofaformeremployeeofanaffiliatedphysician’sofficehadbeenusedtoaccesstheePHImaintainedbyMHSonadailybasiswithoutdetectionfromApril2011toApril2012,affecting80,000individuals.TheOCRspecificallynotedthat(1)MHSfailedtoimplementprocedureswithrespecttoreviewing,modifyingand/orterminatingusers’rightofaccess,and(2)failedtoauditcomputersystemactivity,despitehavingidentifiedthisriskonseveralriskanalysesconductedbyMHSfrom2007to2012.

LargestSettlementstoDate

InAugust2016,AdvocateHealthCareNetwork(Advocate)enteredintoasettlementwiththeOCRtopay$5.55millionandadoptacorrectiveactionplan. TheinvestigationoccurredafterAdvocatereportedthreelargebreaches(involvingdifferentoftheAdvocateentities).TheOCRallegedthatAdvocatefailedto:

§ conductanaccurateandthoroughriskanalysisofallofitsfacilities,equipment,applicationsanddatasystems;

§ limitphysicalaccesstoitselectronicinformationsystems;

§ obtainaBAAfromavendorthathadaccesstoPHIresultinginimpermissibledisclosureofePHI;and

§ failedtoreasonablysafeguardtheePHIwhenanAMGworkforcememberleftanunencryptedlaptopinanunlockedvehicle.

LackofTimelyBreachNotification

InJanuary2017,theOCRannouncedthefirstHIPAAsettlementbasedontheuntimelyreportingofasecuritybreach PresenceHealthagreedtopay$475,000andimplementacorrectiveactionplan.TheOCRclaimsthatthissettlementbalancedtheneedtoemphasizetheimportanceoftimelybreachreportingwiththedesirenottodisincentivebreachreportingaltogether.OnJanuary31,2014,PresenceHealthreportedtotheOCRthatonOctober22,2013,PresenceHealthdiscoveredthatoperatingroomschedules,whichcontainedthePHIof836individuals,weremissing.TheOCR’sinvestigationrevealedthatPresenceHealthfailedtonotify,within60daysofdiscoveringthebreach,eachofthe836affectedindividuals,mediaoutlets,andtheOCR.

MalwareOnJune4,2013,OCRreceivednotificationfromUMassregardingaworkstationthatwasinfectedbymalware,whichmayhaveresultedinabreachaffectingapproximately1,670individuals. AsaresultUMassenteredintoasettlementfor$650,000.TheOCRfoundthatUMassfailedto:• IncludeallentitiesthatwouldmeetthedefinitionofaCEorBAinitshybridentitydesignationandimplementpoliciesaccordingly;

• conductanaccurateandthoroughriskanalysis;and• implementappropriatefirewalls.

UnsecuredWirelessNetwork

InJuly2016,Univ.ofMississippiMedicalCenter(“UMMC”)settledwiththeOCRfor$2.75mfollowingabreachinvolving10,000patients.Thebreachinvolvedapassword-protectedlaptopthatwentmissingfromUMMC.OCRidentifiedthatePHIstoredonaUMMCnetworkdrivewasvulnerabletounauthorizedaccessviaUMMC’swirelessnetworkbecauseuserscouldaccessanactivedirectorywithagenericusernameandpassword.

StorageofPHIonCloudServer(withoutBAA)LeadstoSettlement

OregonHealth&ScienceUniversity(OHSU)settledwiththeOCRfor$2.7mandacomprehensivethree-yearcorrectiveactionplan. OCR’sinvestigationbeganaftermultiplebreachreports,includingthreereportsinvolvingunencryptedportabledevices. OCRidentifiedevidenceofwidespreadvulnerabilitieswithinOHSU’sHIPAAcomplianceprogram,includingthestorageofePHIofover3,000individualsonacloud-basedserverwithoutaBAA.

StorageofPHIonCloudServer(withoutBAA)LeadstoSettlement

§ OCRnotedthatOHSUperformedriskanalysesin2003,2005,2006,2008,2010,and2013,buttheseanalysesdidnotcoverallePHIinOHSU’senterprise. Furthermore,whiletheanalysesidentifiedvulnerabilitiesandriskstoePHIlocatedinmanyareasoftheorganization,OHSUdidnotactinatimelymannertoimplementmeasurestoaddressthesedocumentedrisksandvulnerabilities.

§ Forexample,OHSUalsofailedtoimplementamechanismtoencryptanddecryptePHI,despitehavingidentifiedthislackofencryptionasarisk.

BusinessAssociateEntersIntoSettlementforStolenIphone

CatholicHealthCareServicesoftheArchdioceseofPhiladelphia(CHCS)(amanagementandinformationtechnologycompanyforSNFs)enteredintoasettlementagreementwithOCRfor$650,000followingabreachinvolvingthetheftofanunencryptedIphone.Only412individualswereinvolved.

Note:ThisisthefirstOCRsettlementwithabusinessassociate.

OtherSignificantSettlements§ CompleteP.T.settledfor$25,000afterpostingpatienttestimonials,including

fullnamesandfullfaceimages,toitswebsitewithoutobtainingHIPAAauthorizations.

§ TheUniversityofWashingtonMedicinesettledfor$750,000followingabreachcausedwhenanemployeedownloadedanemailattachmentcontainingmalicioussoftware.

§ CornellPrescriptionPharmacysettledfor$125,000followingnotificationbythemediathatthepharmacydisposedofunsecured(i.e.,notshredded)documentsinanunlocked,opencontaineronthepremises.Remindingusthatpaperdocumentsarestillaconcern.

§ RaleighOrthopaedicClinicsettledwithOCRfor$750,000whenitdisclosedinformationof17,300patientstoapotentialbusinesspartner(thatwastransferringfilmstodigitalmedia)withoutfirstexecutingaBAA.

Takeaways§ Themostimportantthingyouneedtodotoprotectyourorganizationistohaveacomprehensiveup-to-dateRiskAnalysisandcorrespondingRiskManagementPlan.

§ NearlyeverysettlementtodatehasinvolvedfailuretohaveacomprehensiveRiskAnalysisandcorrespondingRiskManagementPlan.

§ WhentheOCRwalksthroughthedoor,forANYreason(breach,complaint,audit),thefirstthingitwillrequestistheRiskAnalysis.

Ransomware• WhatisRansomware?– Ransomwarecantakedifferentforms,butinessenceitdeniesaccesstoadeviceorfileuntilaransomhasbeenpaid.

– Notonlycanransomwareencryptthefilesonaworkstation,thesoftwareismartenoughtotravelacrossyournetworkandencryptanyfileslocatedonbothmappedandunmappednetworkdrives.

– Thiscanleadtoacatastrophicsituationwherebyoneinfectedusercanbringadepartmentorentireorganizationtoahalt

Ransomware• Oncethefilesareencrypted,thehackerswilldisplaysomesortofscreenorwebpageexplaininghowtounlockthefiles.

• Payingthe“ransom”invariablyinvolvespayingaformofe-currency(cryptocurrency)suchasBitcoins.

• Oncethehackersverifypayment,theyprovidethe“decryptor”software,andthecomputersstartthearduousprocessofdecryptingallofthefiles.

Ransomware• NewStrainsofRansomware– PopcornTime

• Offersfreedecryptionifyouinfecttwoothersandtheypay.• Stillproofofconcept.

– Koolava(a.k.a.NiceJigsaw)• Offersfreedecryptionifyoulearnhownottobeinfected.• Stillworkinprogressandnothighqualitycode.• Oncethevictimreadstwoarticles,theDecryptMyFilesbuttonbecomesavailable.• Itwilldeleteallfilesifthearticlesarenotread.

Ransomware• NewStrainsofRansomware(cont.)– Goldeneye

• Infectsfiles,theninfectstheharddrive.• Potentiallyforcespayingadoubleransom.• Spreadsasafakejobapplicationemailwitha.pdfattachment.The.pdfpointsthevictimtoaninfectedExcelfile.• Afterfileencryption,themachinerebootsandlookslikeitisdoingafilesystemrepair.Itisactuallyencrypting.• Afterpayingthemoneytodecrypt,logginginmaydemandmoretodecryptthefile.

Ransomware• NewStrainsofRansomware(cont.)– Spora

• Offersanoptionoffutureimmunity(forafee).• NoC&Cserversoblockingoutboundcommunicationdoesnothelp.• Addsthehiddenattributetofilesandfoldersonthedesktop,therootofUSBdrivesandthesystemdrive.Thesefilesandfoldersarenowhiddenbythestandardfolderoptions.• ItnowmakesWindowshortcutswiththesamenameandiconasthehiddenfilesandfolders.

Ransomware• TheHollywoodPresbyterianMedicalCenter– InFebruary2016,theHollywoodPresbyterianMedicalCenterwashitbyaransomwareattackthatknockedthehospital’snetworkoffline.

– Theattachaffectedthefacility’sdailyoperations,asurgentscans,labwork,pharmaceuticalneeds,anddocumentationcouldnotbeaccessed.

– Paid$17,000inBitcoins.

Ransomware• MedStarHealth– InMarch2016,oneofcountry’sleadinghealthcareproviderswithanetworkoftenhospitalsand250outpatientcenterswasaffectedbyaransomwareattack.

– Theorganizationactedquicklyandtookdownallsysteminterfacestopreventthemalwarefromspreading.

– Theransomwassetat45Bitcoins(approx.$19,000)withaten-daydeadline,butMedStarreportedlyabletobringsystembackonlinewithoutpaying

Ransomware• Takeaways– Expertsdisagreeastowhetherornotacompanyshouldpay.Ononehandunlessyouhaveapowerfulcomputerandalotoftimetospendguessingkeys,thereisreallynowaytogetyourdatabackunlessyoupaytheransom.

– However,TheDepartmentofHomelandSecuritytellspeopletonotnegotiatewiththehackersasitwillencouragemoreattacks

– Theverybestdefensetopreventaransomwareattackistohaveabackupthatisnotconnectedtoyourmachineinanyway.

ChangestoSubstanceAbuseRegulations

• March27,2017revisedregulationsunder42CFRPart2wentintoeffect.

• Expandstherequirementsof42CFRPart2to“lawfulholders”ofsubstanceabusetreatmentinformation(e.g.,individualorentitywhohasreceivedtheinformationastheresultsofapart2-compliantpatientconsent(withnoticeofprohibitiononredisclosure)andotherentitiesthatlegallyreceivesuchinformationwithoutconsent).

ChangestoSubstanceAbuseRegulations

• Createsnewrequirementsforsecurityofsubstanceabusetreatmentinformation–consistentwithHIPAA.

• Establishrequirementsfordispositionofrecordsbydiscontinuedprograms.

• RequiresNoticeofPrivacyPracticestoincludecontactinformationtoreportviolationsof42CFRPart2.

ChangestoSubstanceAbuseRegulations

• Expandsthepermitteddesignationsallowedinthe“towhom”Sectionoftheconsentforreleaseofsubstanceabusetreatmentinformation.

• Includesanewrequirementthatconsentformsexplicitlydescribetheinformationtobedisclosed(e.g.,diagnosticinformation,medications,etc.).

• Includesarequirement,thatifgeneraldesignationisused,theprovidermustbeabletoprovidepatientwithalistofindividualstowhomtheinformationwasprovided.

ChangestoSubstanceAbuseRegulations

• Loosenstherequirementsforuseofsubstanceabusetreatmentinformationforresearch– consistentwithHIPAA.

• AllowsACOs toaccesssubstanceabusetreatmentinformationforauditpurposes

Q&A