OCR’s Notice of Proposed Rulemaking

OCR’s Notice of Proposed Rulemaking

Wondering about the status of OCR’s Notice of Proposed Rulemaking? OCR announced the proposed rulemaking in December 2020. Although the proposal was not technically subject to the “regulatory freeze” by the Biden administration, it was effectively delayed because OCR extended the public comment period until May 2021.

Read more

OCR’s NPRM to modify HIPAA

On January 21, 2021, OCR published a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support individuals’ engagement in their healthcare, remove barriers to coordinated care, and decrease regulatory burdens on the healthcare industry, while continuing to protect individuals’ health information privacy interests.

OCR developed many of the proposals in the NPRM in response to public comments received in response to its 2018 Request for Information (RFI) on Modifying the HIPAA Rules to Improve Coordinated Care.

Read more: Understanding and implementing HIPAA rules

The NPRM proposed changes to the Privacy Rule include proposals to:

  • Strengthen individuals’ rights to access their own health information, including electronic information.
  • Improve information sharing for care coordination and case management for individuals.
  • Facilitate family and caregiver involvement in the care of individuals experiencing emergencies or health crises.
  • Enhance flexibilities for disclosures in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies.
  • Reduce administrative burdens on HIPAA covered healthcare providers and health plans.

The estimated total cost saving from this proposed regulatory reform is $3.2 billion over five years.

Read more: HIPAA Compliant Email: The Definitive Guide [2023 update]

Wondering about the status of OCR’s Notice of Proposed Rulemaking?

On January 21, 2021, the NPRM for the proposed HIPAA privacy rule changes was published in the Federal Register. The deadline for submitting comments on the 357-page proposal was March 22, 2021. Almost everyone interacting with healthcare systems will be affected by the proposed changes to the HIPAA Privacy Rule. In light of the potential impact of the proposed HIPAA changes, the deadline for submitting comments was extended to May 6, 2021. OCR has not yet provided a date for when the Final Rule will be issued, but it is likely to result in HIPAA changes in 2023, although they may not become enforceable until 2024.

Read more: OCR shares guidance on preventing common cyberattacks

A smiling person looking directly at the camera with the Paubox maze wrapped around him.

Paubox takes the stress out of HIPAA compliance and email

Paubox gives over 4,000 healthcare customers peace of mind by securing nearly 70,000,000 emails every month for providers and covered entities. Our technology is HITRUST CSF certified and rated 4.9/5.0 on G2. Trust the industry experts and start using email in your practice easily, securely and in compliance with HIPAA regulations.

The largest medical cyberattack in U.S. history?

The largest medical cyberattack in U.S. history may have occurred last week. CommonSpirit Health is suffering at the hands of a not-yet-identified ransomware group. The number of medical records affected could be as high as 20 million.

Read on to learn more, including why healthcare is under attack and the steps to take if your medical record is leaked.

The largest medical cyberattack in US history?

CommonSpirit Health is the nation’s fourth-largest hospital system with 142 hospitals in 21 states.

CommonSpirit Health’s Statement

Over the course of this past week, we have been managing a response to a cyberattack that has impacted some of our facilities. Patients continue to receive the highest quality of care, and we are providing relevant updates on the ongoing situation to our patients, employees and caregivers. Patient care remains our utmost priority and we apologize for any inconvenience this matter has created. 

As previously shared, upon discovering the ransomware attack, we took immediate steps to protect our systems, contain the incident, begin an investigation and ensure continuity of care. 

Our facilities are following existing protocols for system outages, which include taking certain systems offline, such as electronic health records. 

In addition, we are taking steps to mitigate the disruption and maintain continuity of care. 

To further assist and support our team in the investigation and response process, we engaged leading cybersecurity specialists and notified law enforcement. 

We continue to conduct a thorough forensics investigation and review of our systems and will also seek to determine if there are any data impacts as part of that process.  

Systems serving Dignity Health and Virginia Mason Medical Center have had minimal impacts on operations by this incident. For the other parts of our health system that have seen impacts on operations, we are working diligently every day to bring systems online and restore full functionality as quickly and safely as possible.  

Central to our decision-making has been and will continue to be our ability to carry out our mission in a manner that is safe and effective to those we serve. At CommonSpirit Health, we are dedicated to meeting the needs of the communities we serve and are guided by our core set of values, which include integrity, excellence, and collaboration. We are grateful to our staff and  physicians who are doing everything possible to mitigate the impact to our patients and ensure continuity of care.

The CommonSpirit ransomware attack impact area

Subsidiaries of CommonSpirit affected by the attack include CHI Health facilities in Nebraska and Tennessee, MercyOne Des Moines Medical Center, Houston-based St. Luke’s Health and Michigan-based Trinity Health System. As stated above, Dignity Health and Virginia Mason Medical Center have had minimal impacts on operations by this incident.

5 reasons why healthcare is a target for ransomware

Healthcare organizations are vulnerable to cyberattacks, even more so than other industries. The reasons why advanced persistent threat (APT) groups actively target covered entities, such as healthcare providers, pharmaceutical companies, and medical research organizations, likely include the following:

  1. Medical records are valuable on the black market and fetch up to $1,000 per record.
  2. Healthcare may be more likely to pay ransoms to get data back because lives hang in the balance.
  3. The attack surface is excessive and often left vulnerable.
  4. Untrained or overworked staff are prone to make errors.
  5. Lax security: A healthcare organization may view cybersecurity as an expense, despite the fact that that expense is small compared to what the organization could lose in the event of a data breach.

Read more: Why is healthcare a juicy target for cybercrime?

How do ransomware attacks happen?

Phishing emails are a common method of delivering ransomware attacks. An attachment is sent in an email as a link that the victim believes is trustworthy. When the victim clicks on that link, the malware in the file begins to download.

Upon entering a system, the malware begins encrypting the victim’s data. The files are then encrypted with an extension which makes them inaccessible. Once this is done, the files cannot be decrypted without a key known only to the attacker. Finally, a message will be displayed to the victim, explaining that the victim’s files are inaccessible and can only be reaccessed by paying a ransom to the attackers.

Read more: What is ransomware and how to protect against it?

Are foreign governments targeting the U.S. healthcare system?

Anne Neuberger, U.S. Deputy National Security Advisor, stressed the growing threat of foreign cyberattacks, citing U.S. government reports that identify specific “preparatory activity” targeting U.S. companies and critical infrastructure.

Further, the U.S. Department of Justice confirms that a North Korean regime-backed programmer is charged with conspiracy and responsible for the destructive Global WannaCry 2.0 ransomware attacks.

“Security needs to be top of mind for every company. Email security is the number one cause of breaches,” Paubox customer Eli Golden, Director of IT at The Jellyvision Lab, explains. “Attackers are getting smarter, and while we train our staff thoroughly with simulated attacks and live sessions, it’s best to have as much protection as possible.”

Read more: The White House warns against possible Russian cyberattacks

Healthcare executives rank ransomware as the #1 threat

A recent survey of 132 healthcare executives found that ransomware was the number one cybersecurity threat – more than data breaches or insider threats – according to the Health Information Sharing and Analysis Center, a nonprofit global cyberthreat forum for the healthcare industry.

Read more: The risks are too high for healthcare leaders not to understand Zero Trust

Take these 7 steps if your medical record is breached

  • File a police report
  • File a report with the FTC
  • Inform your insurer
  • Get copies of your medical record
  • Notify the three credit bureaus
  • Ask for corrections
  • Use strong passwords and 2FA or MFA on your accounts
Steps to take if your medical record is breached
Source: IDStrong

Are you in healthcare and concerned about digital security?

Paubox technology is HITRUST-CSF certified, patented and provides the most advanced HIPAA compliant email solutions available. Paubox solutions are effortlessly easy to implement and use.

In fact, Paubox is securing nearly 70 million HIPAA compliant emails each month for more than 4,000 healthcare customers and has a 4.9/5 G2 rating.

Whether you are a large hospital or a standalone clinic, Paubox has the right email product to keep your data and organization HIPAA compliant and secure.

OCR struggles to keep up with rising ransomware cases

OCR stuggles to keep up with rising ransomware cases

According to a recent update from Politico, the Department of Health and Human Services’ Office for Civil Rights (OCR) is facing an overflowing caseload of ransomware incidents and other healthcare cybersecurity threats.  

Melanie Fontes Rainer, OCR acting director, states that investigators are “under incredible resource constraints and incredibly overworked.”

Keep reading to learn more about OCR’s challenges and proposed next steps. Plus, find out how HIPAA compliant email can help covered entities stay one step ahead.

Read more

Why the OCR budget matters to healthcare

The black market values protected health information (PHI) more than other types of personal information. That’s why cyberattacks are common in the healthcare industry.

Ransomware strikes these organizations especially hard since disruptions in care can put patients’ lives in danger. Therefore, they are more likely to comply with ransom demands.

As this threat grows, the OCR cannot provide the support needed to assist healthcare organizations. This is primarily due to inadequate funding and resources provided by Congress.

Because the OCR has a limited budget, it has a smaller investigation team than many local police departments. Consequently, investigators must handle more than 100 cases simultaneously.

Possible solutions on the horizon

In order to address this concern, the Biden administration has requested a 60 percent budget increase in 2023. As a result, the OCR would be able to hire 37 new investigators.

In addition to balancing the agency’s workload, additional resources will give the agency more opportunities to provide guidance.

Additionally, OCR officials believe implementing higher fines will boost enforcement and encourage healthcare organizations to comply with HIPAA requirements.

Healthcare cybersecurity advocates point to other solutions to reduce risks. Investing in better defense systems and workforce development is part of this strategy.

AHA‘s national adviser for cybersecurity and risk, John Riggi, has called for federal support to train staff to improve security. And Intermountain Healthcare‘s chief information security officer urges the Centers for Medicare & Medicaid Services to develop payment models that directly fund cybersecurity programs.

Secured email is secured healthcare

Covered entities can avoid falling victim to ransomware and other security threats by putting the right protections in place from the start. And with email serving as a leading threat vector for cybercrime, a stronger email security strategy is a must. That’s where a HIPAA compliant email provider comes in. 

Designed to integrate with your existing email platform, Paubox Email Suite enables HIPAA compliant email by default to ensure automatic compliance with HIPAA email rules.

This means you don’t have to spend time deciding which emails to encrypt and your patients are able to receive your messages right in their inbox—no additional passwords or portals necessary. 

In addition to healthcare email encryption, Paubox Email Suite’s Plus and Premium plan levels include robust inbound email security tools that block ransomware and other attacks from even reaching the inbox in the first place.

Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is legitimate. Additionally, our patented ExecProtect solution quickly intercepts display name spoofing attempts.

Are you in healthcare and concerned about digital security?

Paubox technology is HITRUST CSF certified, patented and provides the most advanced HIPAA compliant email solutions available. Paubox solutions are designed to be effortlessly easy to implement and use.

In fact, Paubox is securing 70,000,000 HIPAA compliant emails each month for over 4,000 healthcare customers and has a 4.9/5 G2 rating.

Whether you are a large hospital or a standalone clinic, Paubox has the right email product to keep your data, organization and patients safe.

Not having email DLP leads to 90,000 patient records breached

Email DLP - Paubox

In April 2015, the New York City Health & Hospitals Corporation’s (HHC) Jacobi Medical Center reported 90,060 patient records were breached when an employee emailed the records to her personal email account. In addition, she also cc’d her new employer. The email was sent shortly before the employee left HHC Jacobi Medical Center to work for another healthcare provider.
Continue reading “Not having email DLP leads to 90,000 patient records breached”

Email DLP can monitor PHI being sent to personal accounts

email security paubox

In January of 2016, officials at Village of Oak Park discovered an employee had emailed spreadsheets containing the protected health information (PHI) of 688 individuals to a personal email account.

The HIPAA violation was uncovered during an internal search for email correspondence between its staff and insurance carriers.
Continue reading “Email DLP can monitor PHI being sent to personal accounts”

Email DLP can curb automatic email forwarding rules

Email DLP - Paubox

Earlier this year, Health Department officials in Multnomah County, Oregon discovered an employee set up an automatic mail forwarder that resulted in a HIPAA violation. The employee in question configured their work email account to automatically forward all email to a personal Gmail account.

As we’ve previously covered, when it comes to Gmail and HIPAA compliance, the two don’t mix. In a nutshell, Google is willing to sign a Business Associate Agreement (BAA) for use with some, but not all, of their services.
Continue reading “Email DLP can curb automatic email forwarding rules”

Lack of email DLP causes HIPAA violation in California

Email DLP - Paubox

In 2015, Hillsides issued a press release alerting the public it became aware of a HIPAA violation caused by one of its employees.

The employee in question had been using their work email to send protected health information to their personal email address.

On at least five occasions between October 2014 and October 2015, the employee sent unencrypted email attachments to their personal email account containing:
Continue reading “Lack of email DLP causes HIPAA violation in California”

New features added to Paubox Email Suite Premium

Paubox DLP Suite - Data Loss Prevention

Over the past two weeks, we’ve leveraged customer feedback as a guide on how to level up the email DLP features for Paubox Email Suite Premium.

As we covered earlier, email DLP (data loss prevention) is a strategy for making sure end users do not send sensitive or critical information outside of a corporate network.
Continue reading “New features added to Paubox Email Suite Premium”

Big money HIPAA fines a good reminder for everyone

paubox hipaa

Whether the result of an innocent mistake or something more malicious, getting caught with a HIPAA violation can bring with it massive financial penalties. Fines and settlements routinely run into the mid-six figures and on several occasions have cost medical providers millions of dollars. Here are some of the largest HIPAA fines ever levied.

Continue reading “Big money HIPAA fines a good reminder for everyone”