OCR Settles HIPAA Ransomware Cybersecurity Investigation for $90,000. The Office for Civil Rights (OCR) announced a settlement with a provider of emergency medical services in Oklahoma for a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an investigation concerning a ransomware attack on the provider’s information systems. OCR notes that since 2018, there has been a 264% increase in large breaches reported to OCR involving ransomware attacks. The settlement also marks the first enforcement action in OCR’s Risk Analysis Initiative. This enforcement initiative was created to focus select investigations on compliance with the HIPAA Security Rule Risk Analysis provision, a key Security Rule requirement, and the foundation for effective cybersecurity and the protection of electronic protected health information (ePHI).
In May 2022, OCR received a breach report concerning a ransomware incident that encrypted files on the provider’s network. The provider determined that the encrypted files affected the protected health information of 14,273 patients. OCR’s investigation determined that the provider had failed to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems. Under the terms of the resolution agreement, the provider agreed to pay $90,000 and to implement a corrective action plan that will be monitored by OCR for three years. Under the corrective action plan, the provider must: (i) Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI; (ii) Implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in its risk analysis; (iii) Develop, maintain, and revise, as necessary, its written policies and procedures to comply with the HIPAA Rules; and (iv) Train its workforce on its HIPAA policies and procedures. Go here to read the resolution agreement.
FDA Requests USCDI Include Expanded UDI Definition. The Food and Drug Administration (FDA) has proposed to ASTP ONC that the current definition included in the United States Core Data for Interoperability (USCDI) “Unique Device Identifier – Implantable” be replaced by a broader “Unique Device Identifier” element that incorporates all medical devices subject to the FDA Unique Device Identifier (UDI) Rule. This will also remove the need to include the data elements proposed in Level 2, Test Kit Unique Identifier, and Level 1, Instrument Unique Identifier from the Laboratory Data Class. Both of these would fall under the “Unique Device Identifier” data element in the Medical Device Class.
FDA contends that the main use case is patient safety and the ability to reliably identify medical devices that have been used by patients, used for patient care, or implanted in the patient during a healthcare encounter, regardless of the setting. FDA states that availability of the device identifier in the electronic medical record enables the following improvements in health care: (i) Effective reporting and evaluation of adverse events involving medical devices: electronic recording of the UDI at the point of care enables providers to specifically identify the device(s) involved in adverse events, allowing device-specific post-market surveillance, such as the ability to identify potential safety signals and performance issues; and (ii) Availability of the UDI in the EHR enables unambiguous linkage of a specific device to patient outcomes for longitudinal evaluation and real-world evidence. Read the complete FDA submission here.
OCR and ASTP/ONC Release New Version of the Security Risk Assessment Tool. OCR and the Assistant Secretary for Technology Policy (ASTP), Office of the National Coordinator for Health IT (ONC) announced the release of version 3.5 of the Security Risk Assessment (SRA) Tool. The SRA Tool is designed to aid small and medium-sized health care organizations in their efforts to identify and assess potential risks and vulnerabilities to electronic protected health information (ePHI) when conducting a risk analysis as required by the HIPAA Security Rule. Conducting an accurate and thorough risk analysis is a foundational activity to protect ePHI and comply with the HIPAA Security Rule. The downloadable SRA Tool is a desktop application that walks users through multiple choice questions to help identify and assess potential risks and vulnerabilities to ePHI. References and best practices to strengthen an organization’s cybersecurity posture are provided while using the tool.
This latest version of the SRA Tool includes enhancements and improvements based on current cybersecurity guidance and user feedback from previous versions, including: (i) New and enhanced guidance and instructions within the SRA Tool; (ii) NIST Cybersecurity Framework (CSF) 2.0 references (replacing NIST CSF 1.1); (iii) Healthcare and Public Health (HPH) Cybersecurity Performance Goal (CPG) references; (iv) New content on mitigating organizational threats and vulnerabilities; (v) New content on cybersecurity supply chain risks; and (vi) Bug fixes and content improvements. Go here to download the SRA Tool.
ASTP/ONC Outlines Current State of Information Blocking Violations by Providers, Developers. In a blog post, ASTP/ONC described how the agency has received over one information blocking complaint each business day since the regulation went into effect in April 2021, and almost 90% of these complaints have been against health care providers. During listening sessions the agency conducted, it heard concerns about many kinds of practices conducted by health care providers. One concern raised was that health care providers may be imposing pre-conditions on the access, exchange, and use of electronic health information (EHI) that are not required by the HIPAA Privacy Rule or the law of any jurisdiction in which they operate. Other concerns involved perceived barriers to access such as gatekeeping, delays, and difficulties in establishing the connection or registration of apps used by patients to access their EHI.
Interested parties have also raised specific concerns regarding API-related practices by developers of certified health IT. Some concerns described developers’ failures to publish service base URLs for patients’ access to their EHI (45 CFR 170.404(b)(2)), and developers’ willingness to provide the URLs only to specifically approved apps. Other concerns described developers’ refusals to register and enable apps for production use within the required time (45 CFR 170.404(b)(1)(ii)), after authenticity verification had been completed. In light of the feedback the agency has received through listening sessions and complaints, it strongly encourages all information blocking actors and specifically health IT developers of certified health IT to review the examples of practices that could implicate the information blocking regulations.
HC3 Publishes Warning on Vulnerabilities Affecting Oracle Applications. The Health Sector Cybersecurity Coordination Center (HC3) published an Analyst Note on the "Miracle Exploit," a set of critical vulnerabilities affecting Oracle applications. The "Miracle Exploit" refers to a set of critical vulnerabilities in Oracle products, primarily affecting Oracle Fusion Middleware and its ADF Faces framework, which is used to build web interfaces for Java EE applications. This exploit, disclosed in 2022, includes CVE-2022-21445 and CVE-2022-2149, both of which allow attackers to execute remote code without authentication. This can lead to full system compromise, potentially exposing sensitive data and enabling lateral movement within a network. The HC3 termed the vulnerabilities "Miracle Exploit" due to their severity and widespread impact. Organizations using affected Oracle products are advised to immediately apply patches to avoid exploitation.
CISA Releases Tips to Improve Online Safety. The Cybersecurity and Infrastructure Security Agency (CISA) released Secure Our World, the agency’s cybersecurity awareness program. The program is designed to inform the public about opportunities to improve online safety and security. CISA identified four steps that individuals and organizations can take to reduce the likelihood of falling victim to online deceptive practices. Step one: Use strong passwords (tip sheet); Step two: Turn on multi-factor authentication (MFA) (tip sheet); Step three: Update organizational software (tip sheet); and Step four: Recognize and report phishing attacks (tip sheet).
ASTP/ONC Releases New Inferno Test Kit. ASTP/ONC released a new Inferno Test Kit to support testing of components of the HL7® FHIR® Subscriptions R5 Backport IG v1.1. Additionally, the Inferno SMART App Launch Test Kit has been updated with support for SMART App Launch v2.2 and its “User-access Brands and Endpoints” specification. Inferno is a health API testing framework for creating, executing and sharing FHIR® conformance tests. The health IT community may use these voluntary Test Kits to test their implementations and further advance FHIR® implementation guides (IGs). Go here to access the Inferno Test Kits.
Reminder: 2024 MVP Registration Now Open. CMS reminds participants in the Merit-based Incentive Payment System (MIPS) Value Pathways (MVPs) that the registration window is now open for the 2024 performance year. Individuals, groups, subgroups, and Alternative Payment Model (APM) Entities that wish to report an MVP can register until December 2, 2024, at 8 p.m. ET. To register, sign in to the Quality Payment Program (QPP) website with your HCQIS Access and Roles Profile (HARP) account. This differs from the 2023 process of completing an Excel form and emailing the QPP Service Center. Note that you must have a HARP account and the QPP Security Official role to complete the MVP Registration.
For more information on HARP accounts, please refer to the Register for a HARP Account document in the QPP Access User Guide. For more information on obtaining the QPP Security Official role, review the Connect to an Organization document in the QPP Access User Guide.
Before you register, you will need to have the following items identified: (i) The MVP you plan to report; (ii) Whether you plan to administer the Consumer Assessment of Healthcare Providers and Systems (CAHPS) for MIPS Survey, if it is a quality measure option in your selected MVP; (iii) Whether you want to be evaluated on an outcomes-based administrative claims quality measure, if it is a quality measure option in your selected MVP; (iv) The population health measure you would like to be evaluated on: 2024 Hospital-Wide All-Cause Unplanned Readmission Measure or 2024 Clinician and Clinician Group Risk-standardized Hospital Admission Rates for Patients with Multiple Chronic Conditions; and (v) The participation option you plan to use: individual, group, subgroup, or APM Entity.
Individuals, groups, subgroups and APM Entities will register on the Quality Payment Program (QPP) website. You will need to have the Security Official role in order to register your organization. Please refer to the QPP Access User Guide for information about obtaining a Security Official role for your organization. To register: (i) Sign in to QPP; (ii) Click Register or edit an MVP registration from the landing page; and (iii) Click your MVP reporting option.