Man-in-the-Middle Attacks on ePHI, HIPAA Enforcement in the News
By Danielle Capilla, Chief Compliance Officer for United Benefit Advisors
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued its Man-in-the-Middle Attacks and "HTTPS Inspection Products" guidance. OCR warns organizations that have implemented end-to-end connection security on their internet connections using Hypertext Transfer Protocol Secure (HTTPS) about using HTTPS interception products to detect malware over an HTTPS connection, because the HTTPS interception products may themselves leave the organization vulnerable to man-in-the-middle (MITM) attacks. In an MITM attack, a third party intercepts internet communications between two parties; in some instances, the third party may modify the information or alter the communication by injecting malicious code.
OCR provides a partial list of products that may be affected. Also, OCR provides a method that organizations can use to determine if their HTTPS interception product properly validates certificates and prevents connections to sites using weak cryptography.
OCR emphasized that covered entities and business associates must consider the risks presented to the electronic protected health information (ePHI) transmitted over HTTPS. Further, OCR encouraged covered entities and business associates to review OCR's recommendations for valid encryption processes to ensure that ePHI is not unsecured and the U.S. Computer Emergency Readiness Team's recommendations on protecting internet communications and preventing MITM attacks.
HIPAA Enforcement in the News
Below is a round-up of the settlements recently in the news related to ePHI.
OCR Announces HIPAA Settlement for Impermissible Disclosure of ePHI, Insufficient Risk Analysis, and Insufficient Risk Management Processes
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced its $2.5 million settlement with a wireless health services provider for impermissible disclosure of ePHI. OCR’s investigation revealed that the provider had insufficient risk analysis and risk management processes in place at the time of the impermissible disclosure, including failing to implement policies and procedures regarding ePHI safeguards. The settlement requires the provider to implement a corrective action plan.
OCR Announces HIPAA Settlement for Insufficient Security Management Process for ePHI
OCR announced its $400,000 settlement with a federally qualified health center (FQHC) based on the FQHC’s failure to have a security management process, including risk analyses sufficient to meet the Security Rule’s requirements. The settlement requires the FQHC to implement a corrective action plan. OCR’s announcement also provided a link to its guidance on the Security Rule.
OCR Announces HIPAA Settlement for Failure to Have Business Associate Agreements
OCR announced its $31,000 settlement with a small, for-profit health care provider based on the provider’s failure to produce a signed business associate agreement with its business associate who stored records containing PHI. The settlement requires the provider to implement a corrective action plan.
UBA’s question of the month from employers addressed breach notification requirements:
Q. Under what circumstances do HIPAA's breach notification requirements not apply when a breach of protected health information (PHI) occurs?
A. Generally, breach notification must be provided when a breach of unsecured PHI is discovered. HHS provides only two methods of creating "secured PHI" that would not be subject to the notification requirements if there is a breach: encrypting the PHI or destroying it.
This means that if PHI/ePHI is encrypted or destroyed and a breach occurs, HIPAA's notification requirements are not triggered.