Wyatt HITECH Law

A Blog About Health Information Technology, Privacy & Security Developments


Leave a comment

FDA Issues Cybersecurity Guidance to Medical Device Manufacturers

The U.S. Food & Drug Administration (FDA) has issued guidance setting forth its current thinking on issues related to cybersecurity of medical devices.

Because medical devices increasingly store or transmit sensitive patient health information, there are increased security risks of unauthorized access, modification, misuse or denial of use, or the unauthorized use of this information. Medical devices that connect to other devices or to the Internet or which have USB or other data ports are especially vulnerable. The FDA notes that “[f]ailure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death.” Continue reading


Leave a comment

NIST Assigns Highest Risk Level to New Cyber Risk: BASH aka Shellshock

19073625On Wednesday, September 24, 2014, news broke about a newly discovered cyber security threat referred to as the BASH flaw or Shellshock.  By Thursday, September 25, 2014, cyber security experts were confirming the cyber vulnerability threat for users of UNIX and Linux based systems, including MAC IO X.  The National Institute of Standards & Technology (NIST) has rated the BASH flaw a 10 out of 10 on its vulnerability severity scale. Click here for the NIST alert. 

Devices containing the BASH flaw may include millions of stand-alone Web servers and Internet-connected devices.  HITRUST issued an alert to healthcare providers urging them to take appropriate steps to safeguard their systems.  The HITRUST alert states, in part:

“The HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) has been tracking and reporting on the Remote Code Execution Vulnerability Discovered in Bash on UNIX-based Operating Systems (OS). HITRUST C3 is issuing this alert to ensure healthcare organizations are appropriately informed and taking steps to safeguard their systems and have sufficient information to communicate the background and implications to others in their organizations. HITRUST C3 – Healthcare Sector Cyber Threat Report HI255-14.”

According to Fierce HealthHIT: “The vulnerability happens when Bash is starting up; and it could allow a hacker to create a malicious code that would allow them to gain control of a compromised server.”  HITRUST and many other cyber experts are stating that the BASH Shellshock bug is worse than Heartbleed, which was the flaw discovered in the widely used website encryption code, OpenSSL, an issue on which we reported in April 2014.  The BASH flaw reportedly allows a hacker to completely take over a computer or server.

This is one of the more complicated cyber risk flaws to try to explain to the public, but this chap from UK has produced a 4-minute You Tube video trying to do just that.  We are not vouching for the accuracy of this video (especially given that we are not computer scientists), but we can recommend following his advice at the very end of the video:  “Make sure you keep your computers and any servers you run up to date with security patches and security fixes.”  If you want a more technical description of BASH, see the article published by Troy Hunt, Software architect and Microsoft MVP, on his blog at troyhunt.com or click here.


Leave a comment

September 22, 2014 Deadline for Business Associate Agreements

September 22nd Deadline Fast Approaching

September 22nd Deadline Fast Approaching

The final HIPAA Omnibus Rule (Omnibus Rule), published in the Federal Register on January 25, 2013, substantially increased the privacy and security responsibilities of a “business associate” of a “covered entity”, as those terms are defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)(see discussion later in this post regarding the expansion of the “business associate” definition).  Among other changes, the Omnibus Rule requires a covered entity and business associate to revise their business associate agreement (BAA) to reflect the business associate’s new obligations.  All BAAs signed after January 24, 2013 should already include new language necessary to comply with the Omnibus Rule.  BAAs that were signed on or before January 24, 2013 were deemed compliant until September 22, 2014; however, if renewed or modified before that date then they must be brought into actual compliance at that time.  Covered entities and business associates must ensure that all BAAs are compliant with the Omnibus Rule before the September 22, 2014 deadline. Continue reading

Follow

Get every new post delivered to your Inbox.

Join 1,256 other followers