HHS Proposed Rule Aligns Regulation on Confidentiality of Substance Use Disorder Treatment Records with HIPAA

by Kathie McDonald-McClure

On November 28, 2022, the Secretary for the United States Department of Health & Human Services (HHS) released a Proposed Rule to amend the requirements in Title 42, Part 2, on confidentiality of substance use disorder (SUD) patient records in federally assisted Part 2 Programs.  Part 2 protects the confidentiality of SUD patient records (which generally include alcoholism, alcohol abuse, and drug abuse treatment and prevention records) by restricting the circumstances under which Part 2 Programs or other lawful holders can disclose such records.

Section 3221 of the CARES Act of 2020, enacted by Congress on March 27, 2020, in response to the COVID-19 pandemic, in effect, had amended Title 42, Part 2, to align it with HIPAA but also required HHS to implement these amendments in the Part 2 regulation through the rule-making process. The 260-page Proposed Rule, in sum, would incorporate requirements and definitions from the HIPAA rules into the 40-year-old Part 2 regulation, including HIPAA’s consent, disclosure, de-identification, unsecured PHI and breach notification requirements, as well as HIPAA penalties for noncompliance.

Part 2 Compliance Challenges. For years, providers who are subject to both HIPAA and Part 2’s separate privacy requirements for SUD records have had to grapple with identifying and segregating SUD records that are subject to Part 2 from records that are subject only to HIPAA. In the Proposed Rule, HHS acknowledges that this has contributed to ongoing operational and compliance challenges for providers. HHS notes several examples of this challenge, including the following:  

For example, once a HIPAA covered entity or business associate disclosed PHI to a person who was not a covered entity or business associate, the information was no longer protected by the Privacy Rule, and thus the Privacy Rule’s limitations on uses and disclosures did not apply. In contrast, Part 2 strictly limited the re-disclosure of Part 2 records by any individual or entity that received a Part 2 record directly from a Part 2 program or other “lawful holder” of patient identifying information, absent written patient consent or as otherwise permitted under the regulations.

(Proposed Rule, pp. 19-20.)

SUD Treatment De-Stigmatization & Coordination. HHS additionally notes that the continued segregation of Part 2 Program SUD records sets these records apart in ways that perpetuate the stigma surrounding a person with SUDs.

Prior to passage of the CARES Act, Congressional hearings on the Opioid Crisis had already highlighted the need for HHS to promulgate regulations modifying the confidentiality requirements for Part 2 records to align with HIPAA. Testimony before Congress was that SUD records were being withheld in ways that inhibit care coordination between providers of a person’s mental health and physical health, conditions that are inextricably linked. In the HHS Announcement of the Proposed Rule, Secretary Becerra says, “This proposed rule would improve coordination of care for patients receiving treatment while strengthening critical privacy protections to help ensure individuals do not forego life-saving care due to concerns about records disclosure.” 

Summary of Changes. Some of the most significant changes would include:

Continue reading

CISA Discourages Use of App-Based, SMS and Voice MFAs and Encourages Phishing-Resistant MFAs

Cyber Threat Actors Are Breaking the Security of Commonly Used MFAs

By: Kathie McDonald-McClure

A best practice in securing sensitive data is to deploy Multi-Factor Authentication (MFA) to prevent access by unauthorized users to internet-connected sources for such data. MFA requires authorized users to present a combination of two or more different authenticators (something you know, you have, or you are) to verify identity prior to access. MFA makes it more difficult for unauthorized users to gain access to servers and applications. For example, if one factor, such as a PIN, becomes compromised, the unauthorized user cannot gain access if they do not have the second factor, such as a mobile token or fingerprint.

Cyber security experts recommend MFA for all internet-facing applications with access to sensitive information. Such applications include remote desktop, Virtual Private Networks (VPNs), email accounts, financial and accounting software, file sharing and document management platforms, CRM, just to name a few.

Demonstrated compromises in commonly used MFAs prompts CISA to issue guidance. On October 31, 2022, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released Guidance on Phishing-Resistant and Numbers Matching Multifactor Authentication. The CISA Guidance includes two Fact Sheets. One Fact Sheet, Implementing Phishing-Resistant MFA, describes the methods cyber threat actors are using to gain access to MFA credentials. These methods include phishing emails and malicious websites, MFA fatigue, exploitation of SS7 protocol vulnerabilities, and SIM swapping. This CISA Fact Sheet identifies App-Based MFA and SMS or Voice MFA as being particularly vulnerable to these methods of stealing MFA credentials.

CISA strongly encourages organizations currently using App-Based, SMS or Voice MFA to migrate to a Phishing-Resistant MFA for as many applications as is feasible. CISA indicates that the currently available Phishing-Resistant MFA options are limited to FIDO/WebAuthn (included in most major browsers) and the PKI-based MFA (smart cards used with SSO technologies). App-Based MFAs verify the identity of users either by generating a one-time password (OTP) or sending a “push” pop-up notification to the mobile application. SMS and Voice MFAs send a code to the user’s phone or email. The user then retrieves this second factor code from their text or email to use for login authentication. CISA says that SMS and Voice MFA should only be used as a last resort.

CISA acknowledges there are several stumbling blocks to the deployment of Phishing-Resistant MFAs. These include the lack of support for it in the organization’s existing systems and products, difficulty in deploying it to all staff members at once, and upper management concerns that users will resist the migration. Nevertheless, CISA recommends that the organization’s IT leadership prioritize the migration to Phishing-Resistant MFA in logical phases focusing on the technologies at highest risk, such as email systems, file servers, and remote access systems, and the users who are high-value targets, such as system administrators, attorneys, HR staff, and others with access to sensitive data.

What if your organization uses mobile push-notification based MFA and migration to Phishing-Resistant MFA is not feasible? CISA recommends using “number matching” in the MFA application to mitigate MFA fatigue. CISA says, “MFA fatigue, also known as ‘push bombing,’ occurs when a cyber threat actor bombards a user with mobile application push notifications until the user either approves the request by accident or out of annoyance with the nonstop notifications.” Refer to the CISA Fact Sheet titled, Implementing Number Matching in MFA Applications, for guidance on how to enable “number matching” on MFA configurations to prevent MFA fatigue.

So why is a lawyer writing this technical piece? We assist clients proactively to prevent security breaches and reactively after a security incident in the preparation or revision of IT data security policies and procedures necessary to meet regulatory, contractual, cyber insurance underwriting, and other third-party expectations. If you are looking for assistance in this area, and to learn more about Wyatt’s data privacy and security practice, visit Data Privacy and Cyber Security.

If you need additional information, please contact:

Kathie McDonald-McClure

Phone: 502.562.7526

Email: kmcclure@wyattfirm.com

“Shields Up” Cyber Threat Alert Issued for All U.S. Organizations

By Kathie McDonald-McClure

The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a Shields UpAlert for every organization in the United States. The Shields Up Alert states that, as a result of the Russian government’s use of cyber as a key component of asserting pressure on a country’s government, military and population, “[e]very organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety.” The Shields Up Alert sets forth specific recommended actions for organizations to take, regardless of size, to:

  • Reduce the likelihood of a damaging cyber intrusion,
  • Quickly detect a potential intrusion,
  • Ensure the organization is prepared to respond to an intrusion, and
  • Maximize the the organization’s resilence to a destructive cyber incident.

Read the full Shields Up Alert here.

Apache Log4j Vulnerability in Java Applications May Pose Risk to Confidential Company and Personal Information

By: Kathie McDonald-McClure

On December 11, 2021, the United States Cybersecurity & Infrastructure Security Agency (CISA), issued a Statement regarding what it called a “critical vulnerability affecting products containing the log4j software library”.  This Statement emphasizes that end users are reliant on their vendors to inform them about the vulnerabilities and to develop patches to protect against the vulnerabilities.   Separately, CISA established a webpage for Apache Log4j Vulnerability Guidance that CISA is continually updating to impart further guidance and vendor information as they become available.  End users should be on the lookout for critical patches from their vendors.

According to the CISA Guidance, the Log4j vulnerability is being widely exploited by a growing set of malicious actors to steal information, launch ransomware attacks, or conduct other malicious activity such as taking over a company server to mine cryptocurrency.  At least 10 major technology vendors have issued statements that one or more of their products have been affected by the Log4j vulnerability: Cisco, IBM, VMware, Amazon Web Services (AWS), Fortinet, Broadcom, ConnectWise, HCL Connections, N-Able, and Okta.[1] On December 15, 2021, the Microsoft 365 Defender Threat Intelligence Team reported that a new family of ransomware, called Khonsari, is being deployed via the Log4j vulnerability on non-Microsoft hosted servers.

Continue reading