New HIPAA Guidance on Ransomware: OCR’s encryption “gold standard” is no longer “golden”

August 8, 2016September 7, 2016 WyattLLP Cyber Security and Cyber Crime, Data Privacy & Security, HIPAA breach, encryption, healthcare cybersecurity, LoProCo Analysis, Office for Civil Rights, privacy and security of protected health information, ransomware

By Margaret Young Levi and Kathie McDonald-McClure

Ransomware encrypts a user’s data and denies access to that data until a ransom is paid. The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has released new guidance to help health care entities better understand and respond to the ever-increasing threat of ransomware. On July 11, 2016, HHS posted a blog entitled “Your Money or Your PHI: New Guidance on Ransomware.” The HHS blog post includes a Fact Sheet for health care entities regarding ransomware. This blog post highlights some of the more striking points in the OCR Fact Sheet and considerations for entities subject to HIPAA in addressing ransomware attacks.

Ransomware can cause harm beyond denying access to data. The OCR Fact Sheet provides useful technical details about how ransomware malware works, and notes that data can be exfiltrated (i.e., transferred outside the computer network system). Exfiltration can occur before or after the ransomware attack that encrypts the data. It depends on the type of malware employed in the attack. An April 2016 ransomware report from the Institute for Critical Infrastructure Technology (ICIT) provides even more technical details about the types of ransomware currently in use. The ICIT report states that advanced persistent threats (APTs) and other hackers interested in collecting confidential data use ransomware as a form of distraction while stealthily using other malware to exfiltrate data.

The use of ransomware has skyrocketed. According to OCR, the number of ransomware attacks has risen steeply in the last year, from an average of 1,000 per day in 2015 to an average of 4,000 attacks daily since January 1, 2016, including some very public attacks on hospitals. Hospitals and other health care providers are especially vulnerable to Continue reading →

Corporate Counsel magazine quotes Wyatt attorneys on changes to Tennessee data breach law

April 20, 2016 WyattLLP Cyber Security and Cyber Crime, Data Privacy & Security, Privacy & Security Corporate Counsel magazine, data breach, data privacy and data security, encryption, Tennessee

Kathie McDonald-McClure and Matt San Roman, members of Wyatt’s Data Privacy & Security Service Team, were recently interviewed for Corporate Counsel magazine. The article, “Tennessee Enacted the Toughest Data Breach Law Yet,” addresses the new amendment to the Tennessee Identity Theft Deterrence Act of 1999. The amendment, among other changes, may eliminate the “encryption safe harbor” rule (pending a legislative fix to other language that may keep it in). Other states may follow suit if cybercriminals demonstrate ways around popular encryption methods.

Please note that the full text of the article is only available to subscribers. To read our prior blog posts discussing the Tennessee amendment in more detail, click here and here.

Tennessee’s Data Breach Law Drawing National Attention

April 14, 2016April 20, 2016 Kathie McDonald-McClure Cyber Security and Cyber Crime, Data Privacy & Security, Health Information Technology, HIPAA, Privacy & Security ACC, Association of Corporate Counsel, Corporate Counsel magazine, state data breach notification laws, Tennessee data breach law

By Kathie McDonald-McClure

We recently posted an article about Tennessee’s amendment to its data breach notification law. This amendment has drawn much attention among cyber security professionals and corporate general counsel across the country. As Jennifer Williams-Alvarez reported in her article for Corporate Counsel magazine, cyber security was a plenary session topic at the 2016 Association of Corporate Counsel (ACC) Mid-Year Meeting in New York City this week. See “At ACC Event, Experts Say Data Breaches Are Inevitable. So Now What?”, Corporate Counsel (April 14, 2016)(Read more: here). In fact, an ACC Foundation report on the “State of Cybersecurity”, released in December 2015, said one-third of in-house counsel reported that their companies experienced a data breach and more than one-half reported increased spending in cybersecurity.

Matt San Roman and I spoke with Ms. Williams-Alvarez this morning. She is working on a follow-up article regarding the amendments (HB2005 and SA0618) to the Tennessee data breach law. When the article is published, we will provide a link here for those of you who are not currently Corporate Counsel subscribers. Stay tuned . . .

Tennessee Amends Data Breach Notification Law – Removes Encryption Exemption (or does it?)

April 4, 2016April 20, 2016 Kathie McDonald-McClure Cyber Security and Cyber Crime, Data Privacy & Security, Health Information Technology, HIPAA Apple iphone encryption, encryption as the gold standard, encryption safe harbor, state data breach notification laws

By Kathie McDonald-McClure and Matt San Roman

data-breaches-notification

On March 24, 2016, Tennessee Governor Bill Haslam signed into law SB2005 as amended by SA0618, revising the Tennessee Identity Theft Deterrence Act of 1999, currently codified at T. C. A. § 47-18-2101, et seq. Under the revised law, organizations subject to the law that experience a data breach will be required to notify affected individuals in Tennessee “immediately” and no later than 45 days from the discovery or notification of a security breach of computerized personal information, unless a law enforcement investigation related to the breach requires a delay in notification. While most similar state laws refrain from mandating a definite period within which to provide notification to affected individuals or state agencies, Tennessee, effective July 1, 2016, will join seven other states in requiring notification within a specific time.

Perhaps more notably with this amendment, Tennessee “may” be the first state in the United States to remove the encryption safe harbor.* The 46 other state data breach notification laws require notification to affected individuals if Continue reading →

A Single Stolen, Unencrypted Laptop Can Cost Entities Millions of Dollars

March 21, 2016 Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, Privacy & Security electronic protected health information, encryption, ePHI, Federal Law Resources, Office for Civil Rights, Privacy and Security Rules, U.S. Department of Health and Human Services

Earlier this week, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced two, multimillion dollar settlements relating to “potential” privacy and security violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Both settlements stem from the entity’s reports to OCR of the thefts of unencrypted laptops containing electronic protected health information (ePHI) even though one of the laptops was password protected.

First, on March 16, 2016, OCR announced that North Memorial Health Care of Minnesota agreed to pay $1,550,000 to settle potential violations of the HIPAA Privacy and Security Rules after a laptop containing the ePHI of 9,497 individuals was stolen from the vehicle of one of its contractors in July 2011.

OCR’s subsequent investigation determined that North Memorial failed to enter into a business associate agreement with this contractor, as required under the HIPAA Privacy and Security Rules. The investigation also discovered that North Memorial failed to conduct an organization-wide risk analysis to address all of the risks and vulnerabilities to its ePHI. OCR concluded Continue reading →