New Kentucky Data Breach Rules Go into Effect

Kentucky imposes new security and data breach notification requirements.

In its most recent legislative session, the Kentucky General Assembly enacted two new data breach laws, HB 5 and HB 232, which go into effect July 15, 2014. Kentucky governmental agencies, those doing business with governmental agencies, and persons simply doing business in Kentucky should be aware of these added data security and breach notification requirements. Some level of comfort may be taken by health care providers, health insurance companies, banks, or others who are subject to either the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or Title V of the Gramm-Leach-Bliley Act of 1999, as at least HB 232 appears to exempt them.  However, questions remain as to whether HIPAA-covered entities and banks are exempt under HB 5 when they have a contract with a state agency and receive personal information from the agency.  Hopefully this issue will be sorted out in the rule-making to come, before additional requirements of HB 5 kick in on January 1, 2015.


Healthcare CIOs Face Cyber Risk: Internet Explorer Gives Hackers Total Access (Microsoft Issues Patch)

Microsoft's IE browser allows hackers to get keys for total access to otherwise secured data

Updated May 1, 2014 at 5:30 pm

The old weather proverb about March, in like a lion and out like a lamb, hit April in reverse in the world of cyber security. While the first six days of April seemed relatively calm in the cyber world, on Monday, April 7, 2014, the Heartbleed flaw in encryption security was announced (see our previous post here). As of April 26, 2014, the month was still roaring like a lion with yet another newly discovered cyber security threat, this one to Internet Explorer (IE), first announced by FireEye Research Labs. Microsoft quickly confirmed the flaw on its Security TechCenter webpage. Today, May 1, 2014, Microsoft released a critical security update announcing a patch for all versions of Microsoft IE, including XP, that contain the flaw. This patch, which fixes the vulnerability discussed further in this article, should be installed immediately.

IE’s Vulnerability Dubbed “Operation Clandestine Fox.”  FireEye named the flaw “Operation Clandestine Fox” for a couple of reasons.  One is that hackers are already exploiting the vulnerability in an active “campaign.”  Further, FireEye said the exploits are “clandestine” because the hackers lure computer users to malicious web code, like a “fox” who lures prey to a watering hole and then moves in for the kill.

With the IE vulnerability, the hacker can use Adobe Flash content, a popular website or an email to bait the computer user into clicking on malicious HTML code. This allows the hacker to download malicious software to the user’s computer. Once the software is downloaded, the hacker gains access to the user’s computer and can then gather the information needed to access other programs and networks accessed by the user. Such access can include otherwise secure servers, databases and networks. The risk has been perceived as sufficiently significant to prompt the U.S. Department of Homeland Security to issue a security advisory on its CERT Vulnerability Alerts Database webpage. Microsoft and Homeland Security are updating their advisories almost daily, requiring daily, if not hourly, vigilance on the part of Chief Information Officers (CIOs) in developing a responsive action plan.

HIPAA Security Rule Compliance: Develop An Action Plan. CIOs should immediately assess newly identified cyber security vulnerabilities posed to their networks and develop an action plan to address them. The risk assessment should include an evaluation of how confidential electronic data is accessed by others such as employees, medical staff, patients, and third-party vendors. Ensuring security is especially critical for those who can remotely access your organization’s electronic health record system.

Healthcare CIOs: Check for vulnerability of OpenSSL servers to Heartbleed

Updated April 13, 2014 at 6:30 pm

CYBER RISK ALERT! Just when we thought we were safe online while using websites that display the key security “https” in the URL, we learn that nothing could be further from reality. On April 7, 2014, security researchers at Codenomicon announced the discovery of a flaw in OpenSSL (Secure Sockets Layer), which is used in an estimated two-thirds of the servers that support websites displaying the “https” letters that we have come to trust. Based on the back-end technology of OpenSSL, which involves what is called a “heartbeat” extension and a leakage of data from the server, this new cyber liability threat has been dubbed Heartbleed.

Vulnerability of HIT and Compliance with HIPAA. Although the OpenSSL flaw’s name has no direct connection to health information technology (HIT), it ironically could be a pain for health care providers.

March 1, 2014 is Deadline to Report Breaches Affecting Less than 500

Saturday, March 1, 2014, is the deadline for entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to report to the U.S. Department of Health & Human Services Office for Civil Rights (OCR) all “small breaches” of unsecured protected health information that occurred during 2013. Entities subject to this deadline include health care providers that conduct certain transactions in electronic form, health plans and health care clearinghouses. A “small breach” is a breach affecting fewer than 500 individuals.

Although affected individuals must be notified within 60 days of the breach’s discovery, the breach itself also must be reported to OCR within 60 days of the close of the calendar year in which it was discovered, or by March 1 of the following year.  The notice must be submitted electronically.  A separate breach notification form must be completed for each breach.  To submit breach notification reports to OCR, click here.

Remember: HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the HIPAA Omnibus Rule, has a new definition of a “breach” that became effective March 26, 2013. It is OCR’s position that a breach is presumed unless an entity can demonstrate that there is a Low Probability that the data has been Compromised (LoProCo). With any loss, theft or potential unauthorized access to unsecured protected health information, entities should immediately perform a risk assessment and look at certain factors to decide whether there is a low probability of compromise, or LoProCo. If a LoProCo analysis is not done, a breach is presumed and, even if under a LoProCo analysis it would not have been a breach, a loss, theft or unauthorized access of unsecured protected health information must be reported as a breach to OCR. For more information about the LoProCo analysis, see our previous post on December 1, 2013, here.

Puerto Rico Imposes Massive Fine for Insurer’s Data Breach

The Puerto Rico Health Insurance Administration has fined Triple-S Salud Inc. (TSS) $6.8 million for failure to safeguard Medicare beneficiary numbers. This far exceeds any fine imposed by or settlement reached by the United States Office for Civil Rights to date for HIPAA data breaches. How did the fine reach such a staggering amount? What lessons can be learned?