New HIPAA Exception Allows Covered Entities to Report Behavioral Health Considerations Applicable to Possessing a Firearm

As of February 5, 2016, a change in the law allows certain health care providers to report the identity of an individual who is prohibited from possessing a firearm for mental health reasons to the National Instant Criminal Background Check System (“NICS”). The Department of Health & Human Services (“HHS”) amended the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to allow such reporting by health care providers who are a “covered entity” under HIPAA and who are: state agencies; designated by the state with lawful authority to make the adjudications or commitment decisions that make individuals subject to a “mental health prohibitor”; or serve as repositories of information for NICS reporting purposes. The Final Rule that makes this amendment to HIPAA was published in the Federal Register on January 6, 2016.

Before this amendment, health care providers who are “covered entities” under HIPAA could report information to the NICS only if:

(1) the health care provider had designated itself as a “hybrid entity” where the Privacy Rule would apply only to the entity’s functions that are subject to […]

Kentucky Chamber To Host Cyber Security Seminar on December 17, 2015


Data privacy and security issues are bursting at the seams in all industry sectors due to the ability to connect to the internet through networks, apps and a multitude of devices that enable individuals and organizations to collect, transmit, store and use information in a multitude of ways. Connecting to the internet poses privacy and security risks regarding confidential information that, if used or disclosed in certain ways, can result in significant financial and reputational harm to the entity, its employees, clients, customers and others.

  • Is your company counting on you to make sure it doesn’t have a data breach and end up on the front page?
  • Do you know the latest ways that cyber thieves are trying to gain access to your data?
  • Are you learning from others’ mistakes, so that your company doesn’t have to learn the hard way?
  • Are your policies in step with state and federal laws and regulations as well as government enforcement trends?
  • Do you have a plan for dealing with the financial hit that would accompany a data breach?

If these questions have been weighing on you, as your company’s CEO, CFO, IT manager, HR manager, in-house counsel or risk officer, come to a one-day conference on December 17, 2015, in Lexington, Kentucky, hosted by the Kentucky Chamber of Commerce and sponsored by Wyatt, Tarrant & Combs, LLP. Learn about trends in security, legal compliance, risk management and law enforcement on cyber security and data protection and gain practical, hands-on information that you can take back to your company, which will begin paying dividends right away.

FTC Releases Report and Practical Advice on the Internet of Things

On January 27, 2015, the Federal Trade Commission (FTC) released a staff report entitled “Internet of Things: Privacy & Security in a Connected World.” This report suggests steps businesses can take to protect consumers’ privacy and security as they use objects that connect and send data to the Internet.

The FTC Staff Report defines the Internet of Things (IoT) as “the ability of everyday objects to connect to the Internet and to send and receive data.” Examples of such objects are bracelets that track fitness activities and share the data with friends, cameras that post pictures online, RFID tags to monitor inventory, and home automation systems to monitor lights, temperature and security and report to homeowners when they are away. In health care, such objects include medical devices that monitor vital signs and other patient data, such as insulin pumps and blood pressure cuffs, and then share this data with physicians and caregivers. Basically, the IoT is “essentially any other Internet-connected device that isn’t a mobile phone, tablet, or traditional computer.”

The number of “things” connected to the Internet is greater than the number of people, and, as of this year, there will be 25 billion devices connected to the Internet. But this increased connectivity comes with increased privacy and security risks. First, financial and personal data stored on these devices can be stolen. Second, when the objects are connected to a network, security vulnerabilities in the objects may […]

FDA Issues Cybersecurity Guidance to Medical Device Manufacturers

The U.S. Food & Drug Administration (FDA) has issued guidance setting forth its current thinking on issues related to cybersecurity of medical devices.

Because medical devices increasingly store or transmit sensitive patient health information, there are increased security risks of unauthorized access, modification, misuse or denial of use, or the unauthorized use of this information. Medical devices that connect to other devices or to the Internet or which have USB or other data ports are especially vulnerable. The FDA notes that “[f]ailure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death.”

NIST Assigns Highest Risk Level to New Cyber Risk: BASH aka Shellshock

On Wednesday, September 24, 2014, news broke about a newly discovered cyber security threat referred to as the BASH flaw or Shellshock. By Thursday, September 25, 2014, cyber security experts were confirming the vulnerability for users of UNIX- and Linux-based systems, including Mac OS X. The National Institute of Standards & Technology (NIST) has rated the BASH flaw a 10 out of 10 on its vulnerability severity scale.

Devices containing the BASH flaw may include millions of stand-alone Web servers and Internet-connected devices. HITRUST issued an alert to healthcare providers urging them to take appropriate steps to safeguard their systems. The HITRUST alert states, in part:

“The HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) has been tracking and reporting on the Remote Code Execution Vulnerability Discovered in Bash on UNIX-based Operating Systems (OS). HITRUST C3 is issuing this alert to ensure healthcare organizations are appropriately informed and taking steps to safeguard their systems and have sufficient information to communicate the background and implications to others in their organizations. HITRUST C3 – Healthcare Sector Cyber Threat Report HI255-14.”

According to FierceHealthIT: “The vulnerability happens when Bash is starting up; and it could allow a hacker to create a malicious code that would allow them to gain control of a compromised server.” HITRUST and many other cyber experts are stating that the BASH Shellshock bug is worse than Heartbleed, which was the flaw discovered in the widely used website encryption code, OpenSSL, an issue on which we reported in April 2014. The BASH flaw reportedly allows a hacker to completely take over a computer or server.

This is one of the more complicated cyber risk flaws to try to explain to the public, but this chap from the UK has produced a 4-minute YouTube video trying to do just that. We are not vouching for the accuracy of this video (especially given that we are not computer scientists), but we can recommend following his advice at the very end of the video: “Make sure you keep your computers and any servers you run up to date with security patches and security fixes.” If you want a more technical description of BASH, see the article published by Troy Hunt, software architect and Microsoft MVP, on his blog at troyhunt.com.
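The practical follow-up to that advice is to confirm the patch actually landed. The script below is an added example, not part of the original post or of the HITRUST or NIST alerts; it runs the widely published self-test for the flaw described above and assumes only that a bash binary is installed on the host being checked.

```shell
#!/bin/sh
# Added example: does the local bash still have the Shellshock behaviour?
#
# The flaw sits in how bash imports exported variables at startup: a value
# that looks like a function definition ("() { ...; }") was parsed, and on an
# unpatched bash anything appended after the closing brace was executed too.
# A patched bash only imports the function body and ignores trailing text.

# Returns 0 when bash is patched, 1 when it executed the trailing code,
# 2 when bash could not be found or failed to start.
shellshock_check() {
    bash_bin=${BASH:-bash}              # reuse the running bash if we are in one
    command -v "$bash_bin" >/dev/null 2>&1 || return 2

    # The harmless "echo vulnerable" is the trailing text; the child's own
    # command prints "probe" so we can tell "patched" from "bash did not run".
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null)

    case "$out" in
        *vulnerable*) return 1 ;;       # trailing code ran: unpatched bash
        *probe*)      return 0 ;;       # only the command's output: patched
        *)            return 2 ;;       # bash failed to start
    esac
}

# Stand-alone use: report the result in plain language for the system owner.
shellshock_check && rc=0 || rc=$?
case "$rc" in
    0) echo "OK: bash ignores trailing code in function-style environment variables" ;;
    1) echo "WARNING: bash executed trailing code; install the vendor's bash security update" ;;
    *) echo "UNKNOWN: bash could not be run on this host" ;;
esac
```

Run it on each server and on Mac OS X workstations after applying updates; a result of 1 means the update did not take effect for the bash binary that is actually on the path.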