New HIPAA Guidance on Ransomware: OCR’s encryption “gold standard” is no longer “golden”

By Margaret Young Levi and Kathie McDonald-McClure

softwareRansomware encrypts a user’s data and denies access to that data until a ransom is paid. The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has released new guidance to help health care entities better understand and respond to the ever-increasing threat of ransomware.  On July 11, 2016, HHS posted a blog entitled “Your Money or Your PHI: New Guidance on Ransomware.”  The HHS blog post includes a Fact Sheet for health care entities regarding ransomware.  This blog post highlights some of the more striking points in the OCR Fact Sheet and considerations for entities subject to HIPAA in addressing ransomware attacks.

Ransomware can cause harm beyond denying access to data.  The OCR Fact Sheet provides useful technical details about how ransomware malware works, and notes that data can be exfiltrated (i.e., transferred outside the computer network system).  Exfiltration can occur before or after the ransomware attack that encrypts the data.  It depends on the type of malware employed in the attack.  An April 2016 ransomware report from the Institute for Critical Infrastructure Technology (ICIT) provides even more technical details about the types of ransomware currently in use.  The ICIT report states that advanced persistent threats (APTs) and other hackers interested in collecting confidential data use ransomware as a form of distraction while stealthily using other malware to exfiltrate data.

The use of ransomware has skyrocketed.  According to OCR, the number of ransomware attacks has risen steeply in the last year, from an average of 1,000 per day in 2015 to an average of 4,000 attacks daily since January 1, 2016, including some very public attacks on hospitals.  Hospitals and other health care providers are especially vulnerable to Continue reading

Federal Government Report Summarizes Health Care Privacy Compliance Efforts

government buildingThe U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

–“Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012” (the Breach Report); and

–“Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012” (the Compliance Report).

Both of OCR’s reports (as well as previous annual reports) may be accessed here. This post discusses the Compliance Report. We summarized the Breach Report in a separate post entitled “Federal Government Report on Data Breaches in Health Care.”

OCR is the office responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The Compliance Report summarizes OCR’s compliance and enforcement activity with respect to the HIPAA Privacy, Security, and Breach Notification Rules.

Continue reading

Privacy Breaches – They’re FTC Territory, Too!

by Ann F. Triebsch

Lock and KeyWe’ve all heard about HIPAA privacy breaches until we think there couldn’t be anything else to worry about. Think again—the Federal Trade Commission (FTC) is prosecuting privacy breaches in the health care industry as a violation of Section 5 of the FTC Act. The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is charged with enforcing HIPAA, but some of those same privacy breaches can be scrutinized by the FTC to determine if they are “unfair or deceptive acts or practices in or affecting commerce”, which the FTC Act prohibits. On August 29, 2013, the FTC filed suit in Federal District Court in Atlanta against LabMD, a medical testing laboratory, and its president, to compel it to comply with an investigative demand for information on whether it failed to properly protect private information of about 9,000 consumers (FTC v. LabMD, U.S.D.C. N.D. Ga., Case No. 1:12-CV-3005) .

Continue reading

HIPAA Breaches in the News Again!

It has been widely reported that WellPoint Inc. recently agreed to pay a $1.7 million fine to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules. The U.S. Department for Health & Human Services’ (“HHS”) press release asserts that WellPoint failed to “implement appropriate administrative and technical safeguards” required by HIPAA when it left an online application database unsecured and exposed the electronic protected health information (“PHI”) of more than 600,000 individuals. WellPoint self reported this issue when it submitted a breach notification required under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. This breach highlights the importance of ensuring that PHI is secured when system updates are performed.

Continue reading