Deadline Approaching to Revise HIPAA Policies

November 21, 2024November 22, 2024 Wyatt Data Privacy & Security, HIPAA cybersecurity, data privacy, final rule, health care law, health care providers, HIPAA Compliance, ocr guidelines, privacy, privacy practices, protected health information (PHI), regulatory changes, reproductive health

By: Margaret Young Levi

The December 23, 2024 deadline is fast approaching for HIPAA covered entities, including health care providers and health plans, to revise their HIPAA policies and procedures relating to reproductive health.

Earlier this year, the Office for Civil Rights (OCR) issued a Final Rule prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances. This will require HIPAA covered entities to amend their policies and procedures, as well as their Notice of Privacy Practices (NPP). While updates to policies and procedures must be completed by December 23, 2024, the new NPP requirements will not go into effect until February 16, 2026. Some covered entities will need to amend their business associate agreements if the agreements permit an activity no longer permitted under the revised Privacy Rule.

For additional information about this Final Rule, please check out our previous article on this topic.

Looking for assistance in this area? We regularly work with our clients regarding their policies and procedures related to compliance with HIPAA and other data privacy and security laws and regulations. If you are looking for assistance in this area, contact Kathie McDonald-McClure at (502) 562-7526 or Margaret Levi Young at (859) 288-7469. To learn more about Wyatt’s health care, data privacy and cyber security practice, visit the following Wyatt website pages: Wyatt Data Privacy & Cyber Security and Wyatt Health Care.

Iranian Threat Actors Use Password Spraying And MFA Push-Bombing To Hack Organizations In Critical Sectors

October 17, 2024October 22, 2024 Wyatt Cyber Security and Cyber Crime, Data Privacy & Security Brute Force Credential Access, CISA Cybersecurity Advisory, Cyber Security, cybersecurity, Iranian Cyber Threat Actors, MFA, MFA fatigue, password spraying MFA push-bombing, security, technology

Written by: Kathie McDonald-McClure

On October 16, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”), the Federal Bureau of Investigation (“FBI”) and the National Security Agency (“NSA”) issued a Joint Cybersecurity Advisory warning that threat actors from Iran are using “password spraying” and Multi-Factor Authentication (MFA) “push-bombing” (also called “MFA fatigue”) to gain access to organization networks and web-based applications in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors.

With password spraying, the threat actor creates a list of usernames and then tries to login to each account with a single commonly used password. If the attempt fails, the attacker moves on to a different common password and tries again until they get a hit. Even with MFA, using a strong password in the first instance can impede a threat actor’s further attempts to gain access via MFA push-bombing.

With MFA push-bombing, the threat actor sends a legitimate user’s smartphone a large number of MFA push-notifications, hoping that the user will click on one to stop the barrage. Once the threat actor gains access to an account, they frequently register their devices with MFA to enable persistent access to the environment via a valid account.

The use of MFA push-notifications to a smartphone in the absence of a second form of authentication (e.g., entering a code in an Authenticator app) is particularly vulnerable to the use of brute force and credential access. Does your network or any of your web-based applications rely solely on a push notification to gain access? Specifically, if access to your network or a web-based application can be gained by a mere click on a link in a SMS or email message, or by answering a call to a mobile device and there is no second method of authentication before permitting access, talk to your IT team or the vendor of the web-based application about strengthening the authentication method.

Regularly review your password policy to ensure it is up-to-date with best practices. Ensure users in your organization are educated on the password policy. Also, educate permitted users on the network and web-based applications on the techniques used by threat actors to gain access via weak and reused passwords. Ensure users understand the criticality of denying MFA push-notification requests that they did not generate.

Talk to your IT team today regarding the Joint Cybersecurity Advisory on the threats to weak passwords and MFA methods. As recommended in the Advisory, implement exercises, tests and validate your organization’s security programs against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in the Advisory (e.g., Modify Authentication Process: MFA and MFA Request Generation).

We regularly work with clients to assist in preparing or updating applicable IT information security policies and procedures. Learn more about Wyatt’s data privacy and cyber security practice by visiting the Wyatt Data Privacy & Cyber Security webpage.

Changes to the Health Breach Notification Rule Include Regulations for Health Apps

June 11, 2024July 2, 2024 Wyatt Data Breach & Notification, Data Privacy & Security, Electronic Health Records, FTC Enforcement, Health Information Technology, HIPAA Breach Notification, cybersecurity, Electronic Health Records, FTC Final Rule, HBNR, healthcare, personal health record, PHR, PHR identifiable health information, privacy, security, technology

Written by: Margaret Young Levi and Casey Parker-Bell (Wyatt Summer Associate)

Vendors who maintain personal health records will soon be subject to amended rules for notifying customers of data breaches. The Federal Trade Commission (“FTC”) has issued a Final Rule, finalizing changes to the Health Breach Notification Rule (“HBNR“) first issued in 2009 (the “2009 Rule”). The Final Rule clarifies the HBNR’s application to apps and other new technologies in the healthcare industry.

New technology, like fitness trackers and other direct-to-consumer health tech and wearable apps, have increased the amount of health data collected from consumers. There is a growing concern that some companies are disclosing or selling individuals’ personal health data for marketing and other purposes, while not subject to protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). “We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information.” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The proposed amendments to the new rule will allow it to keep up with marketplace trends, and respond to development and changes in technology.” The FTC has announced this Final Rule to address these new technologies.

The Final Rule’s Changes to the HBNR

The HBNR requires vendors of personal health records (“PHRs”) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured PHR identifiable health information. The HBNR also requires third-party service providers of personal health records to provide notifications. After seeking comments on proposed changes to better protect consumer who use PHRs, the FTC finalized the following changes to the HBNR:

Continue reading →

Kentucky Enacts New Consumer Data Privacy Act

June 5, 2024June 13, 2024 Wyatt Data Privacy & Security, FTC Enforcement, Privacy & Security, State Consumer Privacy Protection Laws ad trackers, consumer online privacy, cybersecurity, data privacy, geolocation data, KCDPA, privacy, security, technology

Written by: Margaret Young Levi, Kathie McDonald-McClure and Drayden Burton (Wyatt Summer Associate)

On April 4, 2024, Governor Andy Beshear added Kentucky to the growing list of states with comprehensive data privacy legislation by signing House Bill 15 into law. The Kentucky Consumer Data Protection Act (“KCDPA”) will become effective on January 1, 2026. The KCDPA creates rights for Kentucky consumers as well as imposes requirements on certain businesses that handle consumer data.

What rights does the KCDPA create for consumers?

The KCDPA provides “consumers,” which it defines as natural persons residing in Kentucky who are acting solely in an individual context, with a swathe of rights concerning their personal data. These rights mirror the laws of other states that have passed similar legislation. These rights include:

HHS and American Hospital Association Alert Providers to Act Now on “Citrix Bleed” Vulnerability

December 7, 2023December 11, 2023 Kathie McDonald-McClure Cyber Security and Cyber Crime, Data Privacy & Security, Health Information Technology Citrix Bleed, critical infrastructure, cyber threats, cybersecurity, hacking, healthcare sector, HIPAA Security Rule, ransomware, technology

The United States Health & Human Services Department (HHS) Health Sector Cybersecurity Coordination Center (HH3) issued an HH3 Sector Alert for a software vulnerability dubbed the “Citrix Bleed“. The HH3 Alert advises on a Citrix security advisory regarding a zero-day vulnerability that impacts the NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (fomerly Citrix Gateway). The HH3 Alert, issued on November 30, 2023, urges healthcare organizations to upgrade their devices to prevent damage to the health sector from cyber attacks, including ransomware.

Per the HH3 Alert, even if the patch that Citrix released for this vulnerability was implemented, Citrix warns that compromised sessions will still be active after the patch is implemented. Organizations should follow the Citrix guidance to upgrade devices and remove any active or persistent sessions with the commands listed in the Alert.

On December 1, 2023, the American Hospital Association (AHA) similarly alerted its members about the Citrix Bleed issuing its own alert titled, “Urgent: Hospital Action Needed to Protect Against ‘Citrix Bleed’ Threat.” AHA also published the following article the same day: “HHS-HC3 calls for immediate hospital action to protect against ‘Citrix Bleed’ vulnerability and ransomware threat.”

In its weekly Medicare MLN Connects news on December 7, 2023, the Centers for Medicare and Medicaid Services (CMS) asks providers to make sure their IT department reads the information and takes necessary action. Providers also should share the HH3 Alert with their network clearinghouse and vendors.

Relatedly, on December 6, 2023, CNN reported that HHS shared exclusively with CNN a plan focused on getting more money and training to small and rural health care providers who lack dedicated cybersecurity staff. CNN reported that Biden administration officials “have long been concerned that software providers continue to sell insecure products that hackers are too easily able to exploit.” Click here to read the full CNN article, titled “US health officials call for surge in funding and support for hospitals in wake of cyberattacks that diverted ambulances,” by Sean Lyngass.

Looking for assistance with your organization’s data security policies? We work with clients and their IT team in the preparation and updating of information security policies and procedures to comply with the HIPAA Security Rule, FTC Safeguards Rule, and more. Such policies are essential in today’s cyber threats environment to meet the expectations of regulatory enforcement agencies such as the HHS Office for Civil Right and FTC. Information security policies also aide organizations in meeting other legal requirements and expections, e.g., contractual, cyber insurance underwriting, consumer, and other third-parties. If you are looking for assistance in this area, and to learn more about Wyatt’s data privacy and cyber security practice, visit the Wyatt Data Privacy & Cyber Security webpage.

If you need additional information, contact: Kathie McDonald-McClure, kmcclure@wyattfirm.com, at 502.562.7526