privacy and security of protected health information

FTC issues Final Order and data security lessons in LabMD case

Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, FTC Enforcement, HIPAA, Privacy & Security , , , , , , ,

After HoursOn July 29, 2016, the Federal Trade Commission (FTC) made the latest move in its battle with LabMD, Inc. (LabMD) when it reversed an initial decision by an administrative law judge (ALJ).  The FTC determined that LabMD’s data security practices constitute an unfair act or practice within the meaning of Section 5 of the Federal Trade Commission Act.  It issued an Opinion and Final Order requiring LabMD to “notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.”

This fight began in 2013 when the FTC first filed a Complaint contending that LabMD failed to reasonably protect data maintained on its computer network.  Two alleged security incidents form the basis of the Complaint.  In the first incident, Tiversa, trying to solicit LabMD’s business, discovered that a June 2007 insurance aging report containing personal information was available on a peer-to-peer (P2P) file-sharing network and informed LabMD.  In the second incident, dozens of day sheets and a small number of Continue reading

New HIPAA Guidance on Ransomware: OCR’s encryption “gold standard” is no longer “golden”

WyattLLP Cyber Security and Cyber Crime, Data Privacy & Security, HIPAA , , , , , ,

By Margaret Young Levi and Kathie McDonald-McClure

softwareRansomware encrypts a user’s data and denies access to that data until a ransom is paid. The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has released new guidance to help health care entities better understand and respond to the ever-increasing threat of ransomware.  On July 11, 2016, HHS posted a blog entitled “Your Money or Your PHI: New Guidance on Ransomware.”  The HHS blog post includes a Fact Sheet for health care entities regarding ransomware.  This blog post highlights some of the more striking points in the OCR Fact Sheet and considerations for entities subject to HIPAA in addressing ransomware attacks.

Ransomware can cause harm beyond denying access to data.  The OCR Fact Sheet provides useful technical details about how ransomware malware works, and notes that data can be exfiltrated (i.e., transferred outside the computer network system).  Exfiltration can occur before or after the ransomware attack that encrypts the data.  It depends on the type of malware employed in the attack.  An April 2016 ransomware report from the Institute for Critical Infrastructure Technology (ICIT) provides even more technical details about the types of ransomware currently in use.  The ICIT report states that advanced persistent threats (APTs) and other hackers interested in collecting confidential data use ransomware as a form of distraction while stealthily using other malware to exfiltrate data.

The use of ransomware has skyrocketed.  According to OCR, the number of ransomware attacks has risen steeply in the last year, from an average of 1,000 per day in 2015 to an average of 4,000 attacks daily since January 1, 2016, including some very public attacks on hospitals.  Hospitals and other health care providers are especially vulnerable to Continue reading

Kathie McDonald-McClure to present at Health Enterprises Network/HIMSS event on HIPAA in integrated healthcare

WyattLLP Data Privacy & Security , , , ,

HEN-HIMSS Whose Data Is It AnywayKathie McDonald-McClure, member of Wyatt’s Data Privacy & Security and Health Care Service Teams, will be speaking at an event presented by the Health Enterprises Network and Bluegrass Healthcare Information and Management Systems Society (Bluegrass HIMSS) entitled, “Whose Data Is It Anyway?”  Ms. McDonald-McClure will share strategies for achieving a “Yes-Yes” as well as avoiding the “No-No’s” under the Health Information Portability and Accountability Act of 1996 (HIPAA) with the exchange of health information in an integrated healthcare setting.

Please click here for more information and to register.

Date: January 21, 2016
Time: 5:00 p.m. – 6:00 pm (Cocktail Hour and Registration); 6:00 – 8:00 p.m. (Presentation).

Location:
Kosair Charities Clinical & Translational Research Building
505 S. Hancock Street
Louisville, KY 40202

NIST Assigns Highest Risk Level to New Cyber Risk: BASH aka Shellshock

Kathie McDonald-McClure Privacy & Security , , ,

19073625On Wednesday, September 24, 2014, news broke about a newly discovered cyber security threat referred to as the BASH flaw or Shellshock.  By Thursday, September 25, 2014, cyber security experts were confirming the cyber vulnerability threat for users of UNIX and Linux based systems, including MAC IO X.  The National Institute of Standards & Technology (NIST) has rated the BASH flaw a 10 out of 10 on its vulnerability severity scale. Click here for the NIST alert. 

Devices containing the BASH flaw may include millions of stand-alone Web servers and Internet-connected devices.  HITRUST issued an alert to healthcare providers urging them to take appropriate steps to safeguard their systems.  The HITRUST alert states, in part:

“The HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) has been tracking and reporting on the Remote Code Execution Vulnerability Discovered in Bash on UNIX-based Operating Systems (OS). HITRUST C3 is issuing this alert to ensure healthcare organizations are appropriately informed and taking steps to safeguard their systems and have sufficient information to communicate the background and implications to others in their organizations. HITRUST C3 – Healthcare Sector Cyber Threat Report HI255-14.”

According to Fierce HealthHIT: “The vulnerability happens when Bash is starting up; and it could allow a hacker to create a malicious code that would allow them to gain control of a compromised server.”  HITRUST and many other cyber experts are stating that the BASH Shellshock bug is worse than Heartbleed, which was the flaw discovered in the widely used website encryption code, OpenSSL, an issue on which we reported in April 2014.  The BASH flaw reportedly allows a hacker to completely take over a computer or server.

This is one of the more complicated cyber risk flaws to try to explain to the public, but this chap from UK has produced a 4-minute You Tube video trying to do just that.  We are not vouching for the accuracy of this video (especially given that we are not computer scientists), but we can recommend following his advice at the very end of the video:  “Make sure you keep your computers and any servers you run up to date with security patches and security fixes.”  If you want a more technical description of BASH, see the article published by Troy Hunt, Software architect and Microsoft MVP, on his blog at troyhunt.com or click here.

September 22, 2014 Deadline for Business Associate Agreements

Margaret Young Levi Health Information Technology, HITECH Law, Privacy & Security, Uncategorized , , , , , , , ,
September 22nd Deadline Fast Approaching
September 22nd Deadline Fast Approaching

The final HIPAA Omnibus Rule (Omnibus Rule), published in the Federal Register on January 25, 2013, substantially increased the privacy and security responsibilities of a “business associate” of a “covered entity”, as those terms are defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)(see discussion later in this post regarding the expansion of the “business associate” definition).  Among other changes, the Omnibus Rule requires a covered entity and business associate to revise their business associate agreement (BAA) to reflect the business associate’s new obligations.  All BAAs signed after January 24, 2013 should already include new language necessary to comply with the Omnibus Rule.  BAAs that were signed on or before January 24, 2013 were deemed compliant until September 22, 2014; however, if renewed or modified before that date then they must be brought into actual compliance at that time.  Covered entities and business associates must ensure that all BAAs are compliant with the Omnibus Rule before the September 22, 2014 deadline. Continue reading