A draft bill recently introduced in the U.S. Senate serves as a good reminder that compliance with data breach reporting requirements is critical. This bill follows significant, high-profile data breaches by Uber and Equifax, both of which involved millions of individuals (87 million and 145 million, respectively) and both of which went unreported for a significant period of time following discovery by the companies. Equifax took more than a month to notify the public, while Uber took more than a year. Continue Reading Proposed Law Would Criminalize Failures to Report Data Breaches
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released its October Cybersecurity Newsletter last week with a focus on mobile devices. Given the amount of work conducted on mobile devices (odds are that at least some of you are reading this on a smart phone), the newsletter is practical for many in the health care industry. It is also timely in light of the increasing development and use of health apps. (For those developers interested in HIPAA and mobile devices, see our recent post here.)
The key HIPAA risk faced by those in the health care sector using mobile devices is the compromise of electronic protected health information (ePHI); a risk that is compounded by the portability and lack of robust security on these devices. In its newsletter, OCR advises organizations to take some important steps to ensure that ePHI is well-protected on mobile devices. According to OCR, organizations should:
- Ensure that mobile devices are properly configured before accessing/storing ePHI
- Train employees on the secure use of mobile devices and the risks of malware infecting mobile devices
- Implement policies and procedures for mobile devices
- Take certain IT-related precautions such as:
- Automatic lock/logoff
- Logon authentication
- Regular software/security patch updates
- Encryption, anti-virus and remote wipe capabilities
- Use ONLY secure Wi-Fi connections
- Use Virtual Private Networks (VPNs)
- Limit downloads to only verified third-party apps
Depending on the size of your organization, some of these recommendations might sound a bit involved, but any efforts now can go a long way to saving you from a data breach. This is particularly true when considering that a breach involving health records can cost upwards of $350 per record.
The newsletter also contains links to much more detailed guidance and information for how to minimize cybersecurity risk on mobile devices.
As Texas, Florida, and the Caribbean rebuild after the latest string of deadly hurricanes and prepare for the possibility of future storms, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reminded health care providers of the importance of ensuring the availability and security of health information during and after natural disasters. OCR’s guidance is a good reminder to all health care providers – regardless of where they are located – of the applicability of the HIPAA Privacy and Security Rules during natural disasters and other emergencies.
Last week, the HHS Office for Civil Rights (OCR) launched an improved version of their HIPAA Breach Reporting Tool (HBRT), commonly referred to by OCR and regulated entities alike as the HIPAA “Wall of Shame.” OCR has also made minor changes to the interface for breach reporting.
The HBRT now makes it easy to navigate and mine information on all reported data breaches (breaches must be reported when they involve the protected health information of 500 or more people). Continue Reading The HIPAA “Wall of Shame” is Now Easier to Navigate
OCR released a simple checklist and infographic last week to assist Covered Entities and Business Associates with responding to potential cyber attacks. As cybersecurity remains a pressing concern for health care entities, these guidance documents are a useful reminder of best practices that health care entities should have in place in case of a cybersecurity incident.
Unbeknownst to many, Congress established the Health Care Industry Cybersecurity Task Force in 2015 to address the health care industry’s cybersecurity challenges. That Task Force–a combination of public and private participants–released a report last week describing U.S. healthcare cybersecurity as being in “critical condition.” This conclusion, while disheartening, shouldn’t be surprising to readers of this blog. We’ve blogged about a range of cybersecurity issues affecting health care, from the potential hacking of medical devices with deadly consequences, to ransomware attacks that threaten to shut down hospitals. Continue Reading HHS Task Force Says Healthcare Cybersecurity is in “Critical Condition”
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced another large HIPAA-related settlement last week with Memorial Hermann Health System (Memorial Hermann), the largest not-for-profit health system in southeast Texas. Memorial Hermann agreed to pay $2.4 million and to comply with a corrective action plan after publicly disclosing a patient’s name in the title of a press release regarding an incident at one of its clinics. In a week that has been filled with high-tech cybersecurity issues (see our recent blog posts on the WannaCry attack here and here), this settlement is a good reminder of HIPAA obligations unrelated to technology.
By now, you may have heard about the global ransomware attacks affecting health care and other organizations throughout the world, in particular the United Kingdom, but also in the United States. The ransomware variant, called “Wanna Decryption” or “WannaCry” works like any other ransomware: once it is inadvertently installed, it locks up the organization’s data until ransom is paid. Here are some quick facts about the WannaCry attack and suggestions for avoiding it. Continue Reading Ransomware Attack – Quick Facts
It was a busy April for the Office for Civil Rights (“OCR”) (see our prior post on a settlement from earlier in April). On April 20, OCR announced a Resolution Agreement with Center for Children’s Digestive Health, S.C. (“CCDH”) related to CCDH’s failure to enter into a business associate agreement with a paper medical records storage vendor. The cost of that missing agreement? $31,000. Then, on April 24, OCR announced a settlement with CardioNet, a remote monitoring company for cardiac arrhythmias, related to CardioNet’s failure to implement compliant HIPAA policies and procedures and failure to conduct a sufficient risk assessment. The price of those failures? $2.5 million! Continue Reading Two HIPAA Mistakes Lead to Fines from OCR