On Wednesday, March 8, James B. Comey, Director of the FBI, was at Boston College to deliver the keynote address for the inaugural Boston Conference on Cyber Security (BCCS 2017). Director Comey addressed various industry, cyber security, FBI, law enforcement and military experts in attendance regarding current cyber threats to both industry and government assets and the FBI’s approach to confronting them. During his remarks, Director Comey was asked to opine on the biggest cyber threat to healthcare providers, to which Comey quickly responded, “ransomware.” Continue Reading Advice to Healthcare Providers on Ransomware from the Head of the FBI
Last week, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released new guidance on reporting and monitoring cyber threats. The guidance urges covered entities and business associates to report suspicious activity, including cybersecurity incidents, to the United States Computer Emergency Readiness Team (US-CERT). US-CERT is an organization within the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) that is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities. It is operational 24 hours a day, and accepts, triages, and collaboratively responds to incidents. Continue Reading OCR Releases Guidance on Reporting and Monitoring Cyber Threats
As reported on the Privacy and Security Matters blog last week, the Mintz Levin privacy team recently updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws that we update on a quarterly basis, or more frequently as needed. In addition to HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. The Mintz Matrix is available here.
On February 16, 2017, the HHS Office for Civil Rights (OCR) disclosed a $5.5 million settlement with Memorial Healthcare Systems (MHS) for HIPAA violations affecting the protected health information (PHI) of 115,143 individuals. The Resolution Agreement, which can be found here, also contains a detailed corrective action plan (CAP).
The Florida-based health system reported to OCR that the PHI had been impermissibly accessed by MHS employees and impermissibly disclosed to affiliated physician office staff. The PHI consisted of names, dates of birth, and social security numbers.
Earlier this week, the U.S. Department of Homeland Security (DHS) updated a prior advisory revealing cybersecurity vulnerabilities in St. Jude Medical’s Merlin@home transmitter.
The Merlin@home transmitter is used by patients with St. Jude implantable cardiac devices to wirelessly transmit data from the patient’s cardiac device to the Merlin.net Patient Care Network. The uploaded data can then be monitored by a physician to determine whether the device is functioning properly. This past January, DHS released an advisory detailing a vulnerability that could allow an unauthorized user to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered transmitter could then be used to modify the implanted device to rapidly deplete its battery and/or administer inappropriate pacing or shocks to the patient. St. Jude quickly made an update available to patch this vulnerability.
The updated advisory extends the vulnerability to Merlin transmitters that are used by providers. These transmitters contain the same hardware and software as the models used by patients in their home, but have an additional functionality called MerlinOnDemand that allows providers to use one transmitter in their office to obtain device data from multiple patients. According to the advisory, the endpoints between the implanted device and the Merlin.net website are not verified. This makes the transmission vulnerable to a “man-in-the-middle” that would allow an attacker to remotely access the device. St. Jude has said that the MerlinOnDemand-enabled devices will receive the same patch that was provided to the home-based models.
The new vulnerability comes on the heels of the U.S. Food and Drug Administration’s release of final guidance on the postmarket management of cybersecurity in medical devices.
On January 18th, the U.S. Department of Health and Human Services (HHS) and 15 other federal agencies issued a final rule updating regulations for the protection of human research subjects, the so-called “Common Rule.” The original Common Rule had been in place for almost 30 years, with little change despite significant research and technology advances during that time. Further change is on the horizon for the Common Rule, as the 21st Century Cures Act (Cures) includes a mandate for HHS and the Food and Drug Administration (FDA) to harmonize long-standing differences between the Common Rule and FDA Human Subject Protection regulations. Continue Reading The Newly Updated Common Rule is Here – And On a Collision Course With the 21st Century Cures Act
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced the first ever settlement related to a Covered Entity’s untimely breach notification in violation of HIPAA. Presence Health, a health care network in Illinois, discovered a breach of unsecured personal health information (PHI) on October 22, 2013. After reporting the breach to OCR over three months later on January 31, 2014, OCR determined that Presence Health failed to notify OCR, each of the affected individuals, and prominent media outlets of the breach without unreasonable delay and within 60 days of learning of the breach, as required of Covered Entities under HIPAA. The violation resulted in a $475,000 settlement between OCR and Presence Health.
On January 12th at 1:00pm EST, my colleague Susan Foster, PhD will present a webinar on Transferring Data from the EU. In particular, Sue will discuss the ways in which the EU General Data Protection Regulation creates new avenues for data transfers, and narrows others, and will also address sector-specific Commission decisions, privacy seals/certifications, the exception for non-repetitive, limited transfers, and the outlook for BCRs and Model Clauses.
As we reported earlier this week, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights described a phishing campaign that is attempting to convince recipients of their inclusion in OCR’s Phase 2 audit program. The email, which was disguised as an official communication, suggests that recipients click on a link. This link takes recipients to a non-governmental website marketing cybersecurity services.
On Wednesday, OCR followed up their alert with additional details about the phishing campaign. According to OCR, the phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. OCR points out the subtle difference from the official email address for its HIPAA audit program, OSOCRAudit@hhs.gov, noting that such subtlety is typical in phishing scams.
OCR also took the opportunity to confirm that it has notified select business associates of their inclusion in the Phase 2 HIPAA audits. For more information about the Phase 2 audit program please visit our earlier post.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published an alert on Monday describing a phishing campaign disguised as an email from OCR. The email is being circulated on mock HHS letterhead under the signature of OCR’s Director Jocelyn Samuels and is being sent to HIPAA covered entities and their business associates. The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. When clicked, the link takes the recipient to a non-governmental website marketing a firm’s cybersecurity services. In its alert, HHS clarified that it is in no way associated with the firm.
Covered Entities and Business Associates should be aware of this email and should make their workforces aware of it. This can also serve as an important reminder of the importance of being vigilant about phishing campaigns and not clicking links in any email that seems suspicious or unexpected.
While the firm’s specific claims of inclusion in the audit program are not based in fact, OCR’s audit program is itself quite real. This past July we discussed the audit letters that were sent to health care providers and health care clearinghouses alerting them to their inclusion in the audit. We also described how OCR would be auditing businesses associates during the fall season. Given that fall is upon us, it is now more critical than ever for business associates to review their compliance efforts.