The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced another large HIPAA-related settlement last week with Memorial Hermann Health System (Memorial Hermann), the largest not-for-profit health system in southeast Texas. Memorial Hermann agreed to pay $2.4 million and to comply with a corrective action plan after publicly disclosing a patient’s name in the title of a press release regarding an incident at one of its clinics. In a week that has been filled with high-tech cybersecurity issues (see our recent blog posts on the WannaCry attack), this settlement is a good reminder of HIPAA obligations unrelated to technology.
Last week, the FBI issued guidance specifically applicable to medical and dental facilities regarding the cybersecurity risk of File Transfer Protocol (“FTP”) servers operating in “anonymous” mode. FTP servers are routinely used to transfer information between network hosts. As further described in the guidance, an FTP server can be configured to permit anonymous users (using a common user name such as “anonymous” and no password) to gain access to the information stored on the server, which might include sensitive information about patients. In addition to potentially directly compromising the security of the stored information, a hacker could use an FTP server in anonymous mode to launch a cyber attack on the entity.
On Wednesday, March 8, James B. Comey, Director of the FBI, was at Boston College to deliver the keynote address for the inaugural Boston Conference on Cyber Security (BCCS 2017). Director Comey addressed the industry, cybersecurity, FBI, law enforcement and military experts in attendance regarding current cyber threats to both industry and government assets and the FBI’s approach to confronting them. During his remarks, Director Comey was asked to opine on the biggest cyber threat to healthcare providers, to which he quickly responded, “ransomware.”
The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has been busy lately, issuing three news releases on the HIPAA Privacy and Security Rules.
On February 24th, OCR published a crosswalk between the HIPAA Security Rule and the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). The document outlines the safeguards required by the Security Rule and maps them to the applicable subcategory in the Cybersecurity Framework and other commonly used frameworks. The Security Rule does not require healthcare organizations to follow the Cybersecurity Framework, but OCR points out that many organizations already follow it and that the crosswalk can help organizations discover gaps in their security policies. OCR released the crosswalk less than a week after Hollywood Presbyterian reported that it paid hackers to end a malware attack on the hospital’s computer systems.
Earlier this week Mintz Levin’s Privacy & Security Matters blog posted some useful “bytes” to consider for the latest installment of the “Privacy Monday” series.
Of particular interest for those following health care privacy and security matters is the recent House Energy & Commerce Committee report revealing data breaches and vulnerabilities involving HHS. The Privacy and Security Matters blog post also provides some very practical privacy pointers and most importantly, an invite to our webinar discussion of vendor risk management and data protection on August 26 at 1PM ET.
Cybersecurity is of increasing importance to health care organizations, given the growing trend of enforcement and increasing penalties. President Obama’s Executive Order 13636: Improving Critical Infrastructure Cybersecurity included “the incapacity or destruction of systems and assets [that] would have a debilitating impact on . . . national public health or safety” as part of the “critical infrastructure” of the United States. On the anniversary of this Executive Order, the U.S. Commerce Department’s National Institute of Standards and Technology (NIST) released a Framework for Improving Critical Infrastructure Cybersecurity (Framework) that provides a structure that organizations, regulators and customers engaged in the nation’s critical infrastructure can use to create, guide, assess or improve comprehensive cybersecurity programs.
On March 25th, Mintz Levin’s Privacy & Security Practice is hosting a panel discussion in the firm’s Boston office that will examine the NIST Framework in depth and provide insights into how organizations, including health care and life sciences companies, can use it to assess and improve their security procedures. Topics will include:
- An update on cybersecurity legislative policies;
- The NIST Framework and federal regulatory initiatives affecting government and private sector suppliers;
- Recent developments in the U.S. Securities and Exchange Commission’s approach to disclosure of cybersecurity threats for public companies; and
- The current state of the market for cybersecurity insurance and considerations for potential insureds.