The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released its October Cybersecurity Newsletter last week with a focus on mobile devices. Given the amount of work conducted on mobile devices (odds are that at least some of you are reading this on a smart phone), the newsletter is practical for many in the health care industry. It is also timely in light of the increasing development and use of health apps. (For those developers interested in HIPAA and mobile devices, see our recent post here.)

The key HIPAA risk faced by those in the health care sector using mobile devices is the compromise of electronic protected health information (ePHI), a risk that is compounded by the portability of these devices and the lack of robust security on many of them. In its newsletter, OCR advises organizations to take some important steps to ensure that ePHI is well-protected on mobile devices. According to OCR, organizations should:

  • Ensure that mobile devices are properly configured before accessing/storing ePHI
  • Train employees on the secure use of mobile devices and the risks of malware infecting mobile devices
  • Implement policies and procedures for mobile devices
  • Take certain IT-related precautions such as:
    • Automatic lock/logoff
    • Logon authentication
    • Regular software/security patch updates
    • Encryption, anti-virus and remote wipe capabilities
    • Use ONLY secure Wi-Fi connections
    • Use Virtual Private Networks (VPNs)
    • Limit downloads to only verified third-party apps

Depending on the size of your organization, some of these recommendations might sound a bit involved, but any efforts now can go a long way toward saving you from a data breach. This is particularly true when considering that a breach involving health records can cost upwards of $350 per record.

The newsletter also contains links to much more detailed guidance and information for how to minimize cybersecurity risk on mobile devices.

OCR released a simple checklist and infographic last week to assist Covered Entities and Business Associates with responding to potential cyber attacks.  As cybersecurity remains a pressing concern for health care entities, these guidance documents are a useful reminder of best practices that health care entities should have in place in case of a cybersecurity incident.

Continue Reading OCR Publishes Checklist and Infographic for Cyber Attack Response

Unbeknownst to many, Congress established the Health Care Industry Cybersecurity Task Force in 2015 to address the health care industry’s cybersecurity challenges. That Task Force–a combination of public and private participants–released a report last week describing U.S. healthcare cybersecurity as being in “critical condition.” This conclusion, while disheartening, shouldn’t be surprising to readers of this blog. We’ve blogged about a range of cybersecurity issues affecting health care, from the potential hacking of medical devices with deadly consequences, to ransomware attacks that threaten to shut down hospitals.  Continue Reading HHS Task Force Says Healthcare Cybersecurity is in “Critical Condition”

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced another large HIPAA-related settlement last week with Memorial Hermann Health System (Memorial Hermann), the largest not-for-profit health system in southeast Texas.  Memorial Hermann agreed to pay $2.4 million and to comply with a corrective action plan after publicly disclosing a patient’s name in the title of a press release regarding an incident at one of its clinics.  In a week that has been filled with high-tech cybersecurity issues (see our recent blog posts on the WannaCry attack here and here), this settlement is a good reminder of HIPAA obligations unrelated to technology.

Continue Reading Memorial Hermann’s Use of Patient Name in Press Release Leads to $2.4 Million HIPAA Settlement

Last week, the FBI issued guidance specifically applicable to medical and dental facilities regarding the cybersecurity risk of File Transfer Protocol (“FTP”) servers operating in “anonymous” mode.  FTP servers are routinely used to transfer information between network hosts.  As further described in the guidance, an FTP server can be configured to permit anonymous users (logging in with a common user name like “anonymous” and without a password) to gain access to the information stored on the server, which might include sensitive information about patients.  In addition to directly compromising the security of the stored information, a hacker could use an FTP server in anonymous mode to launch a cyber attack on the entity. Continue Reading FBI Warns of Cybersecurity Risk from FTPs
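As an added illustration of the misconfiguration the FBI describes (example code written for this page, not taken from the FBI guidance or the original post), the Python below checks whether an FTP server accepts an anonymous login by performing the real USER/PASS exchange with the standard library’s ftplib. So that it runs offline, it also includes a small fake FTP server that answers only the login commands; that fake server, the loopback host and port, and the conventional “anonymous” / e-mail-style password are constructed assumptions for the example, not anything the guidance specifies.

```python
"""Check whether an FTP server accepts an anonymous login.

Added example: the checker and the in-process fake FTP server below are
constructed for this page and are not part of the FBI guidance or the blog.
"""
import ftplib
import socketserver
import threading

# Conventional anonymous credentials (assumption: servers that allow anonymous
# access usually accept the user "anonymous" with an e-mail-style password).
ANON_USER = "anonymous"
ANON_PASS = "anonymous@example.com"


def anonymous_login_allowed(host, port=21, timeout=5.0):
    """Return True if host:port answers the anonymous USER/PASS exchange with
    a 2xx reply, False if it refuses with a 5xx reply (e.g. 530).

    Network errors (refused connection, timeout) propagate to the caller:
    an unreachable server is "not assessed", not "safe".
    The context manager sends QUIT and closes the control connection on exit.
    """
    with ftplib.FTP() as ftp:
        ftp.connect(host, port, timeout=timeout)   # reads the 220 banner
        try:
            ftp.login(ANON_USER, ANON_PASS)        # sends USER, then PASS
        except ftplib.error_perm:                  # 5xx reply: login refused
            return False
        return True                                # 230 Login successful


class _FakeFtpHandler(socketserver.StreamRequestHandler):
    """Minimal FTP control-channel handler: only USER, PASS and QUIT.

    Constructed for the example; it mimics the reply codes a real server
    sends for the login exchange and implements nothing else.
    """

    def _reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        user = ""
        self._reply("220 fake FTP server (example) ready")
        while True:
            line = self.rfile.readline()
            if not line:                      # client went away
                return
            cmd, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                self._reply("331 Please specify the password.")
            elif cmd == "PASS":
                # "anonymous" and "ftp" are the usual anonymous account names
                if user.lower() in ("anonymous", "ftp") and self.server.allow_anonymous:
                    self._reply("230 Login successful.")
                else:
                    self._reply("530 Login incorrect.")
            elif cmd == "QUIT":
                self._reply("221 Goodbye.")
                return
            else:
                self._reply("502 Command not implemented.")


class FakeFtpServer(socketserver.ThreadingTCPServer):
    """Loopback-only fake server; allow_anonymous plays the role of a real
    server's anonymous-mode switch (e.g. anonymous_enable in vsftpd)."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, allow_anonymous):
        super().__init__(("127.0.0.1", 0), _FakeFtpHandler)  # port 0: OS picks a free port
        self.allow_anonymous = allow_anonymous


def start_fake_ftp_server(allow_anonymous):
    """Start a fake server in a background thread; returns (server, port)."""
    server = FakeFtpServer(allow_anonymous)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def stop_fake_ftp_server(server):
    server.shutdown()
    server.server_close()


if __name__ == "__main__":
    for allow in (True, False):
        server, port = start_fake_ftp_server(allow)
        try:
            print(f"anonymous mode on={allow}: anonymous login allowed ->",
                  anonymous_login_allowed("127.0.0.1", port))
        finally:
            stop_fake_ftp_server(server)
```

Point anonymous_login_allowed(host) at one of your own servers to reproduce the check: a True result means anyone who can reach port 21 can log in without credentials, and whatever the anonymous account can read or write is exposed. Connection errors are deliberately not swallowed, so a scan that cannot reach a host reports an exception rather than a misleading False.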

On Wednesday, March 8, James B. Comey, Director of the FBI, was at Boston College to deliver the keynote address for the inaugural Boston Conference on Cyber Security (BCCS 2017).  Director Comey addressed various industry, cyber security, FBI, law enforcement and military experts in attendance regarding current cyber threats to both industry and government assets and the FBI’s approach to confronting them.   During his remarks, Director Comey was asked to opine on the biggest cyber threat to healthcare providers, to which Comey quickly responded, “ransomware.” Continue Reading Advice to Healthcare Providers on Ransomware from the Head of the FBI

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has been busy lately, issuing three news releases on the HIPAA Privacy and Security Rules.

On February 24th, OCR published a crosswalk between the HIPAA Security Rule and the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). The document outlines the safeguards required by the Security Rule and maps them to the applicable subcategory in the Cybersecurity Framework and other commonly used frameworks. The Security Rule does not require healthcare organizations to follow the Cybersecurity Framework, but OCR points out that many organizations already follow the Cybersecurity Framework and that the crosswalk can help organizations discover gaps in their security policies. OCR released the crosswalk less than a week after Hollywood Presbyterian reported that it paid hackers to end a malware attack on the hospital’s computer systems. Continue Reading Recent HIPAA Updates from OCR

Earlier this week Mintz Levin’s Privacy & Security Matters blog posted some useful “bytes” to consider for the latest installment of the “Privacy Monday” series.

Of particular interest for those following health care privacy and security matters is the recent House Energy & Commerce Committee report revealing data breaches and vulnerabilities involving HHS. The Privacy and Security Matters blog post also provides some very practical privacy pointers and most importantly, an invite to our webinar discussion of vendor risk management and data protection on August 26 at 1PM ET.

Click here to get these handy end-of-summer bytes.

Cybersecurity is of increasing importance to health care organizations, given the growing trend of enforcement and increasing penalties.  President Obama’s Executive Order 13636: Improving Critical Infrastructure Cybersecurity included “the incapacity or destruction of [] systems and assets [that] would have a debilitating impact on . . . national public health or safety” as part of the “critical infrastructure” of the United States.   On the anniversary of this Executive Order, the U.S. Commerce Department’s National Institute of Standards and Technology (NIST) released a Framework for Improving Critical Infrastructure Cybersecurity (Framework) that provides a structure that organizations, regulators and customers engaged in the nation’s critical infrastructure can use to create, guide, assess or improve comprehensive cybersecurity programs.

On March 25th, Mintz Levin’s Privacy & Security Practice is hosting a panel discussion in the firm’s Boston office that will examine the NIST Framework in depth and provide insights into how organizations, including health care and life sciences companies, can use it to assess and improve their security procedures.  Topics will include:

  • An update on cybersecurity legislative policies;
  • The NIST Framework and federal regulatory initiatives affecting government and private sector suppliers;
  • Recent developments in the U.S. Securities and Exchange Commission’s approach to disclosure of cybersecurity threats for public companies; and
  • The current state of the market for cybersecurity insurance and considerations for potential insureds.

To register and get more details about the panel, click here.