Following recent news about the Heartbleed exploit, CloudFlare, a San Francisco-based security services company, challenged hackers to use Heartbleed to extract the private encryption keys that would unlock secure data. It reported multiple winners of its challenge. By obtaining the private key for an SSL/TLS certificate, an attacker could set up a fake website that passes the security verification. They could also intercept and decrypt traffic passing between a client and a server (a man-in-the-middle attack), or possibly unscramble encrypted communications they have collected in the past.
Health information technology solutions that are remotely hosted or cloud based are becoming more common. In these scenarios, a health care provider is allowing its data – oftentimes including protected health information (“PHI”) – to flow through or be stored in the vendor’s data center. If PHI is involved, the parties should determine whether a Business Associate Agreement (“BAA”) is necessary for HIPAA compliance. But knowing a vendor’s security standard – regardless of whether a BAA is in place – can give the health care provider confidence that its data will be protected, with a lower risk of damaging breaches occurring.
On February 1, 2013, the Federal Trade Commission (FTC) issued two publications recommending ways that key players in the mobile marketplace, such as operating system providers, application developers, advertising networks and analytics companies, can promote mobile privacy and security.
Attached is a link to a webinar that I recently conducted with Teramedica on Establishing an Effective Records Management and Data Retention Program: Health Care Industry Considerations.
This one-hour webinar helps health care organizations gain tactical insight into the essential legal and business requirements of establishing an effective records management and data retention program. Patient data storage and data access is becoming one of the most costly and challenging areas of health care delivery.
In analyzing a claim under Article 4A (Electronic Funds Transfers) of the Uniform Commercial Code, the U.S. Court of Appeals for the First Circuit determined that a bank did not utilize commercially reasonable security procedures when it failed to monitor risk reports and decreased the dollar threshold which triggered use of challenge questions by customers. Patco Construction Company, Inc. v. Peoples United Bank (July 3, 2012). The practical takeaway from this ruling is that “commercially reasonable security” requires active monitoring and that the effectiveness and commercial reasonableness of security procedures can be impacted by treating all transactions as “high risk.”
The public comment period regarding securing health information while using mobile devices ends on March 30, 2012. Information regarding ONC’s Mobile Device Roundtable discussion and a link to provide comments can be found here.
Should you have any questions, please contact Alisa Kuehn at 317.977.1475 or firstname.lastname@example.org.
The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced on Tuesday, March 13, 2012, that Blue Cross Blue Shield of Tennessee (“BCBST”) will pay $1,500,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). BCBST had previously notified HHS that 57 unencrypted hard drives containing protected health information, social security numbers, diagnosis codes, dates of birth, and other sensitive information were stolen from a BCBST leased facility.
This settlement represents the first enforcement action by OCR under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act Breach Notification Rule. HITECH requires that covered entities report a protected health information breach for 500 individuals or more both to the media and to HHS. BCBST reported the breach, but according to OCR, failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.
For additional details regarding the enforcement action and settlement click here.
Should you have any questions, please contact Ammon Fillmore at 317.977.1492 or email@example.com.
On Monday, March 5th, the American National Standards Institute (“ANSI”) issued its long-awaited report, “Financial Impact of Breached Protected Health Information” (http://webstore.ansi.org/phi/). The Report provides a good summary of the current state of health data privacy and security in the U.S., HIPAA legislative history, and some potential measures that can be taken to strengthen the protection of health data privacy and security. Most interesting, the Report also discusses the financial impact of breached PHI, giving examples of actual costs that an organization might incur when a data breach occurs.
Let us know what you think of the Report’s findings and what steps your organization is taking to protect PHI. We’re also interested in any insights you have for other organizations to better protect PHI.
Should you have any questions, please contact Mark Garsombke at 414.721.0907 or firstname.lastname@example.org.