Data Privacy & Security/HIPAA/HITECH

By now you have probably heard about the ongoing FIN4 cyber attacks on publicly traded entities in the healthcare and pharmaceutical industries. If not, here’s a brief recap.

On Sunday, Nov. 30, security consulting firm FireEye published a report on the current hacking efforts of a group dubbed FIN4. FIN4 has targeted more than 100 organizations, 68 percent of them publicly traded healthcare and pharmaceutical companies, stealing non-public information for illicit trading advantage. Additional targets include law firm partners and M&A consultants privy to proprietary information on imminent merger and acquisition transactions or other non-public, market-moving developments.

A Dec. 1 Strafford webinar on the legal and regulatory challenges of Ebola will feature five Husch Blackwell attorneys. The 90-minute CLE webinar with interactive Q&A will provide guidance to healthcare counsel and their clients in addressing HIPAA and EMTALA concerns when treating Ebola patients.

The panel will discuss state and federal mandatory reporting requirements, employment issues and lessons learned from the first U.S. Ebola cases.

The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) released a bulletin on Nov. 10 reminding entities covered under the Health Insurance Portability and Accountability Act (HIPAA) that the protections continue to be in effect during emergencies, including Ebola and other outbreaks. HHS wants to make sure healthcare providers are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule in emergency situations.

Now that patients with Ebola have landed on U.S. soil, hospitals and other healthcare providers must prepare for the possibility that a patient with Ebola will walk through the doors. In this Oct. 30 webinar, Husch Blackwell presenters will look at some of the pressing legal issues related to treating patients with communicable diseases such as Ebola, and what providers can do now to prepare their clinical, compliance and legal teams.

In the Electronic Health Records (EHR) space, unconnected and competing systems carry the potential for organizational train wrecks.

Until robust, efficient, and mandatory interoperability standards emerge, providers should consider linking systems through other means, as failure to do so may lead to malpractice and regulatory compliance issues.

A new White Paper, Driving the Golden Spike:

The U.S. Department of Health & Human Services (“HHS”) issued final regulations in January 2013 modifying the privacy, security and enforcement provisions under the Health Information Portability and Accountability Act of 1996 (“HIPAA”). Covered entities and business associates were generally required to comply with the final regulations by Sept. 23, 2013. To reduce administrative burden and costs of renegotiating existing business associate agreements, HHS provided a transition period. Business associate agreements in place as of Jan. 25, 2013, and not modified or renewed between March 26, 2013, and Sept. 23, 2013, were deemed to comply with the new regulations for up to 12 months. All relevant entities should note that the deemed compliance period ends Sept. 22, 2014.

The Food and Drug Administration (FDA) released a new Draft Guidance June 20, 2014, that would make significant changes to the way mobile medical devices are regulated, despite only being claimed by the FDA in September 2013. In that original Guidance, the FDA defined a new industry that it intended to regulate: the creators and providers of mobile medical apps. Such apps originally included many different kinds of apps, from blood glucose monitors to apps that displayed MRI or ECG visual data.

“End-users, sysadmins, and developers lead the pack when it comes to mucking things up, though pretty much all of us are guilty.” These are simple, yet telling, words from the 2014 Data Breach Investigations Report released this week by Verizon.

The report statistics indicate:

  •  46 percent of all data security incidents in healthcare come from theft or simply losing a laptop or other device containing confidential information—triple that of almost all other industry sectors

Because the healthcare community relies upon encryption to safeguard e-Protected Health Information (ePHI), vulnerability to the underlying security of any encryption code is potentially devastating.

The Heartbleed computer bug is gaining substantial media coverage recently, and for good reason. Organizations, especially those in healthcare, should pay special attention to risks from the bug. Heartbleed is not a computer virus, but is actually a software defect. The defect went unnoticed for a long period of time, and was unfortunately adopted by many websites.

Discovered by Neel Mehta of Google Security, the Heartbleed bug is based on a fault in functionality in the widely used OpenSSL library. This library is used by security vendors’ products to secure web browsing and even mobile banking applications. For example, if you go to a site like Amazon, you may notice a little lock in the browser section of the bar with the letters “https”– that is a sign that the website uses, and is a part of, the OpenSSL library. When the Heartbleed bug is exploited, the attacker can retrieve memory, up to 64KB from the remote system.  Such information may contain usernames, passwords, keys or other useful information that enables bigger attacks.

The Senate Committee on Commerce, Science, and Transportation today released its analysis of the 2013 Target Data Breach, using the “intrusion kill chain” framework from Lockheed Martin as its analytical tool.  In short, the analysis shows that although Target likely failed at multiple steps along the chain to stop the breach, the opening salvo by the attackers was waged on a Target vendor, Fazio Mechanical Services.

Although details are not reported, the report does suggest that the attacker may “have sent malware-laden emails to Fazio at least two months before the Target data breach began.”  Target’s supplier portal and facilities management pages were apparently viewable on the Internet, and files from the sites “allowed the attacker to map Target’s internal network prior to the breach.”  Unfortunately, Fazio was also using a free version of an anti-malware product, which did not provide real-time protection and was intended only for individual consumer use.