This page contains news stories from 2009
Click for the latest news stories
Click for the Directory of News Stories
Verizon Business Releases Data Breach Investigations Reports
In December 2009, the Verizon Business Risk Team issued the 2009 Data Breach Investigations Supplemental Report, a companion to the 2009 Data Breach Investigations Report issued earlier this year. The supplemental report provides further insights into the data, and highlights the role of Malware (keyloggers, spyware, backdoor, or command/control) in the top-ranked threat action types. The reports are at: http://www.verizonbusiness.com/worldwide/products/security/risk/
FTC Red Flags Enforcement Delayed Again, until June 1, 2010
The US Federal Trade Commission announced on October 30, 2009 that the FTC, at congressional request, has delayed enforcement of the FTC Red Flags Rule a fourth time, now until June 1, 2010. In addition, on October 30, 2009, the U.S. District Court ruled that the FTC may not apply the Red Flags Rule to attorneys. The FTC Press Release is at: http://www.ftc.gov/opa/2009/10/redflags.shtm
New HIPAA Enforcement Interim Final Rule, in effect 11/30/09
On October 30, 2009, the US Department of Health and Human Services issued a new HIPAA Enforcement Interim Final Rule to meet requirements in the American Recovery and Reinvestment Act. The rule changes the penalty structure for violations and includes new, higher penalties. The rule goes into effect November 30, 2009, and public comment will be considered if received by HHS by December 29, 2009. The HIPAA enforcement interim final rule is available at: http://www.regulations.gov/search/Regs/home.html#documentDetail?R=0900006480a4e565
HHS Office of Inspector General Issues FY 2010 Work Plan
On October 1, 2009, the US Department of Health and Human Services Office of Inspector General issued its work plan for fiscal year 2010, detailing the areas that will be receiving attention for compliance and enforcement over the coming year. Not unexpectedly, there is new emphasis on HIPAA enforcement. The work plan is available at http://oig.hhs.gov/08/Work_Plan_FY_2010.pdf
HHS OCR and others Issue Regulations Under Genetic Law
On October 1, 2009, the US Department of Health and Human Services Office for Civil Rights issued a proposed rule under the Genetic Information Nondiscrimination Act (GINA) that requires changes to the HIPAA Privacy Rule pertaining to prohibition of the use of genetic information for insurance underwriting purposes. The HHS OCR proposed rule as well as companion rules from EEOC and DOL/CMS/Treasury and the source legislation are all available on the OCR site at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/genetic/index.html The Department of Labor fact sheet including a good overview is available at: http://www.dol.gov/ebsa/newsroom/fsGINA.html#
HHS Posts Instructions and Forms for Breach Notification
On October 1, 2009, the US Department of Health and Human Services made available on its Web site instructions and electronic forms for Breach Notification under the new rules in effect as of September 23, 2009, at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html or http://tinyurl.com/yemwev8
NIST Releases Video Guide to Information Security
On October 1, 2009, National Institute of Standards and Technology (NIST) released a video for the small business community titled "Information Technology Security for Small Business. It's not just good business. It's essential business" giving small business owners a glimpse into the resources from NIST, SBA, and the FBI that will help protect them from cyber crime. The video describes computer hacking, denial-of-service, laptop theft, insider abuse, computer viruses, and computers made into bots, and encourages small business owners to define their security needs, establish security practices, and stay current. To see the video and other resources, go to: http://csrc.nist.gov/groups/SMA/sbc/library.html#04
NIST Releases Guide to Security Acronyms and Abbreviations
On October 1, 2009, National Institute of Standards and Technology (NIST) released interagency report NISTIR 7581, System and Network Security Acronyms and Abbreviations, a guide to the alphabet soup that pervades information security, available at: http://csrc.nist.gov/publications/nistir/ir7581/nistir-7581.pdf
NIST Releases Draft Guide to Small Business Info Security
On August 26, 2009, the National Institute of Standards and Technology (NIST) released a draft of NISTIR 7621, Small Business Information Security: The Fundamentals, intended to help small businesses and organizations implement the fundamental concepts of an effective information security program. The draft is available at: http://csrc.nist.gov/publications/PubsDrafts.html#ir7621
IEEE Releases Information Security Standard for Printers
The Institute of Electrical and Electronics Engineers (IEEE) released on June 12, 2009 the first of a series of standards for securing networked printers, which are vulnerable to hacking and exposure of information printed on the devices. For an article on the standard from Dark Reading, please see http://www.darkreading.com/shared/printableArticle.jhtml?articleID=219500204 and for the IEEE background article and link to the standard, please see http://standards.ieee.org/announcements/bkgnd_ieee2600.html
HHS and FTC Issue Interim Rules on Breach Notification
The US Department of Health and Human Services and the Federal Trade Commission published on August 19 and 17, 2009 (respectively) their interim final rules on the notification to individuals of breaches of health information held by HIPAA Covered Entities and Business Associates (under HHS rules) and Personal Health Records (under FTC rules), pursuant to the requirements of the American Recovery and Reinvestment Act of 2009 (ARRA). The FTC announcement is available at http://www.ftc.gov/opa/2009/08/hbn.shtm and the interim rule and notification form are at http://www.ftc.gov/healthbreach/. The HHS site on the topic is at http://tinyurl.com/lmhono and the HHS interim rule is at: http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
HHS Yet Again Expanding HIPAA Privacy Enforcement Team
Now for the third time in two months, HHS has announced two more positions to be filled on their HIPAA enforcement team, this time, for "Privacy Outreach Specialists". For more information on these, go to http://www.usajobs.gov/ and enter the corresponding job announcement number: HHS-OS-14-2009-0003 (DE), or HHS-OS-14-2009-0004 (MP). The open period for these positions is Tuesday, August 11, 2009 to Monday, August 31, 2009.
HHS Again Expanding HIPAA Privacy Enforcement Team
For the second time in two months, the US Department of Health and Human Services (HHS) has announced on August 4, 2009, new positions for Health Information Specialists to join their health information privacy enforcement team. These expansions indicate that HHS is moving aggressively to prepare for the new enforcement activities mandated by the American Recovery and Reinvestment Act of 2009 (ARRA). For more information on these positions, go to http://www.usajobs.gov/ and enter the corresponding job announcement number: HHS-OS-14-2009-0012, or HHS-OS-14-2009-0013. The open period for these positions is Friday, July 31, 2009 to Thursday, August 13, 2009.
HHS Moves HIPAA Security Rule Enforcement to OCR
On August 3, 2009, the US Department of Health and Human Services (HHS) filed for publication in the Federal Register on August 4, 2009 the delegation of enforcement of the HIPAA Security Rule, formerly under the Center for Medicare and Medicaid Services (CMS), to the HHS Office for Civil Rights (OCR), which is already responsible for enforcing the HIPAA Privacy Rule. Now the HHS OCR will have authority for both Privacy and Security Rule enforcement, effective immediately, as well as that for new privacy and security-related regulations under the American Recovery and Reinvestment Act of 2009 (ARRA). Press release: http://www.hhs.gov/news/press/2009pres/08/20090803a.html Notice: http://www.hhs.gov/ocr/privacy/srdelegationofauthority2009.pdf
NIST Releases New SP 800-53 Security Controls Guide
On July 31, 2009, the National Institute of Standards and Technology (NIST) released the final publication of Special Publication 800-53 Revision 3, Recommended Security Controls. In this historic revision, NIST has included controls for both National Security and non-National Security systems, based on input from a wide range of security experts and includes state-of-the-practice safeguards and countermeasures. SP 800-53 Revision 3 is available at: http://csrc.nist.gov/publications/PubsSPs.html#800-53_Rev3
FTC Delays Red Flags Rule Enforcement Again, to 11/1/2009
On July 29, 2009, just shy of the August 1, 2009 deadline, the Federal Trade Commission announced it has yet again delayed the enforcement deadline for the Red Flags Rule, now set for November 1, 2009. According to the press release, available at http://www.ftc.gov/opa/2009/07/redflag.shtm, the delay is being made to allow small business to become more familiar with the rule and implement the required programs and policies. Links to the FTC Red Flags Web site and frequently asked questions are contained in the press release.
HHS Expanding HIPAA Privacy Enforcement Team
On July 16, 2009, the Department of Health and Human Services announced the posting of new positions to be filled for Health Information Privacy Specialists, to expand the HHS HIPAA Privacy enforcement team. This can be expected to become a growing area of effort for HHS, as the HIPAA-related provisions in the stimulus bill (ARRA-HITECH) require increased, and growing, enforcement activity. For more information on these positions, go to http://www.usajobs.gov/ and enter the corresponding job announcement number: HHS-OS-2009-0501 (DE), or HHS-OS-2009-0502 (MP). The open period for these positions is Monday, July 13, 2009 to Friday, July 24, 2009.
Version 2.0 of Consensus Audit Guidelines Released
On May 9, 2009, version 2.0 of the Consensus Audit Guidelines was released, identifying the top 20 information security controls to implement in order to prevent the vast majority of information security issues that can arise. The CAG is developed with input from a number of information security experts in the government and private sectors and is regarded as a critical tool in ensuring good information security practices. For the CAG, see http://www.sans.org/cag/
New Nevada Data Encryption Law Goes Into Effect 1/1/2010
On May 29, 2009, Nevada's governor signed Senate Bill 227, requiring all businesses doing business with Nevada residents to encrypt all personal information in transit, such as credit card information, effective January 1, 2010. Encryption must meet Federal standards (such as FIPS 140-2). Nevada SB 227 is available at: https://www.leg.state.nv.us/75th2009/Bills/SB/SB227_EN.pdf
NIST Issues Revision to Telework and Remote Access Guide
On June 16, 2009, the National Institute of Standards and Technology published the finalized new version of SP 800-46 Revision 1,Guide to Enterprise Telework and Remote Access Security, a comprehensive update to the original SP 800-46, which was published in 2002.
. Draft SP 800-46 Revision 1 is available at: http://csrc.nist.gov/publications/PubsSPs.html#800-46-rev1selecting, implementing, and maintaining the necessary security controls, and it also provides recommendations for information stored on telework devices and transmitted across external networksThe guide emphasizes the importance of securing sensitive
FTC Issues New FAQs on Identity Theft Red Flags
On June 11, 2009, the U.S. Federal Trade Commission released a new set of Frequently Asked Questions about Red Flags Rules and Address Discrepancy Rules, how they apply, and how organizations can comply with them. The FAQs are available at: http://ftc.gov/os/2009/06/090611redflagsfaq.pdf
NIST Issues Final Draft of SP 800-53 Revision 3 Security Guide
On June 3, 2009, the National Institute of Standards and Technology released the final public draft of Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations. The updated security control catalog incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and Civil agencies, to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.
Revision 3 includes state-of-the-practice safeguards and countermeasures to address advanced cyber threats capable of exploiting vulnerabilities in information systems. The final publication of SP 800-53, Revision 3 is targeted for July 31, 2009. Comments will be accepted until June 30, 2009. SP 800-53 Rev. 3 is available at: http://csrc.nist.gov/publications/PubsDrafts.html#800-53_Rev3
ONCHIT Issues Plan for HITECH Privacy and Security
On May 18, 2009, the Office of the National Coordinator for Health Information Technology (ONCHIT) issued an implementation plan for the privacy and security provisions (sub-title D) of the HITECH act (title XIII) contained within the stimulus bill (ARRA). While the plan does not contain much more hard information than in the act itself, it does lay out an operating plan and defines the amount of ARRA funds to go to enforcement of HIPAA, $10 million. To see the plan, go to: http://www.hhs.gov/recovery/reports/plans/onc_hit.pdf
FTC Delays Red Flags Rule Again, to August 1, 2009
On April 30, 2009, just one day before the last deadline set by the Federal Trade Commission, the FTC postponed the compliance deadline to August 1, 2009. In addition, the FTC will soon release a compliance template for businesses that personally know their customers.
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies, including the FTC, to promulgate rules requiring creditors to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services, such as most health care providers.
Go to http://www.ftc.gov/opa/2009/04/redflagsrule.shtm for the FTC press release, and http://www.ftc.gov/redflagsrule for the FTC's "How-To Guide" Web site.
HHS Issues Guidance on HITECH Act Breach Notification
On April 17, 2009, pursuant to the HITECH act portion (Title XIII) of ARRA, HHS issued guidance on the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, so that it will not be subject to the breach notification provisions in sections 13402 and 13407. The HHS press release is available at http://www.hhs.gov/news/press/2009pres/04/20090417a.html and the guidance language (to be available also in the Federal Register) is available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechrfi.pdf An informative article from Health Leaders Media is at: http://tinyurl.com/djozk5
HHS is also requesting public comment on breach notification and the guidance, to inform rule-making for the forthcoming interim final regulations on breach notification, due before August 17, 2009. Comments must be submitted by May 21, 2009, preferably at http://www.regulations.gov.
FTC Proposes Breach Notification Rules for PHRs
On April 16, 2009, pursuant to the American Recovery and Reinvestment Act of 2009, the FTC proposed rules for notifying consumers when the security of their electronic health information held in a Personal Health Record has been breached. Many questions remain as to how to implement this requirement, and the proposed rule is open for comment through June 1, 2009.
The FTC press release is at http://www.ftc.gov/opa/2009/04/healthbreach.shtm; the proposed rule is at http://www.ftc.gov/os/2009/04/R911002healthbreach.pdf. Go to https://secure.commentworks.com/ftc-healthbreachnotification if you wish to file a public comment on the proposed rule.
PCI Council Releases Prioritized Approach for DSS Compliance
On March 31, 2009 The Payment Card Industry Security Standards Council released an updated guide to becoming compliant with the PCI Data Security Standard that will "help merchants identify how to reduce risk to card holder data as early on as possible in their compliance journey." The tool groups together the requirements of PCI DSS 1.2 into six key milestones, helps businesses identify highest risk targets, creates a common language around PCI DSS implementation efforts, and enables merchants to demonstrate compliance progress. The Prioritized Approach guide and tool were first released on March 3, 2009.
The Prioritized Approach guide (.pdf) and tool (an Excel worksheet) are available at: https://www.pcisecuritystandards.org/education/prioritized.shtml and a related Computerworld article is at: http://tinyurl.com/dk44v2 The PCI Quick Reference Guide is at: https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
NIST Releases Draft Telework & Remote Access Security Guide
On February 24, 2009, The National Institute of Standards and Technology released a draft of Special Publication 800-46 Revision 1, Guide to Enterprise Telework and Remote Access Security. SP 800-46 Revision 1 is intended to help organizations understand and mitigate the risks associated with the technologies they use for telework.
The guide emphasizes the importance of securing sensitive information stored on telework devices and transmitted across external networks, and it provides recommendations for selecting, implementing, and maintaining the necessary security controls. Draft SP 800-46 Revision 1 is a comprehensive update to the original SP 800-46, which was published in 2002. Draft SP 800-46 Revision 1 is available at: http://csrc.nist.gov/publications/PubsDrafts.html#800-46-rev1
CVS Gets $2.25 Million Fine for Improper Disposal of PHI
On February 18, 2009, the Department of Health and Human Services and the Federal Trade Commission announced that CVS, the nation’s largest retail pharmacy chain, will pay the U.S. government a $2.25 million settlement and take corrective action to ensure it does not violate the privacy of its millions of patients when disposing of patient information such as identifying information on pill bottle labels. Among other issues, the reviews by HHS Office of Civil Rights and the FTC indicated that CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process, and failed to adequately train employeeson how to dispose of such information properly.
HHS and FTC will require CVS to conduct third-party assessments of compliance and report to HHS for three years and to the FTC for 20 years. The HHS Resolution Agreement and Corrective Action Plan are on the OCR Web site at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresagrcap.pdf. Information about the FTC Consent Order agreement is available at www.ftc.gov, the FTC press release is at http://www.ftc.gov/opa/2009/02/cvs.shtm and the final order from FTC is at http://www.ftc.gov/os/caselist/0723119/090623cvsdo.pdf
HHS OCR has posted new FAQs that address the HIPAA Privacy Rule requirements for disposal of protected health information, available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf.
Stimulus Bill Includes Major Changes for Privacy and Security
On February 17, 2009, the President Obama signed the economic stimulus package, including Title XIII–Health Information Technology, also known as the HITECH Act. Subtitle D–Privacy calls for improved privacy and security for health information, including treating business associates as though they are covered entities, breach notification, accounting of all EHR disclosures, increased penalties, audit requirements, and more. The final text is at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h1enr.pdf or http://www.opencongress.org/bill/111-h1/text . See sections in the 13400s, beginning on the bill's page 144, about 1/3 of the way in, for the relevant privacy and security requirements, some effective immediately. There are good summaries at: http://wistechnology.com/articles/5513/ and http://tinyurl.com/c979tx or http://computersecuritylaw.us/2009/02/17/american-recovery-and-reinvestment-act-overview-of-modifications-to-the-hipaa-privacy-and-security-regulations.aspx An excellentanalysis of the HIPAA impacts is provided by AHIMA at http://www.ahima.org/dc/documents/AHIMAAnalysisofARRAPrivacy-3-2009.pdf
Massachusetts Delays Security Compliance Deadline to 1/1/10
On February 12, 2009 the Massachusetts Office of Consumer Affairs and Business Regulation announced that the new information security requirements for businesses holding consumer information would be set to take affect in January 1, 2010, delayed for a second time from the original January 1, 2009 date. In addition, the rule was softened to make it easier for third party providers to work with a business's personal data. The press release for the announcement is available at: http://tinyurl.com/dhhdrl and the revised regulation is available at: http://www.mass.gov/Eoca/docs/idtheft/201CMR17amended.pdf A related article in Computerworld magazine is available at: http://tinyurl.com/bhqaln
HHS OCR Posts New Health Information Privacy Web Site
On February 10, 2009, the Department of Health and Human Services, Office for Civil Rights posted its new Web site, including health information privacy (HIP) pages that have been extensively revised to improve organization and ease of use for consumers, covered entities and others seeking reliable advice on the HIPAA Privacy Rule and the Patient Safety Rule. The new health information privacy web pages are available at: http://www.hhs.gov/ocr/privacy/index.html
Economic Stimulus Package Includes Health Information Security Breach Notification (and other requirements)
The January 16, 2009 committee draft of the economic stimulus package containing significant provisions related to healthcare information privacy and security, including requirements to notify healthcare consumers when the security of their health information has been breached. The committee text is available at: http://energycommerce.house.gov/images/stories/Documents/Markups/PDF/ec-health-001-xml.pdf, or http://tinyurl.com/7ldy5p. The privacy and security language begins on page 164. Also included is language making healthcare business associates subject to HIPAA Security Rule safeguard provisions.
NIST Releases Draft Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
On January 13, 2009, the National Institute of Standards and Technology (NIST) Computer Security Division released a public draft of Special Publication (SP) 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). SP 800-122 is intended to assist Federal organizations in identifying PII and determining what level of protection each instance of PII requires, based on the potential impact of a breach of the PII's confidentiality. The publication also suggests safeguards that may offer appropriate protection for PII and makes recommendations regarding PII data breach handling. NIST requests comments on draft SP 800-122 by March 13, 2009. The draft is available at: http://csrc.nist.gov/publications/PubsDrafts.html#800-122
Click for the latest news stories
Click for the Directory of News Stories