Idaho State University Settles HIPAA Security Case for $400K
At the close of the first day of the annual NIST-OCR HIPAA Security conference in Washington, DC, just in time for OCR Director Leon Rodriguez to discuss in his day-two keynote address, HHS released information about a new $400,000 settlement for HIPAA Security Rule violations, this time related to a breach of records of 17,500 patients at ISU's Pocatello Family Medicine Clinic, caused by some server firewalls' being disabled for most of a year, and lack of a real Risk Analysis and system activity reviews that could have prevented or limited the breach, among other violations. The press release is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/isu-agreement-press-release.html.html and the Resolution Agreement is available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/isu-agreement.pdf
New HHS HIPAA Educational Tools for Consumers, Providers
On April 30, 2013, the US Department of Health and Human Services Office for Civil Rights announced new tools to educate consumers and providers about the HIPAA Privacy and Security Rules. See http://www.hhs.gov/ocr/privacy
OCR has posted a series of fact sheets for consumers, available in eight languages, about cpmsumer rights under the HIPAA Privacy Rule,on OCR’s website at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers
The fact sheets compliment a set of seven videos released earlier this year on OCR’s YouTube channel. A video on The HIPAA Security Rule, has been designed for providers in small practices and offers an overview of how to establish basic safeguards to protect patient information and comply with the Security Rule’s requirements. The videos are available on the HHS OCR YouTube Channel at http://www.youtube.com/user/USGovHHSOCR
OCR has also launched three modules for health care providers that offer free Continuing Medical Education (CME) credits for physicians and Continuing Education (CE) credits for health care professionals, on compliance with various aspects of the HIPAA Privacy and Security Rules, available at Medscape.org:
• Patient Privacy: A Guide for Providers
http://www.medscape.org/viewarticle/781892?src=ocr
• HIPAA and You: Building a Culture of Compliance
http://www.medscape.org/viewarticle/762170?src=ocr
• Examining Compliance with the HIPAA Privacy Rule
http://www.medscape.org/viewarticle/763251?src=ocr
Reports on Breaches Show Weaknesses, Identity Theft
In addition to the Verizon report noted in the story below, additional reports have been released looking at data breaches and healthcare information. In a new study, Ponemon Institute surveyed a sample of privacy and compliance leaders in various organizations about their expectations of having a breach, their breach prevention practices, and their data breach response plan, and found that among healthcare organizations, 94% had had a breach in the last two years, 39% had no breach response plan, and only 19% were equipped to determine the size or causes of breaches. The report is available at: http://www.experian.com/data-breach/readiness-survey.html
Separately, analysis by Javelin Strategy and Research on the results of the massive Utah PHI breach in 2012 that affected 780,000 people found that 25% of all affected individuals had suffered identity theft, and that costs of the incident, caused by a simple but entirely preventable human error, approach a total of over $400 million. The analysis is available at: https://www.javelinstrategy.com/blog/2013/04/28/financial-pain-ensues-when-custodians-of-health-fail-to-be-good-stewards-of-privacy/
2013 Verizon Data Breach Investigations Report Released
On April 23, 2013, the Verizon 2013 Data Breach Investigations Report was released, describing the security threat landscape and characteristics of breaches over the last year. The report includes information about 621 confirmed data breaches as well as more than 47,000 reported security incidents that were investigated by Verizon and 18 of its global partners, including law enforcement.
Probably the most damning statistic is that the vast majority of breaches are discovered by someone other than the entity having the breach. As always, if you are serious about security, you need to review this annual report.
The report is at: http://www.verizonenterprise.com/DBIR/2013/ and a related story in GovInfoSecurity.com is at: http://www.govinfosecurity.com/interviews/verizon-report-ddos-broad-threat-i-1892
NIST/OCR HIPAA Security Conference Announced: May 21-22
The National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) are co-hosting the 6th annual conference Safeguarding Health Information: Building Assurance through HIPAA Security on May 21 & 22, 2013 at the Ronald Reagan Building and International Trade Center in Washington, D.C., exploring the current health information technology security landscape and the HIPAA Security Rule, and highlighting the present state of health information security, and practical strategies, tips and techniques for implementing the HIPAA Security Rule.
Presentations will cover a variety of topics including the Omnibus HIPAA/HITECH Final Rule, identity management, strengthening cybersecurity in the health care sector, integrating security safeguards into health IT, managing insider threats, securing mobile devices, and more. Participants can choose to participate on-site, or through a live web cast. Lunch and refreshments are included in the on-site registration fee and all registrations include access to archived webcast presentations and materials.
Visit the conference web page for more information and registration: http://www.nist.gov/itl/csd/2013-hipaa-conference.cfm
HHS to Survey Entities Receiving a 2012 HIPAA Audit; New Audit Effort to Begin in FY 2014, beginning October 1, 2013
On March 19, 2013, the US Department of Health and Human Services announced it will be surveying those entities subjected to the random audit program in 2012, to help design the revised HIPAA random audit program, now slated to restart in the next Federal Fiscal Year, which begins October 1, 2013, barely a week after the new HIPAA rules go into effect.
The announcement is available at https://www.federalregister.gov/articles/2013/03/19/2013-06281/agency-information-collection-activities-proposed-collection-public-comment-request
A story on the announcement in Health Data Management is available at http://www.healthdatamanagement.com/news/hipaa-privacy-security-breach-notification-enforcement-45853-1.html and in iHealthBeat at http://www.ihealthbeat.org/articles/2013/3/19/ocr-seeks-input-on-survey-of-hipaa-audit-program-participants.aspx
HHS OCR Hiring Staff for HIPAA Enforcement Activity
On February 27, 2013, the US Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) Office of the Deputy Director Health Information Privacy (ODDHIP) announced several job positions, since closed March 12, seeking experience in privacy and security compliance and enforcement as well as in the areas of policy, outreach, and health information technology systems. The OCR Division of Health Information Privacy enforces the HIPAA Privacy and Security Rules and the confidentiality provisions of the Patient Safety and Quality Improvement Act.
It is unknown what impact the Sequester will have on these positions, but the indication is clear that HIPAA enforcement activity will be on the increase.
H-P Print Server Software Vulnerable to Attack by Hackers
A story published January 23, 2013 on the Information Week Web site indicates that any printers using H-P JetDirect print server software may be hacked to allow access to copies of documents previously printed, among other vulnerabilities. The software is used by many printer manufacturers, not only H-P.
Users of printers that use JetDirect should ensure they have applied all patches issued and work with vendor support to find ways to delete copies of printed documents until new patches are developed by H-P. The article is at: http://www.informationweek.com/security/vulnerabilities/security-flaws-leave-networked-printers/240146805
HIPAA Business Associate Agreement Language Updated
On January 25, 2013, the US Department of Health and Human Services updated on its Web site the sample language for Business Associate Agreements meeting the requirements of the new final HIPAA rule, published the same day. While the language should always be finalized by your own attorney, the sample language does show the required elements any agreement should contain. The sample language is available at the same address as the old sample language: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
HIPAA Final Omnibus Rule Finally Released, Major Changes
On January 17, 2013, the US Department of Health and Human Services released the new final HIPAA rule for all the HITECH Act changes (and more, with the exception of the proposed Accounting of Disclosures changes). The rule will be published January 25, 2013 in the Federal Register, go into effect 60 days later and are enforceable by September 23, 2013.
Significant changes from the proposed and interim final rules include allowing Business Associate Agreements using the old language before the publication date of the rule (not the effective date, as proposed) to be able to have 18 months to update the agreement to the new rules.
Also significant is the elimination of the "Harm Standard" in the Breach Notification Rule, replaced with a risk assessment to determine if there is a "low probability of compromise" of the data.
The changes from the current and proposed rules are significant and will be discussed in further detail over the coming weeks. The Rulemaking announced January 17, 2013 may be viewed as a PDF and in the Federal Register at https://www.federalregister.gov/articles/2013/01/25/2013-01073/hipaa-privacy-security-enforcement-and-breach-notification-rules. The HHS Press Release is at: http://www.hhs.gov/news/press/2013pres/01/20130117b.html.
HIPAA Settlement for Laptop Breach at Idaho Hospice Agency
The Hospice of North Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services’ (HHS) $50,000 to settle potential violations of the HIPAA Security Rule. An unencrypted laptop computer containing the electronic protected health information of 441 patients had been stolen, and OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI and did not have in place policies or procedures to address mobile device security.
From the press release: “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”
Here's the link to the HHS OCR news release on the settlement, with links to the agreement, and to guidance on how to protect mobile data: http://www.hhs.gov/news/press/2013pres/01/20130102a.html
HHS ONC Introduces New Site for Mobile Device Security
On December 12, 2012, the US Department of Health and Human Services Office of the National Coordinator for Health IT made available a new web site dedicated to Mobile Devices and Health InformationPrivacy and Security. The site is intended to help hospitals and physicians better understand how and why to protect sensitive health data stored on mobile devices. The site includes explanatory videos, fact sheets and downloadable posters. See: http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security
HHS OCR Releases Guidance on De-Identification of PHI
On November 26, 2013 the US Department of Health and Human Services Office for Civil Rights published Guidance Regarding Methods for De-identification of PHI in Accordance with HIPAA via a web page that includes general statements of guidance as well as frequently asked questions that help illustrate the guidance. There is actually a lot of useful information on the page and it would be of great use to anyone wrestling with issues of de-identification and PHI under HIPAA. See: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html
Verizon Data Breach Investigations Report 2012 Snapshots
In March, 2012, the Verizon RISK Team released the 2012 Data Breach Investigations Report, detailing trends in information security based on numerous incidents investigated in 2011. In general, the external threats are growing, in particular for "soft" targets like hospitality and healthcare. The Verizon page with links to the 2012 report (available as a PDF or as a free iBook) and reports from 2009-2011 is at: http://www.verizonbusiness.com/about/events/2012dbir/
There is also a Healthcare Industry-specific snapshot of the report available at: http://www.verizonbusiness.com/resources/reports/rp_dbir-industry-snapshot-healthcare_en_xg.pdf Make sure you take care of their basic recommendations to avoid security issues!
Verizon Announces HIPAA-compliant Cloud Services and BAA
On October 1, 2012, Verizon Enterprise Solutions unveiled a comprehensive cloud and data center infrastructure portfolio specifically designed meet HIPAA requirements for safeguarding electronic protected health information. Where appropriate, Verizon is prepared to sign a HIPAA Business Associate Agreement, unlike many other cloud service providers. The press release is available at http://www.verizonbusiness.com/about/news/pr-25994-en-Verizon+Introduces+Cloud+Portfolio+to+Help+Health+Care+Industry+Meet+HIPAA+Security+Requirements.xml and an article in Computerworld magazine on Verizon's announcement is available at http://www.computerworld.com/s/article/9231911/Verizon_launches_HIPAA_compliant_eHealth_cloud_service
NIST September ITL Bulletin Focuses on Incident Handling
On September 28, 2012, the NIST Computer Security Resource Center announced the availability of the September ITL Bulletin, focusing on the topic of the month: Revised Guide Helps Organizations Handle Security Related Incidents. The bulletin discusses the recently updated NIST SP 800-61 Computer Security Incident Handling Guide. The September, 2012 bulletin is available at: http://csrc.nist.gov/publications/nistbul/itlbul2012_09.pdf and SP 800-61 is available at http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
To view other NIST ITL (Information Technology Laboratory) Security Bulletins, see: http://csrc.nist.gov/publications/PubsITLSB.html
NIST Releases Updated Risk Assessment Guide SP 800-30 rev 1
On September 18, 2012, the National Institute of Standards and Technology released Revision 1 of Special Publication SP 800-30, Guide for Conducting Risk Assessments, which is the foundation of risk analysis procedures under HIPAA. The new guide is much larger, contains a great deal of background information, and is much harder for the average compliance officer to approach. It is thick with theory and explanations that only serve to obfuscate the meaning and goals. The process described is much more complicated than the one in the original version, and is not necessarily appropriate for many health care organizations.
So warned, the new version is available at: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf, and the old version (recommended) is still available at: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
ONC Releases Privacy & Security Training Game for Practices
The Office of the National Coordinator for Health Information Technology has released Cybersecure: Your Medical Practice, which is a game developed to teach good basic privacy and security principles for health care offices, by requiring users to respond to privacy and security challenges. Users choosing the right response earn points and see their virtual medical practices flourish, and vise versa. The game is available at no cost at: http://www.healthit.gov/providers-professionals/privacy-security-training-games and additional resources from ONC are available at http://www.healthit.gov/providers-professionals/ehr-privacy-security
MEEI Gets $1.5 million Settlement for Laptop Security Issues
On September 17, 2012, the US Department of Health and Human Services Office For Civil Rights announced a $1.5 million settlement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively referred to as “MEEI”) concerning insecure laptops and a lack of risk analysis, mitigation of risk, and policies and procedures. The HHS information page on the settlement, with links to the resolution agreement and more, is at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement.html
HIPAA Audit Protocol Quietly Revised, Has New Web Address
At some point during September, 2012, without announcement, the US Department of Health and Human Services Office For Civil Rights updated the recently released HIPAA Audit Protocol with some modifications, a few more questions, and some improvements in usability. The updated protocol is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html and the prior version is still at the old URL. The OCR page on the HIPAA Audit Program is at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
Revised NIST Computer Security Incident Handling Guide
During August, 2012, the National Institute of Standards and Technology published Revision 2 of the Computer Security Incident Handling Guide, an updated version of the very useful NIST Special Publication 800-61. NIST SP 800-61 Revision 2 includes major chapters on Organizing a Computer Security Incident Response Capability, Handling an Incident, and Coordination and Information Sharing, as well as appendices that include such information as Incident Handling Scenarios. Strongly recommended, available at: http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
HIPAA Privacy, Security and Breach Audit Protocol Released
On June 26, 2012, The US Department of Health and Human Services Office for Civil Rights released the audit protocol for the current round of random HIPAA Privacy, Security, and Breach Notification compliance audits, to be completed by the end of 2012. In all, 115 random compliance audits for HIPAA covered entities are planned for 2012. See how your organization would do -- the audit protocol is available at http://ocrnotifications.hhs.gov/hipaa.html
The protocol has 165 questions, most with several sub-questions, and multiple references of comparisons to "established performance criteria" and "specified criteria" that are NOT defined in the protocol, limiting its usefulness, and there are some issues with some of the questions, but it is a great way to see just what kind of documentation you might be asked to produce in an audit. There is plenty of call for explanations and justifications under the addressable specifications, so it's clear that full documentation of your compliance decisions is necessary.
Unfortunately, there is no obvious way to simply download the entire table with all the cell contents showing so you can create your own tool or table and use their questions in a more accessible way, but the online access is of real value.
Alaska Medicaid Hit With $1.7 million Settlement for Security
On June 26, 2012, The US Department of Health and Human Services Office for Civil Rights announced it had reached a settlement of $1.7 million with the Alaska Department of Health and Social Services, the state Medicaid agency, for possible violations of the HIPAA Security Rule. A USB drive with PHI was stolen; investigation found inadequate policies and procedures, no risk analysis, incomplete security training, lack of device and media controls, not addressing encryption, and overall insufficient risk management measures.
The press release makes it clear that state agencies are not exempt from HIPAA. In addition to the penalty, the settlement calls for a corrective action plan and monitoring of compliance. There are no sacred cows in HIPAA compliance any more, not even up in Alaska. See the HHS OCR page on the settlement agreement at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html
California Releases HIPAA Security Toolkit for Small Providers
On June 7, 2012, the California Health and Human Services Agency’s (CHHS), Office of Health Information Integrity (CalOHII) announced the release of its HIPAA Security Rule Toolkit. It is an online toolkit that helps entities better understand the requirements of the HIPAA Security Rule, and assist organizations in implementing HIPAA requirements. The online toolkit can be accessed via the CalOHII website: http://ohii.ca.gov/calohi/ The the toolkit is available at: https://www.ohii.ca.gov/securitytool/compliance/login.aspx and the user guide is at: https://www.ohii.ca.gov/securitytool/downloads/CalOHII_HSR_User_Guide.pdf
NIST/OCR HIPAA Security Conference Presentations Released
On June 7, 2012, NIST released the presentation slides given at the 2012 NIST/OCR HIPAA Security Conference in Washington, DC, now available for download at http://csrc.nist.gov/news_events/hiipaa_june2012/presentations.html. The topics cover a great deal of useful information including one particularly useful study by the Office of the National Coordinator detailing the security features of various smart phones, laptops, and tablets. See the link for the ONC Mobile Device Project in the June 6 topic list. And the entire webcast of the presentations is available for viewing at: http://www.nist.gov/itl/csd/hipaa-security-conference-2012-webcast.cfm
HHS OCR Releases HIPAA Enforcement Training Materials for State Attorneys General
On June 4, 2012 the US Department of Health and Human Services Office for Civil Rights announced the availability of training materials in HIPAA Enforcement for State Attorneys General to help them use their new authority to enforce the HIPAA Privacy and Security Rules. The materials include videos and slides from in-person training sessions for State AGs conducted in 2011, as well as computer-based training modules that can be downloaded and saved to your own computer. Although developed for State AGs, the training materials provide a great deal of information about the content and enforcement of the HIPAA Rules that may be of interest to a broader audience. For more information, see: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/sag/sagmoreinfo.html
NIST Releases Cloud Computing Synopsis & Recommendations
On May 29, 2012, NIST released the final version of NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations which is a is NIST’s general guide to cloud computing. It explains cloud systems in plain language, provides recommendations for information technology decision makers, and presents information on how clouds are deployed, what kind of services are available, economic considerations, technical characteristics such as performance and reliability, typical terms of service, and security issues. It also offers recommendations on how and when cloud computing is an appropriate tool, and surveys open issues for cloud computing. The guide is available at: http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf
Apple Releases its First Guide to iOS Security for Users and System Administrators
In May 2012 Apple released a new guide: iOS Security providing details about how security technology and features are implemented within the iOS platform. It also outlines key elements that organizations should understand when evaluating or deploying iOS devices on their networks. The move is unprecedented for Apple; up until now Apple has not provided definitive documentation for users and system administrators on using iOS security features and capabilities. See: http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf
Symantec Releases Internet Security Threat Report - 2011 Trends
Symantec released in April 2012 its Internet Security Threat Report: 2011 Trends spotlighting how the threat landscape is changing and what businesses and individuals should do to protect themselves. Troubling for Healthcare is the news that Healthcare reports more breaches by far than any other sector, 43% of the total, although it is ranked third, at 8%, for the number of identities exposed. This is an easy-to-use report that includes a lot of useful information, and is available at: http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf
ONC Issues Guide to Protecting Privacy & Security of PHI
On May 8, 2012, The Office of the National Coordinator for Health IT released a 47-page 10-step plan for protecting the privacy and security of health data, developed in conjunction with the American Health Information Management Association. Any entity that wishes to attest to the meaningful use of their EHR so that they can receive Federal funding would be well advised to take note – if you're audited for meaningful use compliance, you will want to be sure you've covered these bases. The list of steps itself echoes many of the same themes we've been espousing for years, but makes it clear that if you want to attest to meaningful use, you need to take privacy and security seriously. The guide is available at: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
Questions Used in Current HIPAA Privacy and Security Audits
The Malvern Group's Sue Miller has published a briefing with a list of information requests submitted to the covered entity in one of the first round of random HIPAA Privacy and Security Rule compliance audits. The two-page list contains no real surprises – make sure you have policies and procedures and can show you've been using them – but it does provide the first publicly available list of questions specifically related to Privacy compliance as well as Security compliance questions. Sample security questions have been available for five years. For a copy of Sue Miller's briefing including the two-page questionnaire, please see: http://malverngroup.com/uploads/OCR_Audit_Document_Request_Brief_20120424_v_2.pdf
HHS Hits Phoenix Cardiac Surgery Group with $100K Penalty
On April 17, 2012 the US Department of Health and Human Services announced it has reached a settlement with Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, which has agreed to pay $100,000 and take corrective action to implement policies and procedures to safeguard the protected health information of its patients. The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).
This penalty hits the nail on the head: You can't ignore the HIPAA Security Rule any longer. Go read the press release (with links to the settlement agreement) at http://www.hhs.gov/news/press/2012pres/04/20120417a.html and take note -- Every item they touch on I've been harping on for years now: Policies and Procedures, Training, Risk Analysis, and Business Associate Agreements; all ignored over a period of years. Sounds like a great poster child for how NOT to do HIPAA security compliance! Note the quote from Leon Rodriguez, director of OCR in the release: "We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity."
NIST/OCR HIPAA Security Conference for 2012 Announced
On April 2, 2012, The National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced they are co-hosting the 5th annual conference Safeguarding Health Information: Building Assurance through HIPAA Security on June 6 & 7, 2012 at the Ronald Reagan Building and International Trade Center in Washington, D.C. The fee is just $395, a bargain for a two-day event featuring just about everyone you need to hear from or talk with about HIPAA Security. In fact, Jim Sheldon-Dean will be speaking on a panel discussing HIPAA Security Rule Toolkit Use Case studies during the conference the morning of June 7.
This event will highlight the present state of health information security, and practical strategies, tips and techniques for implementing the HIPAA Security Rule. The conference will offer important keynote addresses and plenary sessions as well as breakout sessions following two learning tracks around specific areas of security management and technical assurance. For information and registration, please see: http://www.nist.gov/itl/csd/hipaasec.cfm
New HIPAA Rules Submitted to OMB; Released by End of June?
On March 24, 2012, the Office of Management and Budget received the final new HIPAA rule changes, including final rules for all of the proposed and interim final rules put forth as a result of the HITECH Act, except for the rules pertaining to Accounting of Disclosures, but also including changes pursuant to the Genetic Information Nondiscrimination Act. The final rule will be out within 90 days, which puts it at the end of June.
Expectations are that changes from the proposed and interim final rules will be minimal, with the possible exception of modifications to the "harm standard" within the Breach Notification Rule. The OMB Regulatory Dashboard for pending regulations is at http://www.reginfo.gov/public/jsp/EO/eoDashboard.jsp (scroll down to the section for HHS) and the status of the process for this rule is available at http://www.reginfo.gov/public/do/eoDetails?rrid=121784
Breaches Lead to Bankruptcy, $1.5 million Settlement; ANSI Report Shows Financial Impacts of Breaches of PHI
A March 12, 2012 entry in the WSJ Blog Bankruptcy Beat reports that a national firm that reviews medical records has filed for bankruptcy as a result of a break-in last New Year's Eve in their California office. The cost of dealing with the breach was more than the company was worth so the company filed for Chapter 7 bankruptcy. See: http://blogs.wsj.com/bankruptcy/2012/03/12/burglary-triggers-medical-records-firm’s-collapse/
March 13, 2012 saw several stories on the first reported settlement of violations discovered under the HIPAA Breach Notification rule, by Blue Cross and Blue Shield of Tennessee, for $1.5 million. The breach involved the theft of 57 hard drives loaded with voice and video recordings of customer service conversations that involved personal information. (BCBST now encrypts data-at-rest but it should probably have been disposed of before.) For the article in Modern Healthcare, please see: http://www.modernhealthcare.com/article/20120313/NEWS/303139960/ The settlement agreement between BCBST and HHS can be obtained at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/resolution_agreement_and_cap.pdf
In addition, a new report has just been released by the American National Standards Institute (ANSI): The Financial Impact of Breached Protected Health Information -- A Business Case for Enhanced PHI Security, available at no charge with registration. It includes information on how to calculate the potential costs of breaches, but you don't have to look far beyond the examples above to see the potential costs. See: http://webstore.ansi.org/phi/
NIST Releases Guidelines on Wireless Networks and Draft Update to SP 800-53 Recommended Security Controls
On February 21, 2012 the National Institute of Standards and Technology (NIST) released Special Publication 800-153, Guidelines for Securing Wireless Local Area Networks (WLANS), a tidy little document providing valuable guidance on security configuration and monitoring of wireless networks. The announcement is available at: http://csrc.nist.gov/news_events/index.html#feb21 and SP 800-153 is available at: http://csrc.nist.gov/publications/nistpubs/800-153/sp800-153.pdf
On February 28, 2012, NIST released its February ITL Bulletin, also focusing on guidelines for the secure use of wireless networks, available at: http://csrc.nist.gov/publications/nistbul/february-2012_itl-bulletin.pdf . Previous ITL Security Bulletins are available on the CSRC website at: http://csrc.nist.gov/publications/PubsITLSB.html
Also on February 28, 2012, NIST released the initial public draft of SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations which includes changes such as:
• New security controls and control enhancements;
• Clarification of security control requirements and specification language;
• New tailoring guidance including the introduction of overlays;
• Additional supplemental guidance for security controls and enhancements;
• New privacy controls and implementation guidance;
• Updated security control baselines;
• New summary tables for security controls to facilitate ease-of-use; and
• Revised minimum assurance requirements and designated assurance controls.
SP 800-53 is the go-to guide for protecting information, and this new version is updated to reflect the changing security landscape. The announcement is available at: http://csrc.nist.gov/news_events/index.html#feb28 and the draft is available at: http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf
CMS Proposes Meaningful Use Stage 2 Regs: Increased Security
On February 23, 2012 the Centers for Medicare and Medicaid Services (CMS) released the proposed Stage 2 Regulations on Meaningful Use of EHRs, and the new rules call for increased attention to the security of data at rest, specifically on portable devices that contribute to so many of the breaches reported to HHS. They also call for the use of secure messaging with patients.
The CMS fact sheet is at http://tinyurl.com/6rvrjex, the proposed regulation is at http://www.ofr.gov/OFRUpload/OFRData/2012-04443_PI.pdf, and I have posted an extract of the proposed rule covering the security issues here.
California Releases Updated Breach Handling Recommendations
On January 3, 2012, the California Office of Privacy Protection released a new version of their Recommended Practices on Notice of Security Breach Involving Personal Information, updated to reflect the latest changes in California law, as well as the latest thinking on security and breach prevention. This guide includes some excellent recommendations for anyone in any state to reduce the chances of a breach, as well as the specifics relevant to California. Available at: http://www.privacy.ca.gov/business/recom_breach_prac.pdf
Click to view news stories from 2011
Click to view news stories from 2010
Click to view news stories from 2009
Click to view news stories from 2008
Click to view news stories from 2007 and earlier