Verizon Business RISK Team Releases 2010 Breach Report
On July 28, 2010, the Verizon Business RISK Team released its 2010 Data Breach Investigations Report. According to the report, comprising information from 57 private investigations conducted by Verizon and 84 cases investigated by the US Secret Service in 2009, 70 percent of breaches were committed by outsiders. In more than a third of the breaches, cyber criminals used stolen login credentials, accounting for 86% of compromised records. In many cases, cyber thieves relied on configuration errors instead of security vulnerabilities to steal data.
For more information, please see:
Internet Storm Center: http://isc.sans.edu/diary.html?storyid=9283 and http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
Rite Aid Hit With $1 Million "Settlement" for HIPAA Violations
The US Department of Health and Human Services and the US Federal Trade Commission have entered into a $1 Million settlement agreement with Rite Aid Corporation pertaining to the potential improper disposal of pill bottles and labels containing PHI. This settlement is related to a similar case involving CVS, settled in February of 2009, and a comparable case concerning Walgreens pharmacies is proceeding toward a similar settlement. In addition to the monetary settlement, Rite Aid will be subject to periodic review by the FTC for the next 20 years.
For more information and to see the settlement agreement, please see: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/riteaidresagr.html
HHS Proposes Blockbuster Changes to HIPAA Regulations
On July 8, 2010, the US Department of Health and Human Services issued a Notice of Proposed Rule Making containing significant modifications to the HIPAA Privacy and Security regulations. Some of the changes have been anticipated since the passage of the HITECH Act within ARRA in February of 2009, but some came as a surprise. The NPRM was officially published in the Federal Register on July 14, 2010.
Among the many changes, not only are business associates of HIPAA covered entities now covered directly under the regulations, but also sub-contractors to business associates are now directly subject to the HIPAA rules for business associates. Other changes mean modifying all Notices of Privacy Practices and all Business Associate Agreements.
The NPRM is available at http://edocket.access.gpo.gov/2010/pdf/2010-16718.pdf and http://edocket.access.gpo.gov/2010/2010-16718.htm
An excellent initial take on the NPRM by John R. Christiansen is available at: http://informationlawtheoryandpractice.blogspot.com/2010/07/preliminary-thoughts-on-hitechhipaa.html or http://tinyurl.com/37bours
FTC Extends Enforcement Deadline for Red Flags Rule Again
In what is becoming a long running saga in how to not implement a regulation, the US Federal Trade Commission announced on May 28, 2010, just days before the June 1 enforcement deadline, that the FTC, at congressional request, has delayed enforcement of the FTC Red Flags Rule a fifth time, now through December 31, 2010. The press release is at: http://www.ftc.gov/opa/2010/05/redflags.shtm
Furthermore, on June 25, 2010 the FTC said it would not enforce the rule against physician groups until at least 90 days after a lawsuit about the rule with the American Bar Association is ruled on in federal appeals court.
HHS OCR Issues Draft Guidance for HIPAA Risk Analysis
On May 7, 2010, the US Department of Health and Human Services Office for Civil Rights released draft guidance on performing Risk Analysis as called for in the HIPAA Security Rule. While leaving many specifics out, the guidance does provide enough information to inform HIPAA covered entities and business associates about the process and expected content of documentation. The guidance is available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidanceintro.html
Feedback on the guidance is requested, via a link on the page listed above.
HIPAA Jail Time for Hospital Employee Snooping in Records
On April 28, 2010 Healthcare Info Security and on April 30, 2010 Health Leaders Media reported that a former UCLA Healthcare System employee has been sentenced under HIPAA to four months in prison for reading the medical records of co-workers and celebrities. The violator accessed the records system for three weeks following his dismissal. Security Tip: Make sure system access is terminated immediately for employees who are terminated. Note that this conviction is for just snooping, with no improper use or sale of the PHI. See: http://www.healthcareinfosecurity.com/articles.php?art_id=2470&rf=042810eh and http://www.healthleadersmedia.com/content/TEC-250390/Jail-Time-For-HIPAA-Violator
NIST Releases Guide to Protecting Confidentiality of PII
On April 9, 2010 the National Institute of Standards and Technology (NIST) announced the release of Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), providing practical, context-based guidelines for identifying PII and appropriate levels of protection, including safeguards and incident response plans. The announcement is at: http://csrc.nist.gov/news_events/index.html#apr6 and the guide is available at: http://csrc.nist.gov/publications/PubsSPs.html#800-122
Virginia Enacts Health Information Breach Notice Law
On April 7, 2010, the Information Law Group posted a notice that the Commonwealth of Virginia has passed a breach notice law that requires notice of security breaches involving medical information in situations where the breach is not already reportable under the new HIPAA/HITECH Breach Notification Rule. Note that this law does require notice of breaches of encrypted data when the breach involves a person who has access to the encryption key. See: http://www.infolawgroup.com/2010/04/articles/breach-notice/virginia-adds-medical-information-breach-notice-law/
Verizon Business Releases Incident Sharing Framework
On March 9, 2010, Verizon Business released a beta version of the Verizon Incident Sharing Framework (VerIS), a version of the assessment document used by Verizon forensic investigators to systematically gather, categorize, and report on data breach incidents. A white paper on the framework is available at: http://www.verizonbusiness.com/resources/whitepapers/wp_verizon-incident-sharing-metrics-framework_en_xg.pdf and the framework itself is available at: http://securityblog.verizonbusiness.com/wp-content/uploads/2010/03/VerIS_Framework_Beta_1.pdf
HHS Posts List of Major PHI Breaches on its "Wall of Shame"
On February 22, 2010 the Office for Civil Rights (OCR) within the US Department of Health and Human Services (HHS) posted on its website a list of the covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals.
Section 164.408 of the breach notification interim final rule, which implements section 13402(e)(3) of the HITECH Act, requires covered entities to provide notification of breaches of unsecured protected health information directly to the Secretary of HHS, who is obligated to post on its website a list of breaches affecting more than 500 individuals. The list of covered entities and breaches is available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html or http://tinyurl.com/yczfmgy.
Enforcing of New HIPAA Business Associate Provisions Delayed
On February 19, 2010, Hunton & Williams LLP reported on the Privacy and Information Security Law Blog that HHS will not seek to enforce the business associate provisions of the HITECH Act, which became effective February 17, 2010, until the final rules are published. See: http://tinyurl.com/y8nbr3c or http://www.huntonprivacyblog.com/2010/02/articles/hipaa-1/hhs-delays-enforcement-of-hitech-act-business-associate-provisions/index.html
Data Breach Costs Top $200 Per Customer Record in 2009
On January 25, 2010 Network World magazine reported that the Ponemon Institute's annual study of the costs of data breaches shows that the average cost of a data breach rose to $204 per customer record in 2009. The three main causes for data breaches are negligence, system failures, and attacks. The article is at: http://www.networkworld.com/news/2010/012510-data-breach-costs.html
First Lawsuit Filed by a State Attorney General Under HIPAA
On January 13, 2010, the Connecticut Attorney General sued Health Net of Connecticut, Inc. for failing to properly secure the records of 446,000 enrollees, in the first such action authorized under changes contained in the ARRA/HITECH Act allowing state attorneys general to enforce HIPAA. The Connecticut Attorney General's Office press release is available at: http://www.ct.gov/ag/cwp/view.asp?A=2341&Q=453918
Verizon Business Releases Data Breach Investigations Reports
In December 2009, the Verizon Business Risk Team issued the 2009 Data Breach Investigations Supplemental Report, a companion to the 2009 Data Breach Investigations Report issued earlier this year. The supplemental report provides further insights into the data, and highlights the role of Malware (keyloggers, spyware, backdoor, or command/control) in the top-ranked threat action types. The reports are at: http://www.verizonbusiness.com/worldwide/products/security/risk/
FTC Red Flags Enforcement Delayed Again, until June 1, 2010
The US Federal Trade Commission announced on October 30, 2009 that the FTC, at congressional request, has delayed enforcement of the FTC Red Flags Rule a fourth time, now until June 1, 2010. In addition, on October 30, 2009, the U.S. District Court ruled that the FTC may not apply the Red Flags Rule to attorneys. The FTC Press Release is at: http://www.ftc.gov/opa/2009/10/redflags.shtm
New HIPAA Enforcement Interim Final Rule, in effect 11/30/09
On October 30, 2009, the US Department of Health and Human Services issued a new HIPAA Enforcement Interim Final Rule to meet requirements in the American Recovery and Reinvestment Act. The rule changes the penalty structure for violations and includes new, higher penalties. The rule goes into effect November 30, 2009, and public comment will be considered if received by HHS by December 29, 2009. The HIPAA enforcement interim final rule is available at: http://www.regulations.gov/search/Regs/home.html#documentDetail?R=0900006480a4e565
HHS Office of Inspector General Issues FY 2010 Work Plan
On October 1, 2009, the US Department of Health and Human Services Office of Inspector General issued its work plan for fiscal year 2010, detailing the areas that will be receiving attention for compliance and enforcement over the coming year. Not unexpectedly, there is new emphasis on HIPAA enforcement. The work plan is available at http://oig.hhs.gov/08/Work_Plan_FY_2010.pdf
HHS OCR and others Issue Regulations Under Genetic Law
On October 1, 2009, the US Department of Health and Human Services Office for Civil Rights issued a proposed rule under the Genetic Information Nondiscrimination Act (GINA) that requires changes to the HIPAA Privacy Rule pertaining to prohibition of the use of genetic information for insurance underwriting purposes. The HHS OCR proposed rule as well as companion rules from EEOC and DOL/CMS/Treasury and the source legislation are all available on the OCR site at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/genetic/index.html
The Department of Labor fact sheet, including a good overview, is available at: http://www.dol.gov/ebsa/newsroom/fsGINA.html
HHS Posts Instructions and Forms for Breach Notification
On October 1, 2009, the US Department of Health and Human Services made available on its Web site instructions and electronic forms for Breach Notification under the new rules in effect as of September 23, 2009, at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html or http://tinyurl.com/yemwev8
NIST Releases Video Guide to Information Security
On October 1, 2009, the National Institute of Standards and Technology (NIST) released a video for the small business community titled "Information Technology Security for Small Business. It's not just good business. It's essential business", giving small business owners a glimpse into the resources from NIST, SBA, and the FBI that will help protect them from cyber crime. The video describes computer hacking, denial-of-service, laptop theft, insider abuse, computer viruses, and computers made into bots, and encourages small business owners to define their security needs, establish security practices, and stay current. To see the video and other resources, go to: http://csrc.nist.gov/groups/SMA/sbc/library.html#04
NIST Releases Guide to Security Acronyms and Abbreviations
On October 1, 2009, the National Institute of Standards and Technology (NIST) released interagency report NISTIR 7581, System and Network Security Acronyms and Abbreviations, a guide to the alphabet soup that pervades information security, available at: http://csrc.nist.gov/publications/nistir/ir7581/nistir-7581.pdf
NIST Releases Draft Guide to Small Business Info Security
On August 26, 2009, the National Institute of Standards and Technology (NIST) released a draft of NISTIR 7621, Small Business Information Security: The Fundamentals, intended to help small businesses and organizations implement the fundamental concepts of an effective information security program. The draft is available at: http://csrc.nist.gov/publications/PubsDrafts.html#ir7621
IEEE Releases Information Security Standard for Printers
The Institute of Electrical and Electronics Engineers (IEEE) released on June 12, 2009 the first of a series of standards for securing networked printers, which are vulnerable to hacking and exposure of information printed on the devices. For an article on the standard from Dark Reading, please see http://www.darkreading.com/shared/printableArticle.jhtml?articleID=219500204 and for the IEEE background article and link to the standard, please see http://standards.ieee.org/announcements/bkgnd_ieee2600.html
HHS and FTC Issue Interim Rules on Breach Notification
The US Department of Health and Human Services and the Federal Trade Commission published on August 19 and 17, 2009 (respectively) their interim final rules on the notification to individuals of breaches of health information held by HIPAA Covered Entities and Business Associates (under HHS rules) and Personal Health Records (under FTC rules), pursuant to the requirements of the American Recovery and Reinvestment Act of 2009 (ARRA). The FTC announcement is available at http://www.ftc.gov/opa/2009/08/hbn.shtm and the interim rule and notification form are at http://www.ftc.gov/healthbreach/. The HHS site on the topic is at http://tinyurl.com/lmhono and the HHS interim rule is at: http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
HHS Yet Again Expanding HIPAA Privacy Enforcement Team
Now for the third time in two months, HHS has announced two more positions to be filled on their HIPAA enforcement team, this time, for "Privacy Outreach Specialists". For more information on these, go to http://www.usajobs.gov/ and enter the corresponding job announcement number: HHS-OS-14-2009-0003 (DE), or HHS-OS-14-2009-0004 (MP). The open period for these positions is Tuesday, August 11, 2009 to Monday, August 31, 2009.
HHS Again Expanding HIPAA Privacy Enforcement Team
For the second time in two months, the US Department of Health and Human Services (HHS) has announced on August 4, 2009, new positions for Health Information Specialists to join their health information privacy enforcement team. These expansions indicate that HHS is moving aggressively to prepare for the new enforcement activities mandated by the American Recovery and Reinvestment Act of 2009 (ARRA). For more information on these positions, go to http://www.usajobs.gov/ and enter the corresponding job announcement number: HHS-OS-14-2009-0012, or HHS-OS-14-2009-0013. The open period for these positions is Friday, July 31, 2009 to Thursday, August 13, 2009.
HHS Moves HIPAA Security Rule Enforcement to OCR
On August 3, 2009, the US Department of Health and Human Services (HHS) filed for publication in the Federal Register on August 4, 2009 the delegation of enforcement of the HIPAA Security Rule, formerly under the Center for Medicare and Medicaid Services (CMS), to the HHS Office for Civil Rights (OCR), which is already responsible for enforcing the HIPAA Privacy Rule. Now the HHS OCR will have authority for both Privacy and Security Rule enforcement, effective immediately, as well as that for new privacy and security-related regulations under the American Recovery and Reinvestment Act of 2009 (ARRA). Press release: http://www.hhs.gov/news/press/2009pres/08/20090803a.html
Notice: http://www.hhs.gov/ocr/privacy/srdelegationofauthority2009.pdf
NIST Releases New SP 800-53 Security Controls Guide
On July 31, 2009, the National Institute of Standards and Technology (NIST) released the final publication of Special Publication 800-53 Revision 3, Recommended Security Controls. In this historic revision, NIST has included controls for both National Security and non-National Security systems, based on input from a wide range of security experts and includes state-of-the-practice safeguards and countermeasures. SP 800-53 Revision 3 is available at: http://csrc.nist.gov/publications/PubsSPs.html#800-53_Rev3
FTC Delays Red Flags Rule Enforcement Again, to 11/1/2009
On July 29, 2009, just shy of the August 1, 2009 deadline, the Federal Trade Commission announced it has yet again delayed the enforcement deadline for the Red Flags Rule, now set for November 1, 2009. According to the press release, available at http://www.ftc.gov/opa/2009/07/redflag.shtm, the delay is being made to allow small business to become more familiar with the rule and implement the required programs and policies. Links to the FTC Red Flags Web site and frequently asked questions are contained in the press release.
HHS Expanding HIPAA Privacy Enforcement Team
On July 16, 2009, the Department of Health and Human Services announced the posting of new positions to be filled for Health Information Privacy Specialists, to expand the HHS HIPAA Privacy enforcement team. This can be expected to become a growing area of effort for HHS, as the HIPAA-related provisions in the stimulus bill (ARRA-HITECH) require increased, and growing, enforcement activity. For more information on these positions, go to http://www.usajobs.gov/ and enter the corresponding job announcement number: HHS-OS-2009-0501 (DE), or HHS-OS-2009-0502 (MP). The open period for these positions is Monday, July 13, 2009 to Friday, July 24, 2009.
Version 2.0 of Consensus Audit Guidelines Released
On May 9, 2009, version 2.0 of the Consensus Audit Guidelines was released, identifying the top 20 information security controls to implement in order to prevent the vast majority of information security issues that can arise. The CAG is developed with input from a number of information security experts in the government and private sectors and is regarded as a critical tool in ensuring good information security practices. For the CAG, see http://www.sans.org/cag/
New Nevada Data Encryption Law Goes Into Effect 1/1/2010
On May 29, 2009, Nevada's governor signed Senate Bill 227, requiring all businesses doing business with Nevada residents to encrypt all personal information in transit, such as credit card information, effective January 1, 2010. Encryption must meet Federal standards (such as FIPS 140-2). Nevada SB 227 is available at: https://www.leg.state.nv.us/75th2009/Bills/SB/SB227_EN.pdf
NIST Issues Revision to Telework and Remote Access Guide
On June 16, 2009, the National Institute of Standards and Technology published the finalized new version of SP 800-46 Revision 1, Guide to Enterprise Telework and Remote Access Security, a comprehensive update to the original SP 800-46, which was published in 2002.
The guide emphasizes the importance of securing sensitive information stored on telework devices and transmitted across external networks, and it also provides recommendations for selecting, implementing, and maintaining the necessary security controls. The final SP 800-46 Revision 1 is available at: http://csrc.nist.gov/publications/PubsSPs.html#800-46-rev1
FTC Issues New FAQs on Identity Theft Red Flags
On June 11, 2009, the U.S. Federal Trade Commission released a new set of Frequently Asked Questions about Red Flags Rules and Address Discrepancy Rules, how they apply, and how organizations can comply with them. The FAQs are available at: http://ftc.gov/os/2009/06/090611redflagsfaq.pdf
NIST Issues Final Draft of SP 800-53 Revision 3 Security Guide
On June 3, 2009, the National Institute of Standards and Technology released the final public draft of Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations. The updated security control catalog incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and Civil agencies, to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.
Revision 3 includes state-of-the-practice safeguards and countermeasures to address advanced cyber threats capable of exploiting vulnerabilities in information systems. The final publication of SP 800-53, Revision 3 is targeted for July 31, 2009. Comments will be accepted until June 30, 2009. SP 800-53 Rev. 3 is available at: http://csrc.nist.gov/publications/PubsDrafts.html#800-53_Rev3
ONCHIT Issues Plan for HITECH Privacy and Security
On May 18, 2009, the Office of the National Coordinator for Health Information Technology (ONCHIT) issued an implementation plan for the privacy and security provisions (sub-title D) of the HITECH act (title XIII) contained within the stimulus bill (ARRA). While the plan does not contain much more hard information than in the act itself, it does lay out an operating plan and defines the amount of ARRA funds to go to enforcement of HIPAA, $10 million. To see the plan, go to: http://www.hhs.gov/recovery/reports/plans/onc_hit.pdf
FTC Delays Red Flags Rule Again, to August 1, 2009
On April 30, 2009, just one day before the last deadline set by the Federal Trade Commission, the FTC postponed the compliance deadline to August 1, 2009. In addition, the FTC will soon release a compliance template for businesses that personally know their customers.
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies, including the FTC, to promulgate rules requiring creditors to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services, such as most health care providers.
Go to http://www.ftc.gov/opa/2009/04/redflagsrule.shtm for the FTC press release, and http://www.ftc.gov/redflagsrule for the FTC's "How-To Guide" Web site.
HHS Issues Guidance on HITECH Act Breach Notification
On April 17, 2009, pursuant to the HITECH act portion (Title XIII) of ARRA, HHS issued guidance on the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, so that it will not be subject to the breach notification provisions in sections 13402 and 13407. The HHS press release is available at http://www.hhs.gov/news/press/2009pres/04/20090417a.html and the guidance language (to be available also in the Federal Register) is available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechrfi.pdf
An informative article from Health Leaders Media is at: http://tinyurl.com/djozk5
HHS is also requesting public comment on breach notification and the guidance, to inform rule-making for the forthcoming interim final regulations on breach notification, due before August 17, 2009. Comments must be submitted by May 21, 2009, preferably at http://www.regulations.gov.
FTC Proposes Breach Notification Rules for PHRs
On April 16, 2009, pursuant to the American Recovery and Reinvestment Act of 2009, the FTC proposed rules for notifying consumers when the security of their electronic health information held in a Personal Health Record has been breached. Many questions remain as to how to implement this requirement, and the proposed rule is open for comment through June 1, 2009.
The FTC press release is at http://www.ftc.gov/opa/2009/04/healthbreach.shtm; the proposed rule is at http://www.ftc.gov/os/2009/04/R911002healthbreach.pdf. Go to https://secure.commentworks.com/ftc-healthbreachnotification if you wish to file a public comment on the proposed rule.
PCI Council Releases Prioritized Approach for DSS Compliance
On March 31, 2009 The Payment Card Industry Security Standards Council released an updated guide to becoming compliant with the PCI Data Security Standard that will "help merchants identify how to reduce risk to card holder data as early on as possible in their compliance journey." The tool groups together the requirements of PCI DSS 1.2 into six key milestones, helps businesses identify highest risk targets, creates a common language around PCI DSS implementation efforts, and enables merchants to demonstrate compliance progress. The Prioritized Approach guide and tool were first released on March 3, 2009.
The Prioritized Approach guide (.pdf) and tool (an Excel worksheet) are available at: https://www.pcisecuritystandards.org/education/prioritized.shtml and a related Computerworld article is at: http://tinyurl.com/dk44v2
The PCI Quick Reference Guide is at: https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
NIST Releases Draft Telework & Remote Access Security Guide
On February 24, 2009, The National Institute of Standards and Technology released a draft of Special Publication 800-46 Revision 1, Guide to Enterprise Telework and Remote Access Security. SP 800-46 Revision 1 is intended to help organizations understand and mitigate the risks associated with the technologies they use for telework.
The guide emphasizes the importance of securing sensitive information stored on telework devices and transmitted across external networks, and it provides recommendations for selecting, implementing, and maintaining the necessary security controls. Draft SP 800-46 Revision 1 is a comprehensive update to the original SP 800-46, which was published in 2002. Draft SP 800-46 Revision 1 is available at: http://csrc.nist.gov/publications/PubsDrafts.html#800-46-rev1
CVS Gets $2.25 Million Fine for Improper Disposal of PHI
On February 18, 2009, the Department of Health and Human Services and the Federal Trade Commission announced that CVS, the nation’s largest retail pharmacy chain, will pay the U.S. government a $2.25 million settlement and take corrective action to ensure it does not violate the privacy of its millions of patients when disposing of patient information such as identifying information on pill bottle labels. Among other issues, the reviews by HHS Office of Civil Rights and the FTC indicated that CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process, and failed to adequately train employees on how to dispose of such information properly.
HHS and FTC will require CVS to conduct third-party assessments of compliance and report to HHS for three years and to the FTC for 20 years. The HHS Resolution Agreement and Corrective Action Plan are on the OCR Web site at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresagrcap.pdf. Information about the FTC Consent Order agreement is available at www.ftc.gov, the FTC press release is at http://www.ftc.gov/opa/2009/02/cvs.shtm and the final order from FTC is at http://www.ftc.gov/os/caselist/0723119/090623cvsdo.pdf
HHS OCR has posted new FAQs that address the HIPAA Privacy Rule requirements for disposal of protected health information, available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf.
Stimulus Bill Includes Major Changes for Privacy and Security
On February 17, 2009, President Obama signed the economic stimulus package, including Title XIII–Health Information Technology, also known as the HITECH Act. Subtitle D–Privacy calls for improved privacy and security for health information, including treating business associates as though they are covered entities, breach notification, accounting of all EHR disclosures, increased penalties, audit requirements, and more. The final text is at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h1enr.pdf or http://www.opencongress.org/bill/111-h1/text . See sections in the 13400s, beginning on the bill's page 144, about 1/3 of the way in, for the relevant privacy and security requirements, some effective immediately. There are good summaries at: http://wistechnology.com/articles/5513/ and http://tinyurl.com/c979tx or http://computersecuritylaw.us/2009/02/17/american-recovery-and-reinvestment-act-overview-of-modifications-to-the-hipaa-privacy-and-security-regulations.aspx
An excellent analysis of the HIPAA impacts is provided by AHIMA at http://www.ahima.org/dc/documents/AHIMAAnalysisofARRAPrivacy-3-2009.pdf
Massachusetts Delays Security Compliance Deadline to 1/1/10
On February 12, 2009 the Massachusetts Office of Consumer Affairs and Business Regulation announced that the new information security requirements for businesses holding consumer information would take effect on January 1, 2010, delayed for a second time from the original January 1, 2009 date. In addition, the rule was softened to make it easier for third party providers to work with a business's personal data. The press release for the announcement is available at: http://tinyurl.com/dhhdrl and the revised regulation is available at: http://www.mass.gov/Eoca/docs/idtheft/201CMR17amended.pdf
A related article in Computerworld magazine is available at: http://tinyurl.com/bhqaln
HHS OCR Posts New Health Information Privacy Web Site
On February 10, 2009, the Department of Health and Human Services, Office for Civil Rights posted its new Web site, including health information privacy (HIP) pages that have been extensively revised to improve organization and ease of use for consumers, covered entities and others seeking reliable advice on the HIPAA Privacy Rule and the Patient Safety Rule. The new health information privacy web pages are available at: http://www.hhs.gov/ocr/privacy/index.html
Economic Stimulus Package Includes Health Information Security Breach Notification (and other requirements)
The January 16, 2009 committee draft of the economic stimulus package contains significant provisions related to healthcare information privacy and security, including requirements to notify healthcare consumers when the security of their health information has been breached. The committee text is available at: http://energycommerce.house.gov/images/stories/Documents/Markups/PDF/ec-health-001-xml.pdf, or http://tinyurl.com/7ldy5p. The privacy and security language begins on page 164. Also included is language making healthcare business associates subject to HIPAA Security Rule safeguard provisions.
NIST Releases Draft Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
On January 13, 2009, the National Institute of Standards and Technology (NIST) Computer Security Division released a public draft of Special Publication (SP) 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). SP 800-122 is intended to assist Federal organizations in identifying PII and determining what level of protection each instance of PII requires, based on the potential impact of a breach of the PII's confidentiality. The publication also suggests safeguards that may offer appropriate protection for PII and makes recommendations regarding PII data breach handling. NIST requests comments on draft SP 800-122 by March 13, 2009. The draft is available at: http://csrc.nist.gov/publications/PubsDrafts.html#800-122