Monday, July 2, 2012

Moving to www.SecurityBlawg.com

Greetings,

We have decided to start blogging on law firm security-related matters exclusively.  As a result, we will be ending this blog and migrating to our new blog at www.securityblawg.com.  If you are interested in law firm security, please come join us there!

-Adam

Monday, April 30, 2012

HIPAA, Text Messaging & OCR

There have been a few blog posts recently about the implications of text messaging (SMS) ePHI under the HIPAA Privacy and Security rules. Adam Greene (DWT) works through the HIPAA analysis under both rules in an excellent article published earlier this month.

The recent focus on text messages makes sense as the technology continues to grow in popularity. One recent study found that 73% of physicians use text messaging for work purposes. This trend seems to have attracted OCR’s attention. We recently blogged about the HIPAA/HITECH resolution agreement that OCR reached with Phoenix Cardiac Surgery Center. Although the agreement does not describe any conduct involving text messaging, the corrective action plan nonetheless singles out text messaging in three separate sections:

[Risk Management]
Covered Entity’s risk management plan must implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level for ePHI in text messages that are transmitted to or from or stored on a portable device.

[Technical Safeguards]
Technical security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network, including a measure to encrypt or otherwise adequately safeguard ePHI transmitted to or from or stored on a portable device, regardless of whether the portable device is owned by the Covered Entity or a workforce member. Covered Entity must submit evidence to satisfy this obligation that includes text messaging of ePHI.

[Training]
Covered Entity must provide documentation that it has completed a Privacy and Security Rule training since 2009 that includes additional training addressing its revised policies and procedures on the use and transmission of ePHI by text messaging.

What is especially interesting here is not just that OCR expresses concern over text messaging but that OCR has called out the technology so many times in such a short document.  We’re forced to wonder whether the covered entity was really pushing the envelope with its texting practices (but why no mention of that conduct?) or whether OCR might be using this as an occasion to voice a broader concern.  Whatever motivation OCR may have had for focusing on text messaging, the takeaway is clear: implement policies around the use of text messaging for ePHI and ensure risk analysis/risk assessment extends to this form of communication if you allow it within your environment.  In a future blog post, we’ll take a closer look at SMS and its potential shortcomings for communicating ePHI.

Wednesday, April 25, 2012

Wacky Wednesday Roundup 2012-04-25

It has been a busy week so we have had difficulty getting a blog post up, but fear not, Wacky Wednesday must go on!

Careful What You Say Online:  Part Deux

Wasn’t it just last week that we commented on how crazy it would be for people to get in legal trouble over annoying people online?  Well apparently you don’t need that Arizona law after all as a Texas couple just won a $13.8 million judgment from a jury over anonymous comments made on an Internet forum.  A similar case is currently pending in Las Vegas with a couple suing an anonymous commenter over controversial comments on a local web site.  Is this the end of annoying online comments?  I doubt it but posters should think twice before assuming “anonymous” comments will stay (or ever were) anonymous.

Interpretive Dance As A Form of Authentication

Don’t like carrying your two-factor tokens? Would you prefer to show off your tango skills instead? Apparently dance moves are enough to identify an individual, or so some would have you believe. Authorities claim they were able to identify their suspect based on his “swag” dance moves.

And You Thought Your Employees Needed Social Media Training

And from the “Really.....wait, really?” book comes the story of two young kids in love who decided to share some excitement by pretending to steal gas from a police car and then post it on Facebook.  Oh wait, they actually stole gas and then posted on Facebook and then admitted it.  Welcome to the “World’s Dumbest Digital Criminals” hall of fame.

Friday, April 20, 2012

More Healthcare Breaches

South Carolina State Medicaid Agency Data Loss

The first comes from South Carolina where an employee of the S.C. Department of Health and Human Services inappropriately transferred just over 228,000 medical records to a personal email account.  There are a few interesting points here:

1)  The organization discovered the breach internally during an “agency performance review” spurred by a complaint about the employee’s slow turnaround time on claims processing.  As a result, it sounds like this breach was discovered by dumb luck rather than as a part of their HIPAA compliance program (as with the recent Utah breach, it is unclear whether HHS-OCR would seek civil monetary penalties against a state program operating with federal funding).

2)  The organization acted swiftly to fire the individual and immediately offer credit monitoring to all involved, clearly having learned how to handle this type of event from their reported previous incident in 2006.

3)  The former employee was arrested yesterday afternoon on 5 counts of violating South Carolina’s “Medically Indigent Act” which states in relevant part, “Patient records received by counties, the department, or other entities involved in the administration of the program created pursuant to Section 44-6-150 are confidential. Patient records gathered pursuant to Section 44-6-170 are also confidential.”  The penalties are enumerated as well:  “A person violating this section is guilty of a misdemeanor and, upon conviction, must be fined not more than five thousand dollars or imprisoned not more than one year, or both.”  The suspect was also reportedly charged with one count of “disclosure of confidential information.”

Insider threats like these are a real problem for the health care industry and unfortunately the South Carolina incident is hardly an anomaly. Earlier this week, news broke that a manager working at a nonprofit brain injury center had been stealing patient information since 2006 to perpetrate tax fraud.  Last week there was news of a similar occurrence at Memorial Health Center in Florida.  And there was yet another case in Long Island where the source of the breach may be an insider.

While it may be difficult to prevent employees from going rogue and performing this type of misconduct, the number of patients impacted and the severity of the impact can be reduced by minimizing employee access to what’s required, something the HIPAA Privacy Rule conveniently does through the “minimum necessary” principle.

Emory University Hospital System Loses 315,000 Patient Records

The second noteworthy incident comes from Emory University Hospital system where 10 disks containing 315,000 patient records disappeared. A hospital employee had placed the disks in an unlocked filing cabinet and first noticed they were missing in mid-February of this year. The disks held unencrypted medical records for surgical patients treated between 1990 and 2007. These records were from an older system that Emory no longer uses. Hospital officials maintain that encryption was not available with the outdated system. They believe the employee who stored the disks made an honest mistake in selecting a storage location against policy.

This incident reinforces the importance of maintaining an up-to-date inventory of all PHI within the environment. Had the hospital tracked the flow of data better, basic risk management principles would have dictated a more secure storage location. And, where one control (here encryption) isn’t available, having compensating controls is essential. In this case, better physical security likely would have prevented the loss.

Thursday, April 19, 2012

Wacky Wednesday Roundup 2012-04-18

Some weeks truth really does sound stranger than fiction and this may be one of them. Wacky Wednesday articles are the result of our searching for important news and instead finding......well, what you see below.  Enjoy!

Careful What You Say Online

It is quite amusing to think what might happen if the Arizona bill criminalizing annoying people online actually becomes law.  It may be the perfect solution for those recent law grads who are having difficulty finding employment.

Video games are the leading source of privacy violations?  Really?  Nurses are posting sexual health concerns on Facebook because it’s “funny” and Facebook “isn’t real.” But, somehow we're supposed to be worried about video games?

Hackers’ Corner

With patient portals a key requirement of Meaningful Use Stage 2, we can expect more web-based access to our own health records in the near future.  I for one hope they do a better job of securing patient portals than the 260 companies whose websites were hacked in a 3 month period by a 15-year-old boy who was “bored”.

If you are a hacker, you probably shouldn’t brag about it by posting a photo which contains the GPS coordinates of your house.  One member of the Anonymous group found this out the hard way recently when police used the GPS information to monitor and then arrest him on numerous criminal charges.  Many modern phones and cameras embed location information into their pictures, something I would have expected an expert “hacker” to know.

For a more personal look into the motivations of hackers, th3j35t3r, a self-proclaimed American “Hacktivist for good,” recently did a Q&A session with a class at the University of Southern Maine.  th3j35t3r has made news for a few reasons including his attack on Wikileaks and his alleged hacking of a Rhode Island Congressman’s cell-phone via Twitter.  It is clear that he or she believes the future belongs to the geek as much as the meek.

Bad Times For Traders

In recent years American prosecutors have sought stiffer sentences against white collar criminals but they still have a ways to go before they catch up to China’s imposition of the death penalty for financial fraud.  Talk about high stakes trading.

Someone who may not be doing much high stakes trading soon is Alex Hope, best known for spending £125,000 (about $200,000) on a single bottle of champagne during a night on the town.  He was arrested by the British Financial Services Authority (FSA) on suspicion of committing offences under the FSA Markets Act 2000 and the Fraud Act 2006.  Luckily for him, England does not impose the death penalty for such crimes.

School Is Hard

Some idealistic law students at NYU recently tried to clean up the language of their class mailing list by offering alternatives to the all-too-common Internet exclamation “WTF.”  However, their good intentions were frustrated by apparent confusion on WTF “WTF” actually means.  Multiple layers of hilarity ensued.

Whether you are embarrassed or just unprepared for your test, someone has proven that bomb threats make an effective form of denial-of-service attack on universities.  There have been over 50 threats against the University of Pittsburgh in the past few months, each one causing building evacuations and class cancellations.  With ever-rising tuition costs, it is no surprise some students are annoyed.

Wednesday, April 18, 2012

HIPAA Enforcement 2.0

There Is A New Sheriff In Town

That is the message OCR Director Leon Rodriguez wants the industry to hear loud and clear.  Yesterday’s announcement of a $100,000 HIPAA settlement with Phoenix Cardiac Surgery, P.C. is the most recent evidence that the Office for Civil Rights means business with respect to HIPAA enforcement.  Phoenix Cardiac Surgery represents the first smaller health care provider to face serious penalties for failure to comply with the HIPAA Security Rule, but we have every reason to think it won’t be the last.

“We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity”  says Director Rodriguez about today’s settlement.

Just last month Blue Cross Blue Shield of Tennessee was forced to pay a whopping $1.5 million in a settlement with HHS after 57 hard drives containing PHI were stolen from a storage facility.  OCR held firm on the amount of the settlement despite plausible claims that extracting PHI from the drives would be difficult and time consuming.

Can’t Say He Didn’t Warn You

Those who have followed Director Rodriguez since he took office will not be surprised by OCR’s readiness to penalize noncompliant entities.  He has spoken candidly about his willingness to employ civil monetary penalties as a tool to drive compliance. As he explained in a recent interview, "I've learned as a prosecutor and then as a defense lawyer, enforcement promotes compliance."  And promoting compliance is something he is determined to do, “[t]he message that I would put out there is this really matters to me personally and really matters to the secretary [of HHS]. So we're going to be serious both about our enforcement work and no less serious about making sure that we educate everybody out there, both covered entities and patients, about what the requirements are for health information privacy.”

Just The Beginning

Increased enforcement actually predates the appointment of Leon Rodriguez and has been on the rise since the Office for Civil Rights took over enforcement of the Security Rule in 2009.  Prior to this change, HHS had delegated enforcement responsibility for the Security Rule to the Centers for Medicare & Medicaid Services (CMS). The Office of the Inspector General (OIG) audited the effectiveness of CMS programs and issued multiple reports criticizing the department for lax enforcement of the HIPAA Security Rule.  In addition to OIG’s recommendation that OCR bolster enforcement activities, the HITECH Act affords wide latitude in the use of civil monetary penalties to deter noncompliance.

OCR first used these enhanced HITECH penalties in February 2011 to levy an astonishing $4.3 million penalty against Cignet Health of Prince George’s County, MD, for Privacy Rule violations.  Just two days later, OCR announced a $1 million HIPAA settlement with Mass General, and later that year UCLA accepted an $865,000 HIPAA settlement for alleged Privacy and Security Rule violations.  This series of settlements seems to reflect a major shift towards increased penalty-based enforcement. Director Rodriguez validated that trend by explaining, “a portion of those that might have been corrective action-only cases five years ago are now going to be monetary enforcement cases.”

The likelihood of seeing more large monetary penalties in the near future has also greatly increased since the Office for Civil Rights within Health and Human Services launched the Department’s first proactive, comprehensive HIPAA/HITECH audit program. Historically, HHS compliance review efforts have been driven by reported complaints and have evaluated only some aspects of the HIPAA rules. However, this new program calls for stratified random selection of 120 covered entities for comprehensive audits in 2012 with more audits likely to follow in 2013.  Under this program covered entities that have never been evaluated for compliance before may find themselves under careful scrutiny by a large team of auditors ready to refer findings to OCR for possible civil monetary penalties.

OCR actually has a particularly strong incentive to impose more monetary penalties. The Department absorbs a portion of each fine directly into its own operating budget. Faced with a 5% cut this coming year, OCR may well look to monetary enforcement activities to make up for the shortfall. In fact, Director Rodriguez has apparently hinted that he intends to do just that.


The increased enforcement and oversight means covered entities not currently compliant have reason for concern.  When asked about the trend of increased enforcement and whether or not to expect more enforcement resolutions in the near future, Director Rodriguez replied, “I think you can expect that; absolutely you can expect that.”

Friday, April 13, 2012

Health Care Friday 2012-04-13

Utah Breach

The Utah Medicaid data breach has been making a lot of headlines this week, in part due to the huge discrepancy between the initial estimate on the size of the breach and the revised estimate released just days later. When you announce a breach of 24,000 records and that number suddenly balloons into 900,000 (37.5X larger than initially reported), you definitely attract attention.

Commentators have questioned whether the Utah servers that were breached met HIPAA security requirements. Their analyses seem to focus exclusively on HIPAA's encryption requirement. However, based on the information currently available, other controls mandated by HIPAA would have been more effective at preventing this sort of password-guessing attack. There is clearly widespread misunderstanding about how and when encryption is best used. In this case, I would argue that Utah’s IT staff should have done more to prevent the attacker from gaining control of the server. Using encryption as an additional layer of security would have been fine, but that would not be the most effective first line of defense. Once more details about the actual attack become available, we will do a more detailed write-up of how a correctly designed HIPAA compliance program could have prevented this sort of attack (if anyone has more detailed information, please email us at blog@carlsonwolf.com).

Other Breach News

In other breach news, most people have now had the chance to review the 2012 version of Ponemon’s annual Cost of Data Breach Study. Here is a pretty good follow-up over at infosecisland.

The American Medical Association also performed some follow-up reporting on the 2012 version of the Verizon Data Breach investigations report. They wanted to highlight the growing problem of small practices experiencing breaches and being targeted by hackers due to their weaker security controls.

ACA Perspective from HIMSS

For those still wondering about the potential impacts of the Supreme Court’s ruling on the Affordable Care Act, here is an article discussing a recent HIMSS presentation. This article is a little more optimistic than some other recent articles in concluding that Health IT would only be slowed rather than stopped if ACA was struck down. It also discusses some of the specifics about what might be impacted and links to more detailed info. Worth reading if you’re wondering how this might all shake out when the final ruling does come down.

Now that's a penalty...

While not HIPAA-related, a 1.1 billion dollar judgment in the healthcare industry is worth calling out. I thought HHS-OCR was seriously stepping up its enforcement penalties, but OCR’s penalties pale in comparison to the Arkansas court’s massive judgment against Johnson & Johnson.

IT Salary Survey

On an even more tangential topic, Network Computing has released its 2012 IT Salary survey (registration required). “Staffers report a median raise in total compensation of 1%, while managers report a 1.8% raise, according to our InformationWeek 2012 U.S. IT Salary Survey of 13,880 IT professionals. As recently as 2010, the median raise was 0%.” Notice that this is a survey of generic IT staff and may not represent the impact of rapidly growing demand for and projected shortage of Health IT professionals in particular.