Legal Disclaimer Your use of this Blog does not create an attorney-client relationship. Your e-mail or comments do not create an attorney-client relationship. We have no duty to keep confidential the information that is submitted to this blog. This blog is not a substitute for, nor does it constitute legal advice. Only an attorney who knows the details of your particular situation and is properly licensed in the applicable state (or states) is able to appropriately and properly address any legal issues you may have.
|
By Robert Hudock, on June 12th, 2010  Print This PostIt is important to be aware of whether your insurance policy covers security incidents, especially, where insurance is a component of your risk management controls. A recent example illustrates this potential issue.
* Perpetual Storage (http://www.perpetualstorage.com/index_home.htm) an off-site storage facility, allegedly lost, by the action or inaction of one of its’ drivers, backup tapes belonging to the University of Utah, when the tapes were stolen from an employee’s car.
* Colorado Casualty is seeking a declaration that it is not responsible for covering the loss of $3.3 million associated with notifying 1.7 million people whose individually identifiable information was lost. (http://www.sltrib.com/education/ci_14978059).
* On June 1, 2008, an employee of Perpetual Storage picked up backup tapes containing information about 1.7 million people, 1.1 million of which contained social security numbers, in a secure vehicle to transport the backup tapes directly and immediately to the granite vault facility.
* Early on the morning of June 2nd the tapes were stolen from the vehicle of the Perpetual Storage employee. This year Colorado Casualty filed a declaratory judgment against Perpetual Storage, Inc. (“Perpetual Storage”) and the University of Utah (which operates a hospital). [...]
By Robert Hudock, on March 25th, 2010 Print This PostOn March 19th, HHS published a notice in the Federal Register that HHS intends to complete approximately 2500 surveys to assess public perception of Health Information Exchanges.[i] Public perception of the security of HIE’s is key to understanding how ONC will eventually regulate HIEs. On a macro level the National Health Information Network (NHIN) is a network of HIEs. At this time most states have received grants to implement an HIE. Recently, however, HHS has also announced a scaled down version of the Connect software to be used for limited transaction between providers. Generally, NHIN Connect software framework is designed to enable secure and interoperable electronic health information exchanges (HIE) with NHIN compliant organizations, including federal agencies, local-level health organizations, and healthcare participants in the private sector. However, the NHIN Direct initiative announced in January, 2010 may replace some HIEs that do not bring value added services to the market [...]
By Robert Hudock, on March 19th, 2010 Print This PostConfiguration management remains a challenging issue especially for small and mid-size organizations. With the complex dependencies of modern applications a modification to an organization browser, a security patch of the operating system, and even hard-ware upgrades can introduce incompatibilities or security vulnerabilities into your organization’s information system. Today NIST announced the publication of Initial Public Draft Special Publication 800-128, Guide for Security Configuration Management of Information Systems. This publication provides guidelines for managing the configuration of information system architectures and associated components for secure processing, storing, and transmitting of information. Security configuration management is an important function for establishing and maintaining secure information system configurations, and provides important support for managing organizational risks in information systems. This publication beyond providing an excellent resource includes two invaluable [...]
By Robert Hudock, on March 16th, 2010 Print This PostOne of the most common (and high risk) user installed software found on the enterprise desktop computer is P2P[i] file-sharing software. This software can be detected with networking scanning software like Nessus.[ii]
Unlike, other software, P2P file-sharing software is very effective at circumventing an organization’s security perimeter. In most organizations measures in-place to prevent users from installing software are easily circumvented: (1) by installing and running the device from a USB key, (2) using the local Administrator account to install the software because the local Administrator account has not been set after the last re-image or the local administrator account password is known to users, or (3) IT installs the software at the request of a user. Recently, the Department of Health and Human Services (“HHS “)has been very proactive in getting the message out that portable media, laptops, and other similar devices that contain electronic protected health information (e-PHI) must be encrypted. However, despite numerous alleged disclosures of e-PHI on P2P networks, HHS is failing to inform patients, covered entities, and business associates of covered entities about the risks of peer-to-peer (P2P) file sharing and the inadvertent sharing of documents containing [...]
By Robert Hudock, on March 12th, 2010 Print This PostHIMSS is the largest health care technology conference in the United States. This year the conference was held in Atlanta, the conference brought $25 million to Atlanta. The tone of HIMSS 2010 was cautiously optimistic in light of the uncertainty surrounding threatened Governments legislative actions. Vendors are working hard to meet recently promulgated regulatory requirements for EHR systems; some of legislated requirements for EHRs are not essential or likely to be used by most physicians. The government is positioned as the primary funding source for EHR and HIE technology. Grants for HIE implementation total almost 400 million dollars, with a promise of more grants to come. Implementation models for state HIE’s vary from a federated model to states with loosely associated local HIE’s. Thus far a strong centralized structure seems to be the most effective implementation [...]
By Robert Hudock, on December 10th, 2009 Print This PostOn December 1st, 2009 the Office of the Secretary of the Office of the National Coordinator (ONC) for Health Information Technology announced the creation of a new Chief Privacy Office and the Office of Economic Modeling and Analysis (among three others including the Office of Chief Scientist, Deputy National Coordinator for Programs & Policy, and Deputy National Coordinator for Operations). The New Chief Privacy Officer is a necessary creation under the ARRA (and the HITECH Act). This role is different from the other positions that seem to be a re-organization of roles and responsibilities that already existed to some extent just with more specificity around functions and duties. Aside from the Chief Privacy Officer the New Economic Modeling and Analysis Position seems like a timely creation given recent articles discussing whether Health Information Technology and more specifically Electronic Health Record Systems (EHRs) actually reduce the cost of care and/or increase the quality of care. Also of note, the new Office of the Deputy National Coordinator for Programs and Policy will be responsible for the open source Connect initiative and the National Health Information [...]
By Robert Hudock, on November 29th, 2009 Print This PostThis article discusses techniques for implementing the updated requirements of the HIPAA Security Rule, with particular focus on strategies for assessing the effectiveness of implemented security controls to support compliance and audit, as well as a covered entity’s (or business associate) overarching risk management program in the context of HIPAA Compliance. Covered entities are becoming more pro-active in monitoring their business associate compliance with HIPAA privacy and security regulations and the recent changes largely the product of the HITECH Act. In the past I have used a series of questions to ascertain the compliance status of business associates to comply with HIPAA privacy and security rules. I find it useful to map security controls to NIST Special Publication 800-53. The National Institute of Standards and Technology has collaborated with the military and intelligence communities to produce the first set of security controls for all government information systems, including national security systems. The controls are included in the final version of Special Publication 800-53, Revision 3 “Recommended Security Controls for Federal Information Systems and Organizations,” released in August of 2009. (Available at http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf). [...]
By Robert Hudock, on November 17th, 2009 Print This PostNext year should be interesting. From Red Flag compliance, federal breach reporting requirements, significantly augmented HIPAA penalties, and HIPAA security standards that are based on NIST guidelines will change the traditional compliance model for Covered Entities and Business Associates. Hot topics for enforcement next year (based on recent CMS audits of their business partners) will likely be in the areas encryption of portable media devices, remote access by employees to protected health information, and failure to document a rational risk management [...]
By Robert Hudock, on October 12th, 2009 Print This PostGenerally in the event of a “breach” of “unsecured” PHI, a covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, breached. (45 C.F.R. § 164.404(a)(1).) Despite the obvious utility of the new harm standard, a few privacy advocates (and four United States congressmen) have expressed displeasure with the new HHS harm standard. An October 1st letter from congressional leaders sent to HHS Secretary Sebelius argues that the ARRA did not imply a harm standard in the breach notification requirements, and requests that HHS repeal the harm standard that was included in the interim final regulations on Breach Notification for Unsecured Protected Health Information. [...]
By Robert Hudock, on September 22nd, 2009 Print This PostI am a little unclear as to why privacy advocates and security vendors believe that the harm standard, found within the new HHS regulations for security breaches, in any way hampers the HITECH Act’s security breach notice rule for covered entities and business associates. Many states use a similar risk based type analysis, in fact only seven states have a strict acquisition based standard, of those only a couple of these states link their definition of encryption to FIPS 140-2. In comparison to risk based states where one assesses the potential risk to a consumer resulting from theft of sensitive informatioin, the federal standard is more helpful in the sense that it highlights key criteria to be evaluated in assessing risk to consumers. [...]
Improve the web with Nofollow Reciprocity. |
Computer Security Law and Guidance
|
Office of the National Coordinator — Time to Reorganize.
On December 1st, 2009 the Office of the Secretary of the Office of the National Coordinator (ONC) for Health Information Technology announced the creation of a new Chief Privacy Office and the Office of Economic Modeling and Analysis (among three others including the Office of Chief Scientist, Deputy National Coordinator for Programs & Policy, and Deputy National Coordinator for Operations). The New Chief Privacy Officer is a necessary creation under the ARRA (and the HITECH Act). This role is different from the other positions that seem to be a re-organization of roles and responsibilities that already existed to some extent just with more specificity around functions and duties. Aside from the Chief Privacy Officer the New Economic Modeling and Analysis Position seems like a timely creation given recent articles discussing whether Health Information Technology and more specifically Electronic Health Record Systems (EHRs) actually reduce the cost of care and/or increase the quality of care. Also of note, the new Office of the Deputy National Coordinator for Programs and Policy will be responsible for the open source Connect initiative and the National Health Information [...]