The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) plans to issue an advance notice of proposed rulemaking this November on potentially sharing HIPAA breach settlements with victims. The notice would solicit public opinion on
South Dakota and Colorado strengthen data breach protections
Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a…
Your money or your PHI: New guidance on ransomware
On June 12, 2016, the HHS Office for Civil Rights (OCR) released guidance entitled “FACT SHEET: Ransomware and HIPAA” in response to the rising number of ransomware attacks perpetrated against healthcare entities. The guidance addresses Health Insurance Portability and Accountability Act (HIPAA) issues that may arise when medical records containing Protected Health Information (PHI) are encrypted, compromised or stolen during a ransomware attack. OCR’s view is that compliance with HIPAA’s information security requirements helps healthcare entities both prevent ransomware attacks and recover from them.
Medical technology initiatives announced in Health Minister’s budget speech
The use of technology in the health sector is on the rise. The intersection of these two industries leads to interesting legal questions relating to digital risk, including big data analytics, data security and privacy.
In his budget speech on…
FDA warns of potential link between antimalware and medical device failure
On February 8, 2016, the U.S. Food and Drug Administration (FDA) issued a Product Problem Report concerning the following device: Merge Hemo Programmable Diagnostic Computer, manufactured by Merge Healthcare. The Merge Hemo device monitors, measures and records physiological data from patients undergoing cardiac catheterization procedures and transfers this data to a monitoring station that runs on a personal computer. This FDA report is the first identifying antimalware as the cause of a medical device failure.
Australian TGA on cyber security
In a timely note, the March 2016 edition of the Medical Devices Safety Update, put out by the Australian Therapeutic Goods Administration, highlights medical device cyber security as a key issue.
Interestingly, this comes shortly after the release by…
Ransomware incident response – prevention, readiness and strategy
Last week, the Hollywood Presbyterian Medical Center was able to negotiate the release of a collection of system resources and data files that had been encrypted and held hostage by ransomware attackers. Ransomware is a peculiar type of malware in that it is not designed or intended to steal personal or confidential information. Rather, it exploits the value users place on the security and control of their own data by taking that control away. It does this by combing the infected system for critical system files and potentially valuable user data (Word documents, Excel spreadsheets, PDF files, Outlook messages and the like) and, as these target files are identified, encrypting them with a strong algorithm. The infected computer systems stop functioning properly and bewildered users are locked out of their own files, unless and until the attackers are paid for the decryption key.
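The behaviour described above (ransomware hunting for document files by type and replacing their contents with ciphertext) is also what a defender can look for. The following is an added example written for this page, not code from the original post or from any vendor: it scans a directory for files whose extension says “document” but whose bytes look encrypted, using two cheap signals that ransomware-encrypted files exhibit, namely a missing file-format magic header and near-maximal byte entropy. The extension list, the magic headers, the entropy threshold and the sample files are all assumptions constructed for illustration.

```python
"""Heuristic scan for files that look as though ransomware has encrypted them.

Added example, not part of the original post. It builds a constructed sample
directory (one plaintext document, one well-formed PDF-like file, two files
overwritten with random bytes standing in for ciphertext) and flags the files
that (a) carry a document extension, (b) no longer start with the magic header
that format requires, and (c) have byte entropy close to the 8 bits/byte that
strong encryption produces. Thresholds and lists are illustrative assumptions.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed map of target extensions to the magic header a genuine file of that
# type begins with. None means the format has no fixed header (rely on entropy).
MAGIC = {
    ".docx": b"PK\x03\x04",          # OOXML is a zip container
    ".xlsx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0",     # legacy OLE2 compound file
    ".xls": b"\xd0\xcf\x11\xe0",
    ".pdf": b"%PDF",
    ".txt": None,
}
# Assumed cutoff: plain text sits far below this; ciphertext is ~7.9+ bits/byte.
ENTROPY_THRESHOLD = 7.5
HEAD_BYTES = 65536  # first 64 KiB is enough to judge both signals


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True if a target-type file has lost its magic header and is high-entropy.

    Compressed formats (zip-based OOXML, PDFs with deflated streams) are
    naturally high-entropy, so entropy alone would give false positives; the
    header check is what separates a real .xlsx from a ciphertext blob named .xlsx.
    """
    ext = path.suffix.lower()
    if ext not in MAGIC:
        return False
    data = path.read_bytes()[:HEAD_BYTES]
    high_entropy = shannon_entropy(data) >= ENTROPY_THRESHOLD
    magic = MAGIC[ext]
    if magic is None:
        return high_entropy
    return high_entropy and not data.startswith(magic)


def suspicious_files(root) -> list:
    """Sorted paths under `root` that `looks_encrypted` flags."""
    return sorted(str(p) for p in Path(root).rglob("*") if p.is_file() and looks_encrypted(p))


def build_sample_tree(root) -> None:
    """Constructed sample data for the demo (not real patient or business files)."""
    root = Path(root)
    (root / "report.txt").write_text("Quarterly revenue summary.\n" * 200)      # plaintext
    (root / "invoice.pdf").write_bytes(b"%PDF-1.4\n" + os.urandom(4000))        # valid header, high entropy
    (root / "budget.xlsx").write_bytes(os.urandom(4096))                        # ciphertext posing as xlsx
    (root / "passwords.txt").write_bytes(os.urandom(4096))                      # ciphertext posing as txt
    (root / "notes.log").write_bytes(os.urandom(4096))                          # not a target extension


def demo() -> list:
    """Run the scan over the constructed tree and return the flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [Path(p).name for p in suspicious_files(tmp)]


if __name__ == "__main__":
    print(demo())  # → ['budget.xlsx', 'passwords.txt']
```

The scan is deliberately a point-in-time heuristic: a production control would watch the rate at which files change shape (many documents losing their headers within seconds), plant canary files that no legitimate process should touch, and alert on the process doing the writing. The header check matters because a naive entropy-only rule flags every healthy .docx and PDF on the share.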
FDA builds on postmarket cybersecurity measures for medical devices
On January 15, 2016, the U.S. Food and Drug Administration (“FDA”) released draft guidance entitled, “Postmarket Management of Cybersecurity in Medical Devices,” outlining recommendations to medical device manufacturers for managing postmarket cybersecurity vulnerabilities for marketed medical devices. The FDA stresses that an effective cybersecurity risk management program should address potential cybersecurity risks throughout the product’s entire lifecycle. The draft guidance addresses the shared concerns of the FDA, manufacturers, providers, and consumers about the risks to the safety and efficacy of medical devices and private patient data and the difficulties in detecting new cybersecurity threats. The 2016 draft guidance builds on premarket approval cybersecurity risk management recommendations published by the FDA in its 2014 guidance.
HHS modifies HIPAA rules to facilitate criminal background check reporting
On January 6, 2016, the Office for Civil Rights (OCR) of the United States Department of Health and Human Services (HHS) issued a final rule modifying certain provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The modifications grant certain covered entities a narrowly tailored permission to disclose limited information concerning individuals subject to the Federal mental health prohibitor, as needed for National Instant Criminal Background Check System (NICS) reporting.
Anthem breach may trigger legal obligations for organizations that use Anthem to provide or support employee health insurance plans
Norton Rose Fulbright’s Data Privacy co-chairs authored a blog post that reported on the recent Anthem breach and the consequential cybersecurity risks for its customers. See Anthem breach posts significant cybersecurity risks for Anthem’s customers; may trigger legal obligations,…