Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a

On June 12, 2016, the HHS Office of Civil Rights (OCR) released guidance, entitled “FACT SHEET: Ransomware and HIPAA,” in response to the rising number of ransomware attacks perpetrated against healthcare entities. The guidance addresses Health Insurance Portability and Accountability Act (HIPAA) issues that may arise when medical records containing Protected Health Information (PHI) are compromised or stolen during a ransomware attack. OCR’s view is that compliance with HIPAA’s information security requirements assists healthcare entities in preventing and recovering from ransomware attacks.

On February 8, 2016, the U.S. Food and Drug Administration (FDA) issued a Product Problem Report concerning the following device: Merge Hemo Programmable Diagnostic Computer, manufactured by Merge Healthcare. The Merge Hemo device monitors, measures and records physiological data from patients undergoing cardiac catheterization procedures and transfers this data to a monitoring station that runs on a personal computer.  This FDA report is the first identifying antimalware as the cause of a medical device failure.

Last week, the Hollywood Presbyterian Medical Center was able to successfully negotiate the release of a collection of system resources and data files that had been encrypted and held hostage by ransomware attackers. Ransomware is a peculiar type of malware that is not designed or intended to steal personal or confidential information. Rather, ransomware is built to exploit the inherent value assigned to data security and control, by taking it away from the user. It does this by combing for critical system files and potentially valuable user data (word documents, excel spreadsheets, pdf files, outlook messages, and the like).  As these target files are identified, a strong encryption algorithm is applied to prevent infected computer systems from properly functioning while inhibiting bewildered users from accessing their own files, unless and until the attackers are paid to provide the decryption key.

On January 15, 2016, the U.S. Food and Drug Administration (“FDA”) released draft guidance entitled, “Postmarket Management of Cybersecurity in Medical Devices,” outlining recommendations to medical device manufacturers for managing postmarket cybersecurity vulnerabilities for marketed medical devices.  The FDA stresses that an effective cybersecurity  risk management program should address potential cybersecurity risks throughout the product’s entire lifecycle.   The draft guidance addresses the shared concerns of the FDA, manufacturers, providers, and consumers about the risks to the safety and efficacy of medical devices and private patient data and the difficulties in detecting new cybersecurity threats.  The 2016 draft guidance builds on premarket approval cybersecurity risk management recommendations published by the FDA in its 2014 guidance.

On January 6, 2015, the Office for Civil Rights (OCR) of the United States Department of Health and Human Services (HHS) issued a final rule modifying certain provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The modifications grant to certain covered entities a narrowly tailored permission to disclose limited information concerning individuals subject to the Federal mental health prohibitor, as needed for National Instant Criminal Background Check System (NICS) reporting.