HHS Issues Guidance on Processor Vulnerabilities

In a follow-up to an earlier alert regarding the critical problems in modern processors recently reported by Google, HHS issued its own “Technical Report.”  In Google’s “white papers,” the company explains that its teams, together with other analysts and academics, discovered and reported the vulnerabilities dubbed “Spectre” and “Meltdown.”  These are described as vulnerabilities that affect nearly every computer chip manufactured in the last 20 years.  The patches themselves have also come under scrutiny: Intel reported reboot problems and slowdowns following installation, and Microsoft then released new updates for Windows 10 to address those issues.

The fault arises from speculative execution, a performance feature built into chips to help them run faster.  There is no evidence that the flaws have been exploited in the wild, but reportedly such exploits would be difficult to detect because they leave no trace in traditional log files.

HHS cautions in its alert that the vulnerabilities have the potential to expose sensitive information, such as protected health information (PHI), that is processed on these chips.  HHS warns that entities should employ risk management processes to address the vulnerabilities and ensure the security of medical records.  HHS lists the major concerns as:

  • Challenges identifying vulnerable medical devices and accessory medical equipment and ensuring patches are validated to prevent impacts to the intended use.
  • Cloud Computing: Potential PHI or Personally Identifiable Information (PII) data leakage in shared computing environments
  • Web browsers: Possible PHI/PII data leakage
  • Patches: Potential for service degradation and/or interruption from patches


Privately disclosed to chipmakers in June 2017, the bugs became public after a series of leaks in early January 2018.  Meltdown and Spectre work on personal computers, mobile devices, and in the cloud.  HHS notes that although medical devices and support equipment may not resemble PCs, their operating systems (Windows, Linux) run on processors that could be vulnerable.  HHS states: “The risks of PHI data leakage is especially acute in shared infrastructure like cloud computing instances.”  Amazon Web Services, Google Cloud and Microsoft Azure all immediately deployed patches against the Meltdown attack.  HHS cautions that while the major platforms handled the response in a timely way, other cloud managed service providers and institutional or private cloud instances may not have known about the vulnerabilities before January 3, 2018.

The HHS alert provides technical details and mitigation tactics and includes links to various references, support pages and press reports.  See: Technical Report on Widespread Processor Vulnerabilities.
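One practical check that follows from the alert’s mitigation advice, added here as an example and not part of the HHS report: on Linux hosts (including the guest operating systems of medical device support equipment and cloud instances), the kernel publishes its Meltdown/Spectre mitigation state under /sys/devices/system/cpu/vulnerabilities/, one file per issue, with contents such as “Not affected”, “Vulnerable”, “Vulnerable: <detail>” or “Mitigation: <detail>”.  The script below parses those files and flags anything still vulnerable or in an unrecognized state.  The sysfs path and value formats are real kernel interfaces; the sample values in SAMPLE_SYSFS are constructed for the offline run and are not measurements from any particular machine.

```python
"""Audit Linux kernel Meltdown/Spectre mitigation status.

Assumption (not from the HHS alert): the host exposes
/sys/devices/system/cpu/vulnerabilities/<name> with contents of the form
"Not affected", "Vulnerable[: detail]" or "Mitigation: <detail>".
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


@dataclass(frozen=True)
class Status:
    name: str
    state: str   # "not_affected" | "mitigated" | "vulnerable" | "unknown"
    detail: str


def classify(raw: str) -> tuple[str, str]:
    """Map one sysfs value to (state, detail), tolerating whitespace/case."""
    text = raw.strip()
    lowered = text.lower()
    if lowered == "not affected":
        return "not_affected", ""
    if lowered.startswith("mitigation:"):
        return "mitigated", text.split(":", 1)[1].strip()
    if lowered.startswith("vulnerable"):
        detail = text.split(":", 1)[1].strip() if ":" in text else ""
        return "vulnerable", detail
    # Anything else (a new kernel string we have not seen) is surfaced, not hidden.
    return "unknown", text


def read_sysfs(sysfs_dir: Path = SYSFS_DIR) -> dict[str, str]:
    """Read every vulnerability file; an empty dict means the interface is absent."""
    if not sysfs_dir.is_dir():
        return {}
    return {p.name: p.read_text(errors="replace") for p in sysfs_dir.iterdir() if p.is_file()}


def audit(entries: dict[str, str]) -> list[Status]:
    """Classify a name -> raw-value mapping, sorted by name for stable reports."""
    return [Status(name, *classify(value)) for name, value in sorted(entries.items())]


def needs_attention(statuses: list[Status]) -> list[str]:
    """Names that are vulnerable or whose state the parser could not interpret."""
    return [s.name for s in statuses if s.state in ("vulnerable", "unknown")]


# Constructed sample (not captured from a real host) so the audit runs offline.
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
    "l1tf": "Not affected\n",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode\n",
}


if __name__ == "__main__":
    live = read_sysfs()
    source = live if live else SAMPLE_SYSFS
    print("source:", "live sysfs" if live else "constructed sample")
    for s in audit(source):
        print(f"{s.name:14} {s.state:13} {s.detail}")
    print("needs attention:", needs_attention(audit(source)) or "none")
```

Two caveats the page’s cloud concern makes relevant: inside a virtual machine this reports only the guest kernel’s mitigations, not whether the hypervisor was patched, so it cannot by itself answer the question HHS raises about shared infrastructure; and a “mitigated” result for a kernel that was patched without the matching microcode can still show up as “Vulnerable: ... no microcode”, which is why the parser keeps the detail text rather than collapsing it to a boolean.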

For more information on the vulnerabilities, see: The Meltdown and Spectre security flaws.  One congressman from California has sent a letter to Intel, AMD and ARM requesting a briefing on the vulnerabilities and the companies’ handling of them.  See: Congressman Requests Briefing.


Largest HIPAA Settlement: $4.8 mil

HHS issued a press release on May 7, 2014 announcing settlements with two healthcare organizations.  Following submission of a joint breach report by New York-Presbyterian Hospital (NYP) and Columbia University (CU), the HHS Office for Civil Rights (“OCR”) investigated the disclosure of ePHI of 6,800 individuals, which included patient status, vital signs, medications, and laboratory results.  NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP.  The investigation revealed that the breach occurred when a physician employed by CU, who developed applications for both NYP and CU, attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI.  Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.

In addition to the disclosure of ePHI, OCR’s investigation found that neither NYP nor CU had made efforts prior to the breach to ensure that the server was secure and that it contained appropriate software protections, and that neither entity had conducted a thorough risk analysis or had an adequate risk management plan.

NYP has paid $3.3 million and CU has paid $1.5 million, with both entities agreeing to a substantive corrective action plan.

HHS press release: http://www.hhs.gov/news/press/2014pres/05/20140507b.html


Report on Healthcare – Increase in Threats


A whitepaper released by the SANS Analyst Program (sponsored by Norse) predicts an increase in risks to healthcare systems and data given “more open exchanges of health care information between patients, insurers, doctors and pharmacists.”  The report, subtitled “Widespread Compromises Detected, Compliance Nightmare on Horizon,” describes results from another SANS report, “Biggest Culprits: Internet of Things and Security Devices,” which concluded that because the healthcare and pharmaceutical sectors will employ more connected devices, the threats are greater.

Specifically, the SANS analysis showed that the healthcare system’s critical information systems are poorly protected and often compromised.  The issues affected radiology imaging software, video conferencing systems, digital video systems, call contact software, and security systems and devices, including VPNs, firewalls and routers.  The report’s author warns: “As compared to traditional IT systems, incidents involving Things, such as a hacked MRI machine, can carry physical consequences, as well as policy and financial impacts.”

Notable devices/applications:

  • Connected medical endpoints (examples: online health monitoring to radiology devices to video-oriented services);
  • Internet facing personal health data (example: web-based call center for medical supply entity);
  • Security systems and edge devices (example: enterprise network controllers).

The report details the findings of a study that reviewed the largest sources of malicious traffic.

To get a copy of the report, go to: http://norse-corp.com


Cases and Classes: Updates on Litigation, Decisions Relating to Data Breaches

Sony

In the Sony Gaming Networks litigation, currently pending in the U.S. District Court for the Southern District of California, the trial court entered a decision on January 21, 2014 ruling on Sony’s Motion to Dismiss the class action, which arose out of the April 2011 breach of Sony’s PlayStation Network.  Sony sought dismissal of plaintiffs’ First Amended Complaint on several grounds, including standing.  Sony argued that plaintiffs did not have standing to pursue non-Ohio state law claims on behalf of non-Ohio residents (the consolidated action includes named plaintiffs from Massachusetts, New Hampshire, Florida, California, Missouri, Michigan, Texas, Ohio and New York, and fifty-one claims, including negligence, negligent misrepresentation, breach of express/implied warranty, violation of state consumer protection statutes, violation of the CA Database Breach Act, violation of FCRA and bad faith).  The court dismissed the Ohio and FCRA claims without leave to amend.  In addition, Sony sought dismissal on the basis of Article III standing, arguing that plaintiffs failed to allege an “injury-in-fact” as a result of the intrusion.  Essentially, Sony sought another ruling on the issue in light of the Supreme Court’s decision in Clapper v. Amnesty International.  In Clapper, journalists and human rights activists alleged they were potential targets of the government under the Foreign Intelligence Surveillance Act (“FISA”) because their work requires them to communicate with international subjects.  The Clapper plaintiffs argued that they would be targeted under the Act and that they had already undertaken costly and burdensome measures to protect the confidentiality of international sources.  The Supreme Court found that the claimants failed to show that the “threatened injury” was “certainly impending,” stating that a “speculative chain of possibilities … based on potential future surveillance” was not enough.
The Supreme Court also noted that if parties could base Article III standing on reasonably incurred costs to avoid the risk of future harm, this would water down the fundamental requirements of Article III.
Sony argued that the Clapper ruling resulted in a more “tightened ‘injury-in-fact’ analysis” than the standard previously relied upon by the trial court (under Krottner v. Starbucks).  Judge Battaglia in the Sony Gaming decision declined to recognize a distinction between his earlier analysis based on Krottner and the Supreme Court’s standards outlined in Clapper.  Judge Battaglia stated that courts in the Ninth Circuit “have routinely denied motions to dismiss based on Article III standing where a plaintiff alleges that his personal information was collected and then wrongfully disclosed…”  Although Sony argued that the allegations were insufficient because none of the named plaintiffs alleged that their personal information was actually accessed by a third party, Judge Battaglia found that plaintiffs nonetheless “plausibly alleged a ‘credible threat’ of impending harm…”
So, another test of the injury-in-fact issue relating to the so-called fear of identity theft.  The cases cited by Judge Battaglia addressed whether personal information was disclosed (Facebook), whether personal information was even exposed (LinkedIn) or whether personal information had been disseminated (Google).  For now, the distinction between cases in which a plaintiff can and cannot allege injury appears to turn on whether a court finds that the plaintiff(s) have alleged sufficient facts to show some kind of collection and disclosure of personal information.  As more data breach scenarios are tested in class litigation, we likely will see courts continue to refine this analysis.

Kaiser

In other breach news, the Attorney General for the State of California filed suit on January 24, 2014 against Kaiser Foundation Health Plan alleging violations of California’s unfair business practices statute because of Kaiser’s alleged delay in disclosing a breach of its security systems.  The AG alleges that on September 24, 2011, Kaiser learned that an external hard drive containing unencrypted personal information of former and current Kaiser employees had been purchased by a member of the public at a thrift store in Santa Cruz.  The data included employee names, SSNs, DOBs, addresses and personal information of some employee spouses and children (going back to 2009).  Kaiser secured the drive and conducted an examination, completed by December 28, 2011, that revealed over 30,000 SSNs and other sensitive information.  Kaiser continued the inventory, and the AG alleges that Kaiser had sufficient information to identify and notify at least some individuals between December 2011 and February 2012.  Instead, the AG notes, Kaiser began mailing letters on or about March 19, 2012.  The AG also alleges that Kaiser violated California law by publicly posting or displaying the SSNs of more than 20,000 residents.  The AG seeks $2,500 for each violation.

Horizon

On January 28, 2014, a putative nationwide class action suit was filed against Horizon Healthcare Services (d/b/a Horizon Blue Cross Blue Shield of New Jersey) alleging that Horizon failed to secure PII and PHI, including names, DOBs, SSNs, addresses, demographic information, medical histories, lab results, insurance information and other data collected by Horizon.  The allegations concern an incident in November 2013 in which two unencrypted laptops were stolen from Horizon’s headquarters in Newark, New Jersey.  Plaintiffs allege violations of Horizon’s privacy policy; that Horizon did not implement encryption even though it suffered a similar breach in 2008; and that Horizon ignored government and industry warnings regarding encryption.  The counts include violations of FCRA, negligence, breach of contract (the members’ health insurance contracts or handbook include privacy representations/safeguards), and violations of NJ consumer fraud statutes (misrepresentations/omissions regarding privacy policies and encryption; failure to destroy unneeded records; failure to notify promptly following a breach).

Yet another example of how the healthcare and health insurer industries will remain a target given the wealth of member information they manage.  As with the recent Target data breaches, legislators predictably took the opportunity to investigate and interrogate company officials.  See article at: http://www.nj.com/politics/index.ssf/2014/01/nj_senate_health_panel_grills_horizon_about_two_stolen_laptops.html


The Office Workhorse is a Digital Machine


And it is worth sanitizing.

On August 14, 2013, HHS announced a settlement with Affinity Health Plan, Inc. after investigating the discovery of sensitive health data stored on photocopier hard drives.


Affinity Health Plan, a not-for-profit managed care plan serving the New York metropolitan area, was informed by CBS Evening News that CBS had purchased a photocopier previously used by Affinity that still contained confidential medical information on its hard drive.  Affinity reported the breach to the HHS Office for Civil Rights on April 15, 2010 and estimated that up to 344,579 individuals may have been affected.

OCR reports that its investigation revealed that Affinity impermissibly disclosed the protected health information of these individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.  Affinity and OCR negotiated a settlement, which included a $1.2 million payment and “a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.”

See HHS press release: http://www.hhs.gov/news/press/2013pres/08/20130814a.html

HHS Issues Final Omnibus Rule under HIPAA

Final Rule Keeps Tiered Penalties, Now Addresses “Subcontractors”

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) issued a press release announcing modifications to the HIPAA Privacy and Security Rules.  HHS issued the final rule to:
-modify the HIPAA Privacy, Security and Enforcement Rules to implement statutory amendments under HITECH that strengthen privacy and security protection for individuals’ health information (applying the Security Rule standards and certain Privacy Rule provisions directly to business associates);
-modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act (an impermissible access to or disclosure of PHI is presumed to be a breach);
-modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing provisions of GINA (the Genetic Information Nondiscrimination Act of 2008); and
-make certain other modifications to the HIPAA Rules to improve their effectiveness and flexibility.

The final rule is effective March 26, 2013 and covered entities and business associates must comply with the applicable requirements of the final rule by September 23, 2013.

The regulations transform the relationship between covered entities and business associates and, for the first time, regulate a new type of HIPAA entity: “subcontractors.”  The rule replaces the “harm” standard in the breach notification rules with a four-factor risk assessment for determining whether notification is required.

The rule clarifies when breaches of information must be reported to the Office for Civil Rights, sets new rules on the use of patient-identifiable information for marketing and fundraising, and expands direct liability under the law to the so-called “business associates” of hospitals and physicians and other “HIPAA-covered entities.” Those associates might include a provider’s healthcare data-miners and health information technology service providers.

Final modifications to the Privacy, Security and Enforcement Rules (per HITECH) include:
• Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.
• Strengthen the limitations on the use and disclosure of protected health information without individual authorization.
• Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009 interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.

The final rule adopts the tiered civil money penalty structure, including the modified “reasonable cause” definition for the second tier (the entity knew, or with reasonable diligence should have known, of the violation, but did not act with willful neglect).  The HITECH tiered penalty scheme is as follows:

(1) for violations in which it is established that the covered entity did not know and, by exercising reasonable diligence, would not have known that the covered entity violated a provision, an amount not less than $100 or more than $50,000 for each violation;
(2) for a violation in which it is established that the violation was due to reasonable cause and not to willful neglect, an amount not less than $1000 or more than $50,000 for each violation;
(3) for a violation in which it is established that the violation was due to willful neglect and was timely corrected, an amount not less than $10,000 or more than $50,000 for each violation; and
(4) for a violation in which it is established that the violation was due to willful neglect and was not timely corrected, an amount not less than $50,000 for each violation; except that a penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1,500,000 in a calendar year.


In applying these amounts, HHS says it will not impose the maximum penalty in all cases but will instead determine penalty amounts as required by the statute (i.e., based on the nature and extent of the violation, the nature and extent of the resulting harm, and the other statutory factors).

The final rule adopts the language that expressly designates as business associates: (1) a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity.

HHS declined to provide a definition for Health Information Organization.

Data transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates.

The official publication for the new rule is scheduled for January 25, 2013.