<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/" xmlns:gr="http://www.google.com/schemas/reader/atom/" xmlns:idx="urn:atom-extension:indexing" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" idx:index="no" gr:dir="ltr"><!--
Content-type: Preventing XSRF in IE.

--><generator uri="http://www.google.com/reader">Google Reader</generator><id>tag:google.com,2005:reader/user/05041919899886319834/label/infosec</id><title type="text">T2P Information Protection &amp; Privacy News</title><gr:continuation>CNXtpI3g76cC</gr:continuation><author><name>Truth to Power Association</name></author><updated>2011-06-20T23:00:59Z</updated><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/t2pnewsinfosec" /><feedburner:info uri="t2pnewsinfosec" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>t2pnewsinfosec</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><entry gr:crawl-timestamp-msec="1308610859468"><id gr:original-id="http://www.hipaa.com/?p=2397">tag:google.com,2005:reader/item/db81f4d870c68dde</id><category term="American Recovery and Reinvestment Act" /><category term="HIPAA Law: Administrative Simplification" /><category term="Health IT and HITECH" /><category term="Privacy" /><category term="access report" /><category term="accounting of disclosures" /><category term="business associates" /><category term="covered entities" /><category term="DEPARTMENT OF HEALTH AND HUMAN SERVICES" /><category term="designated record set" /><category term="electronic designated record set" /><category term="electronic health record" /><category term="electronic protected health information" /><category term="Federal Register" /><category term="Health Care Operations" /><category term="Health Information Technology for Economic and Clinical Health Act" /><category term="HHS" /><category term="HIPAA" /><category term="HITECH Act" /><category term="notice of privacy practices" /><category term="Notice of Proposed Rulemaking" /><category term="NPRM" /><category term="OCR" /><category term="Office for Civil Rights" /><category 
term="Payment" /><category term="Privacy Rule" /><category term="protected health information" /><category term="small health plans" /><category term="statutory requirements" /><category term="Treatment" /><title type="html">HHS Publishes HITECH Act Accounting of Disclosures NPRM</title><published>2011-05-31T12:38:36Z</published><updated>2011-05-31T12:38:36Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/398cHvNTT0A/" type="text/html" /><content xml:base="http://www.hipaa.com/" type="html">&lt;p&gt;The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published in the May 31, 2011, &lt;em&gt;Federal Register&lt;/em&gt; the Notice of Proposed Rule Making (NPRM) entitled &lt;em&gt;HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act&lt;/em&gt; (76(104), pp. 31426-31449). This NPRM is available online in &lt;a href="http://www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf"&gt;pdf&lt;/a&gt;.  Comments on the NPRM are requested to be submitted on or before August 1, 2011.  The Summary of the NPRM with abbreviations, as noted, on p. 31426, is:&lt;/p&gt;
&lt;p&gt;“HHS is issuing this NPRM to modify the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information.  The purpose of these modifications is, in part, to implement the statutory requirement under the HITECH Act to require covered entities and business associates to account for disclosures of protected health information to carry out treatment, payment, and health care operations if such disclosures are through an electronic health record.  Pursuant to both the HITECH Act and its more general authority under HIPAA, the Department [HHS] proposes to expand the accounting provision to provide individuals with the right to receive an access report indicating who has accessed electronic protected health information in a designated record set.  Under its more general authority under HIPAA, the Department also proposes changes to the existing accounting requirements to improve their workability and effectiveness.”&lt;/p&gt;
&lt;p&gt;There are several points worth noting in the NPRM.  First, HHS  includes “a direct reference to business associates in the standard to make clear that the covered entity must include accounting information for all disclosures by the covered entity’s business associates that create, receive, maintain, or transmit &lt;strong&gt;designated record set&lt;/strong&gt; information.”  [p. 31430, emphasis added]  Second, “[c]overed entities must provide individuals with notices of privacy practices that detail how the covered entity may use and disclose protected health information and individuals’ rights with respect to their own health information. Beginning on January 1, 2013, individuals would have the right to receive a report of who accessed their electronic protected health information that covers a three-year period from the date of the request.  Covered entities would have to revise their privacy notices to reflect this change.” [p. 31445]  HHS estimates that 669,000 health care providers would have to revise and reissue their notices of privacy practices.  Next, HHS is “proposing that covered entities (including small health plans) and business associates comply with the modifications to the accounting of disclosures requirement beginning 180 days after the effective date of the final regulation (240 days after publication [in the &lt;em&gt;Federal Register&lt;/em&gt;]).  We are proposing that covered entities and business associates provide individuals with a right to an access report beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic designated record set systems acquired as of January 1, 2009. ” [p. 31429].  Finally, HHS expects to review comments and publish the Accounting of Disclosures Final Rule by the end of 2011, which means that compliance with the accounting of disclosures requirement would begin sometime during the summer of 2012. 
[20110531]&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/398cHvNTT0A" height="1" width="1"/&gt;</content><author><name>Ed Jones</name></author><source gr:stream-id="feed/http://www.hipaa.com/feed/"><id>tag:google.com,2005:reader/feed/http://www.hipaa.com/feed/</id><title type="html">HIPAA.com</title><link rel="alternate" href="http://www.hipaa.com" type="text/html" /></source><feedburner:origLink>http://www.hipaa.com/2011/05/hhs-publishes-hitech-act-accounting-of-disclosures-nprm/</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1308610775983"><id gr:original-id="http://www.pogowasright.org/?p=23111">tag:google.com,2005:reader/item/e45d11a01c5fc232</id><category term="Court" scheme="http://www.pogowasright.org" /><category term="Internet" scheme="http://www.pogowasright.org" /><title type="html">Identity of Anonymous Wikipedia Editors Not Protected by First Amendment</title><published>2011-05-27T18:39:48Z</published><updated>2011-05-27T18:39:48Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/pLDBE0p3dSM/" type="text/html" /><link rel="replies" href="http://www.pogowasright.org/?p=23111#comments" type="text/html" /><link rel="replies" href="http://www.pogowasright.org/?feed=atom&amp;p=23111" type="application/atom+xml" /><content xml:base="http://www.pogowasright.org/?p=23111" xml:lang="en" type="html">&lt;p&gt;Jonathan D. Frieden writes:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;In &lt;em&gt;Faconnable USA Corporation v. John Does 1-10&lt;/em&gt;, 2011 WL 2015515 (D. Colo. May 24, 2011), the United States District Court for the District of Colorado rejected an ISP’s motion to quash a subpoena issued to discover the identity of anonymous editors of &lt;a href="http://en.wikipedia.org/wiki/Wikipedia"&gt;Wikipedia&lt;/a&gt;.  Plaintiff alleges that the anonymous editors violated &lt;a href="http://en.wikipedia.org/wiki/Lanham_act"&gt;the Lanham Act&lt;/a&gt; and committed trade libel and commercial disparaging by falsely posting that plaintiff is a supporter of &lt;a href="http://en.wikipedia.org/wiki/Hezbollah"&gt;Hezbollah&lt;/a&gt;, a Shiite Islamist militia and political party which has been designated as a terrorist organization.&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Read more on &lt;a href="http://ecommercelaw.typepad.com/ecommerce_law/2011/05/identity-of-anonymous-wikipedia-editors-not-protected-by-first-amendment.html"&gt;eCommerce Law&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/pLDBE0p3dSM" height="1" width="1"/&gt;</content><author><name>Dissent</name></author><source gr:stream-id="feed/http://www.pogowasright.org/?cat=10&amp;feed=atom"><id>tag:google.com,2005:reader/feed/http://www.pogowasright.org/?cat=10&amp;feed=atom</id><title type="html">Privacy News - PogoWasRight.org » Court</title><link rel="alternate" href="http://www.pogowasright.org/" type="text/html" /></source><feedburner:origLink>http://www.pogowasright.org/?p=23111</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1308610201405"><id gr:original-id="http://www.cio.com/article/684390/Enterprises_Get_New_Guidance_on_PCI_Compliance_in_Virtual_Environments?source=rss_compliance">tag:google.com,2005:reader/item/373f24d3d53a95a9</id><title type="html">Enterprises Get New Guidance on PCI Compliance in Virtual Environments</title><published>2011-06-15T04:00:00Z</published><updated>2011-06-15T04:00:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/TKK58Vt8Elg/Enterprises_Get_New_Guidance_on_PCI_Compliance_in_Virtual_Environments" type="text/html" /><link rel="canonical" href="http://www.cio.com/article/684390/Enterprises_Get_New_Guidance_on_PCI_Compliance_in_Virtual_Environments?source=rss_compliance" /><summary xml:base="http://www.cio.com/" type="html">Enterprises got some much needed clarification on the implementation of PCI requirements in virtualized environments on Tuesday.&lt;img src="http://feeds.feedburner.com/~r/cio/feed/topic/1473/~4/geQ5hs_FxQg" height="1" width="1"&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/TKK58Vt8Elg" height="1" width="1"/&gt;</summary><author><name>Jaikumar Vijayan &lt;info@cio.com&gt;</name></author><source 
gr:stream-id="feed/http://feeds.feedburner.com/cio/feed/topic/1473"><id>tag:google.com,2005:reader/feed/http://feeds.feedburner.com/cio/feed/topic/1473</id><title type="html">CIO.com - Compliance</title><link rel="alternate" href="http://www.cio.com/" type="text/html" /></source><feedburner:origLink>http://feedproxy.google.com/~r/cio/feed/topic/1473/~3/geQ5hs_FxQg/Enterprises_Get_New_Guidance_on_PCI_Compliance_in_Virtual_Environments</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301267994232"><id gr:original-id="tag:www.secureconsulting.net,2011://12.2341">tag:google.com,2005:reader/item/8816ea1cfe81197c</id><category term="infosec" scheme="http://www.sixapart.com/ns/types#category" /><category term="infosec" scheme="http://www.sixapart.com/ns/types#category" /><category term="metrics" scheme="http://www.sixapart.com/ns/types#tag" label="metrics" /><category term="survivability" scheme="http://www.sixapart.com/ns/types#tag" label="survivability" /><title type="html">Survivability Rather Than Security Metrics</title><published>2011-03-02T19:29:32Z</published><updated>2011-03-09T22:12:58Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/8UyOp9R8CwU/survivability-rather-than-secu.html" type="text/html" /><content xml:base="http://www.secureconsulting.net/" xml:lang="en" type="html">&lt;p&gt;(Note: this is a somewhat incomplete thought.)&lt;br&gt;
There's been a lot of talk of late about security metrics, but I'm increasingly inclined to think that we're shooting at the wrong elusive target. Why do we keep chasing after measuring relatively immeasurable things? Instead, I think we should be starting with the things that we can measure. After all, security is a feeling, not a tangible outcome, right?&lt;br&gt;
&lt;/p&gt;
        &lt;p&gt;Instead of measuring something so squishy, let's instead look at the operational metrics that we can absolutely measure. For example:&lt;br&gt;
 - Uptime&lt;br&gt;
 - Availability&lt;br&gt;
 - Performance (e.g., TPS, MIPS)&lt;br&gt;
 - Time-to-Fix&lt;br&gt;
 - &lt;a href="http://en.wikipedia.org/wiki/Mean_time_between_failures"&gt;MTBF&lt;/a&gt; (for a broad definition of "failure") &lt;br&gt;
 - SNR (representative here - i.e., how much "background noise" do we get from scans vs. detected legit attacks)&lt;br&gt;
 - Visibility (into code, into environment, etc.)&lt;/p&gt;

&lt;p&gt;These strike me as useful metrics to track, at least operationally, with an ability to then roll them up into tactical, and even strategic, reports. Thinking about this all in terms of survivability, then, we want to be able to answer these questions:&lt;br&gt;
 - Have operations been negatively impacted?&lt;br&gt;
 - Were we able to continue operations despite degraded conditions?&lt;br&gt;
 - What measurable impact occurred during the impact period?&lt;br&gt;
 - How quickly can we resolve issues once detected?&lt;/p&gt;

&lt;p&gt;These, I think, are very useful metrics to monitor. One could rightly argue that they're primarily IT operations metrics, but they go directly toward key infosec objectives, too. In terms of survivability, they help us gain a better picture about resiliency, such as benchmarking how recoverability, as well as to a degree defensibility.&lt;/p&gt;

&lt;p&gt;Defensibility, of course, is where we start potentially getting back into squishiness. We have a similar problem with performing a FAIR risk analysis, too, when we look at the "Vulnerability" factor, since there's no simple, reliable, consistent way to measure it (i.e., this is one of the more subjective values in the overall scheme of things).&lt;/p&gt;

&lt;p&gt;Putting this thought into a properly framed risk management context, based around survivability as the main driver, I think that metrics developed along these lines are more useful today, while also being reasonably accurate and precise. It's time to put aside fuzzy "security" metrics in favor of something that tells the business just how reliable its systems and applications are.&lt;br&gt;
&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/8UyOp9R8CwU" height="1" width="1"/&gt;</content><author><name>Ben Tomhave</name></author><source gr:stream-id="feed/http://www.secureconsulting.net/atom.xml"><id>tag:google.com,2005:reader/feed/http://www.secureconsulting.net/atom.xml</id><title type="html">The Falcon&amp;#39;s View</title><link rel="alternate" href="http://www.secureconsulting.net/" type="text/html" /></source><feedburner:origLink>http://www.secureconsulting.net/2011/03/survivability-rather-than-secu.html</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301267079012"><id gr:original-id="">tag:google.com,2005:reader/item/86bd499cb2e166d3</id><title type="html">Five virtualisation management issues CIOS must manage</title><published>2011-03-27T03:00:00Z</published><updated>2011-03-27T03:00:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/18JN0PGbOE4/Five-virtualisation-management-issues-CIOS-must-manage" type="text/html" /><link rel="canonical" href="http://searchcio.techtarget.com.au/tip/Five-virtualisation-management-issues-CIOS-must-manage" /><summary xml:base="http://searchcio.techtarget.com.au/" type="html">Virtualisation is powerful and creates welcome efficiencies and savings, but can also introduce some new IT management challenges. We explain five of them – and how to meet the challenge and create smarter virtual infrastructure – in this tip.&lt;div&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SearchcioAU-CompleteFeed/~4/dO7_zYiaTLk" height="1" width="1"&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/18JN0PGbOE4" height="1" width="1"/&gt;</summary><author><name>Simon Sharwood(editor@searchcio.com.au</name></author><source gr:stream-id="feed/http://feeds.feedburner.com/SearchcioAU-CompleteFeed"><id>tag:google.com,2005:reader/feed/http://feeds.feedburner.com/SearchcioAU-CompleteFeed</id><title type="html">SearchCIO.com.AU: Complete RSS Feed</title><link rel="alternate" href="http://searchcio.techtarget.com.au" type="text/html" /></source><feedburner:origLink>http://feedproxy.google.com/~r/SearchcioAU-CompleteFeed/~3/dO7_zYiaTLk/Five-virtualisation-management-issues-CIOS-must-manage</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301266861023"><id gr:original-id="http://www.schneier.com/blog/archives/2011/03/threats_vs_vuln.html">tag:google.com,2005:reader/item/0242f2369bf43339</id><title type="html">Threats vs. Vulnerabilities</title><published>2011-03-23T11:34:58Z</published><updated>2011-03-23T11:34:58Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/bDq8XFc5ymU/threats_vs_vuln.html" type="text/html" /><summary xml:base="http://www.schneier.com/blog/" type="html">&lt;p&gt;I found &lt;a href="http://jps.anl.gov/Volume4_iss2/Paper3-RGJohnston.pdf"&gt;this article&lt;/a&gt; on the difference between threats and vulnerabilities to be very interesting.  I like his taxonomy.&lt;/p&gt;&lt;div&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/bDq8XFc5ymU" height="1" width="1"/&gt;</summary><author><name>schneier</name></author><source gr:stream-id="feed/http://www.schneier.com/blog/index.rdf"><id>tag:google.com,2005:reader/feed/http://www.schneier.com/blog/index.rdf</id><title type="html">Schneier on Security</title><link rel="alternate" href="http://www.schneier.com/blog/" type="text/html" /></source><feedburner:origLink>http://www.schneier.com/blog/archives/2011/03/threats_vs_vuln.html</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301266752077"><id gr:original-id="http://www.huntonprivacyblog.com/2011/03/articles/enforcement-1/ftc-accepts-final-settlement-with-twitter/">tag:google.com,2005:reader/item/b94304294b8c6419</id><category term="Consumer Protection" scheme="http://www.huntonprivacyblog.com/tags" /><category term="Enforcement" scheme="http://www.huntonprivacyblog.com/articles" /><category term="Federal Trade Commission" scheme="http://www.huntonprivacyblog.com/tags" /><category term="Online Privacy" scheme="http://www.huntonprivacyblog.com/articles" /><category term="Personal information" scheme="http://www.huntonprivacyblog.com/tags" /><category term="Privacy policy" scheme="http://www.huntonprivacyblog.com/tags" /><category term="Twitter" scheme="http://www.huntonprivacyblog.com/tags" /><title type="html">FTC Accepts Final Settlement with Twitter</title><published>2011-03-14T19:25:47Z</published><updated>2011-03-14T19:25:47Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/zK7K03fbSp0/" type="text/html" /><link rel="canonical" href="http://www.huntonprivacyblog.com/2011/03/articles/enforcement-1/ftc-accepts-final-settlement-with-twitter/" /><summary xml:base="http://www.huntonprivacyblog.com/" type="html">&lt;p&gt;On March 11, 2011, the Federal Trade Commission &lt;a href="http://www.ftc.gov/opa/2011/03/twitter.shtm"&gt;finalized&lt;/a&gt; a proposed settlement with 
Twitter, which resolved allegations that Twitter deceived consumers and failed to safeguard their personal information. The FTC first announced the &lt;a href="http://www.ftc.gov/os/caselist/0923093/110311twitterdo.pdf"&gt;proposed settlement&lt;/a&gt; in June 2010. Specifically, the FTC &lt;a href="http://www.ftc.gov/os/caselist/0923093/110311twittercmpt.pdf"&gt;claimed&lt;/a&gt; that Twitter, contrary to its privacy policy statements, did not provide reasonable and appropriate security to prevent unauthorized access to consumers’ personal information and did not honor the consumers’ privacy choices in designating certain tweets as nonpublic. Intruders exploited these failures and obtained administrative control of the Twitter system. These intruders were able to gain unauthorized access to nonpublic tweets and user information, reset any user’s password, and send unauthorized tweets from any user account.&lt;/p&gt;&lt;p&gt;Under the terms of the settlement, Twitter must implement a comprehensive information security program that is reasonably designed to protect the privacy and security of nonpublic consumer information, and it is prohibited from misrepresenting the extent to which it protects such information. An independent auditor must conduct biennial assessments for 10 years to determine whether Twitter’s information security program adequately protects consumer information as required by the settlement. Twitter is further required to make available to the FTC any privacy policy statements, consumer complaints, subpoenas and other documents that relate to Twitter’s activities in the FTC complaint or Twitter’s compliance in the settlement. Finally, Twitter must file a report describing its compliance with the settlement and alert the FTC to any change in the corporation that may affect its compliance obligations. Any violation of the FTC order, which is in effect for 20 years, may result in a civil penalty of up to $16,000. 
The order is in effect for 20 years.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/PrivacyInformationSecurityLawBlog/~4/FBWhQw4Z29U" height="1" width="1"&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/zK7K03fbSp0" height="1" width="1"/&gt;</summary><author><name>Hunton &amp;amp; Williams LLP</name></author><source gr:stream-id="feed/http://www.huntonprivacyblog.com/index.xml"><id>tag:google.com,2005:reader/feed/http://www.huntonprivacyblog.com/index.xml</id><title type="html">Privacy and Information Security Law Blog</title><link rel="alternate" href="http://www.huntonprivacyblog.com" type="text/html" /></source><feedburner:origLink>http://feeds.lexblog.com/~r/PrivacyInformationSecurityLawBlog/~3/FBWhQw4Z29U/</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301266681633"><id gr:original-id="http://www.pogowasright.org/?p=21935">tag:google.com,2005:reader/item/9ce9322cacc33dc9</id><category term="Businesses" scheme="http://www.pogowasright.org" /><category term="Internet" scheme="http://www.pogowasright.org" /><category term="Legislation" scheme="http://www.pogowasright.org" /><title type="html">What’s Next for the FTC’s Proposed Privacy Framework?</title><published>2011-03-24T13:38:52Z</published><updated>2011-03-24T13:38:52Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/zArrY9lS-tE/" type="text/html" /><link rel="replies" href="http://www.pogowasright.org/?p=21935#comments" type="text/html" /><link rel="replies" href="http://www.pogowasright.org/?feed=atom&amp;p=21935" type="application/atom+xml" /><content xml:base="http://www.pogowasright.org/?p=21935" xml:lang="en" type="html">&lt;p&gt;Richard L. Santalesa writes:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;The December 2010 release of the FTC’s much anticipated &lt;em&gt;Privacy Framework&lt;/em&gt; (see our coverage &lt;a href="http://www.infolawgroup.com/2010/11/articles/enforcement/ftc-settles-charges-that-company-failed-to-tell-users-parents-that-childrens-information-would-be-disclosed-to-marketers/"&gt;here&lt;/a&gt;, &lt;a href="http://www.infolawgroup.com/2010/12/articles/events/david-vladeck-previews-ftcs-report-on-online-privacy/"&gt;here&lt;/a&gt;, &lt;a href="http://www.infolawgroup.com/2010/12/articles/privacy-law/review-of-ftcs-proposed-privacy-framework-part-1/"&gt;here &lt;/a&gt;and the report itself &lt;a href="http://www.ftc.gov/os/2010/12/101201privacyreport.pdf"&gt;here&lt;/a&gt;), included the typical public comment period, which ended in February.  We’ve looked at the 442 separate submitted comments received by the FTC, available &lt;a href="http://www.ftc.gov/os/comments/privacyreportframework/index.shtm"&gt;here&lt;/a&gt;, from individuals and associations, corporations and organizations to uncover what themes, trends and thoughts have been raised by the FTC’s framework, and in turn, what feedback the FTC will be weighing in future changes of the report and ultimately any resulting recommendations for additional legislation and regulation.&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Read more on &lt;a href="http://www.infolawgroup.com/2011/03/articles/data-privacy-law-or-regulation/whats-next-for-the-ftcs-proposed-privacy-framework/"&gt;InformationLawGroup&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/zArrY9lS-tE" height="1" width="1"/&gt;</content><author><name>Dissent</name></author><source gr:stream-id="feed/http://www.pogowasright.org/?cat=14&amp;feed=atom"><id>tag:google.com,2005:reader/feed/http://www.pogowasright.org/?cat=14&amp;feed=atom</id><title type="html">Privacy News - PogoWasRight.org » Legislation</title><link rel="alternate" href="http://www.pogowasright.org/" type="text/html" /></source><feedburner:origLink>http://www.pogowasright.org/?p=21935</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301266478650"><id gr:original-id="">tag:google.com,2005:reader/item/90c06b289f1a8338</id><title type="html">Experts: Data Security Paramount When Retiring Tech Assets</title><published>2011-03-27T22:54:38Z</published><updated>2011-03-27T22:54:38Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/-2U5gj-_TLo/Experts-Data-Security-Paramount-When-Retiring-Tech-Assets.html" type="text/html" /><link rel="canonical" href="http://www.govtech.com/security/Experts-Data-Security-Paramount-When-Retiring-Tech-Assets.html" /><summary xml:base="http://feeds.feedburner.com/govtech/topics/cyber_security" type="html">&lt;img src="http://feeds.feedburner.com/~r/govtech/topics/cyber_security/~4/kUMUZlc-N9E" height="1" width="1"&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/-2U5gj-_TLo" height="1" width="1"/&gt;</summary><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://feeds.feedburner.com/govtech/topics/cyber_security"><id>tag:google.com,2005:reader/feed/http://feeds.feedburner.com/govtech/topics/cyber_security</id><title type="html">Government Technology Security News</title><link 
rel="alternate" href="http://feeds.feedburner.com/govtech/topics/cyber_security" type="text/html" /></source><feedburner:origLink>http://feedproxy.google.com/~r/govtech/topics/cyber_security/~3/kUMUZlc-N9E/Experts-Data-Security-Paramount-When-Retiring-Tech-Assets.html</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301266204576"><id gr:original-id="http://www.lawyersandsettlements.com/case/google-faces-class-action-over-gmail-scanning-google.html?ref=rss">tag:google.com,2005:reader/item/3941a307c2c0afb0</id><title type="html">Law Suit Filed: Google Faces Class Action over Gmail Scanning</title><published>2011-03-16T21:00:21Z</published><updated>2011-03-16T21:00:21Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/H-iTuONQPBE/google-faces-class-action-over-gmail-scanning-google.html" type="text/html" /><summary xml:base="http://www.lawyersandsettlements.com/" type="html">Google Faces Class Action over Gmail Scanning&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/H-iTuONQPBE" height="1" width="1"/&gt;</summary><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://www.lawyersandsettlements.com/rss/Business.xml"><id>tag:google.com,2005:reader/feed/http://www.lawyersandsettlements.com/rss/Business.xml</id><title type="html">Lawyers and Settlements :: Business</title><link rel="alternate" href="http://www.lawyersandsettlements.com/" type="text/html" /></source><feedburner:origLink>http://www.lawyersandsettlements.com/case/google-faces-class-action-over-gmail-scanning-google.html?ref=rss</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301265821788"><id gr:original-id="http://www.internetnews.com/security/article.php/3928416">tag:google.com,2005:reader/item/f7c005023b26e2ac</id><title type="html">BlackBerry Users Advised to Disable JavaScript</title><published>2011-03-27T22:43:41Z</published><updated>2011-03-27T22:43:41Z</updated><link 
rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/ZKP961qUMos/3928416" type="text/html" /><summary xml:base="http://www.internetnews.com/" type="html">RIM's BlackBerry OS was exploited at Pwn2own, leaving users potentially at risk.&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/ZKP961qUMos" height="1" width="1"/&gt;</summary><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://www.internetnews.com/icom_includes/feeds/inews/wr-security-20.xml"><id>tag:google.com,2005:reader/feed/http://www.internetnews.com/icom_includes/feeds/inews/wr-security-20.xml</id><title type="html">InternetNews.com Security News</title><link rel="alternate" href="http://www.internetnews.com" type="text/html" /></source><feedburner:origLink>http://www.internetnews.com/security/article.php/3928416</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301265685505"><id gr:original-id="http://www.hipaa.com/?p=2362">tag:google.com,2005:reader/item/af7e03d87246960a</id><category term="American Recovery and Reinvestment Act" /><category term="Enforcement" /><category term="HIPAA Law: Administrative Simplification" /><category term="Health IT and HITECH" /><category term="Privacy" /><category term="Security" /><category term="Adam Greene" /><category term="breach" /><category term="breach notification rule" /><category term="business associate" /><category term="cost" /><category term="covered entity" /><category term="effective date" /><category term="encryption" /><category term="Georgina Verdugo" /><category term="guidance" /><category term="hacking" /><category term="HHS" /><category term="HIPAA" /><category term="HITECH Act" /><category term="improper disposal" /><category term="indecipherable" /><category term="internal audit" /><category term="laptop" /><category term="loss" /><category term="Mass General" /><category term="mitigation" /><category term="noncompliance" /><category term="not 
corrected" /><category term="OCR" /><category term="PED" /><category term="penalties" /><category term="PHI" /><category term="policies and procedures" /><category term="portable electronic device" /><category term="prompt action plan" /><category term="protected health information" /><category term="reputation" /><category term="Resolution Agreement" /><category term="safeguard" /><category term="sub-contractor" /><category term="theft" /><category term="Training" /><category term="unauthorized" /><category term="unauthorized access" /><category term="unreadable" /><category term="unsecured" /><category term="unusable" /><category term="willful neglect" /><category term="workforce" /><title type="html">Nearly 8.3 Million Individuals Impacted by 249 Privacy and Security Breaches Reported by HHS; More Training on Safeguarding PHI Required</title><published>2011-03-22T12:47:00Z</published><updated>2011-03-22T12:47:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/_UMyS_YqmHE/" type="text/html" /><content xml:base="http://www.hipaa.com/" type="html">&lt;p&gt;Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the U.S. Department of Health and Human Services (HHS) any privacy or security breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate.  The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to &lt;a href="http://www.hipaa.com/www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html"&gt;post those breaches on its Web site&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;As of March 17, 2011, OCR had posted on its Web site 249 breaches, reported by covered entities, that had impacted 8,289,236 individuals. &lt;a href="http://www.hipaa.com/#_ftn1"&gt;[1]&lt;/a&gt; The dates of these breaches ranged from September 22, 2009—the day prior to the effective date of the Breach Notification Rule—to January 12, 2011. Forty-eight cases reported by covered entities—19.3%—were breaches that involved a business associate.  Excluding 12 breaches without identifying information, approximately 75% (177) of the total involved &lt;em&gt;electronic&lt;/em&gt; protected health information (PHI) and 25% (58) &lt;em&gt;hard copy&lt;/em&gt; formatted PHI.  Several reported breaches involved electronic &lt;em&gt;and&lt;/em&gt; hard copy formatted PHI.&lt;/p&gt;
&lt;p&gt;With regard to type of breach, 24 of the 249 reported breaches lacked sufficient detail.  Of the remainder, 139 breaches, or just about 62%, involved theft, and 37 breaches, or just over 16%, involved loss.  Together, theft and loss accounted for 168 reported breaches, or just over 78% of the total number of breaches that impacted 500 or more individuals per incident.  The remaining types of the most prevalent breaches included unauthorized access (38), hacking (22), and improper disposal (14).  Twenty-five of the reported breaches involved a combination of types.&lt;/p&gt;
&lt;p&gt;With regard to the 177 privacy and security breaches involving electronic PHI, 104, or approximately 59%, involved laptops and portable electronic devices (PEDs)—not otherwise identified.  &lt;em&gt;All but 4 of these reported breaches of laptops and PEDs involved theft or loss. &lt;/em&gt;These breaches should not be occurring!&lt;/p&gt;
&lt;p&gt;On August 24, 2009, HHS issued its Interim Final Rule on Breach Notification, which included &lt;em&gt;Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals&lt;/em&gt;.  This Guidance identifies readily available safeguards—encryption processes and disposal methods—for securing PHI.  Covered entities and their business associates that breach &lt;em&gt;unsecured&lt;/em&gt; electronic PHI are incurring unnecessary breach notification costs through either indifference to or neglect of implementing encryption safeguards on portable and mobile electronic devices.  Those costs do not include costs borne by individuals impacted by the breach, or costs related to loss of business and reputation and to required mitigation by the breaching party.&lt;/p&gt;
&lt;p&gt;Covered entities and business associates must take greater responsibility to safeguard PHI, starting with more emphasis on training their workforce members who work with PHI.&lt;a href="http://www.hipaa.com/#_ftn2"&gt;[2]&lt;/a&gt; The HITECH Act increased financial penalties for noncompliance from $100 for a single violation to $50,000, and the maximum for a repeat of a single violation in a calendar year from $25,000 to $1.5 million.  In addition, the HITECH Act provided for compliance audits&lt;a href="http://www.hipaa.com/#_ftn3"&gt;[3]&lt;/a&gt; in addition to complaint investigations.  As a result, the likelihood of discovery of noncompliance and the financial consequences of such discovery—especially of &lt;em&gt;willful neglect-not corrected&lt;/em&gt;—are raised considerably now under the Breach Notification Interim Final Rule for covered entities and business associates, and will be enhanced even further with simultaneous release of final HITECH Act privacy, security, and breach notification rules in 2011&lt;a href="http://www.hipaa.com/#_ftn4"&gt;[4]&lt;/a&gt; that extend privacy and security obligations to business associates of covered entities and to sub-contractors of business associates.&lt;/p&gt;
&lt;p&gt;Indicative of the forthcoming tightening of HIPAA and HITECH Act privacy and security enforcement is the commentary of OCR Director Georgina Verdugo in the News Release pertaining to the Resolution Agreement whereby Massachusetts General Hospital agreed to pay $1 million to settle Potential HIPAA Privacy Rule violations.&lt;a href="http://www.hipaa.com/#_ftn5"&gt;[5]&lt;/a&gt; Note the following commentary:&lt;/p&gt;
&lt;p&gt;“‘We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement.  It is a covered entity’s responsibility to protect its patients’ health information.’ …  ‘To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules.’ … ‘A robust compliance program includes employee &lt;strong&gt;training&lt;/strong&gt;, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.’” [emphasis added]&lt;/p&gt;
&lt;p&gt;Ed Jones [20110318]&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.hipaa.com/#_ftnref"&gt;[1]&lt;/a&gt; As of the end of 2010, OCR had received more than 14,000 reports of smaller breach incidents (fewer than 500 impacted individuals).  See “Federal Audits Still in Development,” &lt;em&gt;Healthcare Info Security&lt;/em&gt;, February 22, 2011, which is available online &lt;a href="http://www.hipaa.com/www.healthcareinfosecurity.com/articles.php?art_id=3373"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.hipaa.com/#_ftnref"&gt;[2]&lt;/a&gt; For example, “one-third of recently surveyed physician practices and 14 percent of surveyed hospitals do not conduct a regular security risk analysis of their electronic health information.”  See “Survey Details the Security Landscape,” &lt;em&gt;HDM Breaking News&lt;/em&gt;, November 5, 2010.  The risk analysis is the foundation of preparing safeguard policies and procedures and initiating a meaningful training program for workforce members on “awareness and understanding” of and abiding by those policies and procedures.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.hipaa.com/#_ftnref"&gt;[3]&lt;/a&gt; “OCR, which hired the consulting firm Booz Allen Hamilton to help design the auditing program, ‘is still working through what will give us the most bang for the buck,’  Greene said.  For example, it’s still weighing whether to audit a random sample of healthcare organizations or ‘going wider,’ he said.”  Statement of Adam Greene, senior health IT and privacy advisor in OCR, on February 21, 2011. See “Federal Audits Still in Development,” &lt;em&gt;Healthcare Info Security&lt;/em&gt;, February 22, 2011, which is available online &lt;a href="http://www.hipaa.com/www.healthcareinfosecurity.com/articles.php?art_id=3373"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.hipaa.com/#_ftnref"&gt;[4]&lt;/a&gt; Statement of Adam Greene, senior health IT and privacy advisor in OCR, on February 21, 2011.  See Greg Gillespie, “OCR Plans to Tighten Up HITECH Privacy, Security, Breach Regs,” &lt;em&gt;HDM Breaking News&lt;/em&gt;, February 21, 2011, which is available online &lt;a href="http://www.hipaa.com/www.healthdatamanagement.com/news/hitech-rule-privacy-security-breach-41985-1.html"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.hipaa.com/#_ftnref"&gt;[5]&lt;/a&gt; See  HHS, “Massachusetts General Hospital Settles Potential HIPAA Violations,” news release, February 24, 2011, which is available online &lt;a href="http://www.hipaa.com/www.hhs.gov/news/press/2011pres/02/20110224b.html"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/_UMyS_YqmHE" height="1" width="1"/&gt;</content><author><name>Ed Jones</name></author><source gr:stream-id="feed/http://www.hipaa.com/feed/"><id>tag:google.com,2005:reader/feed/http://www.hipaa.com/feed/</id><title type="html">HIPAA.com</title><link rel="alternate" href="http://www.hipaa.com" type="text/html" /></source><feedburner:origLink>http://www.hipaa.com/2011/03/nearly-8-3-million-individuals-impacted-by-249-privacy-and-security-breaches-reported-by-hhs-more-training-on-safeguarding-phi-required/</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301265573451"><id gr:original-id="http://www.finextra.com/news/fullstory.aspx?newsitemid=22350">tag:google.com,2005:reader/item/6c58222ad72fadc1</id><title type="html">Bank staff arrested over $10m fraud conspiracy</title><published>2011-03-11T09:35:00Z</published><updated>2011-03-11T09:35:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/ll6LeQcZUY0/fullstory.aspx" type="text/html" /><summary xml:base="http://www.finextra.com/" type="html">US authorities have charged 12 people - including several bank employees - in relation to a $10 million fraud conspiracy.&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/ll6LeQcZUY0" height="1" width="1"/&gt;</summary><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://www.finextra.com/rss/channel.asp?channel=security"><id>tag:google.com,2005:reader/feed/http://www.finextra.com/rss/channel.asp?channel=security</id><title type="html">Finextra Research Security channel</title><link 
rel="alternate" href="http://www.finextra.com/" type="text/html" /></source><feedburner:origLink>http://www.finextra.com/news/fullstory.aspx?newsitemid=22350</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301265487357"><id gr:original-id="http://www.finextra.com/news/announcement.aspx?pressreleaseid=38382">tag:google.com,2005:reader/item/cfb4f3061f0f3ae1</id><title type="html">PCI Security Standards Council offers phone-based payments guidance</title><published>2011-03-21T09:28:00Z</published><updated>2011-03-21T09:28:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/2iFYu2GHJ0Y/announcement.aspx" type="text/html" /><summary xml:base="http://www.finextra.com/" type="html">The PCI Security Standards Council (PCI SSC), a global, open industry standards body providing management of the Payment Card Industry Data Security ...&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/2iFYu2GHJ0Y" height="1" width="1"/&gt;</summary><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://www.finextra.com/rss/channel.asp?channel=security"><id>tag:google.com,2005:reader/feed/http://www.finextra.com/rss/channel.asp?channel=security</id><title type="html">Finextra Research Security channel</title><link rel="alternate" href="http://www.finextra.com/" type="text/html" /></source><feedburner:origLink>http://www.finextra.com/news/announcement.aspx?pressreleaseid=38382</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301265469735"><id gr:original-id="http://www.finextra.com/community/fullblog.aspx?blogid=5089">tag:google.com,2005:reader/item/f0408817d3155cda</id><title type="html">Half of mobile phones contain recoverable sensitive data - community blog from Nick Jones</title><published>2011-03-21T14:48:23Z</published><updated>2011-03-21T14:48:23Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/19NzZaS9SS8/fullblog.aspx" 
type="text/html" /><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://www.finextra.com/rss/channel.asp?channel=security"><id>tag:google.com,2005:reader/feed/http://www.finextra.com/rss/channel.asp?channel=security</id><title type="html">Finextra Research Security channel</title><link rel="alternate" href="http://www.finextra.com/" type="text/html" /></source><summary type="html">&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/19NzZaS9SS8" height="1" width="1"/&gt;</summary><feedburner:origLink>http://www.finextra.com/community/fullblog.aspx?blogid=5089</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301265166610"><id gr:original-id="http://www.finextra.com/community/fullblog.aspx?blogid=5103">tag:google.com,2005:reader/item/8aa29cbe2e23a809</id><title type="html">Check Your Password Security - community blog from Robert Siciliano</title><published>2011-03-19T05:32:46Z</published><updated>2011-03-19T05:32:46Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/gDXk9XH5JA4/fullblog.aspx" type="text/html" /><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://www.finextra.com/rss/channel.asp?channel=risk"><id>tag:google.com,2005:reader/feed/http://www.finextra.com/rss/channel.asp?channel=risk</id><title type="html">Finextra Research Risk channel</title><link rel="alternate" href="http://www.finextra.com/" type="text/html" /></source><summary type="html">&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/gDXk9XH5JA4" height="1" width="1"/&gt;</summary><feedburner:origLink>http://www.finextra.com/community/fullblog.aspx?blogid=5103</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301264727646"><id gr:original-id="http://www.discoveryresources.org/?p=1085">tag:google.com,2005:reader/item/55fde911c323dfe9</id><category term="Home Page Featured" /><category term="Home Page Latest" 
/><category term="Sound Evidence" /><category term="Technology Counsel" /><title type="html">Data Destruction Policies – Is the data really gone?</title><published>2011-03-22T17:49:49Z</published><updated>2011-03-22T17:49:49Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/mlGsIdIcOTA/" type="text/html" /><summary xml:base="http://www.discoveryresources.org/" type="html">&lt;p&gt;Following a year focused on preservation-related instruction, we have a much better understanding of what is and is not permissible when it comes to data retention and destruction.  Corporate legal departments and outside counsel should, at this point, have a set of working guidelines detailing the different steps of a litigation hold, protections provided by Safe Harbor provisions, and the legal ability to continue corporate data destruction procedures following completion of a litigation hold.  At that point, it comes down to an IT exercise which can be very daunting given the potential multiple data sources and now, the additional 3&lt;sup&gt;rd&lt;/sup&gt; party service providers who may be in possession of…&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/mlGsIdIcOTA" height="1" width="1"/&gt;</summary><author><name>Chris Wilen</name></author><source gr:stream-id="feed/http://www.discoveryresources.org/feed/"><id>tag:google.com,2005:reader/feed/http://www.discoveryresources.org/feed/</id><title type="html">Discovery Resources</title><link rel="alternate" href="http://www.discoveryresources.org" type="text/html" /></source><feedburner:origLink>http://www.discoveryresources.org/technology-counsel/data-destruction-policies-%e2%80%93-is-the-data-really-gone/</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301264442977"><id 
gr:original-id="http://www.computerworld.com/s/article/354956/Cloud_Storage_a_Steep_Climb?source=rss_storage">tag:google.com,2005:reader/item/583996a0b25655e6</id><title type="html">Cloud storage a steep climb</title><published>2011-03-21T10:00:00Z</published><updated>2011-03-21T10:00:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/xjyo8_jJ-vo/Cloud_Storage_a_Steep_Climb" type="text/html" /><link rel="canonical" href="http://www.computerworld.com/s/article/354956/Cloud_Storage_a_Steep_Climb?source=rss_storage" /><summary xml:base="http://www.computerworld.com/" type="html">Organizations in industries such as healthcare, finance, manufacturing and media are as concerned as ever about data security and privacy, but they aren't shying away from cloud storage.&lt;img src="http://feeds.feedburner.com/~r/computerworld/s/feed/topic/19/~4/b81mBZdx1mE" height="1" width="1"&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/xjyo8_jJ-vo" height="1" width="1"/&gt;</summary><author><name>(Beth Schultz)</name></author><source gr:stream-id="feed/http://feeds.computerworld.com/Computerworld/Storage/News"><id>tag:google.com,2005:reader/feed/http://feeds.computerworld.com/Computerworld/Storage/News</id><title type="html">Computerworld Storage News</title><link rel="alternate" href="http://www.computerworld.com/" type="text/html" /></source><feedburner:origLink>http://rss.computerworld.com/~r/computerworld/s/feed/topic/19/~3/b81mBZdx1mE/Cloud_Storage_a_Steep_Climb</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301264132397"><id gr:original-id="http://www.computerworld.com/s/article/9214600/Health_Net_discloses_loss_of_data_to_1.9_million_customers?source=rss_governmentindustries">tag:google.com,2005:reader/item/e3f3825991693387</id><title type="html">Health Net discloses loss of data to 1.9 million customers</title><published>2011-03-15T16:01:00Z</published><updated>2011-03-15T16:01:00Z</updated><link 
rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/AVP6kRcQ1c8/Health_Net_discloses_loss_of_data_to_1.9_million_customers" type="text/html" /><link rel="canonical" href="http://www.computerworld.com/s/article/9214600/Health_Net_discloses_loss_of_data_to_1.9_million_customers?source=rss_governmentindustries" /><summary xml:base="http://www.computerworld.com/" type="html">Health Net is notifying some 1.9 million customers that personal and health data may have been contained on drives that went missing from a data center in California.&lt;img src="http://feeds.feedburner.com/~r/computerworld/s/feed/topic/132/~4/1HZY2ZK3E28" height="1" width="1"&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/AVP6kRcQ1c8" height="1" width="1"/&gt;</summary><author><name>jaikumar_vijayan@computerworld.com (Jaikumar Vijayan)</name></author><source gr:stream-id="feed/http://feeds.computerworld.com/Computerworld/Health/Care/News"><id>tag:google.com,2005:reader/feed/http://feeds.computerworld.com/Computerworld/Health/Care/News</id><title type="html">Computerworld Health Care News</title><link rel="alternate" href="http://www.computerworld.com/" type="text/html" /></source><feedburner:origLink>http://rss.computerworld.com/~r/computerworld/s/feed/topic/132/~3/1HZY2ZK3E28/Health_Net_discloses_loss_of_data_to_1.9_million_customers</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301264091062"><id gr:original-id="http://www.computerworld.com/s/article/9212058/Malware_ads_hit_London_Stock_Exchange_Web_site?source=rss_governmentindustries">tag:google.com,2005:reader/item/24d90ab96fe9cfe4</id><title type="html">Malware ads hit London Stock Exchange Web site</title><published>2011-03-01T08:20:00Z</published><updated>2011-03-01T08:20:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsinfosec/~3/eQB9EuhcnnU/Malware_ads_hit_London_Stock_Exchange_Web_site" type="text/html" /><link rel="canonical" 
href="http://www.computerworld.com/s/article/9212058/Malware_ads_hit_London_Stock_Exchange_Web_site?source=rss_governmentindustries" /><summary xml:base="http://www.computerworld.com/" type="html">Visitors to the London Stock Exchange's Web site were hit with malicious ads over the weekend, designed to pop up fake security messages on their computers.&lt;img src="http://feeds.feedburner.com/~r/computerworld/s/feed/topic/130/~4/mbSy8yBEYKY" height="1" width="1"&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsinfosec/~4/eQB9EuhcnnU" height="1" width="1"/&gt;</summary><author><name>(Robert McMillan)</name></author><source gr:stream-id="feed/http://feeds.computerworld.com/Computerworld/Financial/News"><id>tag:google.com,2005:reader/feed/http://feeds.computerworld.com/Computerworld/Financial/News</id><title type="html">Computerworld Financial Services News</title><link rel="alternate" href="http://www.computerworld.com/" type="text/html" /></source><feedburner:origLink>http://rss.computerworld.com/~r/computerworld/s/feed/topic/130/~3/mbSy8yBEYKY/Malware_ads_hit_London_Stock_Exchange_Web_site</feedburner:origLink></entry></feed>

