HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Massive data breach could affect every federal agency


China-based hackers are suspected once again of breaking into U.S. government computer networks, and the entire federal workforce could be at risk this time.


The Department of Homeland Security said in a statement that data from the Office of Personnel Management — the human resources department for the federal government — and the Interior Department had been compromised.


"The FBI is conducting an investigation to identify how and why this occurred," the statement Thursday said.

The hackers were believed to be based in China, said Sen. Susan Collins, a Maine Republican.


Collins, a member of the Senate Intelligence Committee, said the breach was "yet another indication of a foreign power probing successfully and focusing on what appears to be data that would identify people with security clearances."


A spokesman for the Chinese Embassy in Washington called such accusations "not responsible and counterproductive."


"Cyberattacks conducted across countries are hard to track and therefore the source of attacks is difficult to identify," spokesman Zhu Haiquan said Thursday night. He added that hacking can "only be addressed by international cooperation based on mutual trust and mutual respect."


A U.S. official, who declined to be named because he was not authorized to publicly discuss the data breach, said it could potentially affect every federal agency. One key question is whether intelligence agency employee information was stolen. Former government employees are affected as well.


The Office of Personnel Management conducts more than 90 percent of federal background investigations, according to its website.

The agency said it is offering credit monitoring and identity theft insurance for 18 months to individuals potentially affected. The National Treasury Employees Union, which represents workers in 31 federal agencies, said it is encouraging members to sign up for the monitoring as soon as possible.


In November, a former DHS contractor disclosed another cyberbreach that compromised the private files of more than 25,000 DHS workers and thousands of other federal employees.


Cybersecurity experts also noted that the OPM was targeted a year ago in a cyberattack that was suspected of originating in China. In that case, authorities reported no personal information was stolen.

Chinese groups have persistently attacked U.S. agencies and companies, including insurers and health-care providers, said Adam Meyers, vice president for intelligence at Irvine, California-based CrowdStrike, which has studied Chinese hacking groups extensively.


The Chinese groups may be looking for information that can be used to approach or compromise people who could provide useful intelligence, Meyers said. "If they know someone has a large financial debt, or a relative with a health condition, or any other avenues that make them susceptible to monetary targeting or coercion, that information would be useful."


One expert said hackers could use information from government personnel files for financial gain. In a recent case disclosed by the IRS, hackers appear to have obtained tax return information by posing as taxpayers, using personal information gleaned from previous commercial breaches, said Rick Holland, an information security analyst at Forrester Research.


"Given what OPM does around security clearances, and the level of detail they acquire when doing these investigations, both on the subjects of the investigations and their contacts and references, it would be a vast amount of information," Holland added.


DHS said its intrusion detection system, known as EINSTEIN, which screens federal Internet traffic to identify potential cyberthreats, identified the hack of OPM's systems and the Interior Department's data center, which is shared by other federal agencies.


It was unclear why the EINSTEIN system didn't detect the breach until after so many records had been copied and removed.


"DHS is continuing to monitor federal networks for any suspicious activity and is working aggressively with the affected agencies to conduct investigative analysis to assess the extent of this alleged intrusion," the statement said.


Cybersecurity expert Morgan Wright of the Center for Digital Government, an advisory institute, said EINSTEIN "certainly appears to be a failure at this point. The government would be better off outsourcing their security to the private sector where there's at least some accountability."


Senate Intelligence Committee Chairman Richard Burr, R-N.C., said the government must overhaul its cybersecurity defenses. "Our response to these attacks can no longer simply be notifying people after their personal information has been stolen," he said. "We must start to prevent these breaches in the first place."


States ramp up data security laws


Healthcare organizations not only must heed federal data security laws; they also have state laws to keep in mind. And a growing trend has states making these regulations tougher than ever. One state that currently has no laws requiring organizations to implement certain data security protections has proposed legislation that would hold entities fully responsible for failing to safeguard consumer data.  

 
As businesses continue to demonstrate grievous security failings, New York state has decided to join a growing number of states that have chosen to ramp up their data security laws. The announcement last week from the state's Attorney General Eric T. Schneiderman comes on the heels of a report last year finding that nearly 23 million New Yorkers have had their personal records compromised since 2006.
 
New York entities are only required to notify individuals of a data security breach if "private information" has been compromised. Private information, as state officials pointed out, has a very narrow definition and does not include email addresses and passwords, medical data, or health insurance data, among other items.
 
The proposed law would broaden the definition of private information to include email addresses, security questions and medical and health insurance data. The law would also establish a safe harbor rule for companies that implement specific data security plans and standards that officials say would minimize the chance of a breach. 
 
In 2013 – a "record-setting" breach year for New York – these data security breaches cost organizations a whopping $1.37 billion statewide. Some 40 percent of those breaches were hacking related, according to a 2014 N.Y. Attorney General report.
 
What's more, healthcare organizations proved to be the biggest offenders, with healthcare data breaches being responsible for compromising the largest number of records of New Yorkers since 2006. "As the healthcare industry moves toward increasing digitization, it has become a repository for large troves of sensitive information, making the industry uniquely susceptible to data loss, particularly through lost or stolen electronic storage equipment," Schneiderman wrote in the report.  
 
"With some of the largest-ever data breaches occurring in just the last year, it's long past time we updated our data security laws and expanded protections for consumers," said Schneiderman in a Jan. 15 press release. "We must also remind ourselves that companies can be victims, and that those who take responsible steps to safeguard customer data deserve recognition and protection."
 
One of the state's biggest data breaches ever reported was announced by the New York City Health & Hospitals Corporation's North Bronx Healthcare Network, which compromised the health records of some 1.7 million employees, vendors and patients.
 
In light of the increase in scope and frequency of these data security breaches, just last month, Oregon's AG Ellen Rosenblum called on the state's legislature to update and toughen Oregon's data breach law, which does not protect medical or health insurance data. Indiana's AG also in December proposed similar legislation that would tighten data security laws in the state. 



Obama's data-breach initiative has privacy advocates optimistic, cautious


There may finally be a standard set of rules for how US companies protect customer's data in the aftermath of a breach, if new proposed rules from the president become law.

For years, companies in America have contended with a patchwork of laws regarding how they treat customer information. Some states have strict rules, designed to ensure consumer protection. Others have none.

President Barack Obama wants that to change, and so do consumers. A Pew Research study conducted last year found 18 percent of consumers have seen their credit card, bank account, or Social Security number stolen, up from 11 percent only six months earlier.

They have reason to be concerned. The Identity Theft Resource Center said data breaches in the US were up 27.5 percent in 2014 over the year before. The past couple of years have been filled with headlines about catastrophic data breaches from Target and Home Depot, as well as arts and crafts chain Michaels and restaurant chain P.F. Chang's. In November, Sony Pictures suffered one of the worst hacks in corporate history.

Now, the government may step in, at least to ensure consumers are protected. President Obama on Monday proposed a new law called the Personal Data Notification and Protection Act, which would create a basic set of rules for how companies handle their customer information. It also would criminalize international trade in stolen personal identity information.

Aside from one specific rule that would require companies to notify customers within 30 days of the discovery of a data breach, there aren't many other details available yet about Obama's proposal. The president is expected to outline more specifics in his State of the Union speech next week.

In the meantime, tech industry executives and privacy advocates are excited at the prospect of a renewed effort to create a national standard. They say the bills that succeed are typically aimed at the government and how it handles information, rather than corporations.

Now that could change.

"This is a huge shot in the arm to a much-needed advancement for our legislative protections," said Scott Talbott, who heads up government relations for the trade group Electronic Transactions Association.

Some, like Alvaro Bedoya, the executive director of the Center on Privacy and Technology at Georgetown University, are cautiously optimistic. "Some states tend to have very strong data breach laws," he said. "We're going to need to put the Obama proposal side-by-side with those states' laws and see how they stack up."

Many questions still remain

While 47 states have laws requiring companies to at least notify consumers of security breaches involving their personal information, according to the National Conference of State Legislatures, the similarities often end there.

The toughest state laws, said Bedoya, have strong provisions for credit monitoring, requiring companies to give affected consumers at least a year of free credit protection. Companies must notify consumers that their information has been compromised within 30 days. California, for example, lets its residents attempt to recover damages, making it one of the most aggressive.

But South Dakota, Alabama and New Mexico have no data breach protections at all for consumers, according to Heidi Shey, a security and risk analyst at research firm Forrester.

The Electronic Privacy Information Center, a research group that tracks privacy and civil liberties issues, said the proposal would greatly impact consumers in those places, while also creating a minimum set of rules that all companies would have to follow.

President Obama isn't the first to propose such nationwide measures. In the previous session of Congress alone, which lasted from 2013 to 2015, there were four similar bills in the House of Representatives and two in the Senate. All of them went nowhere.

But that was before the latest string of privacy breaches. "It's important to have this in place from a consumer perspective," said Forrester's Shey. "If we have 50 separate laws, it makes it so much harder for a company to respond. It gets easy to drop the ball."



Illinois joins other states that are not waiting for federal data breach legislation


Illinois is joining several other states in passing legislation that would dramatically increase the potential liability for marketers in the event of a data breach.  The Illinois Senate voted 35-13 to approve a bill (SB1833) drafted by the Illinois Attorney General that would add "consumer marketing information" to the definition of personal information under the state's data breach law. It would require notification if there is a breach of "information related to a consumer's online browsing history, online search history, or purchasing history."  Illinois Bill SB1833 now moves to the Illinois House of Representatives, where it will likely have substantial support.


At first blush this certainly sounds appealing considering all the data breaches that have occurred in recent times; however, for those that market products on the internet, the inconsistent laws across the country are truly a field of potential liability landmines.


Several industry groups, including the ANA (Association of National Advertisers) are working together to lobby for federal data breach legislation that would pre-empt the patchwork of 47 inconsistent state data breach laws that currently exist.  Only Alabama, New Mexico, and South Dakota currently do not have security breach laws on the books. The ANA calls the Illinois bill the "poster child" example of why federal legislation is necessary as state legislatures rush to curb media-infused consumer fears over data breaches that the ANA purports result in unreasonable laws with the potential for significant liability to companies.


Everyone certainly agrees that consumers should be notified if there is a breach of personal information that creates a risk of identity theft or some other financial harm to consumers. However, the state laws typically contain no clear specific trigger for breach notification. The vast preponderance of consumer marketing information does not present a risk of identity theft or financial harm to consumers.

This unprecedented expansion of the scope of the current data breach law could cost Illinois companies millions of dollars each year to protect non-sensitive information that poses no material risk of identity theft or financial harm to residents. In addition, consumers could eventually succumb to "notice fatigue" if they receive notices about breaches that involve no serious risk of harm to them.



Does Obama privacy push have oomph?

President Barack Obama’s rollout of privacy and data security policies Monday offered big promises to protect consumer information online, but the reality is his legislative ideas are a long shot in Congress and his voluntary industry initiatives lack enforcement teeth.

The package of proposals — including a data-breach notification law and a privacy bill of rights — are mostly a rehash of previous administration proposals. While some lawmakers have expressed interest in data breach and student privacy bills, such legislation has made little progress in the past. Congress has even less enthusiasm for the base-line privacy bill that Obama says he will release in coming weeks.

The president’s announcement comes on the heels of the high-profile Sony hacking case and after a year of major retail hacks that compromised millions of Americans’ credit cards. But the glacial progress of privacy and data security legislation shows just how difficult it has been for Washington to come up with workable new laws in this area.

In a 15-minute speech at the Federal Trade Commission, Obama previewed proposals that will be part of his State of the Union address on Jan. 20. Pressing Congress to take action, the president led his speech with recent headlines from the Sony hack.

“This mission, protecting our information and privacy in the information age, this should not be a partisan issue,” Obama said. “It’s one of those new challenges in our modern society that crosses the old divides — transcends politics, transcends ideology. Liberal, conservative, Democrat, Republican, everybody is online, and everybody understands the risks and vulnerabilities as well as opportunities that are presented by this new world.”

White House press secretary Josh Earnest later put it more bluntly. “I do think that, certainly, in the aftermath of some of the more recent cyberattacks we’ve seen that have been carried out against a number of private companies, including most recently Sony, hopefully that got the attention of people on Capitol Hill,” he said.

Obama’s data-breach proposal would impose a national standard for companies to notify consumers, in the event their information is stolen or compromised, within 30 days of the discovery of an incident. His student privacy bill, modeled on a California measure, would impose new restrictions on companies that collect or store student data while providing products and services to K-12 schools.

The president also announced that JPMorgan Chase and Bank of America are joining a list of firms making credit scores available for free to consumers to combat identity theft, the top consumer complaint for 14 years running at the FTC.

Some privacy advocates, while bullish for laws that will tighten consumer privacy, remain skeptical that Obama’s push will have any oomph behind it, seeing it more as a public relations maneuver designed to reassure European privacy officials as they work to complete a trade deal by the end of the year.

“An unannounced but intended audience for the administration’s plan is to remove a serious obstacle to its plans for a U.S.-EU trade deal, known as TTIP,” or the Transatlantic Trade and Investment Partnership, said Jeff Chester, executive director of the Center for Digital Democracy. Consumer privacy has been one of the sticking points with EU officials who worry that the U.S. doesn’t have a comprehensive privacy framework.

There is some support for a data-breach bill in the new Congress, and industry groups and the FTC have long pressed for a federal law to streamline the 49 different state breach rules they have to follow. Reps. Marsha Blackburn (R-Tenn.) and Peter Welch (D-Vt.) say they are already working on a data-breach bill.

“There has been consensus and a call from many in the business community several years running for data-breach legislation,” said Stu Ingis, a partner at Venable and counsel to the Digital Advertising Alliance, which represents several marketing and advertising groups.

But such legislation has repeatedly run into fears that a federal standard would weaken stricter rules enacted by states — a theme some privacy advocates hit again Monday.

“The Personal Data Notification and Protection Act would pre-empt stronger state laws and contains no private right of action,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center. He said the president’s student privacy plan “looks promising,” adding the country ultimately needs a more comprehensive approach to online privacy issues.

“The White House announcement is a step in that direction. But more needs to be done,” Rotenberg said.

Obama touted the 75 education tech companies that have voluntarily committed to keeping student data private, including Microsoft. Apple, which did not sign on initially, has now committed to the pledge. But other major players in the ed tech market, including Google and Pearson, are still not listed as signatories.

Concerns over student privacy have grown steadily as the use of online tools has exploded in classrooms. Ed tech companies can scoop up millions of data points on each child by monitoring them as they click through digital textbooks, educational games and online homework assignments. They can build detailed profiles of students’ academic ability — and also of their cognitive skills, including their learning styles.

The prospect of such intimate information being mined for possible commercial gain has mobilized parent privacy activists from across the political spectrum.

The administration has eyed privacy and data security measures since the president’s first term and proposed a national data-breach standard as part of a cybersecurity proposal in 2011. It unveiled a blueprint for a consumer privacy bill of rights in 2012.

Some parts of the tech industry said the president should have broadened his proposal to include surveillance reform, a key issue for Internet companies following Edward Snowden’s leaks about the National Security Agency.

“The president missed an opportunity to address the continued push by law enforcement and intelligence agencies to weaken security for the purpose of surveillance,” said Daniel Castro, senior analyst for the Information Technology and Innovation Foundation. “These actions threaten the competitiveness of the U.S. tech sector and discourage consumer confidence in digital products and services.”