HIPAA Compliance for Medical Practices
82.6K views | +35 today
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...

DOJ Charges Suspect in Largest Known Data Breach

DOJ Charges Suspect in Largest Known Data Breach | HIPAA Compliance for Medical Practices | Scoop.it

Justice may not always be swift, but the U.S government has proven itself to be tenacious in tracking down alleged cyber-criminals to the ends of the Earth. The U.S Department of Justice (DOJ) announced Feb. 17 that Russian national Vladimir Drinkman appeared in a federal court in New Jersey in connection with cyber-attacks that occurred between 2007 and 2009 and affected up to 160 million credit cards.

Drinkman has pleaded not guilty and is being detained without bail ahead of a trial scheduled for April 27, 2015. Before being extradited to the United States to stand trial, Drinkman had been in detention by authorities in the Netherlands since he was first arrested June 28, 2012.

According to the indictment, Drinkman did not act alone in his activities and there were other co-conspirators, including Alexandr Kalinin of St. Petersburg, Russia; Roman Kotov, of Moscow; Mikhail Rytikov of Odessa, Ukraine; and Dmitriy Smilianets of Moscow. The Justice Department noted that Smilanets is currently in U.S. federal custody, while Kalinin, Kotov and Rytikov remain at large.

The Justice Department previously identified Drinkman and Kalinin as "Hacker 1" and "Hacker 2" in a 2009 indictment in which Albert Gonzalez was also charged. That indictment involved the corporate data breach that impacted Heartland Payment Systems, Hannaford Brothers and 7-Eleven.

All told, the Justice Department claims that Drinkman and his co-conspirators acquired at least 160 million credit card numbers by way of various hacking activities. Those activities include SQL injection attacks against the victims, whereby the attackers were able to inject malware.

"This malware created a back door, leaving the system vulnerable and helping the defendants maintain access to the network," the U.S Department of Justice noted in a statement. "In some cases, the defendants lost access to the system due to companies' security efforts, but were allegedly able to regain access through persistent attacks."

Though Drinkman was first identified back in 2009 as Hacker 1 in the Gonzalez indictment, it took until 2015 for the U.S. government to bring him before a federal court. That six-year gap is not uncommon, said Phil Smith, senior vice president, Government Solutions and Special Investigations, at security specialist Trustwave. The extradition process is lengthy and can be cumbersome, he added.

"Criminals will often flee to countries where extradition to the U.S. or NATO countries is lengthy or can be subverted," Smith told eWEEK. "We have even seen cases where the U.S. has pending criminal charges and requested to extradite individuals only to see them tried, convicted and jailed in a foreign country and then extradited back to their home countries to serve out their sentences."

Smith added that, in some cases he is aware of, once criminals have been returned to their home countries, the charges were thrown out and the criminals have been released. "It is very frustrating. So when you are able to get one of these individuals extradited to the U.S., it's a great victory and I applaud the efforts of the prosecutors and agents," he said.

No comment yet.

HIPAA needs a makeover | mHealthNews

HIPAA needs a makeover | mHealthNews | HIPAA Compliance for Medical Practices | Scoop.it

The pace of mHealth innovation shows no signs of slowing down. New technologies are not only improving the lives of patients, but also empowering clinicians. However, healthcare is a highly regulated space dominated by major vendors, and it is vital that the regulatory environment keep up with the changing world. Specifically, it’s time for the Department of Health and Human Services to take a fresh look at the Health Insurance Portability and Accountability Act (HIPAA) to ensure it better fits today’s mobile world.

Current HIPAA guidelines – while critical – need to be revised to support smaller companies that can transform the space. Leading app developers across the industry are working together to seek clearer guidelines that will encourage innovation. The App Association recently joined with AirStrip, CareSync and other mHealth companies urging government representatives to look at this issue so we can better align our practices with theirs and together work towards the goal of improved patient care.

We recommend:

1. Make existing regulation more accessible for tech companies

Information on HIPAA is still mired in a Washington, D.C. mindset that revolves around reading the Federal Register or hiring expert consultants to "explain" what should be clear in the regulation itself. Not surprisingly, app makers do not find the Federal Register to be an effective resource when developing health apps.

Additionally, there are limited user-friendly resources available for app developers, who are mostly solo inventors or small groups of designers, not large companies with the resources to easily hire counsel or consultants who can help through the regulatory process.

Proposed solution: HHS must provide HIPAA information in a manner that is accessible and useful to the community who needs it. The agency should draft new FAQs that directly address mobile developer concerns.

2. Improve and update guidance from OCR on acceptable implementations

The current technical safeguards documentation available on the hhs.gov website is significantly out of date. Without new documentation that speaks to more modern uses, it will be difficult for developers to understand how to implement HIPAA in an effective way for patients.

Proposed solution: HHS and the OCR must update the "Security Rule Guidance Material" and provide better guidance regarding mobile implementations and standards – or examples of standard implementations that would not trigger an enforcement action – instead of leaving app makers to learn about these through an audit.

3. Improve outreach to new entrants in the healthcare space

Some of the most innovative new products in the mobile health space are coming from companies outside the traditional healthcare marketplace. Yet HHS appears attached to ‘traditional’ healthcare communities.

Proposed solution: In order to ensure the expansion of innovative new technologies, it is essential that HHS, the OCR and others expand their outreach to the communities that are driving innovation.

These issues are critical to the mobile health economy. By working more closely together, we can create a regulatory environment that encourages innovation in this life-changing marketplace.

No comment yet.