
Dianne Bourque is a Member in the firm and practices in the Boston office. She advises health care clients on issues including licensure, regulatory, contractual, risk management, and patient care matters as well as issues involving HIPAA and other medical privacy laws. Before joining Mintz Levin, Dianne was an associate staff attorney at the Lahey Clinic. She is also an adjunct professor at Stonehill College, where she teaches a course on health care law.

UPDATE: Europol chief Rob Wainwright told the BBC, “Companies need to make sure they have updated their systems and ‘patched where they should’ before staff arrives for work on Monday morning.”

By now, you may have heard about the global ransomware attacks affecting organizations throughout the world. Estimates range between 150,000 and 200,000 organizations in nearly 150 countries, and those numbers could be higher. The ransomware variant, called “Wanna Decryption” or “WannaCry,” works like any other ransomware: once it is inadvertently installed, it locks up the organization’s data until a ransom is paid. Here are some quick facts about the WannaCry attack and suggestions for avoiding it.

How does ransomware get onto a system generally? 

Ransomware installs on a victim’s computer when a user clicks on a malicious link in a “phishing” email (an email designed to trick the user into thinking that it is from a known or legitimate source). Ransomware can also be downloaded through infected file attachments or by visiting a malicious website. WannaCry appears to be delivered through links in phishing emails.

How does WannaCry work?

WannaCry affects systems that are behind in their Windows patching. There is a patch for the vulnerability exploited by WannaCry (see the US-CERT article on the Microsoft SMBv1 vulnerability and Microsoft Security Bulletin MS17-010).
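The following PowerShell script is an added example, not part of the original post, showing how an administrator can check a single Windows host for the two conditions the post describes: an SMBv1 server that is still enabled and a missing MS17-010 update. It assumes PowerShell 3.0 or later, an elevated session, and that the reader fills in the MS17-010 KB number(s) for the host’s Windows version (a labelled placeholder below).

```powershell
# Added example (not from the original post): audit one Windows host for the
# two exposure conditions the post describes, an enabled SMBv1 server and a
# missing MS17-010 update. Run in an elevated PowerShell session.
# ASSUMPTION: the KB numbers for MS17-010 differ per Windows version; fill the
# placeholder below from the MS17-010 bulletin for the OS being checked.
$Ms17010Kbs = @('KB<MS17-010 KB number for this OS>')   # placeholder

function Get-WannaCryExposure {
    param([string[]]$KbIds = $Ms17010Kbs)

    $os = Get-CimInstance Win32_OperatingSystem

    # SMB1 server state. Get-SmbServerConfiguration exists on Windows 8 /
    # Server 2012 and later; older hosts expose the same switch as the
    # LanmanServer\Parameters\SMB1 registry value (0 = disabled, absent = on).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $v = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
        $smb1 = if ($null -eq $v) { $true } else { [bool]$v.SMB1 }
    }

    # Any one of the per-OS MS17-010 KBs present counts as patched.
    $matched = @(Get-HotFix | Where-Object { $KbIds -contains $_.HotFixID } |
                 Select-Object -ExpandProperty HotFixID)

    # AtRisk: SMB1 is on and no MS17-010 KB is installed.
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        OSVersion      = $os.Caption
        SMB1Enabled    = $smb1
        MS17010Patched = ($matched.Count -gt 0)
        MatchedKBs     = ($matched -join ', ')
        AtRisk         = ($smb1 -and $matched.Count -eq 0)
    }
}

Get-WannaCryExposure | Format-List
```

The same function can be run against many hosts with Invoke-Command to build a fleet-wide list of machines that still need the patch or SMBv1 disabled.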

Is any system particularly vulnerable? 

Because Windows Server 2003 and older, and Windows XP and older on the desktop, have been discontinued by Microsoft and are unsupported, these systems are particularly vulnerable. In response, Microsoft has taken the highly unusual step of releasing emergency security patches for these unsupported versions of Windows, such as XP and Server 2003, to defend against the malware. Everyone should be actively checking systems and updating. This may be the first time that Microsoft has ever issued patches for decommissioned software.

What are immediate steps for an organization that is attacked?

An organization that is attacked should immediately isolate the affected systems and networks to avoid the spread of the malware and contact law enforcement.

How can a WannaCry victim regain access to data? 

Once WannaCry or other ransomware installs and locks up a victim’s data, the only alternatives are: 1) restore data from clean backup systems; or 2) pay the ransom.

How can WannaCry and other types of ransomware be avoided?

  • A comprehensive and continually updated security risk assessment
  • A security risk assessment that doesn’t address ransomware is out of date
  • Workforce training on ransomware – make sure that the workforce understands the importance of avoiding suspicious email messages, links and attachments
  • Workforce testing on ransomware – send simulated phishing emails and see how many users click on the suspicious links
  • Maintain comprehensive data backup systems – make sure that they are easily accessible in the event of an emergency (practice accessing them in a non-emergency!)

We will provide further information on the WannaCry attack as it becomes available.

At long last, the Department of Health and Human Services Office for Civil Rights (OCR) has released a revamped audit protocol that now addresses the requirements of the 2013 Omnibus Final Rule. OCR will be using the audit protocol for its impending Phase 2 audits of covered entities and business associates, which are set to begin next month.

The protocol covers the following subject areas:

  • Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • Security Rule requirements for administrative, physical, and technical safeguards.
  • Breach Notification Rule requirements.

OCR has also released other materials that shed light on the logistics of the audit process, including a copy of the Audit Pre-Screening Questionnaire that it will use to collect demographic information about covered entities and business associates. OCR will use this information to create a pool of potential auditees.

Entities selected for audit will be required by OCR to identify and provide detailed information regarding their business associates. The information collected by OCR will be used to help identify business associates for the Phase 2 audits. OCR has released a template with the information that covered entities will have to provide, including the business associate’s name, contact information, type of services, and website.

Covered entities and business associates should be working to ensure that they have the required compliance documents and materials ready, especially given OCR’s aggressive timetable: if selected for an audit, an auditee will have only 10 days to respond to OCR.

As we have discussed previously on this blog, the audit protocol is an excellent HIPAA compliance tool, especially for audit readiness assessment. Unfortunately, the version of the tool on the OCR website can be unwieldy to use in practice. In order to assist covered entities and business associates with their HIPAA compliance efforts, we have repackaged the audit protocol into a more user-friendly format that can be downloaded here.


Originally posted to Mintz Levin’s Health Law & Policy Matters Blog on 4/20/16

The HHS Office for Civil Rights (“OCR”) officially launched the long-awaited (and dreaded) Phase 2 of the HIPAA Audits Program on March 21st. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails (check your spam filter!) from OCR that will begin the audit process.

Why Audits? Why Now?

The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) requires OCR to periodically audit both Covered Entities and Business Associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR conducted Phase 1 audits in 2011 and 2012. The Phase 1 audits only examined Covered Entities, and the results were generally disappointing: only 11% of the entities audited had no findings or observations, and many findings related to Security Rule compliance. After many delays, OCR is now proceeding with Phase 2.

As the year winds down, we look back with a mixture of nostalgia and queasiness on the major Health Insurance Portability and Accountability Act (HIPAA) events that defined 2015. Incredibly large data breaches became disturbingly routine, calling into question the ability of insurers and providers to protect their increasingly large troves of sensitive health information. We also saw the release of an Office of Inspector General (OIG) report that was highly critical of the Federal government’s ability to effectively enforce HIPAA, followed almost immediately by signs of more aggressive enforcement from the Office for Civil Rights (OCR), perhaps in response. We waited for commencement of the second round of HITECH-mandated audits, but it never came. As regulated entities prepare for a new year of regulatory challenges, we review the highlights — and lowlights — of HIPAA 2015, and prepare for what’s to come in 2016.

Massive Data Breaches

The year began inauspiciously, with one of the largest data breaches to ever hit the U.S. health care industry. We are, of course, referring to the theft of approximately 80 million personal records from health insurer Anthem Inc. The theft spanned over 14 states, and included names, birthdates, email addresses, Social Security numbers, and other personal data. The Anthem breach, however, was not an isolated incident. There were at least four other multi-million record data breaches affecting the health care industry in 2015, including:

  • Premera Blue Cross (11 million individuals affected)
  • Carefirst BlueCross BlueShield (1.1 million individuals affected)
  • UCLA Health (4.5 million individuals affected)
  • Excellus (10 million individuals affected)

One common thread throughout these breaches, beyond their sheer magnitude, is the inability of the entities to quickly identify and report the breach. For example, Excellus hired a security firm to conduct a forensic analysis of its computer system; the analysts concluded that the breach had occurred as early as December of 2013. UCLA Health faced similar delays in identifying its breach. One reason for this may be another common thread: the advanced nature of the attacks. While not independently verified, a number of the affected entities have reported that the attacks were “very sophisticated.” While the culprits of these mega-breaches have not been identified by name, many suspect state sponsorship of the attacks by China.

The U.S. Office of Personnel Management (OPM) announced that hackers have stolen the personal information of approximately 4 million current and former federal employees, including names, birthdates and Social Security numbers. OPM serves as the human resources department, and holds employee records, for the entire federal government, ranging from security clearances to the identities of covert CIA agents. Every federal agency is potentially affected by this breach. Notifications to affected employees will begin going out on Monday, June 8th, via email or US mail. OPM will provide credit monitoring, identity theft insurance and recovery services for 18 months to affected individuals.

OPM is working with the Department of Homeland Security’s Computer Emergency Readiness Team (CERT) and the FBI to assess the full extent of the breach. Early reports suggest that the breach originated in China.

Compounding the pain for OPM and the affected individuals is the revelation in OPM’s website notice that the agency recently implemented an “aggressive effort” to update its network security. Unfortunately, this effort only revealed the hack; it was not implemented in time to prevent it.

OPM’s breach follows a highly publicized IRS data breach, in which hackers accessed the personal information of 100,000 taxpayers and used it to file false refund requests. In 2014 alone, the US Postal Service, White House, National Weather Service and US Department of State were all victims of cyber-attacks, some of them suspected of originating in China.

As of now, federal data breach numbers pale in comparison to private sector breaches, but it will be interesting to see if these incidents create a credibility problem for federal regulators, who can’t seem to keep their own systems secure. According to Mark Robinson, a former federal prosecutor and cyber defense litigator at Mintz Levin:

At a minimum, the government’s own inability to keep its cyber security house in order will be used defensively by private-company breach victims as a glowing example of how easily hackers can get into even the most fortified government-controlled computer systems.

It will also be interesting to see if this breach results in private litigation on behalf of affected employees, particularly those whose safety and ability to do their jobs depend on the secrecy of their identities. According to Kevin McGinty, Mintz Levin privacy class action litigator:

As day follows night, class actions typically follow data breaches. Here, most OPM employees would have a difficult time alleging any injury sufficient to confer standing to sue. The most plausible harm that could flow from this data breach, identity theft, is addressed by the services already being offered by OPM. Unless a would-be litigant could allege some additional and imminent risk of harm that would not be covered by the services that OPM is offering, a private lawsuit would be likely to face dismissal for lack of standing.

We will have more on this story as it evolves.